From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: DHCP and Unbound Integration
Date: Fri, 19 Nov 2021 11:32:11 +0000
Message-ID: <8FC96470-D754-45A2-81D3-E92279DB9E3E@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
List-Id:

Hello Paul,

Nice to e-meet you.

> On 2 Nov 2021, at 13:37, paul kairis wrote:
>
> I had an email exchange with Adolf Belka and he suggested I join the DEV list and post my issues there.

Yes, this is absolutely the right place.

> The way I understand it is that the DHCP table should match the Unbound table at any given time.

Yes.

> Example
>
> I install linux on ssd and move the ssd to a laptop and deploy on the network. I use a fast system i7-7700K to install linux, do post-install configurations, shutdown, move the ssd to a laptop (e6500), and boot. DHCP server gets confused since now I have two different mac, two different ip, and the same host.
>
> 10.0.0.33 f4:6d:04:76:60:f8 mx 28/10/2021 06:04:27 <==== i7-7700K mac
>
> 10.0.0.50 78:24:af:3e:18:53 mx 28/10/2021 06:10:31 <==== laptop e6500 mac
>
> Unbound is confused, it tries to resolve mx to 10.0.0.50 but a reverse lookup shows 10.0.0.33. Even if I run my 3-line script (rst) to restart DHCP and unbound, the cache is not cleared. I have to wait 15 min which is half of the default lease time (30) for .33 to expire in DHCP and then run my script again so that unbound properly (and reverse lookup) resolves the laptop to .50
>
> Is there a way that when a system shuts down, DHCP *immediately* removes that entry from its list and, via the bridge code, unbound is notified as well to forget that (host,ip) pair, *immediately*.
> I reduced Default Lease time to 5 min, Max Lease time to 10 so I have to wait 2.5 min but then /var/log/messages keeps growing.

That is a very short lease time and I would advise against it. Especially in larger networks you will keep the system busy handing out IP addresses and create more pressure for the unbound/DHCP bridge.

DHCP clients can hand back a lease (on Windows using ipconfig /release), but in normal operation, clients are unlikely to do it. If you close a laptop's lid, it will hibernate immediately, and usually phones just leave the wireless reception area and won't even be able to tell the DHCP server that they are gone.

The usual way is that leases will time out. In that case, the bridge should remove the A and PTR record from unbound.

> Example
>
> Clients do not implement DHCPRELEASE. Per the RFC, this is optional. I shut down my laptop (e6500) but when I look at ipfire > Network > DHCP server, the entry is still there for a few min till the lease expires.

Yes, this is what I would expect from most clients.

> Example
>
> I come to a party, the DHCP server is at the door. Hi, I am e6500 and would like to enter. Sure, DHCP server says, your ip is 10.0.0.33, then the bridge updates Unbound with pair (e6500,10.0.0.33). I walk around the party with a tag (e6500,10.0.0.33). I mingle with people, ping, ssh by name or ip ... all good. I leave the party but DHCP has no knowledge I left till the lease expires. So for the next 5-10 min, I'm still shown in the party even though I left. What I'd like is a complete sync between the DHCP table and the Unbound table. pfSense does that but it is BSD which I don't know much about.

Yes, this is the protocol design. I do not know what else I can say about it :)

Do you think there is a bug here anywhere?
-Michael

> Regards,
>
> Pavlos Kairis
>
> REF:
>
> https://community.ipfire.org/t/dhcp-hosts-not-reliably-propagated-to-dns/3431/37
>
> Appendix
>
> First script is dns_verify (adjusted for my network 10.0.0.*)
>
> This script uses dig to do a lookup for an ip, get the name, then do a reverse lookup using the name to make sure they are the same ip.
>
> #### dns_verify see https://calomel.org/dns_verify.html
> #
> i=0                 ## counter of addresses that round-trip correctly
> NETS="10.0.0"       ## network prefix(es) to scan
> IPS=$(seq 1 60)     ## host part range (for Linux)
> DNS="@10.0.0.1"     ## DNS server to query
> #
> echo
> echo -e "\tip \t-> hostname \t\t-> ip"
> echo '-----------------------------------------------------------'
> for NET in $NETS; do
>   for n in $IPS; do
>     A=${NET}.${n}
>     ## reverse lookup: address -> name
>     HOST=$(dig "$DNS" -x "$A" +short)
>     if test -n "$HOST"; then
>       ## forward lookup of that name must give the same address back
>       ADDR=$(dig "$DNS" "$HOST" +short)
>       if test "$A" = "$ADDR"; then
>         echo -e "ok\t$A \t-> $HOST \t\t-> $ADDR"
>         ((i++))
>       elif test -n "$ADDR"; then
>         echo -e "fail\t$A \t-> $HOST \t\t-> $ADDR"
>       else
>         echo -e "fail\t$A \t-> $HOST \t\t-> [unassigned]"
>       fi
>     fi
>   done
> done
> echo ""
> echo "$i" "hosts DONE."
>
> Second script is watchDNS. I'm running watchDNS and every 5 sec, it clears the screen and shows me what Unbound has in its table. I turn on the e6500 laptop. Unbound does not show it since the bridge fails to register that change. But if I look at the ipfire > Network > DHCP server, I see that e6500 got a 10.0.0.33. I run my 3-line script to restart DHCP and unbound, e6500 shows up! Wait a few min, then shut down the laptop. DHCP will keep the lease until lease time expires (could be in 5, 10, 15 min) even though the laptop is gone from the network. If you run watchDNS, you see the laptop still has 10.0.0.33 and unbound is not notified to remove that entry.
> while true; do
>   clear
>   echo '+--------------------------------------------------------+'
>   echo '|              DNS info every 5 seconds                  |'
>   echo '+--------------------------------------------------------+'
>   . dns_verify
>   sleep 5
> done
>
> Third script is rst. It restarts DHCP and Unbound (and the bridge)
>
> /etc/init.d/dhcp stop
> /etc/init.d/dhcp start
> /etc/init.d/unbound restart
>
> END OF DOCUMENT
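The thread turns on two things: which A/PTR records a lease table implies at a given moment (and why the "same hostname, two live leases" case produces a forward/reverse mismatch until the old lease expires), and the round-trip check that dns_verify performs with dig. The following Python is an added example written for this page, not IPFire's bridge code, and it makes no claim about how the real bridge is implemented. It parses a constructed ISC dhcpd.leases snippet built from the two leases in Paul's mail (plus one already-freed lease), derives the expected records at a chosen time, diffs them against a constructed snapshot of what the resolver currently holds, and runs the dns_verify logic offline against those in-memory tables. The local domain `lan.example` and the helper names (`utc`, `expected_records`, `diff_records`, `verify`) are assumptions of the example.

```python
"""Model of the DHCP-lease -> DNS sync problem discussed in the thread.

Added example, not IPFire's bridge. All input data below is constructed.
"""
import re
from datetime import datetime, timezone

DOMAIN = "lan.example"  # assumed local zone; a real system takes this from its config

# Constructed dhcpd.leases snippet: Paul's two "mx" leases (two MACs, two IPs,
# one hostname) and one lease that has already been handed back.
LEASES_TEXT = """
lease 10.0.0.33 {
  starts 4 2021/10/28 06:04:27;
  ends 4 2021/10/28 06:34:27;
  binding state active;
  hardware ethernet f4:6d:04:76:60:f8;
  client-hostname "mx";
}
lease 10.0.0.50 {
  starts 4 2021/10/28 06:10:31;
  ends 4 2021/10/28 06:40:31;
  binding state active;
  hardware ethernet 78:24:af:3e:18:53;
  client-hostname "mx";
}
lease 10.0.0.40 {
  starts 4 2021/10/28 05:00:00;
  ends 4 2021/10/28 05:30:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "printer";
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)


def utc(stamp):
    """Parse an ISC-style 'YYYY/MM/DD HH:MM:SS' stamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return one dict per lease block with ip, ends, state, mac and hostname."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        ends = re.search(r"ends\s+\d\s+([\d/]+ [\d:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname\s+"([^"]+)";', body)
        if not (ends and state):
            continue  # malformed block: skip rather than guess
        leases.append({
            "ip": m.group("ip"),
            "ends": utc(ends.group(1)),
            "state": state.group(1),
            "mac": mac.group(1).lower() if mac else None,
            "hostname": host.group(1).lower() if host else None,
        })
    return leases


def expected_records(leases, now, domain=DOMAIN):
    """A and PTR records implied by the lease table at time `now`.

    Only active, unexpired leases with a hostname count. If one hostname has
    several live leases, the newest lease wins the A record but every live IP
    keeps a PTR, which is exactly the asymmetry Paul's reverse lookup showed.
    """
    a, ptr = {}, {}
    live = [l for l in leases if l["state"] == "active" and l["ends"] > now and l["hostname"]]
    for l in sorted(live, key=lambda l: l["ends"]):  # oldest first, newest overwrites
        fqdn = f"{l['hostname']}.{domain}"
        a[fqdn] = l["ip"]
        ptr[l["ip"]] = fqdn
    return a, ptr


def diff_records(current, expected):
    """Return (to_add, to_remove) as (key, value) lists to bring `current` in line."""
    to_add = [(k, v) for k, v in expected.items() if current.get(k) != v]
    to_remove = [(k, v) for k, v in current.items() if expected.get(k) != v]
    return to_add, to_remove


def verify(a, ptr):
    """Offline equivalent of dns_verify: every PTR must round-trip through A."""
    results = []
    for ip, host in sorted(ptr.items(), key=lambda kv: [int(o) for o in kv[0].split(".")]):
        addr = a.get(host)
        status = "ok" if addr == ip else ("fail" if addr else "fail [unassigned]")
        results.append((status, ip, host, addr))
    return results


if __name__ == "__main__":
    leases = parse_leases(LEASES_TEXT)
    for when in ("2021/10/28 06:15:00", "2021/10/28 06:35:00"):
        a, ptr = expected_records(leases, utc(when))
        print(f"--- at {when} UTC ---")
        for status, ip, host, addr in verify(a, ptr):
            print(f"{status}\t{ip} -> {host} -> {addr or '[unassigned]'}")
```

At 06:15 both leases are live, so the forward record for mx already points at 10.0.0.50 while 10.0.0.33 still reverse-resolves to mx and the check reports "fail" for .33; at 06:35 the .33 lease has expired, the PTR for it drops out of the expected set, and `diff_records` lists it for removal, which is the "leases time out, bridge removes A and PTR" behaviour Michael describes.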