[TriLUG] dynamic dns

Aaron S. Joyner aaron at joyner.ws
Sat Dec 4 07:39:39 EST 2004


Matt Pusateri wrote:

>Trilugers,
>
>ok, if you manage your own domain and also dns.  I would think it
>should not be too hard to roll your own dyndns.org type functionality,
>so that you could update your dynamic cable modem address to the dns
>server you run at work.
>
>Any pointers in the right direction?  With Mr. Joyner being the
>triangle's  (trilug/ncsa) resident DNS guru, I would wager he might
>have some words of wisdom to impart or then again maybe not.
>
>
>Matt Pusateri
>
>  
>
Words of wisdom... I'll see what I can do.  :)  Check out the slides 
from my December DNS presentation, which address doing remote updates 
with authenticated, signed TSIG keys.  With a little bit of imagination, 
and some scripting, you're well on your way to running a 
dyndns.org-style server of your very own.  The one linchpin in this 
scenario is of course the root name servers; updating those can be a 
little tricky, and will likely involve manual intervention.

Consider this scenario - you have root access to two computers, both of 
which have dynamic IP addresses that are relatively stable, but may 
change from time to time (changing less than once a week would be 
roughly the minimum requirement I'd think - certainly reasonable for DSL 
or Cable).  You purchase a domain from your favorite registrar of 
choice, and then install BIND on each of the servers.  Set up the domain 
on one server as a master, and the other server as a slave.  Set up 
dynamic updates for this zone, and allow updates via TSIG keys.  Write a 
short script that will examine the IP address of the current machine, 
compare it with the DNS record, and update the appropriate records if 
they are different.  Optionally you may want it to fire off an email to 
you as well (more on why in a bit).  You can then set this script to be 
run from cron, or from the if-up / if-down scripts for the interface, or 
by your dhcp-client if it's supported appropriately.  You might even 
find a pre-canned version of this script w/ some googling, it's a 
relatively simple process, and I know others have done it before.

This setup will allow you to not only maintain normal DNS service for 
the entire zone, but you can then easily extend the service to other 
machines.  You could have dozens, hundreds, even thousands of machines 
that update those servers, in order to keep your/their DNS zones updated 
with the proper addresses.  Now I mentioned that there were a few 
problems, I'll cover them briefly.  If your primary or secondary DNS 
server's IP address changes, you need to update not only the primary DNS 
server for your domain, but you also need to inform the registrars that 
the address has changed.  You don't have to do this right away, 
necessarily, because the DNS entry for your secondary DNS will still be 
correct so queries will continue to work.  Also, when a client's DNS 
server queries against your secondary they'll get an authoritative 
address for the primary from the secondary (as part of a glue record), 
so that'll also straighten itself out.  But you will have to change it 
before the secondary changes, or things start to get messy.  I don't 
know of any registrars that currently allow you to update the DNS in any 
naturally automated fashion, but I did once write a script for updating 
the joyner.ws domain with its registrar via https, so I can attest to 
the fact that it's possible.  It would be dramatically more convenient 
if they allowed updates via some more natural method (DNS TSIG updates 
would be ideal, SOAP wouldn't be terrible, etc), but perhaps that's a 
business model for some enterprising TriLUG member to take up.  :)

Okay, I think I've given you the 10,000 foot view.  You can google for 
the particulars, check the slides from my DNS class for the details on 
dynamic updates and TSIG keys if you like, and as always feel free to 
ask any questions that stump you here.

Happy DNS-ing!  :)

Aaron S. Joyner
apparently nominated "resident DNS guru"
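
The update script described in the message above, sketched as an added example (not part of the original post and not Aaron's own script). The zone, host, server and key-file names are placeholders, and the current address is assumed to be passed in by the caller, for instance a DHCP client hook or a cron wrapper.

```shell
#!/bin/sh
# Added example: TSIG-signed dynamic DNS update client. All names are placeholders.
ZONE="example.org"            # assumption: the zone you run
HOST="home.example.org"       # assumption: the record this machine owns
SERVER="ns1.example.org"      # assumption: master that accepts signed updates
KEYFILE="/etc/ddns/home.key"  # assumption: TSIG key file, readable by this user only
TTL=300                       # short TTL so resolvers pick up a change quickly

# Accept only a dotted-quad IPv4 address so nothing else reaches nsupdate.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 when the published record differs from the current address.
needs_update() {   # $1 = current address, $2 = address in DNS (may be empty)
    [ "$1" != "$2" ]
}

# Emit the nsupdate command batch that replaces the A record.
build_update() {   # $1 = new address
    valid_ipv4 "$1" || return 1
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$HOST" "$HOST" "$TTL" "$1"
}

# Compare with the record on the master and send a signed update if it differs.
run_update() {     # $1 = current address of this machine
    valid_ipv4 "$1" || return 1
    published=$(dig +short @"$SERVER" "$HOST" A | head -n 1)
    needs_update "$1" "$published" || return 0
    build_update "$1" | nsupdate -k "$KEYFILE" &&
        logger -t ddns "updated $HOST: $published -> $1"
}

# Only talk to the network when an address is given on the command line.
if [ $# -gt 0 ]; then
    run_update "$1"
fi
```

The master must permit updates signed with the same key for this zone, and the logger line can be swapped for a mail command to get the notification the message suggests.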


