Kroko Just another WordPress weblog

March 29, 2009

RUNNING A SECURE DDNS SERVICE WITH BIND

Filed under: Linux — Tags: , , — admin @ 5:22 pm

This article will give you a short introduction to DDNS, and will only apply to a precise example. I will not detail the reasons of my choice. However, the links provided at the end of the document will allow you further understand the uses that can be made of DDNS.

REQUIREMENTS

  • 2 machines running GNU/Linux: one at home with a dynamic IP, the other elsewhere with a fix IP
  • BIND 9.2.0 or newer should be installed on the external machine (and act as primary DNS for your domain – the setup won’t be detailed here)
  • the nsupdate utility on your router at home. This comes as part of the dnsutilsDebian package.

GENERATING THE KEY

Updates being initiated from the client, the process needs to be secured by a TSIG key:”(TSIG keys are symmetric HMAC-MD5 keys; although asymmetric SIG keys can also be used, the set up is a bit more complicated)”:.

On the external machine running BIND 9, run as root:

dnssec-keygen -a HMAC-MD5 -b 512 -n HOST <keyname>

where <keyname> should be replaced by a whatever name you want, and 512 is the key size (512 is the maximum with the HMAC-MD5 algorithm).

This will generate 2 files like Kkeyname.+157+12505.key andKkeyname.+157+12505.private. Both files should remain private (remember, we work with symmetric key).

ON THE SERVER SIDE

Both files created before do contain the secret key, which needs to be set up on the BIND configuration file (eg.named.conf or named.conf.local in Debian) as follows:

key "keyname." {
  algorithm hmac-md5;
  secret "v9BhsbwDu4q95g/Gf/EiXA==";
};

Once this is defined, you can start using this shared secret in the definition of your zone:

zone "example.com" {
  type master;
  file "master/db.example.com";
  allow-update { key "keyname."; };
};

The BIND service should obviously be reloaded to start using the new configuration:

# /etc/init.d/bind9 reload

ON THE CLIENT SITE

UPDATING THE ZONE WHEN YOUR DSL PROVIDER IP CHANGES – NSUPDATE

If you can’t get a fix IP address from your xDSL provider and still want to host your server at home, you can use third services companies like DynDNS.org or Zonedit.com, but did you know you can set up a secure DDNS service using the BIND DNS server and the nsupdate utility. Still, you need to have control on a machine with a static IP somewhere on the public Internet.

nsupdate is the tool needed to update the IP on the DNS server. You can use it manually whenever you want (see manpage for additional information), or in scripts run automatically by cron or, better, directly by ppp through the ppp-ip facilty.

In Debian, save the following script as /etc/ppp/ip-up.d/ddupdate, change the options at the top of the file and make it executable:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/bin/bash
# Script to update DNS zones on a remote server
# Copyright © 2005-2007 - Julien Valroff <julien@kirya.net>
# Parts of the script Copyright © 2001-2002 - Dag Wieers <dag@wieers.com>

KEY="/root/Kkeyname.+157+29630.private"
SERVER="ns.domain.com"
LOGFILE="/var/log/syslog"
PPP_IFACE="ppp0"

if [ "$PPP_LOCAL" != '' ]; then
   if [ "$PPP_IFACE" != "$PPP_IFACE" ]; then
      echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: ABORTED: Not updating dynamic IP \
        address $PPP_LOCAL (already done for $(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }'))" >>$LOGFILE 2>&1
      exit 0
   fi
   IPADDR=$PPP_LOCAL
   sleep 3
else
   IPADDR=$(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }')
fi

(
cat <<EOF | nsupdate -k "$KEY"
server $SERVER
zone example.com
update delete example.com. A
update add example.com. 60 A $IPADDR
update delete mail.example.com. A
update add mail.example.com. 60 A $IPADDR
send
EOF

  RC=$?

  if [ $RC != 0 ]; then
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: FAILURE: Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    (
        echo "Subject: DDNS update failed"
        echo
        echo "Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    ) | /usr/sbin/sendmail root
  else
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: SUCCESS: Updating dynamic IP $IPADDR on $SERVER succeeded"
  fi
) >>$LOGFILE 2>&1

exit $RC

Next time your connection will be restarted, the IP will be updated on your DNS server, and you’ll see an entry in your log file:
Mar 12 18:43:26 athena ddupdate[14507]: SUCCESS: Updating dynamic IP 81.13.52.124 on ns.domain.com succeeded
An e-mail will alert the system administrator in case the update fails.

Remember to use low TTL for the zone which is meant to be updated, 60 seconds seems to be a good value.

UPDATING THE DNS WITH DYNAMIC IP ON YOUR LOCAL NETWORK – DHCPD

DDNS can also be used in conjunction with dhcpd to dynamically update the DNS when a machine is given an IP. A very detailed article was written by Adam Trickett for debian-administration.org to explain this setup.

COMBINE BOTH METHODS WITH A ROADWARRIOR CLIENT

I plan to combine the methods described earlier to allow a roadwarrior to be reachable by its name wherever it is located.

When out of the company, the roadwarrior is connected to the network through a secureOpenVPN tunnel. Thanks to the --client-connect and --client-disconnectdirectives, the OpenVPN server can update the DNS entry for the given host (cf.ifconfig_pool_remote_ip and common_name environmental variables in OpenVPN man page).

When directly connected to the local network, the roadwarrior gets an IP from the DHCP server which updates the DNS.

I haven’t yet worked on this setup, and am not sure it would be very useful, but this is an example of use of dynamic DNS.

OTHER (MORE DETAILED) ARTICLES ON DDNS

As usual, here are some external resources which helped me writing this article, and which will allow you to study the DDNS methods in details:

  • ISC BIND homepage: www.isc.org/index.pl?/sw/bind/
  • ISC DHCP homepage: www.isc.org/index.pl?/sw/dhcp/
  • www.oceanwave.com/technical-resources/unix-admin/nsupdate.html
  • ops.ietf.org/dns/dynupd/secure-ddns-howto.html
  • dag.wieers.com/howto/bits/bind-ddns.php
  • linux.yyz.us/nsupdate/

Powered by WordPress