Configuring DHCP Dynamic Host registration on DNS Bind9 on your pfSense

Posted on by Thiago Crepaldi

Last Updated on March 18, 2023 by Thiago Crepaldi

On a previous post, we’ve discussed how to use Bind9 on your pfSense in a way that external names were forwarded to other name servers and internal names were statically resolved. In this post, we are going to integrate pfSense’s DHCP Server and Bind9, so that when DHCP assigns an IP to a device, it informs Bind9 to add DNS entries for them.

pfBlockerNG depends on Unbound, so don’t replace it with Bind if you still want to block stuff with it.

This integration requires changes on both Bind and DHCP Server, to allow them to communicate securely. The first step is creating a secret key that will be shared by both services. Run the following on your pfSense or on a linux machine with bid9 package installed:

tsig-keygen -a HMAC-SHA256 dhcpupdate

The output would be something similar to:

key "dhcpupdate" {
        algorithm hmac-sha256;
        secret "rgZrbe9tzrI5GbL7weyaIY7f9AKbq0xc+76XuoS2muI=";
};

Now that we have a key, we need to configure bind to use it. Go to Service >> BIND DNS Server. In the Settings tab, scroll down and click on Show Advanced Options and paste the key entry as returned by tsig-keygen at the Global Settings field and click on Save.

Next go to ACLs tab and click on Add

  • ACLs
    • General Options:
      • ACL Name: DHCPUpdate-ACL
      • Description: ACL for DHCP Updates
      • Enter IP or network range block: key dhcpupdate

Click on Save. Now we have to change both the forward and reverse zones to use the dhcpupdate key for DNS updates.

For the forward zone, click on edit (pencil), go to the Master Zone Configuration section, and on allow-update field, select DHCPUpdate-ACL and click on Save.

Similarly, for the reverse zone, click on edit (pencil), go to the Master Zone Configuration section, and on allow-update field, select DHCPUpdate-ACL and click on Save.

At this point, bind is ready to accept updates coming through using our specil dhcpupdate key. All we need is to make the DHCP Server reach bind with such key.

Go to Services >> DHCP Server and click on the tab that corresponds to the interface you want to configure bind9 dynamic hosts. Scroll down to Other Options and click on Show Advanced when you see the Dynamic Updates field:

  • Dynamic DNS
    • Enable registrations of DHCP client names in DNS: Checked
    • DDNS domain: lan.example.com
    • DDNS Hostnames: Checked
    • Primary DDNS address: 127.0.0.1
    • DNS Domain Key: dhcpupdate
    • Key Algorithm: HMAC-SHA256
    • DNS Domain key secret: rgZrbe9tzrI5GbL7weyaIY7f9AKbq0xc+76XuoS2muI=
      • No quotes, just the play string from the “secret” field
    • DDNS Client Updates: Ignore

Finally, click on Save and Apply. Now the DHCP Server will use the dhcpupdate key to send a DDNS update to bind9, which will use the same dhcpkey to authenticate the request.

Have fun!

1 thought on “Configuring DHCP Dynamic Host registration on DNS Bind9 on your pfSense

Leave a Reply