{"id":552,"date":"2018-07-01T05:30:46","date_gmt":"2018-07-01T04:30:46","guid":{"rendered":"https:\/\/tollana.d-tor.org\/notes-to-self\/?p=552"},"modified":"2018-07-01T05:30:46","modified_gmt":"2018-07-01T04:30:46","slug":"ddns-with-bind-and-perl","status":"publish","type":"post","link":"https:\/\/tollana.d-tor.org\/notes-to-self\/?p=552","title":{"rendered":"DDNS with bind and perl"},"content":{"rendered":"

Problem<\/h3>\n

You have a crappy internet provider who hands out dynamic IPv4 addresses and IPv6 prefixes, but you can’t remember all those numbers and want to use DNS as intended. Actually, I have 2 internet providers, Vodafone and Telekom, each with its own problems . Vodafone’s IPv6 prefix seems to be static for now, but they blessed me with DS-Lite after the update to 400 Mbit<\/a>. Telekom has a dual stack, but the public IPv4 address and the delegated IPv6 prefixes are highly dynamic.<\/p>\n

What you need<\/h3>\n
    \n
  1. A DNS zone and control over the zone file, so you can delegate a subdomain to another name server<\/li>\n
  2. The “another name server” with a static<\/strong> IP. If you don’t have that, stop reading!<\/li>\n
  3. a script for the dynamic updates<\/li>\n<\/ol>\n

    I have a root server and a DNS zone at Hetzner. The root Server has a static IPv4 address and IPv6 prefix. Also, they let you edit the pure bind zone file via a text box, not<\/em> a form! Since I’m a perl guy, I did the script in my favorite perfect and easy readable language.<\/p>\n

    Configure your “another name server”<\/h3>\n

    Install bind on your box with the static IP. Then generate a key for dynamic updates. Do not<\/strong> use dnssec-keygen as described in various tutorials. You will fail! Use ddns-confgen instead and follow the instructions in the comment. Your zone file should look something like this:<\/p>\n

    ...\r\n\/\/ THE key\r\nkey \"ddns-key.dyn.d-tor.org\" { \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0algorithm hmac-sha256; \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0secret \"base64stufffromddns-confgen=\"; \r\n};\r\n\/\/ THE dynamic zone\r\nzone \"dyn.d-tor.org.\" { \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0update-policy { grant ddns-key.dyn.d-tor.org zonesub ANY; }; \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type master; \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0file \"dyn.d-tor.org.hosts\"; \r\n};\r\n...<\/pre>\n
    The above snippet configures the zone dyn.d-tor.org and allows updates to anyone who has THE key. Next, create the initial zone file in the directory specified by the “directory” directive in named.conf (on ArchLinux it’s the default \/var\/named, thus \/var\/name\/dyn.d-tor.org.hosts):<\/p>\n
    $ORIGIN . \r\n$TTL 600 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0; 10 minutes \r\ndyn.d-tor.org \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0IN SOA \u00a0valhalla.d-tor.org. me.d-tor.org. ( \r\n  1 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0; serial \r\n\u00a0\u00a0500 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0; refresh (8 minutes 20 seconds) \r\n\u00a0\u00a0500 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0; retry (8 minutes 20 seconds) \r\n\u00a0\u00a086400 \u00a0\u00a0\u00a0\u00a0\u00a0; expire (1 day) \r\n\u00a0\u00a0500 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0; minimum (8 minutes 20 seconds) \r\n) \r\n\u00a0\u00a0NS \u00a0\u00a0\u00a0\u00a0\u00a0valhalla.d-tor.org.<\/pre>\n
    Then restart\/reconfigure bind and check for errors:<\/p>\n
    # systemctl restart named\r\n# journalctl -u named<\/pre>\n
    If you have ip(6)tables running, allow access to port 53 UDP and TCP for good measure:<\/p>\n
    # iptables -I INPUT 2 -p udp --dport 53 -j ACCEPT\r\n# iptables -I INPUT 2 -p tcp --dport 53 -j ACCEPT\r\n# iptables -I INPUT 2 -p udp --dport 53 -j ACCEPT\r\n# iptables -I INPUT 2 -p tcp --dport 53 -j ACCEPT<\/pre>\n
    Copy the key to the box where you want to update from, e.g. \/etc\/ddns.key and set permissions to 600. It should contain only the key section:<\/p>\n
    key \"ddns-key.dyn.d-tor.org\" { \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0algorithm hmac-sha256; \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0secret \"base64stufffromddns-confgen=\"; \r\n};<\/pre>\n
    Now test it:<\/p>\n
    # nsupdate -k \/etc\/ddns.key <<EOF\r\n> server 2a02:4f8:2a:254e::2\r\n> update delete blub.dyn.d-tor.org A\r\n> update add blub.dyn.d-tor.org 200 A 191.139.50.71\r\n> send\r\n> EOF<\/pre>\n
    If you’ve done everything right:<\/p>\n
    # host blub.dyn.d-tor.org 2a02:4f8:2a:254e::2\r\nblub.dyn.d-tor.org has address 191.139.50.71<\/pre>\n
    Delegate the Zone<\/h3>\n
    Now we need to delegate dyn.d-tor.org to\u00a02a02:4f8:2a:254e::2. Add this to the zone file on your authoritative name server (in my case, Hetzner):<\/p>\n
    ...\r\ndyn IN NS dyndns ; delegation to dyndns.d-tor.org\r\ndyndns IN AAAA 2a02:4f8:2a:254e::2 ; IPv6 glue record for dyndns.d-tor.org\r\ndyndns IN A <IPv4.address.of.dyndns> ; IPv4 glue record\r\n...<\/pre>\n
    Wait for the information to spread. Check with dnstracer:<\/p>\n
    # dnstracer -s . dyn.d-tor.org<\/pre>\n
    If you get a result, we can continue \ud83d\ude42<\/p>\n
    THE script<\/h3>\n
    Write a script that extracts the IP addresses from your interfaces and uses nsupdate to update the records. It shouldn’t be that hard. Sorry, I can’t provide mine, because it is very specific to my setup.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Problem You have a crappy internet provider who hands out dynamic IPv4 addresses and IPv6 prefixes, but you can’t remember all those numbers and want to use DNS as intended. Actually, I have 2 internet providers, Vodafone and Telekom, each with its own problems . Vodafone’s IPv6 prefix seems to be static for now, but … Continue reading DDNS with bind and perl<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,36,76],"tags":[133,132,70],"class_list":["post-552","post","type-post","status-publish","format-standard","hentry","category-arch-linux","category-hetzner","category-network","tag-bind","tag-ddns","tag-ipv6"],"_links":{"self":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts\/552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=552"}],"version-history":[{"count":1,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts\/552\/revisions"}],"predecessor-version":[{"id":553,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts\/552\/revisions\/553"}],"wp:attachment":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}