
Thread: WINS/DHCP lease time

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    4

    WINS/DHCP lease time

    Hi!

    Are there any security issues with having short lease times on a WINS/DHCP server, i.e. 1 day or even shorter? The default is 3 days (I think) but this value causes some issues for us and we are planning to lower this value to 1 day. This will cause more network traffic and DHCP communication, but are there other issues this change can cause?
    --- Time is pleasure ---

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Nope, no security issues but what business need would make you shorten your lease time? Limited IPs in your scope?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Junior Member
    Join Date
    Apr 2004
    Posts
    4
    No, but when a user moves from an "office connection" to a VPN connection, their computer name is still pointing to the previous IP, which is renewed/released at 50% of the lease time. This causes issues with some applications since the data is sent to the "old" address registered in WINS and not their newly given VPN address. We suspect that the issue is the lease time and will change it, but need to investigate if a shorter lease time can cause any problems.
    --- Time is pleasure ---

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Windows hosts will use the last DHCP address pulled as long as it's available. It's odd to me that you're seeing a 50% turnover unless I'm totally missing the story here. When you see Windows hosts turning over DHCP addresses frequently, it's a sign that the scope is limited and a bunch of hosts are using it.

    Anyway, what VPN solution are you using?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Junior Member
    Join Date
    Apr 2004
    Posts
    4
    The issue is when a user leaves the office and connects a couple of hours later to the network via VPN and receives a new IP address, WINS still thinks that the user's host name has the IP that was given earlier and not the newly given one. This causes issues with some applications and can be solved by forcing a release of the registered address in WINS/DHCP.

    With "50%" I meant that a "client renew address request" is sent after 50% of the lease time, i.e. if the lease time is set to 72 hours, a new request will usually be sent after 36 hours. We are using Check Point VPN.

    Basically I'm wondering if a shorter lease time can cause issues from a security point of view or from other perspectives, which seems not to be the case. So, thanks for your answer, and if an increase in network traffic is the only result then a try shouldn't cause any harm.
    --- Time is pleasure ---

  6. #6
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Do you have any DNS servers on your domain? This shouldn't really happen. You may have a more deep-rooted problem somewhere?

    When the user leaves the office, is he turning his machine off or just logging off / locking the work station?

    When someone connects via VPN are they using the same DHCP server or one on a firewall/router etc?

  7. #7
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    This behavior is quite normal, but it's not DHCP causing your problem, it's WINS. Windows clients that receive an IP address from a DHCP offer can also receive a WINS server address from the DHCP server. WINS works much like DDNS, in that once the client gets its IP it will then attempt to register its (NetBIOS) name with its WINS server. The WINS server maintains a database like DNS and then resolves names to IPs. Machines shut down cleanly will actually 'release' their names, but if it's a laptop, the user often just suspends and disconnects from the network. This will leave the name registered. The default period for it to hold the name (the 'release interval') is 6 days. So once the host appears elsewhere on the network, WINS will still resolve to the old location. The new name may be refused by the WINS server (the host will retry every 10 minutes); of course the name may also be accepted by another WINS server on the network, but then you get WINS replication playing havoc (some have the new address, some don't) and all sorts of silliness. Basically, you need to reconfigure the 'release interval' for WINS on the WINS server(s), under intervals in the WINS admin snap.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  8. #8
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    I'm with Maestr0 on this one ... Seems to me to be more a WINS/DNS related problem.

    How is your VPN configured, does your VPN server/box have a DHCP relay, does it have the same settings as the inside DHCP (except for the gateway) ... Or are you using other settings on the VPN server/box itself?

    Like TH13 said ... even if you reboot your computer and it "asks" for an IP address, it will normally get the same as before the reboot (as long as it's available). So shortening the lease will not fix that problem.

    Automatic scavenging of the WINS database takes place at defined intervals, this between the Renewal and the Extinct intervals you defined ... So maybe you need to check those intervals ??

    Basically again ... I'm with Maestr0 on this one, and I'm not telling anything new or anything my fellow AO'ers mentioned.

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  9. #9
    Junior Member
    Join Date
    Apr 2004
    Posts
    4
    Thanks for the answer, and Maestr0 is right, the issue lies within the WINS release time, which we will look over. Again, thanks for the answers.
    --- Time is pleasure ---
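
An added example (not written by any poster in this thread): a Python cross-check for the stale registration described in post #7, listing names that WINS still maps to an address the host no longer uses and marking the cases where that old address has since been leased to another machine. The record layouts, host names and addresses are constructed, and the 6-day default is simply the figure quoted in post #7.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data (not from the thread).
# WINS export: (NetBIOS name, registered IP, state, last registration/renewal)
WINS_RECORDS = [
    ("LAPTOP-A", "10.1.0.23", "active", ts("2004-04-19 08:55")),
    ("LAPTOP-B", "10.1.0.40", "active", ts("2004-04-19 09:10")),
    ("DESKTOP-C", "10.1.0.51", "active", ts("2004-04-20 07:30")),
    ("LAPTOP-D", "10.1.0.77", "released", ts("2004-04-18 17:02")),
]
# DHCP leases: (IP, client host name, lease start); 10.9.0.x is the VPN pool.
DHCP_LEASES = [
    ("10.1.0.23", "LAPTOP-A", ts("2004-04-19 08:54")),
    ("10.9.0.12", "LAPTOP-A", ts("2004-04-20 19:30")),
    ("10.1.0.23", "DESKTOP-E", ts("2004-04-21 08:05")),
    ("10.9.0.15", "LAPTOP-B", ts("2004-04-20 20:15")),
    ("10.1.0.51", "DESKTOP-C", ts("2004-04-20 07:29")),
    ("10.9.0.20", "LAPTOP-D", ts("2004-04-20 18:00")),
]

def audit(wins, leases, renewal_interval=timedelta(days=6)):
    """Flag active WINS names whose IP differs from the host's newest lease."""
    # renewal_interval: assumed value taken from post #7; use your server's setting.
    ip_of_host, holder_of_ip = {}, {}
    for ip, host, start in sorted(leases, key=lambda lease: lease[2]):
        ip_of_host[host.upper()] = ip      # newest lease per host wins
        holder_of_ip[ip] = host.upper()    # newest lease per address wins
    findings = []
    for name, wins_ip, state, stamp in wins:
        current = ip_of_host.get(name.upper())
        if state != "active" or current in (None, wins_ip):
            continue                       # only active, mismatched names
        holder = holder_of_ip.get(wins_ip)
        other = holder if holder not in (None, name.upper()) else None
        findings.append({
            "name": name, "wins_ip": wins_ip, "current_ip": current,
            # Old address re-leased to another machine: traffic for this
            # name reaches a different host instead of just failing.
            "risk": "misdirected" if other else "unreachable",
            "old_ip_holder": other,
            "stale_until": stamp + renewal_interval,
        })
    return findings

if __name__ == "__main__":
    print(*audit(WINS_RECORDS, DHCP_LEASES), sep="\n")
```

The "misdirected" rows are the ones to clear first, since application data addressed to the name is being delivered to whichever machine now holds the old lease.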
