SecureDynamicDnsWithBind (09 Nov 2007, Main.AndrewPantyukhin)

Secure Dynamic DNS with BIND

10 Oct 2007 - 07:19:11 by in General

Legend

  • heka.cenkes.org is the server
  • saiph.cenkes.org is a client; it connects to stream with mpd(8)
  • nekkar.cenkes.org is a client; it connects to mtu with ppp(8)
  • all machines run FreeBSD with a recent BIND from the base system (9.[34].x at the time of writing)
  • stream is an ISP
  • mtu is an ISP

Configure a dynamic zone

heka% cd /etc/namedb/
heka% cat named.conf
<...>
zone "cenkes.org" {
   type master;
   file "master/cenkes.org";
   update-policy { grant * self *; };
};
<...>
heka# chown bind master master/cenkes.org

Generate and use saiph certificate

saiph% cd /etc/namedb/
saiph# dnssec-keygen -a DSA -b 1024 -k -n host saiph.cenkes.org.
saiph% ls Ksaiph.cenkes.org*
Ksaiph.cenkes.org.+003+37329.key
Ksaiph.cenkes.org.+003+37329.private
saiph% scp Ksaiph.cenkes.org.+003+37329.key heka:/tmp
heka# cat /tmp/Ksaiph.cenkes.org.+003+37329.key >> master/cenkes.org

Try it

saiph# printf "update add saiph.cenkes.org. 123 A 1.2.3.4\nsend\n"|\
saiph> nsupdate -k Ksaiph.cenkes.org.+003+37329.private

Automate

saiph

saiph% cat /usr/local/etc/mpd4/mpd.conf
stream:
   set iface up-script /usr/local/etc/mpd4/stream-up.sh
   <...>
saiph% cat /usr/local/etc/mpd4/stream-up.sh
#!/bin/sh
# mpd runs the up-script as: interface proto local-ip remote-ip ...
# Remember the previous address so its host route can be removed below.
oldip=$(cat /var/run/stream-ip 2>/dev/null)
if [ "$#" -ge 3 ]; then
 newip="${3%/*}"                # strip the /prefix mpd appends
 echo "$newip" > /var/run/stream-ip
else
 newip=$oldip
fi
(
# Give the link a few seconds before nsupdate is run (see Caveats).
sleep 15
route delete $oldip
route add $newip -iface lo0
echo "`date` - Yay! - $newip" >> /var/log/stream-up.log
printf "update delete saiph.cenkes.org. A\n\
 update add saiph.cenkes.org. 300 A $newip\n\
 send\n" |\
nsupdate -k /etc/namedb/Ksaiph.cenkes.org.+003+37329 > /dev/null
# saiph is a slave for the zone: pull the fresh copy right away.
rndc retransfer cenkes.org
)&

nekkar

nekkar% cat /etc/ppp/ppp.linkup
mtu:
   !bg /usr/local/sbin/ddclient
   !bg /etc/ppp/stream-up-nekkar.sh 0 0 MYADDR
nekkar% cat /etc/ppp/stream-up-nekkar.sh
#!/bin/sh
# ppp.linkup runs this as "script 0 0 MYADDR", so $3 is the new address.
oldip=$(cat /var/run/stream-ip 2>/dev/null)
if [ "$#" -ge 3 ]; then
 newip="${3%/*}"
 echo "$newip" > /var/run/stream-ip
else
 newip=$oldip
fi
(
# Give the link a few seconds before nsupdate is run (see Caveats).
sleep 15
echo "`date` - Yay! - $newip" >> /var/log/stream-up.log
printf "update delete nekkar.cenkes.org. A\n\
 update add nekkar.cenkes.org. 300 A $newip\n\
 send\n" |\
nsupdate -k /etc/namedb/Knekkar.cenkes.org.+003+36544 > /dev/null
)&
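Both up-scripts push whatever address they are handed and re-run nsupdate on every link-up. As an added example (mine, not from the post), here is a stricter core for such a script: it accepts only a real dotted quad, sends an update only when the address actually changed, and keeps the nsupdate batch in a function you can inspect before it is signed with the key. The host and key base name are the post's; STATE, TTL and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Host and key base name are
# taken from the post; STATE and TTL are assumptions you can override
# before calling update_address.
HOST="saiph.cenkes.org."
KEYFILE="/etc/namedb/Ksaiph.cenkes.org.+003+37329"
STATE="/var/run/stream-ip"
TTL=300

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# bad or empty argument from the PPP daemon never becomes an A record.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# nsupdate_script HOST TTL ADDR: print the batch that replaces HOST's A
# record(s); deleting first means a stale address never lingers.
nsupdate_script() {
    printf 'update delete %s A\nupdate add %s %s A %s\nsend\n' "$1" "$1" "$2" "$3"
}

# update_address NEWADDR[/prefix]: record the address and push it to BIND
# only when it is valid (else return 2) and differs from the last one
# recorded (else return 1), so a flapping link does not hammer the zone.
update_address() {
    new="${1%/*}"
    valid_ipv4 "$new" || { echo "refusing bad address: $1" >&2; return 2; }
    if [ -r "$STATE" ]; then old=$(cat "$STATE"); else old=""; fi
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$STATE"
    nsupdate_script "$HOST" "$TTL" "$new" | nsupdate -k "$KEYFILE"
}
```

Because `grant * self *` lets a key change only the records at its own name, the client's .private file is the thing to protect: keep it mode 0600, owned by the user that runs the script.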

Caveats

  • nsupdate(8) is quirky. Sometimes it doesn't work, sometimes it dumps core (named 9.4.1-P1). Running it a few seconds (e.g. 15) after the link is up helps.
  • Very conveniently, the zone serial number is bumped automatically and NOTIFY messages are sent right after each update.

Topic revision: r3 - 09 Nov 2007 - 18:33:20 - Main.AndrewPantyukhin