gareth (Apprentice, Joined: 15 Nov 2003, Posts: 234, Location: UK)
Posted: Sat Nov 20, 2004 4:48 pm, Post subject: BIND as a caching DNS server
Any BIND gurus out there?
I have a local network of three machines, one of which is a Gentoo machine I use as a Samba/DNS/mail etc. server for fun, and to learn; and two Windows machines. The three machines are on a hub, and also plugged in is an ADSL router (one of the simple Conexant chip ones).
I've created a zone file for static IP machines - currently the server and the router (I'll look at configuring Dynamic DNS for the two Windows machines later), and it seems to work OK.
But being the inquisitive type, I ran the Ethereal packet sniffer on one of the Windows machines, and noticed that BIND wasn't caching my queries. I used ping on the Windows machine to ping web sites.
My setup is to use the 'forward' directive within the named.conf file to point my server at the router's built-in DNS server if the server can't find anything in its cache. My thinking is that BIND should ask the router the first time it is queried for a 'new' site, and subsequently cache this for future use. When I run a ping for the first time, Ethereal shows this:
```
No. Time     Source                      Destination                 Protocol Info
28  2.493896 10.0.0.145                  server.garethwilliams.me.uk DNS      Standard query A www.gentoo.org
29  2.495491 server.garethwilliams.me.uk router.garethwilliams.me.uk DNS      Standard query A www.gentoo.org
31  2.520749 router.garethwilliams.me.uk server.garethwilliams.me.uk DNS      Standard query response A 65.19.163.231 A 66.45.74.45 A 199.246.73.203
32  2.522168 server.garethwilliams.me.uk 10.0.0.145                  DNS      Standard query response A 199.246.73.203 A 65.19.163.231 A 66.45.74.45
35  2.534230 10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
36  2.748464 www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
47  3.535625 10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
48  3.657501 www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
59  4.537117 10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
60  4.662440 www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
71  5.543504 10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
72  5.689423 www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
```
(I've filtered on DNS or ICMP packets so that it doesn't display the multitude of SMB/NetBIOS junk that Windows kicks out - hence the non-contiguous line numbers).
If I leave it for long enough for Windows to forget the cached entries and ask DNS when it pings, I get the same result: In lines 29 & 30, the server (running BIND) queries the router (running its own DNS) for info on www.gentoo.org. Surely, if it's a caching name server, then it should have these details in its cache!
I've looked through example setups on the Internet, and can't see any pointers to how long BIND caches DNS entries, and all the zone files I've created are for the localhost and my local network (garethwilliams.me.uk).
Anyone any ideas?
Thanks in advance,
Gareth
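As an added example (not from the thread), the following Python classifies each client lookup in a capture like the one above as "forwarded" (the server had to ask the router first) or "cache" (the server answered on its own), by pairing every server-to-router query with the client query it serves. It assumes the Ethereal column order shown (No., Time, Source, Destination, Protocol, Info) and the host names from the post; frames 101 and 102 are constructed to show what a cache hit looks like, which is what a second ping should produce.

```python
"""Classify each client DNS lookup in an Ethereal/Wireshark-style capture as
answered from the local BIND cache or forwarded to the upstream resolver."""
import re

# Names assumed from the thread: the BIND box and the ADSL router it forwards to.
SERVER = "server.garethwilliams.me.uk"
UPSTREAM = "router.garethwilliams.me.uk"

# Frames 28-35 are the thread's capture; frames 101-102 are constructed to show
# a second lookup that BIND answers itself (no server -> router query in between).
SAMPLE_CAPTURE = """\
No. Time Source Destination Protocol Info
28 2.493896 10.0.0.145 server.garethwilliams.me.uk DNS Standard query A www.gentoo.org
29 2.495491 server.garethwilliams.me.uk router.garethwilliams.me.uk DNS Standard query A www.gentoo.org
31 2.520749 router.garethwilliams.me.uk server.garethwilliams.me.uk DNS Standard query response A 65.19.163.231 A 66.45.74.45 A 199.246.73.203
32 2.522168 server.garethwilliams.me.uk 10.0.0.145 DNS Standard query response A 199.246.73.203 A 65.19.163.231 A 66.45.74.45
35 2.534230 10.0.0.145 www.gentoo.org ICMP Echo (ping) request
101 60.100000 10.0.0.145 server.garethwilliams.me.uk DNS Standard query A www.gentoo.org
102 60.101500 server.garethwilliams.me.uk 10.0.0.145 DNS Standard query response A 199.246.73.203 A 65.19.163.231 A 66.45.74.45
""".splitlines()

# Old Ethereal prints "Standard query A name"; newer Wireshark inserts "0x<id>".
QUERY_RE = re.compile(r"Standard query (?:0x[0-9a-fA-F]+ )?(?P<type>[A-Z]+) (?P<name>\S+)")
RESPONSE_RE = re.compile(r"Standard query response")


def parse_line(line):
    """Return (frame_no, src, dst, info) for a DNS frame, else None."""
    parts = line.split(None, 5)
    if len(parts) != 6 or parts[4] != "DNS":
        return None
    no, _time, src, dst, _proto, info = parts
    return int(no), src, dst, info


def classify_lookups(lines, server=SERVER, upstream=UPSTREAM):
    """For every answer the server sends a client, report whether the server
    had to ask upstream for that name first ("forwarded") or not ("cache")."""
    outstanding = {}   # (src, dst) -> name of the query still awaiting its reply
    forwarded = set()  # names the server sent upstream, not yet answered to a client
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        no, src, dst, info = rec
        query = QUERY_RE.search(info)
        if query:
            outstanding[(src, dst)] = query.group("name")
            if src == server and dst == upstream:
                forwarded.add(query.group("name"))
            continue
        if RESPONSE_RE.search(info):
            # Old Ethereal omits the name from responses: pair by the reverse tuple.
            name = outstanding.pop((dst, src), None)
            if name is None or src != server or dst == upstream:
                continue
            status = "forwarded" if name in forwarded else "cache"
            forwarded.discard(name)
            results.append((no, dst, name, status))
    return results


def summarize(results):
    """Count answers by status; a working cache shows "cache" for repeat lookups."""
    counts = {"forwarded": 0, "cache": 0}
    for _no, _client, _name, status in results:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for no, client, name, status in classify_lookups(SAMPLE_CAPTURE):
        print(f"frame {no}: {client} asked for {name}: {status}")
    print(summarize(classify_lookups(SAMPLE_CAPTURE)))
```

Run it over a longer filtered capture: if repeat lookups of the same name keep coming back as "forwarded", the server is not serving them from cache, which is exactly the symptom described above.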

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 5:21 pm
could you post your bind configuration?
cheers
SteveB

gareth (Apprentice, Joined: 15 Nov 2003, Posts: 234, Location: UK)
Posted: Sat Nov 20, 2004 5:29 pm
Here is my named.conf:
```
logging {
    channel to_file {
        file "/var/log/bind.log";
    };
    category default {to_file;};
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "oxGqmCbuKxJjWWVwEk8FzQ==";
};
options {
    directory "/var/bind";
    # Ask router's DNS for non-local queries.
    forwarders {10.0.0.2;};
    # Let router's DNS find out the answer, don't do it ourselves.
    forward only;
    # Only queries from local net.
    allow-query {"localnets";};
    # Don't do zone-transfers to anyone!
    allow-transfer{"none";};
};
# Not using this, as the router's DNS will find the answers for us
# using the 'forward' options above.
#zone "." IN {
#    type hint;
#    file "named.ca";
#};
# zone info for localhost
zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
};
# reverse lookup zone info for localhost
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "pri/127.zone";
};
# zone info for local machines
zone "garethwilliams.me.uk" IN {
    type master;
    file "pri/garethwilliams.me.uk.zone";
};
# reverse lookup zone info for local machines
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "pri/0.0.10.in-addr.arpa.zone";
};
```
Please ignore the first few lines. I've not even got round to looking at them yet!!!!
Thanks,
Gareth

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 6:03 pm
you miss several points in your configuration. if you want, i could post a configuration i would use in your situation. but before i continue, let me ask you several things:
- do you use dhcp in your setup?
- what is the ip of the router?
- what is the ip of the server?
- what is your internal network range (10.0.0.0/24)?
cheers
SteveB

gareth (Apprentice, Joined: 15 Nov 2003, Posts: 234, Location: UK)
Posted: Sat Nov 20, 2004 6:35 pm
I use the DHCP server on the router. Unfortunately, it doesn't update the DNS server on the router, which is the real reason I started to play with BIND (and also to get DNS for my local machines).
At first, I had DHCP and DNS running on the server (can't remember which package), but with that setup, I trashed the server while playing around, and couldn't get onto the Internet to search/ask for help!
The Conexant router is set to the factory default of 10.0.0.2.
I've put my server at 10.0.0.3.
I use 10.0.0.0/24 for the network.
Thanks for your help with this. I could give up and use a simpler DNS server, but that's a defeatist attitude, isn't it?
Thanks,
Gareth

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 6:48 pm
> gareth wrote:
> I use the DHCP server on the router. Unfortunately, it doesn't update the DNS server on the router, which is the real reason I started to play with BIND (and also to get DNS for my local machines).
> At first, I had DHCP and DNS running on the server (can't remember which package), but with that setup, I trashed the server while playing around, and couldn't get onto the Internet to search/ask for help!
> The Conexant router is set to the factory default of 10.0.0.2.
> I've put my server at 10.0.0.3.
> I use 10.0.0.0/24 for the network.
> Thanks for your help with this. I could give up and use a simpler DNS server, but that's a defeatist attitude, isn't it?
> Thanks,
> Gareth

okay. then allow me to be the bad guy and show you how to configure dhcp and bind to allow you to manage local clients and allow dhcpd to update your bind server automatically.
first create a key for the dhcp updater:
```
cd /etc/dhcp
dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
sed -n "s/^Key: \(.*\)$/\1/gIp" *.private
```
the above command will print your key to the console. now use this key and change in your /etc/bind/named.conf the line with secret "xxxxx" under the section key "dhcp_updater" and replace the xxx in the quotes with the key you just generated.
replace your current /etc/bind/named.conf configuration with the following one (please backup your old one first):
```
# /etc/bind/named.conf
// Set up our ACLs
acl "xfer" {
    // Allow no transfers. If we have other
    // name servers, place them here.
    none;
};
acl "bogon" {
    // Filter out the bogon networks. These are networks
    // listed by IANA as test, RFC1918, Multicast,
    // experimental, etc. If you see DNS queries or updates with
    // a source address within these networks, this is likely
    // of malicious origin.
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    169.254.0.0/16;
    192.0.2.0/24;
    // 10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    224.0.0.0/3;
    240.0.0.0/4;
};
acl "trusted" {
    10.0.0.0/24;    // garethwilliams.me.uk ip range: 10.0.0.0/255.255.255.0
    127.0.0.1;      // localhost
};
key "dhcp_updater" {
    // Set the KEY, secret = key generated by dnssec-keygen
    // which zones should be updated in DNS
    // secret key created with: dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxx";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "oxGqmCbuKxJjWWVwEk8FzQ==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    directory "/var/bind";
    // uncomment the following lines to turn on DNS forwarding,
    // and change the forwarding ip address(es):
    forward first;
    forwarders {
        10.0.0.2;   // router.garethwilliams.me.uk
    };
    listen-on-v6 { none; };
    // listen-on port 53;
    listen-on port 53 {
        10.0.0.3;   // server.garethwilliams.me.uk
        127.0.0.1;  // localhost
    };
    // to allow only specific hosts to use the DNS server:
    allow-query {
        trusted;    // trusted clients
    };
    allow-transfer {
        // Zone transfers limited to members of the
        // "xfer" ACL
        xfer;
    };
    allow-recursion {
        trusted;    // trusted clients
    };
    blackhole {
        // Deny anything from the bogon networks as
        // detailed in the "bogon" ACL.
        bogon;
    };
    // if you have problems and are behind a firewall:
    //query-source address * port 53;
    pid-file "/var/run/named/named.pid";
    // misc stuff
    version "Hay hacker, why you want to know my version? Get away from me.";
    auth-nxdomain yes;
};
// Recently verisign added a wildcard A record to the .COM and .NET TLD
// zones making all .com and .net domains appear to be registered
// This causes many problems such as breaking important anti-spam checks
// which verify source domains exist. ISC released a patch for BIND which
// adds 'delegation-only' zones to allow admins to return the .com and .net
// domain resolution to their normal function.
// zone com IN { type delegation-only; };
// zone net IN { type delegation-only; };
// Link in our zones
zone "." IN {
    type hint;
    file "named.ca";
};
// Allow queries for the localhost network, but not zone transfers.
// Every name server, both slave and master, will be a master
// for this zone.
zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
    allow-update {
        none;
    };
    notify no;
};
// Allow queries for the 127/8 network, but not zone transfers.
// Every name server, both slave and master, will be a master
// for this zone.
zone "127.in-addr.arpa" IN {
    type master;
    file "pri/127.zone";
    allow-update {
        none;
    };
    notify no;
};
// Allow queries for the 10.0.0.0/24 network, but allow only
// updates to key DHCP_UPDATER.
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "pri/0.0.10.in-addr.arpa.zone";
    allow-update {
        key "dhcp_updater";
    };
    notify no;
    // For secondary DNS server
    // notify yes;
    // also-notify {
    //     10.0.0.x;
    // };
};
// Allow queries for the garethwilliams.me.uk network, but allow
// only updates to key DHCP_UPDATER.
zone "garethwilliams.me.uk" IN {
    type master;
    file "pri/garethwilliams.me.uk.zone";
    allow-update {
        key "dhcp_updater";
    };
    notify no;
    // For secondary DNS server
    // notify yes;
    // also-notify {
    //     10.0.0.x;
    // };
};
logging {
    channel query_logging {
        file "/var/log/bind/query.log" versions 3 size 10M;
        print-time yes;
    };
    channel to_file {
        file "/var/log/bind/bind.log" versions 3 size 10M;
        print-time yes;
    };
    category queries {
        query_logging;
    };
    category default {
        to_file;
    };
    category lame-servers { null; };
};
```
if you do not have the directory /var/log/bind then please make it first:
```
mkdir -p /var/log/bind
chown -R bind:bind /var/log/bind
```
for dhcp change your /etc/dhcp/dhcpd.conf to be something like this (you need as well to replace the secret key for the dhcp_updater):
```
# /etc/dhcp/dhcpd.conf
# option definitions common to all supported networks...
option domain-name "garethwilliams.me.uk";
option domain-name-servers 10.0.0.3, server.garethwilliams.me.uk, localhost;
default-lease-time 14400;
max-lease-time 28800;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# Dynamic DNS update
ddns-update-style ad-hoc;                  # can be 'none', 'ad-hoc', or 'interim'
ddns-domainname "garethwilliams.me.uk";    # name of the domain
ddns-rev-domainname "0.0.10.in-addr.arpa"; # reverse domain name
update-static-leases true;                 # update static addresses in DNS as well
# garethwilliams.me.uk network (10.0.0.1 - 10.0.0.254)
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.50 10.0.0.100;                    # Internal DHCP range
    range dynamic-bootp 10.0.0.101 10.0.0.105;     # BOOTP range
    option ntp-servers 10.0.0.3;                   # NTP (was "nntp-server", which is the NNTP news option)
    option domain-name-servers 10.0.0.3,10.0.0.3;  # DNS servers
    option netbios-node-type 8;                    # WINS hybrid type (WINS - broadcast)
    option netbios-name-servers 10.0.0.3,10.0.0.3; # WINS name servers
    option domain-name "garethwilliams.me.uk";     # Domain name
    option routers 10.0.0.3,10.0.0.3;              # Router
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    default-lease-time 300;
    max-lease-time 360;
    #######################################################
    # Set the KEY, secret = key generated by dnssec-keygen
    # which zones should be updated in DNS
    # secret key created with: dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
    key dhcp_updater {
        algorithm hmac-md5;
        secret "xxxxxxxxxxxxxxxxxxx";
    }
    #######################################################
    zone garethwilliams.me.uk. {
        primary 10.0.0.3;
        key "dhcp_updater";
    }
    #######################################################
    zone 0.0.10.in-addr.arpa. {
        primary 10.0.0.3;
        key "dhcp_updater";
    }
    #######################################################
    #######################################################
    # I N T E R N A L   C L I E N T S
    #######################################################
    #
    #######################################################
    # gareth's workstation
    host gareth {
        hardware ethernet 00:00:00:00:00:00;
        fixed-address 10.0.0.xxx;
    }
    #######################################################
    # END
    #######################################################
    #######################################################
    # R E S E R V E D   F O R   S E R V E R S / S E R V I C E
    #######################################################
    # Use IP addresses, allowing them to use BOOTP and
    # other services.
    # Probably they will NOT use DHCP to get the address,
    # but we list them here anyway.
    #######################################################
    #
    #######################################################
    # ADSL Router
    host router {
        hardware ethernet 00:00:00:00:00:00;
        fixed-address 10.0.0.2;
    }
    #######################################################
    # Server
    host server {
        hardware ethernet 00:00:00:00:00:00;
        fixed-address 10.0.0.3;
    }
    #######################################################
    # END
    #######################################################
}
#######################################################
# ADSL modem range
subnet abc.abc.abc.abc netmask xyz.xyz.xyz.xyz {
    not authoritative;
}
#######################################################
```
the above configuration only reserves addresses from 10.0.0.50 to 10.0.0.100 for local clients (i hope you do not have more?).
if you want to use dhcp to always give the same address to certain hosts, then look at the bottom of the dhcp configuration. you only need to add there the host name (the one you use in the bind configuration for that specific system), the mac address and a fixed ip address.
please add/change the mac address for the server and the router in the dhcpd configuration (for now i have set them to 00:00:00:00:00:00).
another thing i would suggest is to add a subnet for your adsl modem and flag that subnet as not authoritative.
let me know if this is okay for you and if you need more help.
cheers
SteveB
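The named.conf and dhcpd.conf above only work when both files carry the same base64 secret: it keys the HMAC-MD5 TSIG (RFC 2845) that dhcpd puts on every dynamic update and that named checks before touching the zone. This added Python example (not from the thread, and not dhcpd's or BIND's own code) generates a secret the way `dnssec-keygen -b 128` does, signs a minimal constructed UPDATE for pc1.garethwilliams.me.uk (a made-up host) and verifies it, returning the error named would log when the secrets differ or the two clocks drift past the fudge window.

```python
"""HMAC-MD5 TSIG (RFC 2845) over a DNS dynamic update: what the shared
"dhcp_updater" secret in named.conf and dhcpd.conf is actually used for."""
import base64
import hashlib
import hmac
import os
import struct

TSIG_ALG = "hmac-md5.sig-alg.reg.int."  # RFC 2845 algorithm name for HMAC-MD5


def generate_secret(bits=128):
    """Like `dnssec-keygen -a HMAC-MD5 -b 128`: random key bytes, base64 encoded."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def name_to_wire(name):
    """Uncompressed DNS wire form of a name, lower-cased as TSIG canonical form requires."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(msg_id, zone, host, ip, ttl=300):
    """Constructed minimal RFC 2136 UPDATE message adding one A record to `zone`."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = name_to_wire(zone) + struct.pack("!HH", 6, 1)   # SOA, IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    update = name_to_wire(host) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (name_to_wire(keyname)
            + struct.pack("!HI", 255, 0)                      # class ANY, TTL 0
            + name_to_wire(TSIG_ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other))            # 48-bit time, fudge, error
            + other)


def sign_update(message, keyname, secret_b64, time_signed, fudge=300):
    """Client side (dhcpd): MAC = HMAC-MD5(secret, message || TSIG variables)."""
    key = base64.b64decode(secret_b64)
    data = message + tsig_variables(keyname, time_signed, fudge)
    return hmac.new(key, data, hashlib.md5).digest()


def verify_update(message, keyname, secret_b64, time_signed, fudge, mac, now):
    """Server side (named): recompute the MAC, then check the time window.
    Returns the TSIG error name that named would log for a rejected update."""
    expected = sign_update(message, keyname, secret_b64, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"   # secrets in named.conf and dhcpd.conf do not match
    if abs(now - time_signed) > fudge:
        return "BADTIME"  # dhcpd and named clocks differ by more than `fudge` seconds
    return "NOERROR"


if __name__ == "__main__":
    secret = generate_secret()                      # paste this into both configs
    msg = build_update(0x1234, "garethwilliams.me.uk.",
                       "pc1.garethwilliams.me.uk.", "10.0.0.77")
    mac = sign_update(msg, "dhcp_updater", secret, 1100000000)
    print("secret:", secret)
    print("same secret :", verify_update(msg, "dhcp_updater", secret, 1100000000, 300, mac, 1100000010))
    print("wrong secret:", verify_update(msg, "dhcp_updater", generate_secret(), 1100000000, 300, mac, 1100000010))
    print("clock skew  :", verify_update(msg, "dhcp_updater", secret, 1100000000, 300, mac, 1100001000))
```

A BADSIG in /var/log/bind/bind.log after a lease is handed out almost always means the two "xxx" placeholders were not replaced with the same string; BADTIME means the server and the DHCP host need their clocks synchronised.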

ARC2300 (Apprentice, Joined: 30 Mar 2003, Posts: 267)
Posted: Sat Nov 20, 2004 6:54 pm
Simple way to make it caching and not forwarding:
Remove the forwarder statements and uncomment your "named.ca" section. By default, if BIND can't resolve the name with your DNS files, it'll hit the root servers for the info.
[edit] BTW, I just noticed in the ACL of that BIND config given that 169.254.x.x is blackholed. Bad idea. Those are APIPA addresses, and if your Winders machines ever assign themselves APIPA addresses, you won't have crap for name resolution.
But, that's just my opinion. If my dhcp goes down, I still like to be able to get into my server to restart DHCP or whatever (and yes, DHCP did crash a while back because of a problem with the ebuild).
_________________
It's fun to take a trip
Put acid in your veins

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 7:16 pm
i hope he does not just route everything from internal to the external adsl router. according to the definition for APIPA, windows will look every 5 minutes for the dhcp server and try to get the address again.
i personally like to know when something goes wrong. and what benefit does one have if every windows system can get to the internet, but every other system can not?
better is to get the system secure and reliable than tweaking around to work around problems of windows.
i have only 2 systems running with windows (one old 98se and a winnt4 system) and everything else (more than 30 cpu's) runs linux (even my workstation. i have no windows at all and i do my job with my workstation and my laptop. and all my clients (i am consultant and developer) have only windows and some of them have mac on the client.)
definition of APIPA:
> Short for Automatic Private IP Addressing, a feature of later Windows operating systems. With APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCP server isn't available. When a DHCP client boots up, it first looks for a DHCP server in order to obtain an IP address and subnet mask. If the client is unable to find the information, it uses APIPA to automatically configure itself with an IP address from a range that has been reserved especially for Microsoft. The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default class B subnet mask of 255.255.0.0. A client uses the self-configured IP address until a DHCP server becomes available.
> The APIPA service also checks regularly for the presence of a DHCP server (every five minutes, according to Microsoft). If it detects a DHCP server on the network, APIPA stops, and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.
> APIPA is meant for nonrouted small business environments, usually less than 25 clients.

btw: if you use newer versions of windows, then you can assign an alternative configuration to your nic. there you could use another ip address and not allow windows to use APIPA addresses.
cheers
SteveB

gareth (Apprentice, Joined: 15 Nov 2003, Posts: 234, Location: UK)
Posted: Sat Nov 20, 2004 7:23 pm
Thanks very very very very....... much. Unfortunately, my DHCP clients are Windows, and my DHCP server is on the router.
Although I could disable it there, and run one on the server, it would mean that if (or should I say when) my server dies, I can't use any of the machines. Also, I have a friend plugged into my router, and if I go away for a reasonable length of time, I switch the server off and leave the router on for him. Therefore the router must be the DHCP server and have a DNS server running on it so that he can surf while I'm away.
Any ideas on getting BIND to update from Windows clients if at all possible?
Thanks again,
Gareth

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 7:37 pm
> gareth wrote:
> Thanks very very very very....... much. Unfortunately, my DHCP clients are Windows, and my DHCP server is on the router.
> Although I could disable it there, and run one on the server, it would mean that if (or should I say when) my server dies, I can't use any of the machines. Also, I have a friend plugged into my router, and if I go away for a reasonable length of time, I switch the server off and leave the router on for him. Therefore the router must be the DHCP server and have a DNS server running on it so that he can surf while I'm away.
> Any ideas on getting BIND to update from Windows clients if at all possible?
> Thanks again,
> Gareth

hmmm.. and if the router dies, then you can go to the internet as well.
anyway... i would do the following:
- leave the router at 10.0.0.2
- switch YOUR network to 10.0.1.0/24
- install bind and dhcp on the server
- install a firewall on the server (maybe something like shorewall)
- use 2 NICs in the server
- connect one NIC to the adsl modem and use the dhcp server built into the adsl modem to get the ip address.
- use shorewall to mask your 10.0.1.0/24 network and route all other traffic to 10.0.0.2.
- configure bind and dhcp to serve the 10.0.1.0/24 network.
with that setup your friend could still use the router directly and you can turn off the server when you are away, without breaking the routing for your friend. and your network is protected from your friend (don't know if you want that?) and it is as well protected from any possible security trouble/problem with the router.
cheers
SteveB

gareth (Apprentice, Joined: 15 Nov 2003, Posts: 234, Location: UK)
Posted: Sat Nov 20, 2004 7:45 pm
Excellent idea - that's why you are a consultant, and I merely play with these things! I actually trust my friend, but it would be worth doing that just for the learning experience. I'll look into getting another network card.
In the meantime, my system is doing exactly as it was in the first post, even after installing your named.conf:
If I ping 'www.sky.com' and monitor the network using Ethereal, BIND asks the router's DNS for the IP address, gets it, and returns it to the machine. If I ping 'www.sky.com' again, it does the same. Shouldn't it cache the first query instead though, and not have to ask the router the second time?
Thanks again,
Gareth

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 7:55 pm
did you restart bind? maybe it would be better to stop it first, then kill all running bind processes and then start bind again.
cheers
SteveB

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 8:02 pm
btw: which dns server does your win client point to? 10.0.0.2 or 10.0.0.3?
cheers
steve

gareth (Apprentice, Joined: 15 Nov 2003, Posts: 234, Location: UK)
Posted: Sat Nov 20, 2004 8:06 pm
As I'm 'messing about' with BIND at the moment, I'm running it on the command line as 'named -t /chroot/dns -g -u named'. I then get to see some debug messages, and whether all the zone files are OK etc. I always stop and start the server after any changes. Once it's running OK, I'll start it as a daemon.
I've set the Windows clients to look at 10.0.0.3 first, then 10.0.0.2.
Thanks again,
Gareth

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 8:09 pm
> gareth wrote:
> I've set the Windows clients to look at 10.0.0.3 first, then 10.0.0.2.

okay... then no one can guarantee you that windows will NOT use 10.0.0.2 for lookups.
if you want to force the caching, then use only 10.0.0.3.
cheers
SteveB

gareth (Apprentice, Joined: 15 Nov 2003, Posts: 234, Location: UK)
Posted: Sat Nov 20, 2004 8:17 pm
When I ping someone, it always goes like this:
- Client asks BIND
- BIND asks router
- router returns information to BIND
- BIND informs client
The client never asks the router directly. On the other hand, I've just run the 'dig' program on the server, and the reply time is amazing. The first time (no cache) it takes between 30ms and 600ms to query the real world, and the second and subsequent times it takes approx 3ms to query BIND. So it seems to work there!!!! Very strange.
Regards,
Gareth

ARC2300 (Apprentice, Joined: 30 Mar 2003, Posts: 267)
Posted: Sat Nov 20, 2004 8:22 pm
> steveb wrote:
> i hope he does not just route everything from internal to the external adsl router. according to the definition for APIPA, windows will look every 5 minutes for the dhcp server and try to get the address again.
> i personally like to know when something goes wrong. and what benefit does one have if every windows system can get to the internet, but every other system can not?
> better is to get the system secure and reliable than tweaking around to work around problems of windows.
> i have only 2 systems running with windows (one old 98se and a winnt4 system) and everything else (more than 30 cpu's) runs linux (even my workstation. i have no windows at all and i do my job with my workstation and my laptop. and all my clients (i am consultant and developer) have only windows and some of them have mac on the client.)
> definition of APIPA:
> > Short for Automatic Private IP Addressing, a feature of later Windows operating systems. With APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCP server isn't available. When a DHCP client boots up, it first looks for a DHCP server in order to obtain an IP address and subnet mask. If the client is unable to find the information, it uses APIPA to automatically configure itself with an IP address from a range that has been reserved especially for Microsoft. The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default class B subnet mask of 255.255.0.0. A client uses the self-configured IP address until a DHCP server becomes available.
> > The APIPA service also checks regularly for the presence of a DHCP server (every five minutes, according to Microsoft). If it detects a DHCP server on the network, APIPA stops, and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.
> > APIPA is meant for nonrouted small business environments, usually less than 25 clients.
> btw: if you use newer versions of windows, then you can assign an alternative configuration to your nic. there you could use another ip address and not allow windows to use APIPA addresses.
> cheers
> SteveB

Thank you for the definition of something I already know. It's really appreciated. Guess I shouldn't assume anymore that someone asking about BIND and DHCP doesn't know how to change his APIPA address on his/her Windows machines. How stupid of me.
_________________
It's fun to take a trip
Put acid in your veins

steveb (Advocate, Joined: 18 Sep 2002, Posts: 4564)
Posted: Sat Nov 20, 2004 8:29 pm
> ARC2300 wrote:
> Thank you for the definition of something I already know. It's really appreciated. Guess I shouldn't assume anymore that someone asking about BIND and DHCP doesn't know how to change his APIPA address on his/her Windows machines. How stupid of me.

Cool! You are great! When I grow up, I want just to be like you!
cheers
SteveB