IP Reverse DNS Resolution

Thibault Le Meur Thibault.LeMeur at supelec.fr
Thu Sep 13 16:40:55 CEST 2007


Hi,
 
> I currently have an IPSEC/L2TP setup that uses FreeRadius (for
> Active Directory auth). Radius is handing out the IP
> addresses to the clients. Is there a way to have it update my
> DNS server so it can create reverse-dns entries for them?

Yes, it is.

In acct_users make a rule that runs a custom program at Acct-Start and
Acct-Stop time:

DEFAULT NAS-IP-Address == A.B.C.D, Acct-Status-Type == Start
        Exec-Program = "/path/to/dnsupdate/acct-nsupdate.sh"

Then your acct-nsupdate.sh can use the "nsupdate" tool to update the DNS
server.

Note these interesting parameters that are available in the environment:
# ACCT_STATUS_TYPE = Start | Stop
# FRAMED_IP_ADDRESS = attributed IP address
# NAS_PORT
# USER_NAME
# ACCT_TERMINATE_CAUSE=User-Request (in normal case when Type=Stop)
# NAS_IP_ADDRESS

These parameters can be used to build $newhostname, $assignedipaddr and the
$A, $B, $C, $D decimal octets of the assigned IP address.

For instance adding an IP:
nsupdate -k $KEYFILE > /dev/null << EOF
server $SERVER
zone $ZONE
prereq yxdomain $ZONE
update delete $newhostname A
update add $newhostname $TTL A $assignedipaddr
send
EOF
(This is with secure update; KEYFILE holds the TSIG key file, see
man dnssec-keygen.)

Then updating reverse DNS:
nsupdate -k $KEYFILE > /dev/null << EOF
server $SERVER
zone $ZONEREV
prereq yxdomain $ZONEREV
update delete $D.$C.$B.$A.in-addr.arpa. PTR
update add $D.$C.$B.$A.in-addr.arpa. $TTL PTR $newhostname
send
EOF

HTH,
Thibault
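A complete acct-nsupdate.sh along the lines sketched in the reply above, as an added example that is not the poster's own script and not part of the original thread. It handles both Acct-Start (replace the A and PTR records) and Acct-Stop (remove them), reads the attributes FreeRADIUS exports to the environment (ACCT_STATUS_TYPE, FRAMED_IP_ADDRESS, USER_NAME), and refuses anything that is not a dotted-quad IPv4 address before it reaches nsupdate. The server, zone, TTL and key-file values are assumed placeholders; the realm-stripping and label-sanitising of User-Name are the example's own choices, not something FreeRADIUS or nsupdate does for you.

```shell
#!/bin/sh
# acct-nsupdate.sh -- added illustration of a FreeRADIUS Exec-Program accounting hook.
# Not the original poster's script. FreeRADIUS exports request attributes to the
# environment with '-' replaced by '_' (ACCT_STATUS_TYPE, FRAMED_IP_ADDRESS, USER_NAME).
# Every server/zone/key setting below is an assumed example value.
LC_ALL=C; export LC_ALL

SERVER="${SERVER:-127.0.0.1}"
ZONE="${ZONE:-vpn.example.com.}"                  # forward zone, trailing dot
ZONEREV="${ZONEREV:-0.168.192.in-addr.arpa.}"      # reverse zone for the 192.168.0.0/24 pool
KEYFILE="${KEYFILE:-/etc/freeradius/Kvpn-update.+157+00000.private}"  # TSIG key from dnssec-keygen
TTL="${TTL:-300}"

# Accept only a dotted-quad IPv4 address; anything else (shell metacharacters included)
# is rejected before it can be interpolated into an nsupdate batch.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Turn a User-Name (DOMAIN\user or user@realm are common with AD) into a safe DNS label:
# strip the realm, lowercase, replace anything outside [a-z0-9-], squeeze and trim '-',
# cap at the 63-octet label limit.
hostname_for_user() {
    label=$(printf '%s' "$1" | cut -d@ -f1 | tr 'A-Z' 'a-z' \
            | sed 's/[^a-z0-9-]/-/g; s/--*/-/g; s/^-//; s/-$//' | cut -c1-63)
    [ -n "$label" ] || label=unknown
    printf '%s\n' "$label"
}

# 192.168.0.12 -> 12.0.168.192.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# nsupdate batch for the forward zone. Start: replace the A record; Stop: remove it,
# but only the A record carrying this session's address, in case the user reconnected.
forward_update() {   # $1 Start|Stop, $2 FQDN (trailing dot), $3 IPv4
    printf 'server %s\nzone %s\nprereq yxdomain %s\n' "$SERVER" "$ZONE" "$ZONE"
    if [ "$1" = Start ]; then
        printf 'update delete %s A\nupdate add %s %s A %s\n' "$2" "$2" "$TTL" "$3"
    else
        printf 'update delete %s A %s\n' "$2" "$3"
    fi
    printf 'send\n'
}

# nsupdate batch for the reverse zone. On Stop, the yxrrset prerequisite makes the whole
# batch a no-op if the address has already been handed to a different host, so a late
# Acct-Stop cannot wipe a newer session's PTR.
reverse_update() {   # $1 Start|Stop, $2 FQDN (trailing dot), $3 IPv4
    rev=$(reverse_name "$3")
    printf 'server %s\nzone %s\nprereq yxdomain %s\n' "$SERVER" "$ZONEREV" "$ZONEREV"
    if [ "$1" = Start ]; then
        printf 'update delete %s PTR\nupdate add %s %s PTR %s\n' "$rev" "$rev" "$TTL" "$2"
    else
        printf 'prereq yxrrset %s PTR %s\nupdate delete %s PTR %s\n' "$rev" "$2" "$rev" "$2"
    fi
    printf 'send\n'
}

main() {
    case ${ACCT_STATUS_TYPE:-} in
        Start|Stop) ;;
        *) exit 0 ;;   # Interim-Update, Accounting-On/Off: nothing to do
    esac
    if ! valid_ipv4 "${FRAMED_IP_ADDRESS:-}"; then
        echo "acct-nsupdate: refusing bad Framed-IP-Address '${FRAMED_IP_ADDRESS:-}'" >&2
        exit 1
    fi
    fqdn="$(hostname_for_user "${USER_NAME:-}").$ZONE"
    forward_update "$ACCT_STATUS_TYPE" "$fqdn" "$FRAMED_IP_ADDRESS" | nsupdate -k "$KEYFILE"
    reverse_update "$ACCT_STATUS_TYPE" "$fqdn" "$FRAMED_IP_ADDRESS" | nsupdate -k "$KEYFILE"
}

# Only act when invoked by FreeRADIUS, i.e. when the accounting attributes are present.
if [ -n "${ACCT_STATUS_TYPE:-}" ]; then
    main
fi
```

The batches are generated by functions that only print text, so they can be inspected with e.g. `ACCT_STATUS_TYPE=Start FRAMED_IP_ADDRESS=192.168.0.12 USER_NAME='EXAMPLE\jdoe' sh -x acct-nsupdate.sh` before a TSIG key is configured. Restrict the key in named.conf (update-policy) to the two zones and, ideally, to A and PTR types only, since whoever can run this script can rewrite whatever the key is allowed to touch.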
More information about the Freeradius-Users mailing list