If you lack a static IP for your home machines but would like a static address to access them, there is a simple setup you can make on your primary DNS server to achieve that.
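On the client side, let's generate a key. HMAC-MD5 is used below, but it is deprecated for TSIG; newer BIND releases generate TSIG keys with tsig-keygen (default hmac-sha256) instead of dnssec-keygen, and whichever algorithm you pick must match the algorithm line in the server configuration.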
# replace keyname with anything
dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n HOST keyname
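This creates two files, Kkeyname.***.key and Kkeyname.***.private. We need to copy the key from the *.private file, which looks like the line below. The key is a shared secret: anyone who holds it can update the zone, so keep the *.private file readable only by root and generate your own key rather than reusing the published sample.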
Key: pRP5FapFoJ95JEL06sv4PQ==
Now, on the server, let us edit the BIND configuration file (e.g. named.conf or named.conf.local) and add:
// TSIG key used to authenticate dynamic updates. The algorithm here matches
// the "-a HMAC-MD5" option the key was generated with on the client.
key "keyname." {
algorithm hmac-md5;
// Base64 value copied from the "Key:" line of the client's *.private file.
// This is the sample printed on this page; use your own key and keep the
// file that holds it unreadable to other users.
secret "pRP5FapFoJ95JEL06sv4PQ==";
};
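From now on we can allow zone updates by editing the zone declaration and adding allow-update. Note that allow-update lets the key holder change any record in the zone; BIND's update-policy statement can be used instead to restrict a key to specific names and record types.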
zone "example.com" {
type master;
file "master/db.example.com";
// Accept dynamic updates signed with the "keyname." key. The grant covers
// every record in the zone, not only the names the client script rewrites.
allow-update { key "keyname."; };
};
The last thing we need to do on the server is restart BIND.
On the client side we need something capable of updating DNS records (e.g. nsupdate):
#!/bin/bash
# Script to update DNS zones on a remote server
# Copyright © 2005-2007 - Julien Valroff <julien@kirya.net>
# Parts of the script Copyright © 2001-2002 - Dag Wieers <dag@wieers.com>
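# TSIG private key written by dnssec-keygen. Whoever can read this file can
# update the zone, so keep it readable by root only.
KEY="/root/Kkeyname.+157+29630.private"
SERVER="ns.domain.com"
# NOTE(review): this appends straight to the file syslogd writes; logger(1)
# would be the cleaner route, but the original destination is kept here.
LOGFILE="/var/log/syslog"
# Remember the interface name the caller exported (if any) before the
# configuration line below reuses PPP_IFACE. Without this the "wrong
# interface" check compares the variable with itself and can never fire.
CALLER_IFACE="${PPP_IFACE:-}"
PPP_IFACE="ppp0"

# Append one syslog-style line to $LOGFILE.
# Arguments: the message text.
log() {
  printf '%s %s ddupdate[%s]: %s\n' \
    "$(LANG=C date +'%b %e %X')" "$(hostname)" "$$" "$*" >>"$LOGFILE" 2>&1
}

# Print the first IPv4 address configured on $PPP_IFACE, without any /prefix.
# Matching the "inet" field exactly keeps inet6 lines out of the result.
iface_ipv4() {
  ip -4 addr show dev "$PPP_IFACE" \
    | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# PPP_LOCAL and PPP_IFACE are expected from the environment when a PPP
# link-up hook runs this script (assumption, confirm for your setup); when
# PPP_LOCAL is absent the address is read from the interface instead.
if [ -n "${PPP_LOCAL:-}" ]; then
  if [ -n "$CALLER_IFACE" ] && [ "$CALLER_IFACE" != "$PPP_IFACE" ]; then
    log "ABORTED: Not updating dynamic IP address $PPP_LOCAL (already done for $(iface_ipv4))"
    exit 0
  fi
  IPADDR=$PPP_LOCAL
  sleep 3
else
  IPADDR=$(iface_ipv4)
fi

# IPADDR is pasted into the nsupdate command stream below, so accept nothing
# but a plain dotted quad. This also stops an empty value from deleting the
# A records without putting a replacement in place.
if ! [[ "$IPADDR" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  log "FAILURE: Refusing to update $SERVER: '$IPADDR' is not an IPv4 address"
  exit 1
fi

# Run nsupdate in the main shell (not in a subshell) so that RC is still set
# when the script exits and a failed update is reported to the caller.
nsupdate -k "$KEY" >>"$LOGFILE" 2>&1 <<EOF
server $SERVER
zone example.com
update delete example.com. A
update add example.com. 60 A $IPADDR
update delete mail.example.com. A
update add mail.example.com. 60 A $IPADDR
send
EOF
RC=$?

if [ "$RC" -ne 0 ]; then
  log "FAILURE: Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
  # Mail root as well, since a stale record makes the host unreachable by name.
  {
    echo "Subject: DDNS update failed"
    echo
    echo "Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
  } | /usr/sbin/sendmail root >>"$LOGFILE" 2>&1
else
  log "SUCCESS: Updating dynamic IP $IPADDR on $SERVER succeeded"
fi

exit "$RC"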