Azmawee 127.0.0.1

"Mauiwagen. Das Server." – pub 4096R/712DAA69

Dynamic DNS with nsupdate (bind)

Let’s get started!

1. Create a TSIG key with dnssec-keygen on the client; the key name here is derived from the user's email address (user.email.com.):

# dnssec-keygen -a HMAC-MD5 -b 512 -n USER user.email.com.
Kuser.email.com.+157+16287
# more Kuser.email.com.+157+16287.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: HJd+RVWNsPB4obNtOlSF6C/QWK5+1EWMI6h/YHrYVQZ10KRmfISGXLioA+3kCLjoje0HmkjtkqxVNeSEKZKjhw==
Bits: AAA=

2. Save the key. It has to be installed on the DNS server that handles your domain, so either do that yourself or hand it to your DNS admin.

3. On the DNS server, create keys.conf in /etc/namedb (or anywhere) and put the "Key:" value from the private key file on the “secret” line.

* Sample of keys.conf:

key user.email.com. {
    algorithm HMAC-MD5;
    secret "HJd+RVWNsPB4obNtOlSF6C/QWK5+1EWMI6h/YHrYVQZ10KRmfISGXLioA+3kCLjoje0HmkjtkqxVNeSEKZKjhw==";
};

** The keys.conf file needs to be owned by bind:wheel, so:

# chown bind:wheel keys.conf

*** You can chmod 600 this file for more security; the secret is the only thing that authorizes updates.

4. Edit or create the zone file for your domain and put it in /etc/namedb/dynamic/

* Sample of zone file:

$TTL 1H
@           1H   IN   SOA   ns1.domain.com. admin.domain.com. (
                            2011122801 ; Serial
                            30M        ; Refresh
                            15M        ; Retry
                            1W         ; Expire
                            30M )      ; MIN TTL
;
@           IN   NS      ns1.domain.com.
@           IN   NS      ns2.domain.com.
@           IN   MX  20  mx.domain.com.
;
@           IN   A       192.168.1.1
ns1         IN   A       192.168.1.1
ns2         IN   A       192.168.1.2
www         IN   A       192.168.1.1
mx          IN   A       192.168.1.1
pop3        IN   A       192.168.1.1
smtp        IN   A       192.168.1.1

4. Edit your /etc/namedb/named.conf, and add these:

include "keys.conf";

zone "domain.com" {
    type master;
    file "/etc/namedb/dynamic/domain.com";
    // must match the key name declared in keys.conf (user.email.com.)
    allow-update { key user.email.com.; };
};

* Below is an example config for finer control/security if you have multiple users each updating their own subdomain.

zone "domain.com" {
    type master;
    file "/etc/namedb/dynamic/domain.com";
    update-policy {
        grant user2.email.com. name subdomain2.domain.com. A TXT;
        grant user3.email.com. name subdomain3.domain.com. A TXT;
        grant user.email.com. subdomain domain.com. ANY;
    };
};

** In the example above, the user2.email.com. key can only update its own subdomain, subdomain2.domain.com; the same goes for the user3.email.com. key, while the user.email.com. key can update all of the records in the domain.com zone.

5. Restart your named services:

# sh /etc/rc.d/named restart

6. Now go back to the client and create a file holding the dynamic DNS update.

* Example content of the update.domain file:

server ns1.domain.com
zone domain.com
update delete domain.com. A
update delete *.domain.com. A
update add domain.com. 300 A 10.10.10.6
update add *.domain.com. 300 A 10.10.10.6
show
send

7. Run nsupdate to update your A record to your DNS server:

# nsupdate -k /path/to/Kuser.email.com.+157+16287.private -v update.domain
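As an added example (not the author's dyn_nsupdate.sh and not BIND code), a POSIX sh fragment that generates the step 6 batch from an address handed in by a PPP ip-up hook, rejects anything that is not a plain IPv4 address before it reaches the zone, and refuses to run with a key file that other accounts can read. SERVER, ZONE and KEYFILE are placeholders to fill in.

```shell
#!/bin/sh
# Added example, not the author's dyn_nsupdate.sh: build and push the step 6
# batch from a PPP ip-up hook. SERVER, ZONE and KEYFILE are placeholders.
SERVER=ns1.domain.com
ZONE=domain.com
KEYFILE=/path/to/Kuser.email.com.+157+16287.private

# Accept only a dotted-quad IPv4 address, so a stray value from the hook can
# never be written into the zone or interpreted as an nsupdate command.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print the nsupdate batch: delete the apex and wildcard A records, then add
# them back with the new address and a short TTL (same shape as step 6).
build_update() {
    server=$1; zone=$2; ip=$3; ttl=${4:-300}
    valid_ipv4 "$ip" || return 1
    printf 'server %s\nzone %s\n' "$server" "$zone"
    printf 'update delete %s. A\nupdate delete *.%s. A\n' "$zone" "$zone"
    printf 'update add %s. %s A %s\nupdate add *.%s. %s A %s\nsend\n' \
        "$zone" "$ttl" "$ip" "$zone" "$ttl" "$ip"
}

# The TSIG secret is the entire authorisation for the zone, so refuse to run
# with a key file that other accounts can read (step 3's chmod 600).
key_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c2-10) in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point for the hook: push_update <new-local-ip>
push_update() {
    key_is_private "$KEYFILE" || { echo "$KEYFILE must be mode 600" >&2; return 1; }
    build_update "$SERVER" "$ZONE" "$1" | nsupdate -k "$KEYFILE"
}
```

Newer BIND releases create TSIG keys with tsig-keygen (default hmac-sha256) instead of dnssec-keygen; the batch format and the -k flag are unchanged.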

8. Successful output should look like this:

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;win-2u.com.                    IN      SOA

;; UPDATE SECTION:
*.domain.com.           0       ANY     A
*.domain.com.           300 IN   A       10.10.10.6

9. nslookup your domain to check the latest A record. If your domain is still not updated, wait until the TTL has expired (to check the value, run dig domain.com).

10. I have made an auto-update script for a host/client that uses a PPPoE connection (Streamyx/Unifi); just chmod 775 it and link the script with your ip-up files. It supports both FreeBSD userland ppp and mpd5:

http://azmawee.com/script/dyn_nsupdate/dyn_nsupdate.sh.txt

* Millions of thanks to Najwa Latiff for creating amazing songs to listen to while working on the stuff above; I have already bought your original album!!

** Also millions of thanks to benzy (freenode #mybsd) for testing out the script and reporting some bugs.

# Any comments, medals, threat letters, pizza (Domino's thin crust), Maggi (chicken flavor), F1 cars, sport rims, an iPhone 4S (ohh prestige.. prestige…), Skylanders (for those who know what it is), or if you want to give me your money (preferred: RM1 million), you can contact me at:

– maui[at]mybsd.org.my ; azmawee[at]azmawee.com
