
Dynamic DNS using Bind

Today, we’ll see how to configure BIND so that a client can update its own A record whenever its public IP address changes (dynamic DNS), authenticating each update with a TSIG key.

Prerequisites: net-dns/bind and net-dns/bind-tools (Gentoo package names; the binaries are named, dnssec-keygen, nsupdate, rndc and dig), plus a nameserver and a domain that you control, of course.

First, we need a TSIG key: a shared secret that the server uses to decide who may update a zone, and that the client uses to authenticate its update requests. Anyone holding the secret can rewrite whatever records you grant to it, so treat the key files like a password (mode 600, owned by the user running nsupdate on the client and by the named user on the server). To generate one, issue the following on your favorite shell prompt:

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST yourkey

This generates two files in the current directory: Kyourkey.+xxx+yyyyy.key and Kyourkey.+xxx+yyyyy.private, where xxx is the algorithm number (165 for HMAC-SHA512) and yyyyy is the key id. For an HMAC key both files carry the same secret; the interesting line is the Key: line of the .private file, which is already base64-encoded. Note that since BIND 9.13 dnssec-keygen no longer generates HMAC keys; there, run tsig-keygen -a hmac-sha512 yourkey instead, which prints a ready-to-include key statement.

Then, assuming your dynamic host is named dyn.yourzone.example in the zone yourzone.example (placeholder names, in the spirit of yourkey above; substitute your own), edit /etc/bind/named.conf to add first the allowed key, and then an update-policy to the existing zone statement:

key "yourkey" {
    algorithm hmac-sha512;
    secret "<the Key: value from the .private file>";
};

zone "yourzone.example" {
    type master;
    file "/etc/bind/yourzone.example.zone";   // your existing zone file
    update-policy {
        grant yourkey name dyn.yourzone.example. A;
    };
};

Some explanations now:
– with the key statement, you give a name to the shared secret so that it can be referenced later in the zone statement; the algorithm must match the one used at generation time
– with the update-policy statement in the zone, you allow requests signed with yourkey to change the A record of dyn.yourzone.example. and nothing else (note the dot at the end: this is a FQDN, otherwise the zone name would be appended to it)

Tip: you can grant more than the A record with the same statement, by listing further types after the name (for example A AAAA TXT), or by using subdomain instead of name to cover a whole subtree. Keep grants as narrow as the client needs: a key allowed to rewrite the zone apex or NS records is a much bigger target than one limited to a single A record.

Then it is time to add the name to the zonefile. Once a zone accepts dynamic updates, BIND keeps its changes in a journal (.jnl) and rewrites the zone file itself, so never edit the file by hand while the zone is live: first freeze it, which flushes the journal and suspends updates:

rndc freeze yourzone.example

Then edit the zonefile of yourzone.example, adding the following:

$TTL 600
dyn     IN  A   <initial address>   ; any placeholder IPv4, the client overwrites it

Do not forget to increment the SOA serial, otherwise BIND will not propagate the change to the slave nameservers, if any.
The initial IP address does not matter, since it will be updated later from the client. The TTL is set to 600 (10 minutes) because a dynamic IP can change at any time, so a short TTL lets caching resolvers pick up the new address quickly; keep in mind, though, that a very short TTL means many more queries hitting your nameserver…
Finally, tell BIND to pick up the changes and accept updates again (thaw reloads the zone on its own, so the reload is only there to surface syntax errors before the zone is unfrozen):

rndc reload yourzone.example
rndc thaw yourzone.example

Then it’s time to update the IP address from your client. For this we will use nsupdate, pointing -k at the .private file (both the .key and .private files must be present in the same directory; with a key produced by tsig-keygen, pass that single file instead). The -v flag makes nsupdate use TCP, which is convenient when the update is larger than a UDP packet.
If you use a modem line connected directly to your client computer, take your external/public IP address from the ppp0 interface; if you are behind a local network, look it up with one of the “what is my IP” websites. For the example, we will take 192.0.2.1 as your external IP address (a documentation placeholder) and ns.yourzone.example as the primary nameserver of the zone (placeholder name):

nsupdate -v -k Kyourkey.+165+yyyyy.private <<EOF
server ns.yourzone.example
update delete dyn.yourzone.example. A
update add dyn.yourzone.example. 600 A 192.0.2.1
send
EOF

The delete removes every existing A record of the name before the new one is added, so the host never ends up with two addresses. A wrong or missing key is rejected with REFUSED (look for BADKEY or BADSIG in the server log); a key that is valid but not granted for that name is also REFUSED.

And that’s done !

You can check the result with dig, asking the primary directly so that a cached answer cannot mislead you:

dig @ns.yourzone.example dyn.yourzone.example. A +short
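The manual nsupdate above is what you run once; on a client whose address really does change, you want it wrapped in a script that validates the detected address, asks the primary what it currently serves, and only signs and sends an update when the two differ. The following script is an added example and not code from the original post; the host name dyn.yourzone.example, the nameserver ns.yourzone.example and the key file name are placeholders (assumptions) that you override through environment variables, and the public address is taken as the single command-line argument, however you obtain it (ppp0, a router query, a website).

```shell
#!/bin/sh
# ddns-update.sh -- added example, not code from the original post.
# Placeholders (assumptions, not from the page): dyn.yourzone.example,
# ns.yourzone.example and the key file name. Override them with environment
# variables, e.g.  HOST=dyn.mydomain.tld. ./ddns-update.sh 203.0.113.7
set -eu

KEYFILE="${KEYFILE:-Kyourkey.+165+12345.private}"   # assumed file name
HOST="${HOST:-dyn.yourzone.example.}"                 # FQDN, trailing dot
SERVER="${SERVER:-ns.yourzone.example}"               # primary for the zone
TTL="${TTL:-600}"

# Accept only a dotted-quad IPv4 address: anything else (a second line, a
# ';', nsupdate keywords) is rejected before it can reach the update batch.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the nsupdate batch that replaces every A record of HOST with $1.
build_update() {
    printf 'server %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$SERVER" "$HOST" "$HOST" "$TTL" "$1"
}

# True when the authoritative answer ($1) differs from the detected address ($2).
needs_update() {
    [ "$1" != "$2" ]
}

main() {
    new_ip=${1:?usage: $0 <public-ipv4>}
    if ! valid_ipv4 "$new_ip"; then
        echo "refusing to publish '$new_ip': not an IPv4 address" >&2
        return 2
    fi
    # Ask the primary directly so a stale cache cannot mask a needed update.
    current=$(dig +short @"$SERVER" "$HOST" A)
    if needs_update "$current" "$new_ip"; then
        build_update "$new_ip" | nsupdate -v -k "$KEYFILE"
        echo "$HOST: ${current:-(none)} -> $new_ip"
    else
        echo "$HOST already points at $new_ip, nothing to do"
    fi
}

# Run only when an address is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from cron or from the ppp ip-up hook with the detected address as argument. The comparison against the primary keeps the script idempotent, so it can run every few minutes without generating a signed update (and a journal entry on the server) each time; the address check matters because the argument usually comes from an interface or a web lookup, and a multi-line or otherwise odd value must never be spliced into the nsupdate batch.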