Dynamic DNS Question

Alan DeKok aland at deployingradius.com
Fri Nov 9 07:33:56 CET 2007

David Mitchell wrote:
> We've run into a potential problem with our FreeRadius setup. We
> currently use per-client keys for security. We have begun testing
> dynamic DNS updates and have run into the problem of having the radius
> server fail to start because an entry in clients.conf refers to a DNS
> entry which doesn't exist. We could use only IP addresses in
> clients.conf, but that means we can't have dynamic addresses for
> clients. We could also use per-subnet keys but we really want to keep
> the increase in security afforded by having unique keys for each host.

  Is it difficult to configure the clients with static IP's?  If so, why?

> My question is two-fold. One, does anybody know of a workaround with the
> current code base I haven't thought of? Two, what sorts of requirements
> should I include if I code up patch to add this feature? Certainly I
> would guess that there would have to be a way to keep the current
> functionality where responding to authentication requests would not
> require any DNS requests. But in our dynamic DNS case, I would like the
> server to look up the reverse DNS entry of the source IP address on an
> incoming request and use that result to determine which clients.conf
> entry to use.

  This would mean that an attacker can send you packets where the source
IP has no DNS entry.  The RADIUS server would then try to resolve DNS,
and fail, potentially causing a DoS attack.

  Remember, it has to do the right thing both for the cases you want it
to work, AND for the cases where you don't want it to die.

> This would mean caching the FQDN names from the
> clients.conf file somewhere and then searching that list with the
> results of the DNS query. Or alternatively doing something more
> sophisticated such as determining the key to use based on attributes in
> the request itself. Any feedback on the direction I should take before I
> start trying to code something up would be appreciated. Thanks in advance,

  I would suggest having a two-level client definition.  One, define a
network/mask for such dynamic clients.  Two, define a mapping of
secrets, based on the attributes in the packet.

  Alan DeKok.

More information about the Freeradius-Devel mailing list