In MS DHCP, under Scope Properties, on the DNS tab, it says:
You can setup the DHCP server to automatically update authoritative DNS servers with the host (A) and pointer (PTR) records of DHCP clients.
And there are several options relating to security and whether the DHCP client or server should perform the update.
My question is: How does the DHCP server decide which DNS server to update?
I see two possible options, both of which involve the server looking at its configured Scope Options (which seems odd, since those options are for client consumption):
- 006 DNS Servers -- Array of DNS servers, by preference
  - MS DHCP could contact these DNS server IP addresses directly
- 015 DNS Domain Name -- DNS Domain name for client resolutions
  - MS DHCP could look up an authoritative DNS server for this domain
I would imagine the answer would be 015.
My rationale for asking:
We're trying to set up a DMZ (of sorts) which is dual-homed to the domain, and to an external zone. This DMZ has its own (Linux) DNS server, which forwards DNS requests either to the domain or to the external zone, depending on the domain, of course.
We're trying to use the AD Domain DHCP server for this purpose, utilizing a DHCP relay in the firewall. We also have a dmz zone in the AD DNS for the purpose of resolving the names of DHCP dynamic hosts in the DMZ.
 _______________                  ____________________                  ~~~~~~~~~~
|               |                |                    |                (          )
|   AD Domain   |--( Firewall )--|        DMZ         |---(Firewall)---( External )
|  example.com  |  (DHCP relay)  |  dmz.example.com   |                (          )
|  10.0.1.0/24  |                |    10.0.2.0/24     |                (          )
|               |                |                    |                (          )
| DC1 10.0.1.11 | <..............| .. NS1 10.0.2.11 ..|...........>    (          )
|   - DNS       |                |                    |                (          )
|   - DHCP      |                |                    |                (          )
|_______________|                |____________________|                 ~~~~~~~~~~
So for the DMZ Scope, we tried to configure the options as:
- 006 DNS Servers: 10.0.2.11
- 015 DNS Domain Name: dnz.example.com
But we found that DHCP Dynamic DNS updates stopped working.
The way we got it to work was to add 10.0.1.11 to the list of DNS servers. This makes us suspect that MS DHCP uses field 006. This has the bad side effect that DNS resolution in the DMZ becomes slow, because non-domain requests are first sent in to 10.0.1.11, when they should go to 10.0.2.11 (to be routed appropriately).
By running a packet capture on a completely different IP address, we confirmed that option 006 is definitely used by the DHCP server to identify a DNS server. We only saw these DNS requests:
10.0.1.11-->10.0.2.99 DNS Q SOA foo.dmz.example.com
10.0.1.11-->10.0.2.99 DNS Q SOA foo.dmz.example.com
10.0.1.11-->10.0.2.99 DNS Q SOA foo.dmz.example.com
10.0.1.11-->10.0.2.99 DNS Q SOA foo.dmz.example.com
10.0.1.11-->10.0.2.99 DNS Q SOA foo.dmz.example.com
10.0.1.11-->10.0.2.99 DNS Q SOA 50.2.0.10.in-addr.arpa
10.0.1.11-->10.0.2.99 DNS Q SOA 50.2.0.10.in-addr.arpa
10.0.1.11-->10.0.2.99 DNS Q SOA 50.2.0.10.in-addr.arpa
10.0.1.11-->10.0.2.99 DNS Q SOA 50.2.0.10.in-addr.arpa
10.0.1.11-->10.0.2.99 DNS Q SOA 50.2.0.10.in-addr.arpa
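Added example, not part of the question and not Microsoft's code: a small Python model of the discovery pattern visible in the capture above. The DHCP server hands the client's FQDN (and its reverse name) to the DNS servers it has been given, asks for SOA, walks up the name one label at a time until an SOA comes back, and addresses the dynamic update to that zone's primary master. Everything in it is constructed: the server IPs, the zone data and the `FakeDnsServer` stand-in are assumptions for illustration, and the scenario where one server knows no zone while 10.0.1.11 answers is a constructed case, not a claim about why the poster's setup failed.

```python
"""Model of how a DHCP server locates the server for a dynamic DNS update.

Constructed example. The resolver data below is invented; it mirrors the
pattern in the packet capture: SOA queries for the FQDN and the reverse
name, walking toward the root until a zone answers, then sending the
UPDATE to the zone's primary master (the SOA MNAME).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Soa:
    zone: str        # zone apex, e.g. "dmz.example.com"
    mname: str       # primary master named in the SOA record
    master_ip: str   # where an UPDATE for this zone would be sent


@dataclass
class FakeDnsServer:
    """Stand-in for a DNS server; it only answers SOA queries (constructed)."""
    ip: str
    zones: dict[str, Soa] = field(default_factory=dict)
    queries: list[str] = field(default_factory=list)   # log of queries seen

    def query_soa(self, name: str) -> Soa | None:
        self.queries.append(f"Q SOA {name}")
        return self.zones.get(name.rstrip(".").lower())


def reverse_name(ip: str) -> str:
    """10.0.2.50 -> 50.2.0.10.in-addr.arpa (what the PTR update targets)."""
    return ipaddress.ip_address(ip).reverse_pointer


def soa_walk(server: FakeDnsServer, fqdn: str) -> Soa | None:
    """Ask for SOA at fqdn, then at each parent, until one is found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        soa = server.query_soa(".".join(labels[i:]))
        if soa is not None:
            return soa
    return None


def find_update_target(option_006: list[str],
                       servers: dict[str, FakeDnsServer],
                       fqdn: str) -> tuple[str, Soa] | None:
    """Try the option-006 servers in preference order.

    Returns (server_ip, soa) for the first server whose SOA walk yields a
    zone, or None if none of them can say who is authoritative.
    """
    for ip in option_006:
        server = servers.get(ip)
        if server is None:
            continue
        soa = soa_walk(server, fqdn)
        if soa is not None:
            return ip, soa
    return None


def build_lab() -> dict[str, FakeDnsServer]:
    """Constructed lab: 10.0.1.11 holds the zones, 10.0.2.99 knows none."""
    dc1 = FakeDnsServer("10.0.1.11", zones={
        "dmz.example.com": Soa("dmz.example.com", "dc1.example.com", "10.0.1.11"),
        "2.0.10.in-addr.arpa": Soa("2.0.10.in-addr.arpa", "dc1.example.com", "10.0.1.11"),
    })
    other = FakeDnsServer("10.0.2.99")   # assumption: no zone data at all
    return {s.ip: s for s in (dc1, other)}


if __name__ == "__main__":
    lab = build_lab()
    client_ip = "10.0.2.50"
    for opt006 in (["10.0.2.99"], ["10.0.2.99", "10.0.1.11"]):
        for name in ("foo.dmz.example.com", reverse_name(client_ip)):
            hit = find_update_target(opt006, lab, name)
            print(opt006, name, "->", hit[1].master_ip if hit else "no zone found")
    print("queries seen by 10.0.2.99:", lab["10.0.2.99"].queries)
```

Running it shows the SOA walk on each listed server (`Q SOA foo.dmz.example.com`, `Q SOA dmz.example.com`, and so on) and that the update target only resolves once a server in the list can return an SOA for the zone, which is the behaviour the capture suggests the scope's 006 list drives.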
0 Answers