{"id":255457,"date":"2016-04-08T22:02:56","date_gmt":"2016-04-08T14:02:56","guid":{"rendered":"http:\/\/blog.zhenglei.net\/?p=255457"},"modified":"2016-04-10T21:13:50","modified_gmt":"2016-04-10T13:13:50","slug":"debian-dynamic-dns","status":"publish","type":"post","link":"https:\/\/blog.zhenglei.net\/?p=255457","title":{"rendered":"Debian Dynamic DNS"},"content":{"rendered":"

http:\/\/perceptionistruth.com\/2013\/05\/running-your-own-dynamic-dns-service-on-debian\/<\/a><\/p>\n

\n

Running your own Dynamic DNS Service (on Debian)<\/h1>\n
May 10, 2013<\/a><\/span> tony<\/a><\/span><\/span> 6 Comments<\/a><\/span><\/div>\n<\/header>\n
\n

I used to have a static IP address on my home ADSL connection, but then I moved to BT Infinity, and they don\u2019t provide that ability.\u00a0 For whatever reason, my Infinity connection resets a few times a week, and it always results in a new IP address.<\/p>\n

Since I wanted to be able to connect to a service on my home IP address, I signed up to dyn.com and used their free service for a while, using a CNAME with my hosting provider (Gandi) so that I could use a single common host, in my own domain, and point it to the dynamic IP host and hence, dynamic IP address.<\/p>\n

While this works fine, I\u2019ve had a few e-mails from dyn.com where either the update process hasn\u2019t been enough to prevent the \u201930 day account closure\u2019 process, or in recent times, a mail saying they\u2019re changing that and you now need to log in on the website once every 30 days to keep your account.<\/p>\n

I finally decided that since I run a couple of VPSs, and have good control over DNS via Gandi, I may as well run my own bind9 service and use the dynamic update feature to handle my own dynamic DNS needs.\u00a0 Side note: I think Gandi do support DNS changes through their API, but I couldn\u2019t get it working.\u00a0 Also, I wanted something agnostic of my hosting provider in case I ever move DNS in future (I\u2019m not planning to, since I like Gandi very much).<\/p>\n

The basic elements of this are,<\/p>\n

    \n
  1. a bind9 service running somewhere, which can host the domain and accept the updates.<\/li>\n
  2. delegation of a subdomain to that bind9 service.\u00a0 Since Gandi runs my top level domain for me, I need to create a subdomain and delegate to it, and then make dynamic updates into that subdomain.\u00a0 I can still use CNAMEs in the top level domain to hide the subdomain if I wish.<\/li>\n
  3. configuration of the bind9 service to accept secure updates.<\/li>\n
  4. a script to do the updates.<\/li>\n<\/ol>\n

    In the interests of not re-inventing the wheel, I copied most of the activity from this post<\/a>.\u00a0 But I\u2019ll summarise it here in case that ever goes away.<\/p>\n

    Installing \/ Configuring bind9<\/h4>\n

    You\u2019ll need somewhere to run a DNS (bind9 in my case) service.\u00a0 This can\u2019t be on the machine with the dynamic IP address for obvious reasons.\u00a0 If you already have a DNS service somewhere, you can use that, but for me, I installed it on one of my Debian VPS machines.\u00a0 This is of course trivial with Debian (I don\u2019t use sudo, so you\u2019ll need to be running as root to execute these commands),<\/p>\n

