Bug #10158 (closed)

DHCP client hostname request does not go into master in an HA config

Added by s w over 5 years ago. Updated over 5 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: DHCP (IPv4)
Target version: -
Start date: 01/03/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

Setup:
Two identical pfSense (7100 by Netgate) firewalls, using multiple VLANs. DHCP, static and dynamic, works fine. Failover works fine.

However, when a client requested a DHCP lease AND offered its hostname, then for some reason the backup DHCP server answered and entered the name-to-IP mapping into the backup DNS lists of unbound. I verified that this is happening and the name shows in /var/unbound/dhcpleases_entries.conf on the backup FW only. My solution was to put a FW rule on that interface blocking UDP port 67 to the LAN address (not the CARP IP). This way only the DHCP server that owns the CARP IP gets the requests. I understand that the base and skew values should be honored by DHCP, but there is no way to tell it to listen on that IP, and it probably does not read the CARP config nor does it know about it. Just using the CARP IP as GW and DNS would not tell DHCP that info either. The point of using peer IPs in the DHCP config is also not helping there, and while the DHCP info gets synced between the DHCP instances on master and backup, the DNS info did not in the case that a client requested a particular hostname. Unless I made a config error, there is, in my opinion, a bug in the operation of CARP/DHCP/DNS/hostname-request.

I think the reason why the backup DHCP server responded (faster) is because the master may have been busy doing its master duties. By definition of the DHCP operation the client will communicate with the first responding DHCP server.

To reproduce, I would have an HA config, then keep the master busy with traffic, then make a DHCP request with a client-supplied hostname. The backup may respond and sync its lease with the master, but the unbound registration only happens on the backup. Next time the master has an unbound config change it may overwrite the backup leases/files. I verified the presence of the DNS entry by looking at the lease files on both backup and master, and did a host lookup with the requested name from backup and master, and only the backup knew the requested hostname after the lease was given out.

If DHCP did not use unbound but "named", where DNS registrations are done over the network instead of by writing to files, this would not be an issue.
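The divergence described in the report (lease synced to the master, hostname registered in unbound only on the backup) can be checked without a DNS query by comparing the master's synced dhcpd.leases against each node's unbound dhcpleases_entries.conf. The script below is an added example, not part of the original report or of pfSense; the sample lease and unbound data are constructed, and the file formats (ISC dhcpd.leases blocks with client-hostname, unbound local-data A records as pfSense's dhcpleases writes them) are assumed from the paths the reporter names.

```python
import re

# Constructed sample of the ISC dhcpd.leases file as it would look on the master
# after the lease handed out by the backup has been synced over (assumed format).
MASTER_LEASES = """\
lease 192.168.10.50 {
  starts 4 2020/01/02 10:00:00;
  ends 4 2020/01/02 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.10.51 {
  starts 4 2020/01/02 10:05:00;
  ends 4 2020/01/02 12:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "printer";
}
lease 192.168.10.52 {
  starts 4 2020/01/02 10:06:00;
  ends 4 2020/01/02 12:06:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# Constructed /var/unbound/dhcpleases_entries.conf contents for each node
# (assumed format: unbound local-data / local-data-ptr lines).
MASTER_UNBOUND = """\
local-data-ptr: "192.168.10.51 printer.example.lan"
local-data: "printer.example.lan IN A 192.168.10.51"
"""
BACKUP_UNBOUND = """\
local-data-ptr: "192.168.10.50 laptop.example.lan"
local-data: "laptop.example.lan IN A 192.168.10.50"
local-data-ptr: "192.168.10.51 printer.example.lan"
local-data: "printer.example.lan IN A 192.168.10.51"
"""

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
HOSTNAME_RE = re.compile(r'client-hostname\s+"([^"]+)"')
# FQDN may carry a trailing dot; the IP is everything up to the closing quote.
LOCAL_DATA_RE = re.compile(r'local-data:\s*"([^"\s]+?)\.?\s+IN\s+A\s+([^"\s]+)"')


def leases_with_hostname(leases_text):
    """Map lower-cased client-hostname -> IP for every active lease."""
    out = {}
    for ip, body in LEASE_RE.findall(leases_text):
        if 'binding state active' not in body:
            continue
        m = HOSTNAME_RE.search(body)
        if m:
            out[m.group(1).lower()] = ip
    return out


def unbound_a_records(unbound_text, domain):
    """Map short hostname -> IP for local-data A records under `domain`."""
    out = {}
    suffix = '.' + domain.lower()
    for fqdn, ip in LOCAL_DATA_RE.findall(unbound_text):
        fqdn = fqdn.lower()
        if fqdn.endswith(suffix):
            out[fqdn[:-len(suffix)]] = ip
    return out


def missing_registrations(leases_text, unbound_text, domain):
    """Hostnames in the (synced) lease file that this node's unbound does not resolve."""
    leases = leases_with_hostname(leases_text)
    registered = unbound_a_records(unbound_text, domain)
    return {name: ip for name, ip in leases.items() if registered.get(name) != ip}


def only_on_backup(master_unbound, backup_unbound, domain):
    """A records the backup registered that the master lacks or maps differently."""
    master = unbound_a_records(master_unbound, domain)
    backup = unbound_a_records(backup_unbound, domain)
    return {name: ip for name, ip in backup.items() if master.get(name) != ip}


if __name__ == "__main__":
    print("master lacks:", missing_registrations(MASTER_LEASES, MASTER_UNBOUND, "example.lan"))
    print("backup only:", only_on_backup(MASTER_UNBOUND, BACKUP_UNBOUND, "example.lan"))
```

On a real pair, feed the two functions the files copied from each node (for example over scp); a non-empty result for the master is the condition the reporter observed, since the lease reached the master through sync but the unbound registration did not.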

#1

Updated by Jim Pingle over 5 years ago

  • Category set to DHCP (IPv4)
  • Status changed from New to Duplicate
  • Priority changed from High to Normal

This is a known issue -- it's a limitation of ISC DHCPD. Nothing we can do. We are not going to put a full-featured authoritative name server on the firewall by default, but if you want to set up the BIND package (or better yet, an external name server), feel free.

Duplicate of #4061
