diy_rfc2136_dyndns_with_bind

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
diy_rfc2136_dyndns_with_bind [25.06.2021 08:17] – [DIY RFC2136 dyndns with bind] Pascal Suterdiy_rfc2136_dyndns_with_bind [25.06.2021 12:39] (current) Pascal Suter
Line 2: Line 2:
 ever since dyndns stopped to be completely free (including hassle-free) i was looking for alternatives. i recently stumbled across RFC2136 which can be used to provide dynamic dns services. since i have access to two nameservers running bind i decided to try it out.. it works pretty nicely :) ever since dyndns stopped to be completely free (including hassle-free) i was looking for alternatives. i recently stumbled across RFC2136 which can be used to provide dynamic dns services. since i have access to two nameservers running bind i decided to try it out.. it works pretty nicely :)
  
-there is [[https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS|howto in the pfsense wiki]], however, that did not work for mei had to use allow-update reather than update-policy.. don't know whysomehow it just seemed to have been ignored by the version of bind9 i am running on the servers. I've used in general the setup described in [[http://www.shakabuku.org/writing/dyndns.html|this very detailed webpage about dyndns with bind9]]+this is an improved version, now that i know more about bind, over my [[diy_rfc2136_dyndns_with_bind&rev=1624605040|previous setup]] and it has been updated to work with bind 9.16 which no longer creates TSIG keys using ''dnssec-keygen'' but instead uses the much more comfortable tool ''tsig-keygen''The main disadvantage of my previous setup wasthat any user holding one of the allowed keys could update any host entry, so the user was not limited to a single hostname which can be a seurity issue
  
