Quick dynamic DNS?

Quick dynamic DNS?

@lbutlr
Given that I have an authoritative bind9 server for example.com, and given that I have a home connection, home.example.com, that is (technically) dynamic, what is the easiest way for me to automatically update the DNS on the rare occasions that it changes?

The example.com domain is set up with DNSSEC and the home connection has an rPI already acting as an unbound/piHole server, if that helps.

I used to use a dynamic DNS service, but I figure I have the tools available to do this all myself. What I am doing right now is just manually changing the IP.

--
"There will always be women in rubber flirting with me."

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users

Re: Quick dynamic DNS?

Grant Taylor via bind-users
On 12/23/20 6:53 PM, @lbutlr wrote:
> Given that I have an authoritative bind9 server for example.com, and
> given that I have a home connection, home.example.com, that is
> (technically) dynamic, what is the easiest way for me to automatically
> update the DNS on the rare occasions that it changes?

I assume:

1)  That example.com is a stand in for the real domain name(s)
2)  Your bind9 server is somewhere on the Internet
3)  You are asking how to dynamically update it to change where
home.example.com resolves to.

> The example.com domain is set up with DNSSEC and the home connection
> has an rPI already acting as an unbound/piHole server, if that helps.

Are you wanting to do some sort of zone transfer from the rPI to BIND?

Is home.example.com public or private?  Can the world query it?

> I used to use a dynamic DNS service, but I figure I have the tools
> available to do this all myself. What I am doing right now is just
> manually changing the IP.

ACK

I'm going to further assume:

4)  That you have home.example.com delegated to the rPI at your house.
5)  That you want to dynamically update this delegation.

You can use BIND's support for Dynamic DNS across the Internet.  (I
can't speak to the security of such.)  I assume that you will be using
something like TSIG keys or Kerberos to authenticate your Dynamic DNS
updates.  (Possibly even a VPN or the likes.)

Or you can use nsupdate on the system hosting your public BIND DNS server.

Please clarify where the Dynamic DNS client will be in comparison to the
BIND DNS server.  Then we can get into the minutia of how to go about
things.



--
Grant. . . .
unix || die



Re: Quick dynamic DNS?

@lbutlr
On 23 Dec 2020, at 21:23, Grant Taylor via bind-users wrote:
> On 12/23/20 6:53 PM, @lbutlr wrote:
>> Given that I have an authoritative bind9 server for example.com, and given that I have a home connection, home.example.com, that is (technically) dynamic, what is the easiest way for me to automatically update the DNS on the rare occasions that it changes?
>
> I assume:
>
> 1)  That example.com is a stand in for the real domain name(s)

That is what example.com always is, yes.

> 2)  Your bind9 server is somewhere on the Internet

As I said, it is authoritative for example.com.

> 3)  You are asking how to dynamically update it to change where home.example.com resolves to.

Yep.

>> The example.com domain is set up with DNSSEC and the home connection has an rPI already acting as an unbound/piHole server, if that helps.
>
> Are you wanting to do some sort of zone transfer from the rPI to BIND?

No, I just want my bind server to get updated with the external IP of my home connection when it changes and update the A pointer.

> Is home.example.com public or private?  Can the world query it?

The world can reach my home connection, but no, the world cannot send DNS queries to it, since it does not run an external DNS server (unbound is just a caching server; piHole is a DNS blocker that prevents LAN machines from reaching known bad hosts).

>> I used to use a dynamic DNS service, but I figure I have the tools available to do this all myself. What I am doing right now is just manually changing the IP.
>
> ACK
>
> I'm going to further assume:
>
> 4)  That you have home.example.com delegated to the rPI at your house.

No, I just have home.example.com as an A record that points to my home IP address. There are no delegations and no subdomains for home.example.com.

> 5)  That you want to dynamically update this delegation.

I just want to update the IP address in a single A record.

> You can use BIND's support for Dynamic DNS across the Internet.  (I can't speak to the security of such.)  I assume that you will be using something like TSIG keys or Kerberos to authenticate your Dynamic DNS updates.  (Possibly even a VPN or the likes.)

Possibly, though that is certainly part of what I am asking.

> Or you can use nsupdate on the system hosting your public BIND DNS server.

But the bind server doesn't know the new IP address?

> Please clarify where the Dynamic DNS client will be in comparison to the BIND DNS server.  Then we can get into the minutia of how to go about things.

As I said. The bind server is at example.com. It is authoritative for example.com (and several other domains as well).

At home I have a connection to an ISP, and that connection MAY change since it is in a DHCP pool. I want to be able to update my DNS server so that "home.example.com" points to my home IP address.

I have done this in the past with various dynamic DNS services (like DynDNS) where their software client would automatically update a custom subdomain of one of their domains like homeftp.net (they have many, and which one isn't relevant), and then on the Bind server I would have, for example, in example.com,

home CNAME lbutlr.homeftp.net. # example name, not a real DynDNS address

When the client updated my IP address, bind would simply relay connections to home.example.com to lbutlr.homeftp.net regardless of what the IP address was.

What I want to do is eliminate the 3rd party service and client so that the bind server can simply have:

home A 12.34.56.789 # obvs not a real IP

--
I went to a restaurant that serves "breakfast at any time". So I
        ordered French Toast during the Renaissance.


Re: Quick dynamic DNS?

Stanley Weilnau
What you want is a program on the rPI that will query the internet to find what the current outside address is and then send that to the bind9 server.

There are several ways of doing this.  
1) Use a service and have a CNAME pointing to the DNS entry of the service. Some examples:
https://www.dynu.com/DynamicDNS/IPUpdateClient/RaspberryPi-Dynamic-DNS
http://www.darwinbiler.com/dynamic-dns-using-raspberry-pi/

2) Use a custom script that uses nsupdate to update a dynamic zone on the bind9 server.  This is what I have done.
The script first queries the outside world for the IP address and then builds an nsupdate command set to send to the server.  I am doing this on a CentOS box, but it should work on an rPI.   I do use a key to prevent others from updating this record.

script
———————————
#!/bin/bash
# Servers: http://dynupdate.no-ip.com/ip.php, http://www.antedes.com/getip.php, ..?
# Less straightforward: http://checkip.dyndns.org/, ...
IPS=http://dynupdate.no-ip.com/ip.php

DNSP=/home/demouser/DNS_KEY

# First, retrieve the current public IP address (first field of the first line only)
CURIP=$(curl -s "$IPS" | awk 'NR == 1 { print $1 }')
# A failed lookup must not overwrite the saved address or send an empty update
[ -n "$CURIP" ] || { echo "could not determine public IP" >&2; exit 1; }
OLDIP=$(cat "$DNSP/oldip" 2>/dev/null)
echo "$OLDIP"
# Compare to previously saved IP; nothing to do if it is unchanged
[ "$CURIP" = "$OLDIP" ] && exit 0
echo "$CURIP"
# If different, tell DNS: replace the A record in one signed update
{
        echo "server mybind9serverIP"
        echo "zone dyn.example.com"
        echo "update delete rpi.dyn.example.com. A"
        echo "update add rpi.dyn.example.com. 3600  A $CURIP"
        echo "show"
        echo "send"
} > "$DNSP/zone"
echo "before nsupdate"
# -k: sign the update with the TSIG key that the server's allow-update trusts;
# record the new address only if the update was accepted, so a failed run is retried
if /usr/bin/nsupdate -k "$DNSP/Krpi.dyn.example.com.+157+02083.private" "$DNSP/zone"; then
        echo "$CURIP" > "$DNSP/oldip"
        echo "$(date) $CURIP" >> "$DNSP/oldips"
fi


-----------------
bind config entry

        zone "dyn.example.com" {
                type master;
                file "master/external/dyn.example.com";
                // rpi.dyn.example.com. must also be defined by a key { } statement in named.conf
                allow-update { key rpi.dyn.example.com.; };
                inline-signing yes;
                auto-dnssec maintain;
                key-directory "/keys/dyn.example.com/";
        };



Re: Quick dynamic DNS?

Grant Taylor via bind-users
In reply to this post by @lbutlr
On 12/24/20 8:48 AM, @lbutlr wrote:
> That is what example.com always is, yes.

Sorry.  I'm so used to people not using documentation domains that I
double check that they aren't actually trying to literally use
documentation domains internally.

It's a refreshing change to see documentation domains / IPs / networks
used properly.

I tip my hat to you.

> As I said, it is authoritative for example.com.

ACK

> Yep.
>
> No, I just want my bind server to get updated with the external IP
> of my home connection when it changes and update the A pointer.

Okay.  IMHO that's relatively easy to do.  See Stanley's reply as it
seems quite good.

About the only thing that I'd do differently is to use update-policy {
... } "grant" statements to more granularly control what the key can
update.  E.g. allow it to /only/ update A and / or AAAA records for the
home.example.com name and nothing else.

An alternative to grant statements is to use a CNAME to yourself in a
different sub-domain where you have carte blanche access to update.  But,
seeing as how the CNAME will reference explicitly one name, you have
less of a security risk in the alias domain.  E.g. home.example.com ->
home.client1.ddns.example.com.  Then give each client the ability to
update its client#.ddns.example.com sub-domain.

> I just want to update the IP address in a single A record.

IMHO that makes this almost trivial once you know how to do it.

> Possibly, though that is certainly part of what I am asking.

*nod*nod*

> But the bind server doesn't know the new IP address?

SSH from rPI to bind9 and remotely run a command.  Possibly extracting
the IP from the SSH_{CLIENT,CONNECTION} environment variable.  ;-)

> As I said. The bind server is at example.com. It is authoritative
> for example.com (and several other domains as well).

*nod*nod*nod*

I expect that many on this list have such systems at their disposal.  }:-)

> At home I have a connection to an ISP and that connection MAY change
> since it is in a DHCP pool. I want to be able to updated my DNS server
> so that "home.example.com" points to my home IP address.

Typical and quintessential use case.

> I have done this in the past with various dynamic DNS services (like
> DynDNS) where their software client would automatically update a custom
> subdomain of one of their domains like homeftp.net (the have many and
> which one isn't relevant) and then on the Bind server I would have,
> for example, in example.com,
>
> home CNAME lbutlr.homeftp.net. #example name, not real dynDNS
> address)
>
> When the client updated my IP address, bind would simply relay
> connections to home.exmple.com to lbutlr.homeftp.net regardless of
> what the IP address was.
>
> What I want to do is eliminate the 3rd party service and client so
> that the bind server can simply have:
>
> home A 12.34.56.789 # obvs not a real IP
Aw ... no Test-Net IPs?  :-P

IMHO what you're wanting to do is quite doable with a little bit of
knowledge and trial and error.  See Stanley's email for more details on
said knowledge.

The only parting thoughts I'll add is that I don't know if TSIG keys are
sufficiently secure, or if there is a better option.  I've not looked in
a while.  --  I personally tend to isolate what can be changed with
grant statements and consider it good enough.  --  This is also where
remotely executing nsupdate through SSH sort of elides this issue and
makes things somewhat simpler.



--
Grant. . . .
unix || die


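Pulling together Stanley's script and the two ideas in the message above (an update-policy "grant" that limits the key to one name and record type, and the SSH variant that takes the address from SSH_CONNECTION), here is an added example; it is not code from anyone in this thread or from ISC. It assumes a TSIG key named home-ddns. created with tsig-keygen, a nameserver ns1.example.com, the inline-signing/auto-dnssec options already used in this thread for the signed zone, and a hypothetical lookup URL for the client-side variant; all of those names and paths are placeholders. The point it adds is that the address fetched from a lookup service is untrusted input that ends up inside an nsupdate batch, so it is validated before anything is signed, and the grant line bounds what a stolen key or an injected "update" line could change.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC.  Key name "home-ddns.",
# ns1.example.com, paths and the lookup URL are assumptions/placeholders.

# --- server side: named.conf stanza -------------------------------------
# Generate the shared secret once on the BIND host:
#   tsig-keygen home-ddns. > /etc/named/home-ddns.key
# and copy that file to the rPi over a trusted channel.  The grant line lets
# the key change only A/AAAA at exactly one name, so a leaked key or an
# injected "update" line cannot touch NS, MX, DS or anything else in
# example.com.  Inline signing re-signs the zone after each update.
named_conf_stanza() {
	cat <<'EOF'
include "/etc/named/home-ddns.key";

zone "example.com" {
	type master;
	file "master/example.com";
	update-policy {
		grant home-ddns. name home.example.com. A AAAA;
	};
	inline-signing yes;
	auto-dnssec maintain;
	key-directory "/keys/example.com/";
};
EOF
}

# --- input validation ---------------------------------------------------
# Accept only a dotted quad with four decimal octets in 0..255 and no leading
# zeros.  Rejects "12.34.56.789", multi-line or HTML responses from a lookup
# service, and anything containing nsupdate syntax.  Runs in a subshell so
# the IFS change stays local.
valid_ipv4() (
	ip=$1
	case "$ip" in
		''|*[!0-9.]*|*..*|.*|*.) exit 1 ;;
	esac
	IFS=.
	set -- $ip
	[ $# -eq 4 ] || exit 1
	for o in "$@"; do
		case "$o" in 0?*) exit 1 ;; esac
		[ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
	done
	exit 0
)

# Emit the nsupdate batch that replaces the A record of $1 with $2 via $3.
# Produces nothing for an address that fails validation, so a bad lookup
# can never reach nsupdate.
build_update() {
	name=$1; ip=$2; server=${3:-ns1.example.com}
	valid_ipv4 "$ip" || return 1
	printf 'server %s\nzone example.com\nupdate delete %s A\nupdate add %s 300 A %s\nsend\n' \
		"$server" "$name" "$name" "$ip"
}

# --- client side (rPi), TSIG variant -------------------------------------
# Run from cron; it only signs and sends when the address really changed.
client_update() {
	state=${HOME}/.ddns-last-ip
	cur=$(curl -fsS https://checkip.example.net/ | head -n 1 | tr -d '\r')   # hypothetical URL
	valid_ipv4 "$cur" || { echo "lookup returned garbage: $cur" >&2; return 1; }
	[ "$cur" = "$(cat "$state" 2>/dev/null)" ] && return 0
	build_update home.example.com. "$cur" | nsupdate -k /etc/named/home-ddns.key &&
		printf '%s\n' "$cur" > "$state"
}

# --- server side, SSH forced-command variant -----------------------------
# In ~ddns/.ssh/authorized_keys on the BIND host the rPi's key is pinned to
# this script and stripped of everything else:
#   command="/usr/local/sbin/ddns-from-ssh",restrict ssh-ed25519 AAAA... rpi
# sshd sets SSH_CONNECTION="<client ip> <client port> <server ip> <server port>",
# so the address comes from the TCP connection, not from anything the rPi
# sends, and the TSIG key never leaves the server (nsupdate talks to
# localhost).  The rPi just runs: ssh -i ~/.ssh/ddns_ed25519 ddns@ns1.example.com
ssh_client_ip() {
	printf '%s\n' "${SSH_CONNECTION%% *}"
}

ddns_from_ssh() {
	build_update home.example.com. "$(ssh_client_ip)" 127.0.0.1 |
		nsupdate -k /etc/named/home-ddns.key
}

# Demo with a constructed TEST-NET address (RFC 5737); prints the batch only.
build_update home.example.com. 192.0.2.10
```

With the grant in place, a compromised lookup service that answered "192.0.2.10\nupdate delete example.com. NS" would be stopped twice: valid_ipv4 rejects the newline before the batch is built, and even if it were sent, named refuses any change outside home.example.com A/AAAA for that key. The SSH variant additionally keeps the TSIG secret off the home network entirely.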

Re: Quick dynamic DNS?

Mark Andrews
TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS zones.

MacOS uses TSIG to update the DNS.

Windows uses GSS-TSIG in active directory.

SIG(0) is in future work for home net updating records added on a first come basis.  It can also be used to update records added by other means as long as the KEY records were added at the same time.
--
Mark Andrews



Re: Quick dynamic DNS?

Grant Taylor via bind-users
On 12/24/20 3:05 PM, Mark Andrews wrote:
> TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS
> zones.

Thank you for the follow up Mark.

It's good to know that they are secure mechanisms.

With all the churn in the TLS space, I can't keep up with it, much less
have any idea how the concepts cross pollinate to other things.

> MacOS uses TSIG to update the DNS.
>
> Windows uses GSS-TSIG in active directory.

*nod*

Jan-Piet Mens has a good article on this.

> SIG(0) is in future work for home net updating records added on a
> first come basis.  It can also be used to update records added by
> other means as long as the KEY records were added at the same time.

Would you please elaborate what you mean by "on a first come basis"?  Is
it simply the first person to put a KEY record, or someone that has
knowledge thereof?

Thank you for enlightening me.



--
Grant. . . .
unix || die



Re: Quick dynamic DNS?

Mark Andrews
See draft-ietf-dnssd-srp

--
Mark Andrews

