A DDNS Server Using BIND and Nsupdate

If you have your own UNIX machine with a static IP somewhere on the public

internet, it's possible to roll your own secure DDNS server using BIND 8 (or

greater) and its nsupdate tool on your dynamic UNIX client.

Let's assume that you have a machine on the internet called

my.inet.server and a dynamically assigned address on your home

machine, my.cable.machine, attached to the net by a cable modem. You

own the domain my.home.domain and want to use that name space to

statically refer to your cable modem.

On the client side (my.cable.machine), you'll need to:

• Install BIND 8 or

  greater

• Generate a TSIG ID key (needed for security)

• Set up a script that will notify

  my.inet.server via nsupdate when your IP changes

On the master nameserver, my.inet.server, you'll need to:

• Create a zone for your home network (or you can

  add to an existing zone)

• Create a key entry in

  /etc/named.conf

• Add an allow-update entry for your zone in

• Make sure that the timeout in your zone file for

  your dynamically addressed hosts is very low

To create the TSIG key on my.cable.machine, you

can run the following command (as root), substituting whatever name you want

for keyname:

dnskeygen -H 128 -h -n keyname
      

This creates two files, Kkeyname.+157+00000.key

and Kkeyname.+157+00000.private. The base64 encoded

key included in these files is what you'll later want to put in the key

directive in /etc/named.conf on your my.inet.server. I'd

suggest putting these two files in with your zone records on

my.cable.machine, making sure that they are

unreadable/unwritable/unexecutable by normal users.

For our example, we'll say that the files are called

/etc/namedb/tsig/Kbob.+157+00000.key, which has the following

contents:

bob. IN KEY 513 3 157 hrCDCUNBtlY3sgF8NPnJrg==
      

And /etc/namedb/tsig/Kbob.+157+00000.private, which

contains:

Private-key-format: v1.2
Algorithm: 157 (HMAC)
Key: hrCDCUNBtlY3sgF8NPnJrg==
      

Use an existing zone entry for your domain, or create

a new one. It should look something like the following, though there are

other options and keywords that you may want to include:

zone "my.home.domain" {
    type master;
    allow-transfer {
        10.0.0.0; // put your slave servers here
    };
    file "my.home.domain.zone";
};
      

Be sure that the domain name is registered with the correct nameserver

information and that you populate the initial zone file with the proper

records (NS, A, CNAME, MX, whatever is required). If you don't know how to do

this, invest some time reading the documentation at ISC's BIND site.

On my.inet.server you need to make the following entry in /etc/named.conf:

key bob {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret hrCDCUNBtlY3sgF8NPnJrg==;
};
      

And then add the allow-update directive to

my.home.domain:

zone "my.home.domain" {
    type master;
    allow-transfer {
        10.0.0.0; // replace this with your real slave servers
    };
    allow-update {
        key bob;
    };
    file "my.home.domain.zone";
};
      

Be sure to HUP named on my.inet.server after making the changes to

/etc/named.conf.

my.inet.server is now ready to accept dynamic updates from

my.cable.machine. To send an update, you need to use the nsupdate

command on my.cable.machine.

There are lots of DDNS client scripts out there

writtin in shell, perl, and even C that will allow you to automatically use

nsupdate to change the information on my.inet.server. Do a web or a

news search for something that will fit your specific platform and versions of

DHCP and DNS.

If you wanted to do an interactive update, instead of an automated one,

you'd do:

nsupdate -k /etc/namedb/tsig:bob.
      

This will bring you to a > prompt. Let's say, for example, that you

wanted to add an record for mail.my.home.domain to be the IP of

my.cable.machine with a TTL of 10 minutes (600

seconds). You want to keep your timeout low so that changes will propagate

rapidly in the event of an IP change. I'll use the loopback address of

127.0.0.1 as an example, but be sure to put the correct address in when you're

making your actual changes. You'd do the following:

update add mail.my.home.domain. 600 IN A 127.0.0.1
      

Then hit return again so that nsupdate executes the command you typed in on

the previous line. You can do multiple lines of changes destined for the same

zone file before you hit return the second time, but if you want to make

changes to two different zone files, you need to make the changes in two

blocks.

Once you hit return a second time, a lookup is performed on

my.home.domain to extract the nameserver information, and then that

nameserver (my.inet.server) is contacted and they key authentication

takes place. On my.inet.server, you should now see a log file appear

wherever you keep your zone file. The log file will be called

my.home.domain.zone.log, and it contains the directives to make the

changes you specified with the nsupdate command. Eventually, these changes

will be rolled into the actual zone file and the log file will be removed.

For the time being, though, these entries are merely in named's cache.

Take a look at the nsupdate man page for more information on the nsupdate

syntax and usage for your particular version of BIND.