[Freeipa-users] pfSense DHCP to IPA's BIND dynamic updates success

John Keates john at keates.nl
Tue Sep 8 22:59:27 UTC 2015


So I was having a DNS mess the other day and decided to clean it up.
Before, I was running Unbound on pfSense which then had a domain override to the IPA box. It would forward all queries and IPA-wise all was well.
Problem was that the domain was also used for a bunch of other things, like the outside world, and DHCP leases, because I want to be able to FQDN my machines and VM’s.

At first, I thought I could somehow make a weird multi-master setup, or have Unbound rewrite queries or selectively forward or ignore the authoritative status of DNS servers, but
that’s a rather nasty hackish way to attempt to fix things, so I went for the option to have DHCPd feed its leases and updates to BIND, and make Unbound the 2nd DNS server in case of an IPA meltdown.

This turned out to be not-so-easy as you can’t use GSSAPI on the pfSense box and the IPA interface doesn’t allow you to create keys just like that. Solution? Manual edits!
Now, I’m not sure if they will be preserved, but since I was using SaltStack to manage pretty much everything config-wise, I just make sure it keeps my settings around.

Here is how to configure things:

BIND-side:

1. Open /etc/named.conf in a root editor
2. Insert a key like this:

key "dhcp-key" {
   algorithm   hmac-md5;
   secret      "base64_string_here=";
};

Where the string "dhcp-key" can be anything, but you should remember what you put in there.
The secret is a base64 string; if you are slightly clueless about that, use: echo "yoursecrethere" | base64
and you will get your base64 string. Stick it in between the quotes and you’re good.

3. Next, log in to the IPA UI and go to the Zone you’d like to have DHCP dynamically push to.
4. Click settings and turn on “Dynamic update” if it’s not on already
5. Add an update policy, in this format:

grant dhcp-key wildcard * ANY;

This is rather insecure as you give anything that authenticates using the key called “dhcp-key” full update rights for all types on that zone.
So if you want to restrict it, do so as you please. I believe it at least wants A and AAAA records and probably TXT.

6. Click the update button and you are all set on this end. Note: if you want to have reverse lookups as well, you have to repeat step 5 for the reverse zone too!
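As an added example (not from John's post or from FreeIPA), a small shell script that generates the TSIG secret with real entropy instead of a hand-typed password, renders the named.conf key stanza and an update policy narrower than the ANY grant above, and writes an nsupdate batch so the key and policy can be checked before pfSense is pointed at them. The key name, zone and server name are placeholders.

```shell
#!/bin/sh
# Constructed example, not code from the original post.
# Assumes openssl and nsupdate are installed; key name, zone and
# server name used below are placeholders.

# 32 random bytes, base64-encoded: same format as the "secret" field in
# named.conf, but not derived from a guessable phrase via echo | base64.
gen_secret() {
    openssl rand -base64 32
}

# Render the named.conf key stanza. The post uses hmac-md5 to match the
# pfSense DHCP page; BIND itself also accepts hmac-sha256 here.
key_stanza() {
    name=$1; alg=$2; secret=$3
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' \
        "$name" "$alg" "$secret"
}

# Update policies limited to the record types DHCP registration needs,
# instead of ANY: A/AAAA/TXT for the forward zone, PTR for the reverse zone.
forward_policy() { printf 'grant %s wildcard * A AAAA TXT;\n' "$1"; }
reverse_policy() { printf 'grant %s wildcard * PTR;\n' "$1"; }

# nsupdate batch that adds one A record, so the key and policy can be
# exercised from any host before trusting the pfSense integration.
nsupdate_batch() {
    server=$1; zone=$2; host=$3; ip=$4
    printf 'server %s\nzone %s\nupdate add %s.%s 3600 A %s\nsend\n' \
        "$server" "$zone" "$host" "$zone" "$ip"
}

main() {
    secret=$(gen_secret)
    key_stanza dhcp-key hmac-md5 "$secret"
    forward_policy dhcp-key
    reverse_policy dhcp-key
    # Feed the batch to nsupdate, signed with the same key BIND was given:
    #   nsupdate -y "hmac-md5:dhcp-key:$secret" batch.txt
    nsupdate_batch ipa.example.test example.test testhost 10.0.0.50
}
```

Run the script once to get the stanza for named.conf and the policy lines for the IPA zone settings; the same base64 secret then goes into the pfSense DHCP page.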

pfSense-side:

1. In pfSense, go to the DHCP server page
2. Enable "Enable registration of DHCP client names in DNS."
3. Enter the domain name of the zone you configured in IPA for dynamic updates
4. Enter the required fields (IP of the IPA server, the key name (which is dhcp-key in this example) and the base64 string you generated)
5. Press save and you’re good!

A few extras:

- You could add IPA as an NTP server here as well
- You should add the IPA server as the 1st DNS server
- You can add pfSense as the 2nd DNS server if you like

Please remember that at this point no DNS-related stuff on pfSense is used anymore as all clients will talk to IPA for their DNS needs from now on.
If all you need is the one domain name, for example, if you use a unique domain just for internal IPA use, you’re better off using the domain override.

I hope this helps someone, and might work as a basis for more robust and secure configuration, as this is something I just came up with today in a test environment.

John