DYNAMIC DNS UPDATES WITHOUT DYNDNS
2014 May 07I have long been using the free service that DynDNS provided. But feeling that a “.homeip.net” address looks kinda unprofessional I discontinued using that site for anything important and just used it every now and then to connect to my MythTV based video recorder to schedule a recording from afar.
When DynDNS announced the full stop of their free service, I was looking for an alternative. And I found it built into the functionality of bind, the DNS server software I am already using for all my other websites. Here’s how I set it up:
The first thing to realize is that the update works by using signing similiar to how GPG works for emails. Since this is a pretty simple setup, I used HMAC-MD5 keys:
dnssec-keygen -a HMAC-MD5 -b 512 -n USER $( echo "blindcoder@crash-override.net" | sed 's,[^a-zA-Z],.,g' )This creates a public/private keypair called Kblindcoder.crash.override.net.+157+41741.key and Kblindcoder.crash.override.net.+157+41741.private. The .key file is the public and the .private (surprise!) is the private key.
[08:09:15][root@pallas:/data/home/blindcoder]# cat Kblindcoder.crash.override.net.+157+41741.key
blindcoder.crash.override.net. IN KEY 0 3 157 Hb6pTgRDIQb5WgLwKgGZS+aeKa8t6CDL3c+xulZIvsjz6ba6yQQudyeh AgM/2DsX0mZID0oXUkCHCMddmncJhg==
[08:09:17][root@pallas:/data/home/blindcoder]# cat Kblindcoder.crash.override.net.+157+41741.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Hb6pTgRDIQb5WgLwKgGZS+aeKa8t6CDL3c+xulZIvsjz6ba6yQQudyehAgM/2DsX0mZID0oXUkCHCMddmncJhg==
Bits: AAA=
Created: 20140507180728
Publish: 20140507180728
Activate: 20140507180728
[08:09:20][root@pallas:/data/home/blindcoder]# No, you do not need to try, I created these keys purely for the sake of this blog entry.
I copied the public key to my homeserver and the Key: part of the private key got added to my named.conf file:
key blindcoder.crash.override.net {
algorithm HMAC-MD5;
secret "Hb6pTgRDIQb5WgLwKgGZS+aeKa8t6CDL3c+xulZIvsjz6ba6yQQudyehAgM/2DsX0mZID0oXUkCHCMddmncJhg==";
};
zone "crash-override.net" IN {
type master;
file "crash-override.net.zone";
allow-update { key blindcoder.crash.override.net };
};After restarting bind, this key would now be allowed to update the DNS zone of crash-override.net. And I repeat: This is NOT my live configuration. So stop trying already!
On the client side I now have a very small shellscript to update the DNS entry of “lutetia.crash-override.net” to a new IP address:
#!/bin/bash
exec >> /var/log/ddns.log 2>&1
IP="$(curl -s ifconfig.me)"
if [ -z "${IP}" ] ; then
echo "[$(date)] Could not get IP address from ifconfig.me"
exit 1;
fi
read OLDIP < /var/run/ddns/oldip
if [ "${IP}" == "${OLDIP}" ] ; then
echo "[$(date)] IP has not changed. Not updating."
exit 0
fi
tmp="$(mktemp)"
[ -z "${tmp}" ] && exit 1
trap 'rm -f "${tmp}"' EXIT
cat > "${tmp}" <<<-EOF
server ns2.crash-override.net.
zone crash-override.net
update delete lutetia.crash-override.net. A
update add lutetia.crash-override.net. 3600 A 10.10.10.1
show
send
EOF
sed -e "s,10.10.10.1,${IP},g" -i "${tmp}"
nsupdate -y blindcoder.crash.override.net:Hb6pTgRDIQb5WgLwKgGZS+aeKa8t6CDL3c+xulZIvsjz6ba6yQQudyehAgM/2DsX0mZID0oXUkCHCMddmncJhg== "${tmp}"
exit 0I run this script via a cronjob once an hour.
EOF
Category:
Tags: dyndns bind shellscript