Adventures in DDNS Part 1

In order to provide some simplicity in accessing my new Xen hosts, I decided to set up BIND. Since I've done static DNS tons of times, I figured it was time to try some Dynamic DNS, or DDNS, out.

Dynamic DNS is a method of updating your DNS server without having to reload the configuration. If set up wrong, it can be a huge security hazard. Fortunately, securing it fairly well isn't that hard -- just setting up a shared key and one BIND option.

Once BIND is set up, you'll need to have some way to tell it what to update. I chose to use DHCP. This way, whenever a Xen client comes online, it can grab an address via DHCP and DHCP can then tell DNS to update the A and PTR records accordingly.

As usual, I'll be using Debian for this.

Setting up DHCP for DDNS is pretty straightforward. First, you'll need a DHCP package that supports DDNS.

apt-get install dhcp3-server

Next, edit the /etc/dhcp3/dhcpd.conf file to add a few DDNS-specific config options.

server-identifier servername;
authoritative;
ddns-update-style interim;

Of first interest is the ddns-update-style declaration. Currently, there are two valid options: ad-hoc and interim. The dhcpd.conf man page says ad-hoc is deprecated and should not be used. Well, that leaves interim. What exactly is interim?

interim provides two main features. The first lets the client pick its own name rather than having the server assign one; the DHCP server can always be configured to prevent this, though. The second is prevention of duplicate naming. If you have a pool of DHCP servers, interim does some nice magic with TXT records and MD5 to prevent another server from serving an already used address.

Next, add a key statement to the dhcpd.conf file. To create a key, run the following command:

dnssec-keygen -a hmac-md5 -b 128 -n host example.com

where example.com is the domain you're setting DDNS up for.

After that command is run, there will be a corresponding .key file. Inside, there will be a statement similar to the following:

key MYKEY {
    algorithm hmac-md5;
    secret "blargh";
};

Copy this statement to the dhcpd.conf file.

Now add some zone records to dhcpd.conf. This tells DHCP what zones it's allowed to try and edit.

zone example.com. {
    primary 127.0.0.1;
    key MYKEY;
}

zone 1.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key MYKEY;
}

The primary tells DHCP where to look for the authoritative name server. The key statement is self-explanatory.

Finally, add your usual DHCP subnet block.

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.20;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name "example.com";
    one-lease-per-client on;
    default-lease-time 604800;
    max-lease-time 604800;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}

The domain-name option needs to match up with one of your zone entries.

Now it's time to configure BIND. This is a lot shorter.

First, add the corresponding key statement to named.conf. Just copy and paste the same one from dhcpd.conf.

Next, add an allow-update statement to your zone entry:

zone "example.com" {
    type master;
    notify no;
    file "/etc/bind/zones/example";
    allow-update { key MYKEY; };
};

Do the same thing for the reverse zone.

Finally, make sure the user BIND runs as has permission to write to the directory holding your zone files, since BIND will create journal files in there.
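The security of this whole setup rests on the two files agreeing: every zone dhcpd is allowed to update must, in named.conf, accept updates from exactly that key and nothing wider (an `allow-update { any; };` slipped in while testing silently lets anyone on the network rewrite the zone). The following audit script is an added example, not part of the original post or of ISC's tooling; it embeds constructed fragments modelled on the dhcpd.conf and named.conf above, with the reverse zone deliberately left open so the check has something to report, and also verifies the domain-name option names one of the dhcpd zones.

```python
import re

# Constructed fragments mirroring the article's dhcpd.conf and named.conf; the
# reverse zone deliberately has an open allow-update for the audit to catch.
DHCPD_CONF = """
ddns-update-style interim;
key MYKEY { algorithm hmac-md5; secret "blargh"; };
zone example.com. { primary 127.0.0.1; key MYKEY; }
zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key MYKEY; }
subnet 192.168.1.0 netmask 255.255.255.0 { option domain-name "example.com"; }
"""
NAMED_CONF = """
key MYKEY { algorithm hmac-md5; secret "blargh"; };
zone "example.com" { type master; allow-update { key MYKEY; }; };
zone "1.168.192.in-addr.arpa" { type master; allow-update { any; }; };
"""

def norm(name):  # zone names: case-insensitive, trailing dot optional
    return name.rstrip('.').lower()

def blocks(text, kind):
    """Yield (name, body) for each `kind name { ... }`, counting braces so nested
    sub-statements such as allow-update { ... } stay inside the body."""
    for m in re.finditer(r'\b%s\s+"?([^\s"{]+)"?\s*\{' % kind, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def audit(dhcpd_conf, named_conf):
    """Return findings; empty means each zone dhcpd may update is locked in
    named.conf to exactly the TSIG key dhcpd signs with, and nothing wider."""
    findings = []
    # A key is usable only if the same name is declared on both sides.
    keys = {n for n, _ in blocks(dhcpd_conf, 'key')} & {n for n, _ in blocks(named_conf, 'key')}
    bind_zones = {norm(n): b for n, b in blocks(named_conf, 'zone')}
    dhcp_zones = {norm(n): b for n, b in blocks(dhcpd_conf, 'zone')}
    for zone, body in dhcp_zones.items():
        m = re.search(r'\bkey\s+(\S+);', body)
        key = m.group(1) if m else None
        if key not in keys:
            findings.append(f'{zone}: dhcpd key {key} is not declared in both files')
            continue
        upd = re.search(r'allow-update\s*\{([^}]*)\}', bind_zones.get(zone, ''))
        acl = [t.strip() for t in (upd.group(1) if upd else '').split(';') if t.strip()]
        if acl != [f'key {key}']:  # `any;`, a missing zone, or a different key all fail
            findings.append(f"{zone}: allow-update is {'; '.join(acl) or 'missing'}, expected only 'key {key}'")
    dn = re.search(r'option\s+domain-name\s+"([^"]+)";', dhcpd_conf)
    if not dn or norm(dn.group(1)) not in dhcp_zones:
        findings.append('option domain-name does not name one of the dhcpd zones')
    return findings
```

Running audit(DHCPD_CONF, NAMED_CONF) reports only the reverse zone's open allow-update; point it at your real files (read them in with open()) once both sides are in place.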

Once you have all of that done, your DNS and DHCP servers are ready for DDNS. In Part 2, we'll look at client configuration.
