[Freeipa-users] pfSense DHCP to IPA's BIND dynamic updates success

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 9 05:09:31 UTC 2015


On Wed, 09 Sep 2015, John Keates wrote:
>So I was having a DNS mess the other day and decided to clean it up.
>Before, I was running Unbound on pfSense which then had a domain
>override to the IPA box. It would forward all queries and IPA-wise all
>was well.  Problem was that the domain was also used for a bunch of
>other things, like the outside world, and DHCP leases, because I want
>to be able to FQDN my machines and VMs.
>
>At first, I thought I could somehow make a weird multi-master setup, or
>have Unbound rewrite queries or selectively forward or ignore the
>authoritative status of DNS servers, but that’s a rather nasty hackish
>way to attempt to fix things, so I went for the option to have DHCPd
>feed its leases and updates to BIND, and make Unbound the 2nd DNS
>server in case of an IPA meltdown.
>
>This turned out to be not-so-easy as you can’t use GSSAPI on the
>pfSense box and the IPA interface doesn’t allow you to create keys just
>like that. Solution? Manual edits!  Now, I’m not sure if they will be
>preserved, but since I was using SaltStack to manage pretty much
>everything config-wise, I just make sure it keeps my settings around.
>
>Here is how to configure things:
>
>BIND-side:
>
>1. Open /etc/named.conf in a root editor
>2. Insert a key like this:
>
>key "dhcp-key" {
>   algorithm   hmac-md5;
>   secret      "base64_string_here=";
>};
>
>Where the string “dhcp-key” can be anything, but you should remember
>what you put in there.  The Secret is a base64 string, if you are
>slightly clueless about that, use: echo "yoursecrethere" | base64
>and you will get your base64 string. Stick it in between the quotes and
>you’re good.
>
>3. Next, log in to the IPA UI and go to the Zone you’d like to have DHCP dynamically push to.
>4. Click settings and turn on “Dynamic update” if it’s not on already
>5. Add an update policy, in this format:
>
>grant dhcp-key wildcard * ANY;
>
>This is rather insecure as you give anything that authenticates using
>the key called “dhcp-key” full update rights for all types on that
>zone.  So if you want to restrict it, do so as you please. I believe it
>at least wants A and AAAA records and probably TXT.
>
>6. Click the update button and you are all set on this end. Note: if
>you want to have reverse lookups as well, you have to repeat step 5 for
>the reverse zone too!
>
>pfSense-side:
>
>1. In pfSense, go to the DHCP server page
>2. Enable "Enable registration of DHCP client names in DNS.”
>3. Enter the domain name of the zone you configured in IPA for dynamic updates
>4. Enter the required fields (IP of the IPA server, the name (which is dhcp-key in this example) and the base64 string you generated
>5. Press save and you’re good!
>
>A few extras:
>
>- You could add IPA as an NTP server here as well
>- You should add the IPA server as the 1st DNS server
>- You can add pfSense as the 2nd DNS server if you like
>
>Please remember that at this point no DNS-related stuff on pfSense is
>used anymore as all clients will talk to IPA for their DNS needs from
>now on.  If all you need is the one domain name, for example, if you
>use a unique domain just for internal IPA use, you’re better off using
>the domain override.
>
>I hope this helps someone, and might work as a basis for more robust
>and secure configuration, as this is something I just came up with
>today in a test environment.
This looks reasonable. You may want to put your key definition into something like
/etc/named/my-dhcp-keys.conf and include it from there via 'include'
statements but I think we don't upgrade named.conf after it was
originally created.

John, could you please add this to FreeIPA wiki?
-- 
/ Alexander Bokovoy
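An added illustration of the tightening both messages point at (a random secret instead of a base64-encoded passphrase, and a per-zone grant limited to the record types DHCP needs rather than `wildcard * ANY`). This is example code, not anything from the thread or from FreeIPA; the key name follows the thread, while the zone names and the use of hmac-sha256 instead of hmac-md5 are assumptions.

```python
import base64
import secrets

# Constructed sample values: the key name mirrors the thread, the zones are placeholders.
KEY_NAME = "dhcp-key"
FORWARD_ZONE = "example.test."
REVERSE_ZONE = "1.168.192.in-addr.arpa."


def make_tsig_secret(nbytes: int = 32) -> str:
    """Random TSIG secret, base64-encoded (instead of 'echo passphrase | base64')."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def render_key_stanza(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """BIND key {} block, suitable for a separate file pulled in via 'include'.
    hmac-sha256 is an assumption here; the thread uses hmac-md5."""
    base64.b64decode(secret, validate=True)  # raises ValueError if not valid base64
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


def render_update_policy(key: str, zone: str, rtypes) -> str:
    """Per-zone update-policy grant restricted to the listed record types."""
    return f'grant {key} wildcard *.{zone} {" ".join(rtypes)};'


def policy_is_overbroad(rule: str) -> bool:
    """Flag a wildcard grant that covers every name or every type, like the
    'grant dhcp-key wildcard * ANY;' rule from the thread.
    Rule shape: grant <identity> wildcard <name-pattern> [<rrtype> ...]"""
    toks = rule.strip().rstrip(";").split()
    if len(toks) < 3 or toks[0].lower() != "grant" or toks[2].lower() != "wildcard":
        return False  # only the wildcard form is checked here
    if len(toks) < 4:
        return True  # malformed rule with no name pattern; treat as too broad
    name, rtypes = toks[3], [t.upper() for t in toks[4:]]
    # No type list at all also means "all types" for a BIND grant.
    return name == "*" or not rtypes or "ANY" in rtypes


if __name__ == "__main__":
    secret = make_tsig_secret()
    print(render_key_stanza(KEY_NAME, secret))
    print(render_update_policy(KEY_NAME, FORWARD_ZONE, ["A", "AAAA", "TXT"]))
    print(render_update_policy(KEY_NAME, REVERSE_ZONE, ["PTR"]))
```

The forward-zone grant goes into the IPA zone's update policy and the PTR grant into the reverse zone's, matching step 6 of the thread.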



