Dynamic DNS with nsupdate (bind)
Let’s get started!
1. Create a DNSSEC key on the client server; in this example USER = [email protected]:
# dnssec-keygen -a HMAC-MD5 -b 512 -n USER user.email.com.
Kuser.email.com.+157+16287
# more Kuser.email.com.+157+16287.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: HJd+RVWNsPB4obNtOlSF6C/QWK5+1EWMI6h/YHrYVQZ10KRmfISGXLioA+3kCLjoje0HmkjtkqxVNeSEKZKjhw==
Bits: AAA=
2. Save the key. It has to be installed on the DNS server that handles your domain, so either put it there yourself or hand it to your DNS admin.
3. On the DNS server, create keys.conf in /etc/namedb (or anywhere you like) and put your private key in the “secret” line.
* Sample keys.conf:
key user.email.com. {
    algorithm HMAC-MD5;
    secret "HJd+RVWNsPB4obNtOlSF6C/QWK5+1EWMI6h/YHrYVQZ10KRmfISGXLioA+3kCLjoje0HmkjtkqxVNeSEKZKjhw==";
};
** The keys.conf file needs to be owned by bind:wheel, so:
# chown bind:wheel keys.conf
*** You can also chmod 600 this file so that only named can read the secret.
4. Edit or create the zone file for your domain and put it in /etc/namedb/dynamic/
* Sample zone file:
$TTL 1H
@       1H IN SOA ns1.domain.com. admin.domain.com. (
                2011122801 ; Serial
                30M        ; Refresh
                15M        ; Retry
                1W         ; Expire
                30M )      ; Minimum TTL
;
@       IN NS   ns1.domain.com.
@       IN NS   ns2.domain.com.
@       IN MX   20 mx.domain.com.
;
@       IN A    192.168.1.1
ns1     IN A    192.168.1.1
ns2     IN A    192.168.1.2
www     IN A    192.168.1.1
mx      IN A    192.168.1.1
pop3    IN A    192.168.1.1
smtp    IN A    192.168.1.1
4. Edit your /etc/namedb/named.conf and add the following (the key name in allow-update must match the key defined in keys.conf):
include "keys.conf";
zone "domain.com" {
    type master;
    file "/etc/namedb/dynamic/domain.com";
    allow-update { key user.email.com.; };
};
* Below is an example config for finer control/security when multiple users each update their own subdomain.
zone "domain.com" {
    type master;
    file "/etc/namedb/dynamic/domain.com";
    update-policy {
        grant user2.email.com. name subdomain2.domain.com. A TXT;
        grant user3.email.com. name subdomain3.domain.com. A TXT;
        grant user.email.com. subdomain domain.com. ANY;
    };
};
** In the example above, the user2.email.com. key can only update its own subdomain, subdomain2.domain.com (and only its A and TXT records); the same goes for the user3.email.com. key, while the user.email.com. key can update all of the A records (and, with ANY, every other type) anywhere in the domain.com zone.
5. Restart your named services:
# sh /etc/rc.d/named restart
6. Now go back to the client server and create a file for the dynamic DNS update.
* Example content of the update.domain file:
server ns1.domain.com
zone domain.com
update delete domain.com. A
update delete *.domain.com. A
update add domain.com. 300 A 10.10.10.6
update add *.domain.com. 300 A 10.10.10.6
show
send
7. Run nsupdate to update your A record to your DNS server:
# nsupdate -k /path/to/Kuser.email.com.+157+16287.private -v update.domain
8. Successful output should look like this:
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;win-2u.com. IN SOA
;; UPDATE SECTION:
*.domain.com. 0 ANY A
*.domain.com. 300 IN A 10.10.10.6
9. nslookup your domain to check the latest A record; if your domain is still not updated, wait until the TTL value has expired (to check the value, run dig domain.com).
10. I have made an auto-update script for a host/client that uses a PPPoE connection (streamyx/unifi); just chmod 775 it and link the script with your ip-up files. It supports both FreeBSD userland ppp and mpd5:
http://azmawee.com/script/dyn_nsupdate/dyn_nsupdate.sh.txt
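As an added example (not the author's dyn_nsupdate.sh from step 10 and not part of the original post), here is a minimal POSIX sh updater that ties steps 6, 7 and 10 together: it validates the address handed over by the ppp hook, builds the same update.domain batch, skips the signed update when the published record already matches, and otherwise pipes the batch to nsupdate -k. The server, zone, TTL, key path and script name are assumptions.

```shell
#!/bin/sh
# Added example (not the author's dyn_nsupdate.sh): a small ip-up style
# updater. Server, zone, TTL and key path below are assumptions.
DDNS_SERVER=${DDNS_SERVER:-ns1.domain.com}
DDNS_ZONE=${DDNS_ZONE:-domain.com}
DDNS_TTL=${DDNS_TTL:-300}
DDNS_KEYFILE=${DDNS_KEYFILE:-/path/to/Kuser.email.com.+157+16287.private}
# Accept only a dotted quad with four octets in 0..255, so a bad or empty
# argument from the ppp hook is never fed into a signed update.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# Emit an nsupdate batch in the same layout as update.domain above: one
# delete/add pair per name, all sent as a single transaction.
build_update() {  # $1 = address, remaining args = owner names
    addr=$1; shift
    printf 'server %s\nzone %s\n' "$DDNS_SERVER" "$DDNS_ZONE"
    for name in "$@"; do
        printf 'update delete %s. A\n' "$name"
        printf 'update add %s. %s A %s\n' "$name" "$DDNS_TTL" "$addr"
    done
    printf 'send\n'
}
# First A record the authoritative server currently publishes for a name.
current_address() {
    dig +short "@$DDNS_SERVER" "$1." A | head -n 1
}
# Validate, skip the update if nothing changed, otherwise sign and send.
update_names() {  # $1 = new address, remaining args = owner names
    addr=$1; shift
    valid_ipv4 "$addr" || { echo "refusing bad address '$addr'" >&2; return 2; }
    [ "$(current_address "$1")" = "$addr" ] && return 0
    build_update "$addr" "$@" | nsupdate -k "$DDNS_KEYFILE"
}
# Hook entry point: the ppp daemon hands over the assigned address, e.g.
# sh ddns-up.sh 10.10.10.6
if [ $# -ge 1 ]; then
    update_names "$1" "$DDNS_ZONE" "*.$DDNS_ZONE"
fi
```

The change check means a host that dials up several times a day only sends a TSIG-signed update when its address actually moved, which also keeps the zone serial from climbing needlessly.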
* Millions of thanks to Najwa Latiff for creating amazing songs to listen to while working on the stuff above, and I have already bought your original album!!
** Also millions of thanks to benzy (freenode #mybsd) for testing out the script and reporting some bugs.
# Any comment, medals, threat letter, pizza (Domino's thin crust), Maggi (chicken flavor), F1 cars, sport rims, iPhone 4S (ohh prestige.. prestige…), Skylanders (to those who know what it is), or if you want to give me your money (preferred RM1 million), you can contact me at:
– maui[at]mybsd.org.my ; azmawee[at]azmawee.com