    apt-get install bind9 bind9-doc<\/pre>\n
    If the machine you\u2019ve installed bind9 onto has a firewall, don\u2019t forget to open ports 53 (both TCP and UDP).\u00a0 You now need to choose and configure your subdomain.\u00a0 You\u2019ll be creating a single zone, and allowing dynamic updates.<\/p>\n
    The default config for bind9 on Debian is in \/etc\/bind, and that includes zone files.\u00a0 However, dynamically updated zones need a journal file, and need to be modified by bind.\u00a0 I didn\u2019t even bother trying to put the file into \/etc\/bind, on the assumption bind won\u2019t have write access, so instead, for dynamic zones, I decided to create them in \/var\/lib\/bind.\u00a0 I avoided \/var\/cache\/bind because the cache directory, in theory, is for transient files that applications can recreate.\u00a0 Since bind can\u2019t recreate the zone file entirely, it\u2019s not appropriate to store it there.<\/p>\n
    I added this section to \/etc\/bind\/named.conf.local,<\/p>\n
    \/\/ Dynamic zone\r\n  zone \"home.example.com\" {\r\n    type master;\r\n    file \"\/var\/lib\/bind\/home.example.com\";\r\n    update-policy {\r\n      \/\/ allow host to update themselves with a key having their own name\r\n      grant *.home.example.com self home.example.com.;\r\n    };\r\n  };<\/pre>\n
    This sets up the basic entry for the master zone on this DNS server.<\/p>\n
    Create Keys<\/h4>\n
    So I\u2019ll be honest, I\u2019m following this section mostly by rote from the article I linked.\u00a0 I\u2019m pretty sure I understand it, but just so you know.\u00a0 There are a few ways of trusting dynamic updates, but since you\u2019ll likely be making them from a host with a changing IP address, the best way is to use a shared secret.\u00a0 That secret is then held on the server and used by the client to identify itself.\u00a0 The configuration above allows hosts in the subdomain to update their own entry, if they have a key (shared secret) that matches the one on the server.\u00a0 This stage creates those keys.<\/p>\n
    This command creates two files.\u00a0 One will be the server copy of the key file, and can contain multiple keys, the other will be a single file named after the host that we\u2019re going to be updating, and needs to be moved to the host itself, for later use.<\/p>\n
    ddns-confgen -r \/dev\/urandom -q -a hmac-md5 -k thehost.home.example.com -s thehost.home.example.com. | tee -a \/etc\/bind\/home.example.com.keys > \/etc\/bind\/key.thehost.home.example.com<\/pre>\n
    The files will both have the same content, and will look something like this,<\/p>\n
    key \"host.home.example.com\" {\r\nalgorithm hmac-md5;\r\nsecret \"somesetofrandomcharacters\";\r\n};<\/pre>\n
    You should move the file key.thehost.home.example.com to the host which is going to be doing the updating.\u00a0 You should also change the permissions on the home.example.com.keys file,<\/p>\n
    chown root:bind \/etc\/bind\/home.example.com.keys\r\nchmod u=rw,g=r,o= \/etc\/bind\/home.example.com.keys<\/pre>\n
    You should now return to \/etc\/bind\/named.conf.local and add this section (to use the new key you have created),<\/p>\n
    \/\/ DDNS keys\r\ninclude \"\/etc\/bind\/home.example.com.keys\";<\/pre>\n
    With all that done, you\u2019re ready to create the empty zone.<\/p>\n
    Creating the empty Zone<\/h4>\n
    The content of the zone file will vary, depending on what exactly you\u2019re trying to achieve.\u00a0 But this is the one I\u2019m using.\u00a0 This is created in \/var\/lib\/bind\/home.example.com,<\/p>\n
    $ORIGIN .\r\n$TTL 300 ; 5 minutes\r\nhome.example.com IN SOA nameserver.example.com. root.example.com. (\r\n    1 ; serial\r\n    3600 ; refresh (1 hour)\r\n    600 ; retry (10 minutes)\r\n    604800 ; expire (1 week)\r\n    300 ; minimum (5 minutes)\r\n    )\r\nNS nameserver.example.com.\r\n$ORIGIN home.example.com.<\/pre>\n
    In this case, namesever.example.com is the hostname of the server you\u2019ve installed bind9 onto.\u00a0 Unless you\u2019re very careful, you shouldn\u2019t add any static entries to this zone, because it\u2019s always possible they\u2019ll get overwritten, although of course, there\u2019s no technical reason to prevent it.<\/p>\n
    At this stage, you can recycle the bind9 instance (\/etc\/init.d\/bind9 reload), and resolve any issues (I had plenty, thanks to terrible typos and a bad memory).<\/p>\n
    Delegation<\/h4>\n
    You can now test your nameserver to make sure it responds to queries about the home.example.com domain.\u00a0 In order to properly integrate it though, you\u2019ll need to delegate the zone to it, from the nameserver which handles example.com.\u00a0 With Gandi, this was as simple as adding the necessary NS entry to the top level zone.\u00a0 Obviously, I only have a single DNS server handling this dynamic zone, and that\u2019s a risk, so you\u2019ll need to set up some secondaries, but that\u2019s outside the scope of this post.\u00a0 Once you\u2019ve done the delegation, you can try doing lookups from anywhere on the Internet, to ensure you can get (for example) the SOA for home.example.com.<\/p>\n