 this following howto will explain how i did my setup so that i could have a little bash script that would allow me to add new hosts to my dyndns with a single command. all my hosts will end with .dyn.mydomain.ch.  this following howto will explain how i did my setup so that i could have a little bash script that would allow me to add new hosts to my dyndns with a single command. all my hosts will end with .dyn.mydomain.ch. 
Line 34: Line 34:
  type master;   type master; 
  file "/etc/bind/dyn/dyn.mydomain.ch";   file "/etc/bind/dyn/dyn.mydomain.ch"; 
- allow-update {  + update-policy {  
- //add_keys_here//+ grant *.dyn.mydomain.ch. self *.dyn.mydomain.ch. A; 
 + grant local-ddns zonesub any;
  };   }; 
  allow-query {   allow-query { 
Line 41: Line 42:
  };   }; 
 }; };
-</code bash add_new_host.sh> **note** keep the //add_keys_here// comment exactly as it is, this is the marker for our script so it knows where to add new keys +</code>  
-  * edit your main named.conf file, usually in /etc/bind/named.conf and add an include line at the end of your zone definitions like so: <code>include "/etc/bind/dyn/named.conf";</code> +  here are the contents of the script to add new hosts: <code bash add_new_host.sh>
-  * create the "add_new_host.sh" script that will add new hosts to our setup. here are the contents of the script: <code>+
 #!/bin/bash #!/bin/bash
 if [ -z "$1" -o "$1" == " " ]; then if [ -z "$1" -o "$1" == " " ]; then
Line 51: Line 51:
 fi fi
 cd /etc/bind/dyn/ cd /etc/bind/dyn/
-mkdir tmp 
-cd tmp 
 hostname=${1}.dyn.mydomain.ch. hostname=${1}.dyn.mydomain.ch.
 echo "generating key for ${hostname}" echo "generating key for ${hostname}"
-keyfile=`dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ${hostname}+key=$(tsig-keygen -a hmac-md5 ${hostname}) 
-key=`grep "Key" ${keyfile}.private | awk '{ print $2; }'` +echo "here is the HMAC-MD5 key i have generated, use this to configure your client:" 
-echo "here is the key i have generated, use this to configure your client: $key+echo "-----------------8<--------------" 
-cd .. +echo "${key}" | grep "secret" | awk -F '"' '{print $2}
-rm -rf tmp +echo "-----------------8<--------------
-echo "adding key to named.conf..." +echo "add key to bind config" 
-cat named.conf sed -"s/\/\/add_keys_here\/\//key ${hostname};\n\t\t\/\/add_keys_here\/\//| tee named.conf > /dev/null +echo $(echo "$key" | tr -d "\r\n">> keys.conf
-echo "key ${hostname} { algorithm hmac-md5; secret \"${key}\"; };" >> keys.conf +
-echo "done"+
 echo "reload bind"; echo "reload bind";
-/etc/init.d/bind9 reload+/usr/sbin/rndc reload
 echo "currently active hosts:" echo "currently active hosts:"
-grep "key " named.conf | awk '{ print $2; }' | tr -d ";" +grep "key " keys.conf | awk '{ print $2; }' | tr -d ";"</code>
-</code>+
   * now set the permissions so that especially the keys.conf file is only readable by bind and editable by root. also the dyn directory must be writeable by bind or if you don't want that, touch a file called dyn.mydomain.ch.jnl and make it writeable for bind, as well as making the dyn.mydomain.ch file writeable for bind. here is how i've set the permissions on my server: <code>   * now set the permissions so that especially the keys.conf file is only readable by bind and editable by root. also the dyn directory must be writeable by bind or if you don't want that, touch a file called dyn.mydomain.ch.jnl and make it writeable for bind, as well as making the dyn.mydomain.ch file writeable for bind. here is how i've set the permissions on my server: <code>
 drwxrwxr-- 2 root bind 4096 Oct 29 13:45 ./ drwxrwxr-- 2 root bind 4096 Oct 29 13:45 ./
Line 80: Line 75:
   * now use the script to add your first hostname. <code>./add_new_host myhost</code>if you did everything correctly (and if i described it all correctly) your client should now be able to update it's own dns entry with the key you received back from the script.    * now use the script to add your first hostname. <code>./add_new_host myhost</code>if you did everything correctly (and if i described it all correctly) your client should now be able to update it's own dns entry with the key you received back from the script. 
 ===== script to remove hosts ===== ===== script to remove hosts =====
-optionally you can also create a little script to remove hosts just as easily. create a file called remove_hosts.sh with the following contents<code>+optionally you can also create a little script to remove hosts just as easily. create a file called remove_hosts.sh with the following contents<code bash remove_hosts.sh>
 #!/bin/bash #!/bin/bash
 if [ -z "$1" -o "$1" == " " ]; then if [ -z "$1" -o "$1" == " " ]; then
Line 90: Line 85:
 hostname=${1}.dyn.mydomain.ch. hostname=${1}.dyn.mydomain.ch.
 echo "old keys.conf entry: " echo "old keys.conf entry: "
-grep ${hostname} keys.conf+grep -E '[ "]'"${hostname}"'[."]\s' keys.conf
 echo "remove key for ${hostname}" echo "remove key for ${hostname}"
-cat named.conf | sed -"/^\t\tkey ${hostname}.*$/d| tee named.conf > /dev/null +sed -i '/[ "]'"${hostname}"'[."]\s/dkeys.conf
-cat keys.conf | sed -e "/^key ${hostname}.*$/d" | tee keys.conf > /dev/null+
 echo "reload bind"; echo "reload bind";
-/etc/init.d/bind9 reload +/usr/sbin/rndc reload 
-echo "currently active hosts:" +echo "delete dns entry for ${hostname}" 
-grep "key " named.conf | awk '{ print $2; }' | tr -d ";"+echo -e "update delete ${hostname} a\nsend" | nsupdate -l -4 
 +/usr/sbin/rndc sync -clean 
 +echo "currently allowed hosts:" 
 +grep "key " keys.conf | awk '{ print $2; }' | tr -d ";"
 </code> </code>
 make it executable and run it to remove hotsts. **warning** make a backup of your keys.conf and your named.conf file before testing this :)  make it executable and run it to remove hotsts. **warning** make a backup of your keys.conf and your named.conf file before testing this :) 
   ./remove_host.sh myhost   ./remove_host.sh myhost
  
  • diy_rfc2136_dyndns_with_bind.1624601842.txt.gz
  • Last modified: 25.06.2021 08:17
  • by Pascal Suter