Converting existing bind9 and dhcpd to dynamic dns

I have a working dns (bind9) and dhcpd running on my home lan. This adds dynamic dns updates from dhcpd to bind9.

The following is mostly based on http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/. Kudos to Trygve Laugstøl for assistance too :)


Key

First - generate a key to use:

dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate

This writes two files, Kdhcpupdate.+157+<id>.key and Kdhcpupdate.+157+<id>.private, which both contain the same secret. Take the last field on the single line of the .key file: it is a base64-encoded string, not an MD5 hash. Anyone holding that string can rewrite both zones, and the .key file is normally created world-readable, so once the secret is in the configs delete both files or keep them root-only. hmac-md5 is what the BIND 9 and dhcp3 of this era support; current BIND deprecates it, so on a modern system generate the key with -a HMAC-SHA256 -b 256 instead (or tsig-keygen on BIND 9.13 and later) and use algorithm hmac-sha256 in both configs below.


Bind9

Now - update bind. I use debian's basic setup - so my edits are in /etc/bind/named.conf.local

Add to the file (on a default Debian install it is readable by every local user, so either make it root:bind mode 640, or put this stanza in a separate root:bind 640 file and include it from named.conf.local)

key dhcpupdate {
  algorithm hmac-md5;
  secret "your key - keep the quotes here";
};

Then to each of the zone statements add allow-update { key dhcpupdate; };.

Here are my two zones updated:

zone "home.chrissearle.org" {
        type master;
        file "/etc/bind/home.chrissearle.org";
        allow-update { key dhcpupdate; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/1.168.192.in-addr.arpa";
        allow-update { key dhcpupdate; };
};

Make sure that the bind process can write to the directory holding the zone files - it creates a .jnl journal next to each dynamically updated zone and rewrites the zone file itself on shutdown. In my case chmod g+w /etc/bind was needed. Note that this also lets a compromised named rewrite its own configuration; Debian's package provides /var/lib/bind for exactly this purpose (already writable by bind), so the cleaner option is to move dynamic zones there and point the file paths at it.

Testing bind9

Restart bind and then use the nsupdate command

This is based on my setup - home.chrissearle.org/192.168.1.x

# nsupdate
> server localhost
> key dhcpupdate thekeygoesherenoquotes
> update add 50.1.168.192.in-addr.arpa 600 IN PTR testnode.home.chrissearle.org.
> send
> update add testnode.home.chrissearle.org. 600 IN A 192.168.1.50
> send
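Typing the two transactions by hand works for one test node; the following shell functions, an added example rather than the post's own code, generate them from a host name and address instead. They compute the in-addr.arpa name, refuse malformed addresses, add "prereq nxdomain" lines so the test fails instead of silently overwriting a record that already exists, and provide the matching delete so the test records do not linger in the zone. Assumptions: the post's zones, server localhost, TTL 600, and that you pipe the output into nsupdate yourself with the key (for example -k with the .private file dnssec-keygen wrote, or -y hmac-md5:dhcpupdate:secret, which exposes the secret in the process list).

```shell
#!/bin/sh
# Added example (not from the original post): build nsupdate transactions for one host.

SERVER=${SERVER:-localhost}   # assumption: same box as in the post
TTL=${TTL:-600}               # assumption: the TTL used in the post

# Validate a dotted-quad IPv4 address: exactly four decimal octets, each 0-255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 192.168.1.50 -> 50.1.168.192.in-addr.arpa (no trailing dot).
reverse_name() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa' "$4" "$3" "$2" "$1"
}

# Emit two transactions: one update cannot span zones, so the A record and the
# PTR need separate "send"s (the "server" line persists across them). The
# "prereq nxdomain" lines make named reject the update with NXDOMAIN-style
# failure instead of replacing a name or PTR that someone else already owns.
nsupdate_add() {
    name=$1; ip=$2
    rev=$(reverse_name "$ip") || { echo "bad address: $ip" >&2; return 1; }
    printf 'server %s\n' "$SERVER"
    printf 'prereq nxdomain %s.\n' "$name"
    printf 'update add %s. %s IN A %s\nsend\n' "$name" "$TTL" "$ip"
    printf 'prereq nxdomain %s.\n' "$rev"
    printf 'update add %s. %s IN PTR %s.\nsend\n' "$rev" "$TTL" "$name"
}

# The clean-up for the same host, deleting exactly the records added above.
nsupdate_delete() {
    name=$1; ip=$2
    rev=$(reverse_name "$ip") || { echo "bad address: $ip" >&2; return 1; }
    printf 'server %s\n' "$SERVER"
    printf 'update delete %s. A %s\nsend\n' "$name" "$ip"
    printf 'update delete %s. PTR %s.\nsend\n' "$rev" "$name"
}

# Usage (the second form is what you would actually run, as root on the server):
#   nsupdate_add testnode.home.chrissearle.org 192.168.1.50
#   nsupdate_add testnode.home.chrissearle.org 192.168.1.50 | nsupdate -k Kdhcpupdate.+157+<id>.private
nsupdate_add testnode.home.chrissearle.org 192.168.1.50
```

Pipe nsupdate_delete the same way once you have seen both records resolve; with prerequisites in place a second nsupdate_add of the same host is rejected rather than applied twice.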

A successful send prints nothing. The errors you are most likely to see: REFUSED means allow-update did not accept the key (wrong name, secret or algorithm), NOTAUTH means the server is not authoritative for that zone name, and SERVFAIL usually means named could not write the journal file - check the directory permissions above and named's log. The site linked above has more info on what errors you can get and what they often mean.


dhcpd

NOTE - I am running debian stable (etch). And I was using the dhcp package - this is ISC dhcp version 2.0 - way too old. Install dhcp3-server and purge dhcp or this simply won't work.

To the top of my dhcpd.conf file I added the following (the authoritative line is there because dhcpd 3 no longer assumes it is the authoritative server for its subnets; without it, clients still holding leases from the old v2 setup never get a DHCPNAK and keep their stale addresses):

ddns-update-style interim;

update-static-leases on;

authoritative;

key dhcpupdate {
  algorithm hmac-md5;
  secret the-key-goes-here-no-quotes-this-time;
}

zone 1.168.192.in-addr.arpa {
  primary localhost;
  key dhcpupdate;
}

zone home.chrissearle.org {
  primary localhost;
  key dhcpupdate;
}
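The same secret has now been pasted into named.conf.local and dhcpd.conf with different quoting rules, and both files are world-readable on a default install. The script below, an added example and not the post's own code, generates the secret once and writes it into two separate include files with root-plus-group permissions (one to include from named.conf.local, one from dhcpd.conf), and prints a zone stanza whose allow-update accepts the key only from localhost, so a leaked secret cannot be used from elsewhere. Assumptions: key name dhcpupdate, the Debian group names bind and dhcpd, hmac-sha256 (set ALGO=hmac-md5 for the etch-era BIND 9.3 and dhcp3 the post uses), and the include file names, which are mine.

```shell
#!/bin/sh
# Added example (not from the original post): generate and install a TSIG secret.

KEYNAME=${KEYNAME:-dhcpupdate}
ALGO=${ALGO:-hmac-sha256}   # assumption: modern BIND/dhcpd; use hmac-md5 on etch

# 256-bit random secret, base64 on a single line, which is what both daemons expect.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Key stanza in named.conf syntax: the secret MUST be quoted here.
named_key_stanza() {
    printf 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Key stanza in dhcpd.conf syntax: secret unquoted, no ';' after the closing brace.
dhcpd_key_stanza() {
    printf 'key %s {\n\talgorithm %s;\n\tsecret %s;\n}\n' "$1" "$2" "$3"
}

# Zone stanza for named. ACL elements are tried in order, so the nested
# "!{ !localhost; any; }" rejects every non-localhost client before the key
# element is consulted: the update must be both signed and local.
named_zone_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n\tallow-update { !{ !localhost; any; }; key %s; };\n};\n' "$1" "$2" "$3"
}

# Write stdin to $1 readable only by root and group $2. The file is created under
# umask 077 so it is never world-readable, not even briefly.
write_private_file() {
    file=$1; grp=$2
    (umask 077; cat > "$file")
    chgrp "$grp" "$file" 2>/dev/null || true   # no-op where the group does not exist (e.g. a scratch box)
    chmod 0640 "$file"
}

# Generate one secret and install both include files under directory $1.
# In real use $1 is /etc/bind for named and /etc/dhcp (or /etc/dhcp3) for dhcpd.
install_key() {
    dir=$1
    secret=$(gen_secret)
    named_key_stanza "$KEYNAME" "$ALGO" "$secret" | write_private_file "$dir/named-$KEYNAME.key" bind
    dhcpd_key_stanza "$KEYNAME" "$ALGO" "$secret" | write_private_file "$dir/dhcpd-$KEYNAME.key" dhcpd
}

# Demo run into a scratch directory; then add
#   include "/etc/bind/named-dhcpupdate.key";   to named.conf.local and
#   include "/etc/dhcp/dhcpd-dhcpupdate.key";   to dhcpd.conf.
demo=$(mktemp -d)
install_key "$demo"
echo "wrote $demo/named-$KEYNAME.key and $demo/dhcpd-$KEYNAME.key"
named_zone_stanza home.chrissearle.org /var/lib/bind/home.chrissearle.org "$KEYNAME"
```

Because the key stanza is no longer inline, named.conf.local and dhcpd.conf can stay readable for debugging while only root, bind and dhcpd can read the secret.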

I have my home domain in a group:

group {
        option subnet-mask      255.255.255.0;
        option routers  192.168.1.2;
        option domain-name-servers      192.168.1.2;
        option domain-name      "home.chrissearle.org";
        ddns-domainname "home.chrissearle.org";

All that has changed here is the added ddns-domainname line.

And for each host where I allocate fixed IP based on mac - add a ddns-hostname. For example:

host slippen {
      hardware ethernet 00:16:CB:B9:F5:B6;
      fixed-address 192.168.1.6;
      ddns-hostname "slippen";
}

Finally - inside the subnet/pool scope that hands out dynamic (non-fixed) addresses:

                ddns-hostname = binary-to-ascii(10, 8, "-", leased-address);
                ddns-domainname = "home.chrissearle.org";

This registers each dynamic lease under a name derived from its address (192.168.1.50 becomes 192-168-1-50.home.chrissearle.org). Without a ddns-hostname, dhcpd uses whatever host-name option the client sends, which lets any device on the LAN claim an unused name in your zone; the interim style's TXT record stops a client overwriting a name another client already registered, but not claiming a new one.

The full config files are here:

https://dev.chrissearle.net/mercurial/config/file/tip/nornour/config/etc...
https://dev.chrissearle.net/mercurial/config/file/tip/nornour/config/etc...

Hint - if your bind9 process listens to the internet then you must look at protecting ddns updates. The controls{} statement is not the place: it governs rndc, not DNS update messages. Updates are gated by allow-update, and as written it accepts the key from any source address, so the secret is the whole defence - keep it out of world-readable files. If dhcpd runs on the same box, tighten it by putting a negated nested ACL in front of the key element in allow-update so that only localhost can use the key; and make sure allow-transfer is restricted too, or anyone can pull the whole list of your hosts.

Comments

Comment by chris:

Moving to /var/bind

Just realised that since this is on a CF card I want any updating files on tmpfs (all other processes are set for this at the minute).

So - I added:

tmpfs   /var/bind       tmpfs   defaults,noatime        0       0

to /etc/fstab.

Then I edited /etc/init.d/bind9

case "$1" in
    start)
        log_daemon_msg "Starting domain name service..." "bind"

        modprobe capability >/dev/null 2>&1 || true

        # dirs under /var/run can go away on reboots.
        mkdir -p /var/run/bind/run
        chmod 775 /var/run/bind/run
        chown root:bind /var/run/bind/run >/dev/null 2>&1 || true

        chmod 775 /var/bind
        chgrp bind /var/bind
        cp /etc/bind/home.chrissearle.org /var/bind
        cp /etc/bind/1.168.192.in-addr.arpa /var/bind

        if [ ! -x /usr/sbin/named ]; then
            log_action_msg "named binary missing - not starting"
            log_end_msg 1
            exit 1
        fi

by adding the lines from chmod 775 /var/bind through the two cp lines (they were shown in bold on the original page).

Lastly - I changed the zone paths in named.conf.local from /etc/bind to /var/bind.

This means that at boot it will make sure that the permissions on /var/bind are correct, copy over the zone files (basic fixed data only) and only then start bind up.
