Quick dynamic DNS?

Grant Taylor gtaylor at tnetconsulting.net
Thu Dec 24 20:46:25 UTC 2020

On 12/24/20 8:48 AM, @lbutlr wrote:
> That is what example.com always is, yes.

Sorry.  I'm so used to people not using documentation domains that I 
double check that they aren't actually trying to literally use 
documentation domains internally.

It's a refreshing change to see documentation domains / IPs / networks 
used properly.

I tip my hat to you.

> As I said, it is authoritative for example.com.


> Yep.
> No, I just want my bind server to get updated with the external IP 
> of my home connection when it changes and update the A pointer.

Okay.  IMHO that's relatively easy to do.  See Stanley's reply as it 
seems quite good.

About the only thing that I'd do differently is to use update-policy { 
... } "grant" statements to more granularly control what the key can 
update.  E.g. allow it to /only/ update A and / or AAAA records for the 
home.example.com name and nothing else.

An alternative to grant statements is to use a CNAME to yourself in a 
different sub-domain where you have carte blanch access to update.  But, 
seeing as how the CNAME will reference explicitly one name, you have 
less of a security risk in the alias domain.  E.g. home.example.com -> 
home.client1.ddns.example.com.  Then give each client the ability to 
update it's client#.ddns.example.com sub-doimain.

> I just want to update the IP address in a single A record.

IMHO that makes this almost trivial once you know how to do it.

> Possibly, though that is certainly part of what I am asking.


> But the bind server doesn't know the new IP address?

SSH from rPI to bind9 and remotely run a command.  Possibly extracting 
the IP from the SSH_{CLIENT,CONNECTION} environment variable.  ;-)

> As I said. The bind server is at example.com. It is authoritative 
> for example.com (and several other domains as well).


I expect that many on this list have such systems at their disposal.  }:-)

> At home I have a connection to an ISP and that connection MAY change 
> since it is in a DHCP pool. I want to be able to updated my DNS server 
> so that "home.example.com" points to my home IP address.

Typical and quintessential use case.

> I have done this in the past with various dynamic DNS services (like 
> DynDNS) where their software client would automatically update a custom 
> subdomain of one of their domains like homeftp.net (the have many and 
> which one isn't relevant) and then on the Bind server I would have, 
> for example, in example.com,
> home	CNAME lbutlr.homeftp.net. #example name, not real dynDNS 
> address)
> When the client updated my IP address, bind would simply relay 
> connections to home.exmple.com to lbutlr.homeftp.net regardless of 
> what the IP address was.
> What I want to do is eliminate the 3rd party service and client so 
> that the bind server can simply have:
> home	A # obvs not a real IP

Aw ... no Test-Net IPs?  :-P

IMHO what you're wanting to do is quite doable with a little bit of 
knowledge and trial and error.  See Stanley's email for more details on 
said knowledge.

The only parting thoughts I'll add is that I don't know if TSIG keys are 
sufficiently secure, or if there is a better option.  I've not looked in 
a while.  --  I personally tend to isolate what can be changed with 
grant statements and consider it good enough.  --  This is also where 
remotely executing nsupdate through SSH sort of elides this issue and 
makes things somewhat simpler.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20201224/132f0c40/attachment.bin>

More information about the bind-users mailing list