
Archiv verlassen und diese Seite im Standarddesign anzeigen : DHCP/Name Prob!



chgr
18.07.03, 19:32
Hallo,

ich habe in meinem Windows/Linux Netzwerk einen Debian Woody Server mit DNS und DHCP Server.
Plötzlich, ohne dass ich etwas an den entsprechenden Configs geändert habe (ich habe was mit VPN probiert), bekommen die PCs mit fester IP nicht mehr ihre feste IP, sondern eine dynamische. Die Einträge für feste IPs sind aber noch in der dhcpd.conf.

Das syslog sagt, wenn ich ne IP holen will:
Jul 18 13:57:08 server dhcpd: DHCPACK on 192.168.200.15 to 00:00:39:27:df:a1 (PC-CHRISTOPH) via eth0
Jul 18 13:58:57 server dhcpd: Can't update forward map pc-carsten.intra.c-bytes.de to 192.168.200.18: no such RRset
Jul 18 13:58:57 server dhcpd: DHCPREQUEST for 192.168.200.18 from 00:0c:6e:1e:46:b3 (pc-carsten) via eth0
Jul 18 13:58:57 server dhcpd: DHCPACK on 192.168.200.18 to 00:0c:6e:1e:46:b3 (pc-carsten) via eth0


Was soll ich denn da tun?

Thomas Mitzkat
18.07.03, 20:07
uns mal deine config-dateien rüberschieben, oder sollen wir deine fehler erraten?

chgr
18.07.03, 20:10
An denen hat sich wie gesagt nichts geändert:

named.conf

options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
//
// NOTE(review): a fixed source port makes every outgoing query
// predictable, a known cache-poisoning risk. The iptables script on
// this host lets replies back in through its ESTABLISHED,RELATED rule
// whatever the port, so the pin is not needed for the firewall;
// consider dropping "port 53" and letting BIND choose a random port.

query-source address * port 53;

// On which IP are we allowed to listen?
// listen-on { 192.168.0.1; 127.0.0.1; 192.168.42.2; };
// NOTE(review): with listen-on commented out named also answers on the
// ppp0 address. The firewall rejects outside queries, but limiting the
// listener to 127.0.0.1 and the LAN address is the cheaper first line.

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// Everything this server is not authoritative for is sent to
// 194.25.2.129 (presumably the ISP's resolver).
forwarders {
194.25.2.129;
};
};

// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
category cname { null; };
// Trace of dynamic updates at debug level 3: every update dhcpd sends
// and why named accepts or refuses it. This file, rather than syslog,
// should explain the "Can't update forward map ... no such RRset"
// failures dhcpd reports.
channel update_debug {
file "/var/log/update-debug.log";
severity debug 3;
print-category yes;
print-severity yes;
print-time yes;
};
// Approval and denial of requests (query and update access control).
channel security_info {
file "/var/log/named-auth.info";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category update { update_debug; };
category security { security_info; };
};

// TSIG key dhcpd signs its dynamic updates with; name and secret must
// match the "key DHCP_UPDATER" block in dhcpd.conf. Whoever holds the
// secret can rewrite both dynamic zones below, so keep it out of
// world-readable files (e.g. an "include"d file readable only by root
// and the user named runs as) and generate a fresh secret now that this
// one has been posted in a public forum. Newer named and dhcpd releases
// also accept hmac-sha256, preferable where both sides support it.
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret RqU3XhIgJ+Hr060R1V7ubw==;
};

// prime the server with knowledge of the root servers
// (hints only; consulted when a query cannot be answered through the
// forwarders above)
zone "." {
type hint;
file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
// (Debian's stock stanzas: lookups for localhost and the 0/255
// broadcast networks are answered locally instead of being forwarded.)

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

// add entries for other zones below here

// Forward zone of the LAN. Only updates signed with DHCP_UPDATER are
// accepted, and named records them in a journal next to the zone file
// (db.intra.c-bytes.de.jnl): the file alone does not show the live
// contents, and hand-editing it while the journal exists is unsafe.
// The names used as fixed-address in dhcpd.conf have to resolve from
// here. The "no such RRset" dhcpd logs for pc-carsten is usually the
// sign of an A record that dhcpd did not create itself (no matching
// TXT record), e.g. one typed into the zone file by hand, which the
// interim update scheme refuses to overwrite.
zone "intra.c-bytes.de" {
type master;
file "/etc/bind/db.intra.c-bytes.de";
notify no;
allow-update { key DHCP_UPDATER; };
};

// Reverse zone for 192.168.200.0/24, same rules as above.
zone "200.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.200";
notify no;
allow-update { key DHCP_UPDATER; };
};


dhcpd.conf

# dhcpd.conf
#
# Global settings for the intra.c-bytes.de LAN, started from the ISC
# sample file. Dynamic DNS (interim scheme) is switched on here for
# every scope; the zone statements further down name the server and
# the key the updates are sent with.
#

# option definitions common to all supported networks...
ddns-domainname "intra.c-bytes.de";
ddns-rev-domainname "in-addr.arpa";
option domain-name "intra.c-bytes.de";
# 192.168.200.1 (presumably this host) serves DNS, WINS, time/NTP and
# is the default gateway.
option domain-name-servers 192.168.200.1;
option broadcast-address 192.168.200.255;
option netbios-name-servers 192.168.200.1;
option time-servers 192.168.200.1;
option ntp-servers 192.168.200.1;
# 2 = p-node: NetBIOS names are resolved via the WINS server only.
option netbios-node-type 2;
ddns-update-style interim;
ddns-updates on;
# 10 minute default / 2 hour maximum lease: clients come back within
# minutes, so a DHCP problem shows up in syslog quickly.
default-lease-time 600;
max-lease-time 7200;
option routers 192.168.200.1;


# Same name and secret as the key block in named.conf (they must match).
# The secret grants full write access to both zones; this file must not
# be world-readable, and the secret needs regenerating now that it has
# been posted publicly.
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret RqU3XhIgJ+Hr060R1V7ubw==;
};


# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# NEW !!!
# (Marked as a recent change, so the config did change after all.
# Per the dhcpd.conf man page this supplies the name of a matching host
# declaration to the client as its host name; only the "host" entries
# at the end of the file are affected.)
use-host-decl-names on;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# (Leftover sample text: it describes a subnet declaration, not the two
# DNS zone statements that follow.)

# Where the dynamic updates for the forward and reverse zone go: the
# named on this host via loopback, signed with DHCP_UPDATER. Loopback
# traffic is accepted by the firewall script as posted, so iptables
# should not interfere with these updates.
zone intra.c-bytes.de {
primary 127.0.0.1;
key DHCP_UPDATER;
}

zone 200.168.192.in-addr.arpa {
primary 127.0.0.1;
key DHCP_UPDATER;
}


# The LAN. The ddns-* lines repeat the global ones (harmless, but
# ddns-update-style is documented as a top-level-only statement, so this
# copy can go). NOTE(review): the pool 192.168.200.4-20 should not
# contain the addresses of the fixed-address hosts; the syslog shows
# pc-christoph on .15 and pc-carsten on .18, both inside it.
subnet 192.168.200.0 netmask 255.255.255.0 {
range 192.168.200.4 192.168.200.20;
option routers 192.168.200.1;
ddns-updates on;
ddns-update-style interim;
ddns-domainname "intra.c-bytes.de";
ddns-rev-domainname "in-addr.arpa";
}


# Static assignments, matched by MAC (the MACs agree with the syslog).
# Two caveats:
#  - fixed-address given as a name is resolved when dhcpd reads this
#    file, so it depends on the very zone dhcpd itself rewrites; a
#    literal IP here removes that dependency.
#  - whatever these names resolve to should lie outside the dynamic
#    range 192.168.200.4-20 of the subnet above; the syslog shows .15
#    and .18 being handed out, i.e. inside it, so one cannot tell from
#    the log alone whether a "fixed" or a pool address was given.
host pc-heide {
hardware ethernet 00:50:BF:4E:A3:C2;
fixed-address pc-heide.intra.c-bytes.de;
}

host pc-carsten {
hardware ethernet 00:0C:6E:1E:46:B3;
fixed-address pc-carsten.intra.c-bytes.de;
}

host pc-horst {
hardware ethernet 00:30:AB:01:09:E1;
fixed-address pc-horst.intra.c-bytes.de;
}
host pc-christoph {
hardware ethernet 00:00:39:27:DF:A1;
fixed-address pc-christoph.intra.c-bytes.de;
}


Braucht Ihr eventuell noch die Firewall-iptables oder kann es daran nicht liegen?

chgr
19.07.03, 09:35
"Can't update forward map"

Wie kann ich denn dem beikommen?
Kann es denn an den iptables liegen?

chgr
20.07.03, 11:37
Hier meine iptables:

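#!/bin/sh
#
# Packet filter for a LAN gateway with a dial-up uplink on ppp0.
#
# Usage: firewall (start|stop|restart)
#
# What the rules in fw_start amount to:
#   * packets of established/related connections are accepted;
#   * new connections arriving on anything but ppp0 (LAN on eth0, lo)
#     are accepted -- DHCP, DNS and dhcpd's update to named on
#     127.0.0.1 are therefore not touched by this script;
#   * from ppp0 only TCP SYNs to the service ports listed below get
#     through; other SYNs are dropped, everything else is rejected;
#   * the LAN is masqueraded behind ppp0's (dynamic) address.
#
# Caveat: the built-in chain policies stay ACCEPT, so the host is wide
# open whenever the rules are not loaded -- before "start", after
# "stop", or when "start" aborts half-way. "set -e" turns such an
# abort into a visible failure instead of printing "done." over it.

set -e

readonly IPT=/sbin/iptables

# Enable forwarding and load the rule set.
fw_start() {
  printf '%s' "Firewall is starting... "

  # Non-zero: rewrite the source address of connections opened before
  # ppp0 obtained its address; values above 1 also log each rewrite.
  echo 7 > /proc/sys/net/ipv4/ip_dynaddr
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Hide the LAN behind ppp0.
  "$IPT" -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

  # "block" is the one policy chain shared by INPUT and FORWARD.
  # Creating it fails if it already exists, i.e. when "start" is run
  # twice without "stop"; use "restart" instead.
  "$IPT" -N block
  "$IPT" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Anything not coming in on ppp0 may open connections. "-i ! ppp0" is
  # the old intrapositioned negation; recent iptables releases warn
  # about it and want "! -i ppp0".
  "$IPT" -A block -m state --state NEW -i ! ppp0 -j ACCEPT

  # VPN
  # allow IPsec
  # iptables -A FORWARD -i ipsec+ -o ppp0 -j ACCEPT
  # iptables -A FORWARD -i ppp0 -o ipsec+ -j ACCEPT

  # adjust depending on which link IPsec runs over
  # IKE negotiations

  # iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
  # iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

  # ESP encryption and authentication
  # iptables -A INPUT -p 50 -j ACCEPT
  # iptables -A OUTPUT -p 50 -j ACCEPT

  # AH authentication header
  # iptables -A INPUT -p 51 -j ACCEPT
  # iptables -A OUTPUT -p 51 -j ACCEPT

  # CS-Server
  # /sbin/iptables -A block -p tcp --dport 27015 --syn -j ACCEPT
  # /sbin/iptables -A block -p udp --dport 27015 -j ACCEPT
  # /sbin/iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 27015 -j DNAT --to 192.168.200.2
  # /sbin/iptables -t nat -I PREROUTING -i ppp0 -p udp --dport 27015 -j DNAT --to 192.168.200.2

  # Services reachable from the uplink (only ppp0 traffic normally gets
  # this far).
  # GNUMP3D
  "$IPT" -A block -p tcp --dport 8000 --syn -j ACCEPT
  # Apache
  "$IPT" -A block -p tcp --dport 8001 --syn -j ACCEPT
  # FTP control connection; data connections rely on the ftp conntrack
  # helper knowing this non-standard port -- TODO confirm it is loaded.
  "$IPT" -A block -p tcp --dport 8003 --syn -j ACCEPT

  # Remaining new TCP connections are dropped silently; whatever else is
  # left (UDP, ICMP, TCP without a state entry) is rejected.
  "$IPT" -A block -p tcp --syn -i ! lo -j DROP
  # /sbin/iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.2
  # /sbin/iptables -A block -j LOG
  "$IPT" -A block -j REJECT
  "$IPT" -A INPUT -j block
  "$IPT" -A FORWARD -j block

  echo "done."
}

# Remove the rule set and disable forwarding again.
fw_stop() {
  printf '%s' "Firewall is shutting down... "

  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo 0 > /proc/sys/net/ipv4/ip_dynaddr

  "$IPT" -F
  "$IPT" -t nat -F
  # After the flush nothing references "block" any more. The chain is
  # missing when "start" never ran or "stop" is run twice; that is not
  # an error here, hence the "|| :".
  "$IPT" -X block || :
  echo "done."
}

usage() {
  echo "Usage: $0 (start|stop|restart)"
}

main() {
  case "$1" in
    start)
      fw_start
      ;;
    stop)
      fw_stop
      ;;
    restart)
      fw_stop
      fw_start
      ;;
    *)
      usage
      ;;
  esac
}

main "$@"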

Ist da alles korrekt?
Es sollte alles geblockt werden, was von außen kommt, außer die zugelassenen Dienste.
Von innen sollte alles rauskommen.

Thomas Mitzkat
20.07.03, 14:02
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};


was soll das denn sein, das solltest du mal löschen, weil ohne zweck und erschwert die fehlersuche.
der inhalt von

/etc/bind/db.intra.c-bytes.de
/etc/bind/db.192.168.200

wäre mal interessant. wäre auch gut die konfiguration so einfach wie möglich zu halten.