Linux: Dynamic DNS with BIND and DNSSEC
This document is about setting up a dynamic DNS entry for a system on the internet without a static IP. The updates are authenticated with a shared-secret TSIG key (generated here with dnssec-keygen, hence the DNSSEC in the title); signing the zone itself with DNSSEC is not covered. The process involves two systems:
- Server: static IP, running BIND (int0x80.com)
- Home: dynamic IP, running Debian
I created a sub-domain, dyn.int0x80.com, to which hosts can be added.
The document assumes a working BIND setup is already in place. Installing and configuring BIND is out of scope here.
First step is to generate a TSIG key on the server. This write-up used HMAC-MD5; that algorithm is deprecated, and BIND 9.13 and later no longer generate HMAC keys with dnssec-keygen at all. On a current system run tsig-keygen -a hmac-sha256 home.dyn.int0x80.com instead: it prints a ready-to-include key statement, and nsupdate -k accepts a file in that format as well as the .private format shown below.
[int0x80] /etc/bind $ sudo dnssec-keygen -a HMAC-MD5 -b 512 -n HOST home.dyn.int0x80.com
This creates two files. The +157 in their names is the algorithm number for HMAC-MD5; the +62567 is a key identifier that differs on every run.
[int0x80] /etc/bind $ sudo file Khome.dyn.int0x80.com.+157+62567.*
Khome.dyn.int0x80.com.+157+62567.key: ASCII text
Khome.dyn.int0x80.com.+157+62567.private: ASCII text
Here are the sanitized contents of each file.
Khome.dyn.int0x80.com.+157+62567.key:
home.dyn.int0x80.com. IN KEY 512 3 157 Mprj8I76jDiEldj3SgF7/Ph5bWm4eHYZu0nOcUB1vT4wU5PjbYNnp8T9 cb8XqmE0ANotnw+FBBbr3lA8O5uJ8A==
Khome.dyn.int0x80.com.+157+62567.private:
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Mprj8I76jDiEldj3SgF7/Ph5bWm4eHYZu0nOcUB1vT4wU5PjbYNnp8T9cb8XqmE0ANotnw+FBBbr3lA8O5uJ8A==
Bits: AAA=
Created: 20160126233343
Publish: 20160126233343
Activate: 20160126233343
Notice that the Key: field in the .private file is simply the concatenated key from the .key file.
Next I created a key file at /etc/bind/key.home.dyn.int0x80.com. Since it holds the shared secret, keep it readable only by root and the bind group (chown root:bind, chmod 640), the same permissions Debian uses for rndc.key.
key home.dyn.int0x80.com. {
    algorithm HMAC-MD5;
    secret "Mprj8I76jDiEldj3SgF7/Ph5bWm4eHYZu0nOcUB1vT4wU5PjbYNnp8T9 cb8XqmE0ANotnw+FBBbr3lA8O5uJ8A==";
};
Then add the following line to /etc/bind/named.conf.local to include the new key.
include "/etc/bind/key.home.dyn.int0x80.com";
With the key in place on the server, all that remains is to add a zone for BIND. This is my entry further down in /etc/bind/named.conf.local:
// Dynamic zone
zone "dyn.int0x80.com" IN {
    type master;
    file "/etc/bind/db.dyn.int0x80";
    update-policy {
        // allow a host to update itself with the key bearing its own name
        grant home.dyn.int0x80.com. name home.dyn.int0x80.com. A TXT;
    };
};
Lastly put the /etc/bind/db.dyn.int0x80 file into place. Two things to watch: the NS record has an empty owner field and inherits dyn.int0x80.com from the SOA line, so its leading whitespace matters; and named must be able to write the zone's journal (db.dyn.int0x80.jnl) next to the zone file. On Debian /etc/bind is read-only for named, so if updates fail with a permission error on the journal, move the file to /var/lib/bind (which the AppArmor profile allows writes to) and adjust the file path in the zone statement.
$ORIGIN .
$TTL 14400 ; 4 hours
dyn.int0x80.com         IN SOA  ns1.int0x80.com. root.int0x80.com. (
                                9          ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
                        NS      ns1.int0x80.com.
Check the configuration with named-checkconf and the zone with named-checkzone dyn.int0x80.com /etc/bind/db.dyn.int0x80, then restart BIND with a simple sudo service bind9 restart, and it's time for the client side.
First transfer the .key and .private files down to the client system via your transport mechanism of choice (scp, for instance). Only the .private file is actually read by nsupdate, but both contain the secret, so once situated, chmod each file to 0400.
-r-------- 1 user user 128 Jan 26 17:58 Khome.dyn.int0x80.com.+157+62567.key
-r-------- 1 user user 229 Jan 26 17:58 Khome.dyn.int0x80.com.+157+62567.private
The nsupdate tool in the dnsutils package will perform the update. I wrote a simple wrapper script in bash to run the update for me.
#!/bin/bash
# -----------------------------------------------------------
# update the dynamic dns for home system
#
# usage: do-nsupdate
# -----------------------------------------------------------
EXT_IP=$(wget -qO- http://ifconfig.me/ip)
KEY="/path/to/Khome.dyn.int0x80.com.+157+62567.private"
# bail out if the lookup returned nothing rather than feeding nsupdate
# an incomplete 'update add' line
[ -n "$EXT_IP" ] || { echo "could not determine external IP" >&2; exit 1; }
cat <<EOF | nsupdate -k "$KEY"
server int0x80.com
zone dyn.int0x80.com
update delete home.dyn.int0x80.com. A
update add home.dyn.int0x80.com. 86400 A $EXT_IP
show
send
EOF
Running the do-nsupdate script manually will show whether everything is working correctly.
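As an added example, and not the repository's own script, here is a hardened do-nsupdate that refuses to touch the zone unless the looked-up address is a plain IPv4 dotted quad. An empty response or an HTML error page from the lookup service would otherwise end up in the update message. The key path, host and zone names and the lookup URL are the placeholders from this write-up and must be adjusted; the delete and add are still sent together in one UPDATE message, so the record is never left absent between them.

```shell
#!/bin/bash
# Added example (not the repository's script): a hardened do-nsupdate.
# Assumptions: the key path, names and lookup URL below are the
# placeholders from the write-up; change them for your own setup.

KEY="${KEY:-/path/to/Khome.dyn.int0x80.com.+157+62567.private}"
SERVER="int0x80.com"
ZONE="dyn.int0x80.com"
HOST_FQDN="home.dyn.int0x80.com."
TTL=86400
IP_URL="http://ifconfig.me/ip"

# Accept only a dotted-quad IPv4 address. Anything else (empty output,
# an HTML error page, an IPv6 address, an octet above 255) is rejected
# so a bad lookup never turns into an 'update add' line.
validate_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # the regex alone admits 999.1.1.1; check each octet's range
    printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# Emit the nsupdate transaction for an already validated address.
# delete and add go out in a single UPDATE message.
build_update() {
    cat <<EOF
server $SERVER
zone $ZONE
update delete $HOST_FQDN A
update add $HOST_FQDN $TTL A $1
send
EOF
}

main() {
    ext_ip=$(wget -qO- "$IP_URL") || { echo "do-nsupdate: IP lookup failed" >&2; exit 1; }
    if ! validate_ip "$ext_ip"; then
        echo "do-nsupdate: refusing to publish '$ext_ip'" >&2
        exit 1
    fi
    [ -r "$KEY" ] || { echo "do-nsupdate: cannot read key file $KEY" >&2; exit 1; }
    build_update "$ext_ip" | nsupdate -k "$KEY"
}

# Run the update only when invoked as the do-nsupdate script; sourcing
# the file just defines validate_ip and build_update for reuse.
case "${0##*/}" in
    do-nsupdate|do-nsupdate.sh) main "$@" ;;
esac
```

Save it as do-nsupdate (the case guard at the end keys on that file name) and run it by hand once; a rejected lookup exits non-zero with a message on stderr, which cron will mail to you, instead of silently sending a broken update.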
After a manual run, a quick test with dig will show if the record updated. Query the authoritative server directly so a cached answer from a resolver can't mask a failed update. Note that 216.54.147.14 is the IP for int0x80.com.
$ dig @216.54.147.14 +short home.dyn.int0x80.com
70.115.x.x
The do-nsupdate script can be scheduled to run automatically on the client with cron. I put mine at every 15 minutes as I had some issues with my ISP flapping on addresses in the past.
$ crontab -l
*/15 * * * * /path/to/do-nsupdate