
Dynamic DNS using Bind

Today, we’ll see how to configure bind to perform dynamic DNS updates whenever your public IP address changes.

Prerequisites: net-dns/bind, net-dns/bind-tools, and of course control of a nameserver and a domain

First, we need a TSIG key: the server uses it to decide who is allowed to update a zone, and the client uses it to authenticate itself to the nameserver. To generate one, issue the following at your favorite shell prompt:

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST yourkey

This will generate two files in the current directory: Kyourkey.+xxx+yyyy.key containing the public key and Kyourkey.+xxx+yyyy.private containing the private key, where xxx stands for the algorithm identifier (161 for HMAC-SHA512) and yyyy is the key id.

Then, assuming you will name your dynamic host dyn.example.com (so the zone is example.com), edit /etc/bind/named.conf to add first the allowed key, and then the update-policy for the zone example.com:

key yourkey {
    algorithm hmac-sha512;
    secret "[Key: data of the .private file]";
};
[..snip..]
zone "example.com" {
    [..snip..]
    update-policy { grant yourkey name dyn.example.com. A; };
};

Some explanations now:
– with the key statement, you give a name to the secret so that it can be referenced later in the zone statement
– with the update-policy statement in the zone, you allow the key named yourkey to update only the A record of dyn.example.com. (note the trailing dot: this is a FQDN)

Tip: You can use the update-policy statement to grant updates for more than the A record

Then it is time to add the name dyn.example.com to the zonefile. First freeze the zone so bind stops writing to it:

rndc freeze example.com

Then edit the zonefile of example.com adding the following:

$TTL 600
dyn IN A 0.0.0.0

Do not forget to increment the SOA serial to allow bind to propagate the changes to the slave nameservers, if any.
The IP address is 0.0.0.0 by default and will be updated later from the client. The TTL is set to 600 (10 minutes) because a dynamic IP can change at any time; a short TTL lets caching DNS servers pick up the new address quickly, but keep in mind that a very short TTL means many more queries to your nameserver…
Finally, propagate the changes to bind:

rndc reload example.com
rndc thaw example.com

Then it’s time to update the IP address of your client. For this we will use nsupdate. You need both the .key and .private files for the update to work.
If you use a modem line connected directly to your client computer, read your external/public IP address from the ppp0 interface; if you are behind a local network, get your external IP address from a website like checkip.dyndns.org. For this example we will take 1.2.3.4 as your external IP address, assuming dns.example.com is your primary nameserver:

nsupdate -v -k Kyourkey.+xxx+yyyy.key <<EOF
server dns.example.com
zone example.com.
update delete dyn.example.com. A
update add dyn.example.com. 600 A 1.2.3.4
send
EOF

And that’s done!

You can check the result with dig to get the IP address of your host:

dig @dns.example.com dyn.example.com A
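To tie the nsupdate and dig steps together, here is a small client script, added as an example and not part of the original post, that only sends an update when the detected address actually differs from what the nameserver serves. It reuses the post's placeholder names (dns.example.com, example.com, dyn.example.com, Kyourkey.+xxx+yyyy.key) and assumes curl and dig are installed; the address validation exists so that an HTML error page or empty reply from the lookup site never reaches nsupdate.

```shell
#!/bin/sh
# Added example (not from the original post): dynamic-DNS client wrapping the
# nsupdate call above. Names are the post's placeholders; curl and dig assumed.
SERVER=dns.example.com
ZONE=example.com
DYNHOST=dyn.example.com
KEYFILE=Kyourkey.+xxx+yyyy.key
TTL=600

# Accept only a plausible dotted-quad IPv4 address. An HTML error page or an
# empty reply from the lookup site must never be fed to nsupdate.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the nsupdate script for one address (the same commands as the post).
update_script() {
    printf 'server %s\nzone %s.\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$DYNHOST" "$DYNHOST" "$TTL" "$1"
}

# True (exit 0) only when the detected address is valid and differs from the
# one the nameserver currently serves, so an unchanged address sends nothing.
needs_update() {
    is_ipv4 "$1" || return 1
    [ "$1" != "$2" ]
}

main() {
    detected=$(curl -s http://checkip.dyndns.org | sed 's/.*: *//; s/<.*//')
    published=$(dig +short @"$SERVER" "$DYNHOST" A)
    if needs_update "$detected" "$published"; then
        update_script "$detected" | nsupdate -v -k "$KEYFILE"
    fi
}

# Run from cron or a ppp ip-up hook as: sh ddns.sh run
if [ "${1:-}" = "run" ]; then main; fi
```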