Running a secure DDNS service with BIND

If you lack of static ip for your home machines but would like to have static address to access them there is a simple setup to make on your primary DNS server to achieve that.

On our client side let’s generate some keys:

#replace keyname with anything
dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n HOST keyname

1 2	#replace keyname with anything dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n HOST keyname

This will results in creating Kkeyname.***.key and Kkeyname.***.private, we will need to copy key from *.private file which will look like this:

Key: pRP5FapFoJ95JEL06sv4PQ==

1	Key: pRP5FapFoJ95JEL06sv4PQ==

Now on server let us edit BIND configuration file (eg. named.conf or named.conf.local) and add:

key "keyname." {
  algorithm hmac-md5;
  secret "pRP5FapFoJ95JEL06sv4PQ==";
};

key "keyname." {

algorithm hmac-md5;

secret "pRP5FapFoJ95JEL06sv4PQ==";

};

From now on we can allow zone updates by editing zone declaration and adding allow-update:

zone "example.com" {
  type master;
  file "master/db.example.com";
  allow-update { key "keyname."; };
};

zone "example.com" {

type master;

file "master/db.example.com";

allow-update { key "keyname."; };

};

Last thing that we need to do on server i restart BIND

On client side we would need to use something capable of updating dns records (eg. nsupdate)

#!/bin/bash
# Script to update DNS zones on a remote server
# Copyright © 2005-2007 - Julien Valroff <julien@kirya.net>
# Parts of the script Copyright © 2001-2002 - Dag Wieers <dag@wieers.com>
 
KEY="/root/Kkeyname.+157+29630.private"
SERVER="ns.domain.com"
LOGFILE="/var/log/syslog"
PPP_IFACE="ppp0"
 
if [ "$PPP_LOCAL" != '' ]; then
   if [ "$PPP_IFACE" != "$PPP_IFACE" ]; then
      echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: ABORTED: Not updating dynamic IP \
        address $PPP_LOCAL (already done for $(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }'))" >>$LOGFILE 2>&1
      exit 0
   fi
   IPADDR=$PPP_LOCAL
   sleep 3
else
   IPADDR=$(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }')
fi
 
(
cat <<EOF | nsupdate -k "$KEY"
server $SERVER
zone example.com
update delete example.com. A
update add example.com. 60 A $IPADDR
update delete mail.example.com. A
update add mail.example.com. 60 A $IPADDR
send
EOF
 
  RC=$?
 
  if [ $RC != 0 ]; then
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: FAILURE: Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    (
        echo "Subject: DDNS update failed"
        echo
        echo "Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    ) | /usr/sbin/sendmail root
  else
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: SUCCESS: Updating dynamic IP $IPADDR on $SERVER succeeded"
  fi
) >>$LOGFILE 2>&1
 
exit $RC

#!/bin/bash

# Script to update DNS zones on a remote server

KEY="/root/Kkeyname.+157+29630.private"

SERVER="ns.domain.com"

LOGFILE="/var/log/syslog"

PPP_IFACE="ppp0"

if [ "$PPP_LOCAL" != '' ]; then

if [ "$PPP_IFACE" != "$PPP_IFACE" ]; then

echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: ABORTED: Not updating dynamic IP \

address $PPP_LOCAL (already done for $(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }'))" >>$LOGFILE 2>&1

exit 0

IPADDR=$PPP_LOCAL

sleep 3

else

IPADDR=$(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }')

(

cat <<EOF | nsupdate -k "$KEY"

server $SERVER

zone example.com

update delete example.com. A

update add example.com. 60 A $IPADDR

update delete mail.example.com. A

update add mail.example.com. 60 A $IPADDR

send

EOF

RC=$?

if [ $RC != 0 ]; then

echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: FAILURE: Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"

(

echo "Subject: DDNS update failed"

echo

echo "Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"

) | /usr/sbin/sendmail root

else

echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: SUCCESS: Updating dynamic IP $IPADDR on $SERVER succeeded"

) >>$LOGFILE 2>&1

exit $RC

Fixing BIND’s journal out of sync with zone error

When BIND stop to work and throw error like this:

zone example.com/IN: journal rollforward failed: journal out of sync with zone
zone example.com/IN: not loaded due to errors.

1 2	zone example.com/IN: journal rollforward failed: journal out of sync with zone zone example.com/IN: not loaded due to errors.

The simplest and fastest fix is by removing that journal file for zone

rm /var/cache/bind/zones/example.com.jnl

1	rm /var/cache/bind/zones/example.com.jnl

and then restart bind

service bind9 restart
# or
systemctl restart bind9

service bind9 restart

# or

systemctl restart bind9

Linux – Hide Bind version

If we would like to hide version of our bind server and make it harder for bot to sniff what version you use (assuming you always update 😉 ) you can make it by editing file: /etc/bind/named.conf.options:

#lets add this into 'options {'
version "unknown";
#or use other text in brackets

#lets add this into 'options {'

version "unknown";

#or use other text in brackets

Restart service:

service bind9 restart

1	service bind9 restart

Use dig to check that version you use now:

dig @example.com -c CH -t txt version.bind

1	dig @example.com -c CH -t txt version.bind

Linux – Own DNS server (bind9)

The second most important service for internet use is DNS server.

In my opinion www server (Apache/NginX) is most important part but DNS is just after it ;-). DNS service use very useful when we are managing your own domain.

Here is the simplest setup for own service:

apt-get install bind9
#config file
vim /etc/bind/named.conf.local
### named.conf.local ###
acl slaves {
        ip.adres.secondary.dns;
};

zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
        allow-transfer { slaves; };
};
### end named.conf.local ###
# this setup allow you to use your server as master-slave setup

vim /etc/bind/zones/db.example.com
### db.example.com ###
; example.com
$TTL    604800
@       IN      SOA     ns1.example.com. root.example.com. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      A       192.0.2.1
ns1     IN      A       192.0.2.1
mail    IN      A       192.0.2.128
www     IN      A       192.0.2.1
client1 IN      A       192.0.2.201
### end db.example.com ###

apt-get install bind9

#config file

vim /etc/bind/named.conf.local

### named.conf.local ###

acl slaves {

ip.adres.secondary.dns;

};

zone "example.com" {

type master;

file "/etc/bind/zones/db.example.com";

allow-transfer { slaves; };

};

### end named.conf.local ###

# this setup allow you to use your server as master-slave setup

vim /etc/bind/zones/db.example.com

### db.example.com ###

; example.com

$TTL 604800

@ IN SOA ns1.example.com. root.example.com. (

2006020201 ; Serial

604800 ; Refresh

86400 ; Retry

2419200 ; Expire

604800); Negative Cache TTL

;

@ IN NS ns1

IN MX 10 mail

IN A 192.0.2.1

ns1 IN A 192.0.2.1

mail IN A 192.0.2.128

www IN A 192.0.2.1

client1 IN A 192.0.2.201

### end db.example.com ###

Everytime we add ‘zone’ file we need to restart server:

service bind9 restart

1	service bind9 restart

M	T	W	T	F	S	S
« Jul
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31