    Making Updates<\/h4>\n
    You\u2019re now able to update the target nameserver, from your source host using the nsupdate command.\u00a0 By telling it where your key is (-k filename), and then passing it commands you can make changes to the zone.\u00a0 I\u2019m using exactly the same format presented in the original article I linked above.<\/p>\n
    cat <<EOF | nsupdate -k \/path\/to\/key.thehost.home.example.com\r\nserver nameserver.example.com\r\nzone home.example.com.\r\nupdate delete thehost.home.example.com.\r\nupdate add thehost.home.example.com. 60 A 192.168.0.1\r\nupdate add thehost.home.example.com. 60 TXT \"Updated on $(date)\"\r\nsend\r\nEOF<\/pre>\n
    Obviously, you can change the TTL\u2019s to something other than 60 if you prefer.<\/p>\n
    Automating Updates<\/h4>\n
    The last stage, is automating updates, so that when your local IP address changes, you can update the relevant DNS server.\u00a0 There are a myriad ways of doing this.\u00a0 I\u2019ve opted for a simple shell script which I\u2019ll run every couple of minutes via cron, and have it check and update DNS if required.\u00a0 In my instance, my public IP address is behind a NAT router, so I can\u2019t just look at a local interface, and so I\u2019m using dig to get my IP address from the opendns service.<\/p>\n
    This is my first stab at the script, and it\u2019s absolutely a work in progress (it\u2019s too noisy at the moment for example),<\/p>\n
    #!\/bin\/sh<\/p>\n
    # set some variables
    \nhost=thehost
    \nzone=home.example.com
    \ndnsserver=nameserver.example.com
    \nkeyfile=\/home\/bob\/conf\/key.$host.$zone
    \n#<\/p>\n
    # get current external address
    \next_ip=`dig +short @resolver1.opendns.com myip.opendns.com`<\/p>\n
    # get last ip address from the DNS server
    \nlast_ip=`dig +short @$dnsserver $host.$zone`<\/p>\n
    if [ ! -z \u201c$ext_ip\u201d ]; then
    \nif [ ! -z \u201c$last_ip\u201d ]; then
    \nif [ \u201c$ext_ip\u201d != \u201c$last_ip\u201d ]; then
    \necho \u201cIP addresses do not match (external=$ext_ip, last=$last_ip), sending an update\u201d<\/p>\n
    cat <<\/p>\n
    \n
    Related posts:<\/p>\n
      \n
    1. Exim4 (SMTP MTA) + Debian + Masquerading <\/a> I love Debian, and Exim4 seems to \u2018just work\u2019 for…<\/small><\/li>\n
    2. Debian \/ IPv6 \/ ip6tables \/ arno-iptables-firewall <\/a> Gandi turned IPv6 on, on my virtual host and I\u2019ve…<\/small><\/li>\n
    3. Debian, apache2, virtualhosts, FastCGI and PHP5 <\/a> I\u2019ve spent an amusing evening revisiting FastCGI under Apache2, in…<\/small><\/li>\n
    4. Custom Logwatch script for ngIRCd <\/a> So before I begin (or technically, just after I\u2019ve begun),…<\/small><\/li>\n
    5. Simple Debian Squeeze LAMP Config <\/a> Want the instant gratification solution?\u00a0 Scroll down to \u201cAll In…<\/small><\/li>\n<\/ol>\n<\/div>\n<\/div>\n
      http:\/\/www.foell.org\/justin\/diy-dynamic-dns-with-openwrt-bind\/<\/a><\/p>\n
      http:\/\/blog.infertux.com\/2012\/11\/25\/your-own-dynamic-dns\/<\/a><\/p>\n
      http:\/\/idefix.net\/~koos\/dyndnshowto\/dyndnshowto.html<\/a><\/p>\n
      https:\/\/blog.hqcodeshop.fi\/archives\/76-Doing-secure-dynamic-DNS-updates-with-BIND.html<\/a><\/p>\n
      https:\/\/0x2c.org\/rfc2136-ddns-bind-dnssec-for-home-router-dynamic-dns\/<\/a><\/p>\n
      http:\/\/agiletesting.blogspot.com\/2014\/12\/dynamic-dns-updates-with-nsupdate-new.html<\/a><\/p>\n
       <\/p>\n
       <\/p>\n","protected":false},"excerpt":{"rendered":"
      http:\/\/perceptionistruth.com\/2013\/05\/run … \u7ee7\u7eed\u9605\u8bfb →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,2,18],"tags":[275,256],"class_list":["post-255457","post","type-post","status-publish","format-standard","hentry","category-internet","category-linux","category-software-download","tag-bind","tag-ddns"],"_links":{"self":[{"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=\/wp\/v2\/posts\/255457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=255457"}],"version-history":[{"count":8,"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=\/wp\/v2\/posts\/255457\/revisions"}],"predecessor-version":[{"id":255459,"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=\/wp\/v2\/posts\/255457\/revisions\/255459"}],"wp:attachment":[{"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=255457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=255457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.zhenglei.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=255457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}