- \n
- root SSH access<\/li>\n
- BIND installed<\/li>\n
- a domain already set up and working with BIND<\/li>\n<\/ul>\n<\/li>\n
- An OpenWrt router at home to send updates<\/li>\n<\/ol>\n
The OpenWrt router isn’t strictly necessary.\u00a0 You could, of course do the dynamic DNS updates with a cheap Linux firewall, but I’ll cover the configuration for OpenWrt.<\/p>\n
<\/p>\n
DNS Server Configuration<\/h2>\n
The file naming conventions used here are for a BIND installation on Debian. Your distribution may use a different naming convention, however, the concepts should be the same.<\/p>\n
On the DNS server (as root):<\/p>\n
# dnssec-keygen -C -a HMAC-MD5 -b 512 -n HOST sub.domain.com.<\/pre>\n
You can use your domain name (or subdomain) as the key name if you’d like. That’s what I did in this example – it helps me keep things straight. The
-C<\/code> switch is for compatibility mode since it’s likely thensupdate<\/code> binary on OpenWrt will be older than the BIND installation on your DNS server. The contents of the key file will look something like this:<\/p>\n# cat Ksub.domain.com.+157+54658.key\r\nsub.domain.com. IN KEY 512 3 157 GWruXog5QO20QSB2YvLJp60DwlfJhq0hQ9KiAXFRNDHlrhSSjGBtGlM8 wSJpWNlUbhdkBnV3Or41s1iedLoDwg==<\/pre>\n
I like to keep BIND’s key configuration in a separate file to make sure it doesn’t get overwritten with software upgrades, so I created a file called
\/etc\/bind\/keys.conf<\/code>. Using the MD5 from the key file (the cryptic string(s) that ends in ‘==’, after the sets of numbers), create akeys.conf<\/code> file:<\/p>\nkey sub.domain.com.\r\n{\r\n\talgorithm HMAC-MD5;\r\n\tsecret \"GWruXog5QO20QSB2YvLJp60DwlfJhq0hQ9KiAXFRNDHlrhSSjGBtGlM8 wSJpWNlUbhdkBnV3Or41s1iedLoDwg==\";\r\n};<\/pre>\nThen in
\/etc\/bind\/named.conf<\/code>, add this at the top:<\/p>\ninclude \"\/etc\/bind\/keys.conf\";<\/pre>\n
In my
\/etc\/bind\/named.conf.local<\/code> (which has all of the zones actually hosted on the server), the zone for the domain I want to make dynamic has the following:<\/p>\nzone \"domain.com\" IN {\r\n type master;\r\n file \"\/etc\/bind\/db.domain\";\r\n update-policy {\r\n grant sub.domain.com. name sub.domain.com. A TXT;\r\n };\r\n notify no;\r\n};<\/pre>\nYou would substitute your domain for “domain.com” and “sub.domain.com,” and have your own zone file in a different file named after your domain (
\/etc\/bind\/db.yourdomainname<\/code>).<\/p>\nThe “update-policy” section is the part that is added.\u00a0 The first parameter to the “grant” statement is the name of the key, and the “name” parameter is the domain name – which I’ve made the same in this case. There’s nothing different about
\/etc\/bind\/db.domain<\/code> than any of my other zone db files, except it’s owned by the “bind” user & group — that way when it receives a DNS update, it can change the file (dynamically!).<\/p>\nAlso the
\/etc\/bind<\/code> directory should be owned by group “bind” so that it can create\/etc\/bind\/db.domain.jnl<\/code> — a journal file BIND will use.<\/p>\nOpenWrt Configuration<\/h2>\n
Install the “bind-client” package on your OpenWrt router. \u00a0I like to use the LuCI web interface. \u00a0In LuCI you can find it by searching under the software administration menu.<\/p>\n
SCP the private & key files you created on your DNS server to your OpenWrt router. \u00a0I keep my DNS files in root’s home directory:
\/root<\/code>.<\/p>\nCreate a hotplug file to update the DNS when the WAN interface obtains an address. Put it in\u00a0
\/etc\/hotplug.d\/iface\/30-nsupdate<\/code>:<\/p>\n[ \"$INTERFACE\" != \"wan\" ] && ( [ \"$ACTION\" != \"ifup\" ] || [ \"$ACTION\" != \"update\" ] ) && exit 0\r\n\r\nrdate -s time.nist.gov\r\ninclude \/lib\/network\r\nscan_interfaces\r\nconfig_get ipaddr wan ipaddr\r\n\r\necho \"server your.bindserver.com\r\nzone domain.com\r\nupdate delete sub.domain.com A\r\nupdate add sub.domain.com. 86400 A $ipaddr\r\nshow\r\nsend\" | nsupdate -k \/root\/Ksub.domain.com.+157+54658.key -v<\/pre>\n
Again, Replace “domain.com” with the name of your zone, and “sub.domain.com” with the name of your dynamic domain (they could be named the same).\u00a0 Replace “your.bindserver.com” with the name or IP of your DNS server.\u00a0 The
rdate<\/code> command is in there to make sure your time is set correctly before runningnsupdate<\/code>.\u00a0 BIND will complain if the time difference between the client & server differs too much.\u00a0 While only the key file is referenced in the script, both files need to be present (usually in the same directory as each other) fornsupdate<\/code> to make a valid request.<\/p>\nYou can (and should) test the script without disrupting your network connection by SSHing into your OpenWrt router and running the following command:<\/p>\n
# ACTION=update INTERFACE=wan \/sbin\/hotplug-call iface<\/pre>\n
Often BIND will complain about time, permissions, auth keys, etc. Running the test above is the best way to find out what’s going on. If there’s no output, the update probably went through. Try to ping your dynamic domain name and see if all is well.<\/p>\n
![](\"https:\/\/www.foell.org\/justin\/wp-content\/plugins\/send-to-kindle\/media\/white-15.png\")
Send to Kindle<\/span><\/div>","protected":false},"excerpt":{"rendered":"This article assumes you fave a few things: A Linux server with: root SSH access BIND installed a domain already set up and working with BIND An OpenWrt router at home to send updates The OpenWrt router isn’t strictly necessary.\u00a0 You could, of course do the dynamic DNS updates with a cheap Linux firewall, but… Continue reading