LinuxQuestions.org
Old 01-11-2007, 09:39 AM   #1
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Rep: Reputation: 15
External ddns server setup


Hi Guys,

I need some help AGAIN

I need to setup an external ddns server.
Where do I start and what do I need?

Got a registered domain my-company.net
Using SLES 10.

Thanx in advance
 
Old 01-11-2007, 03:11 PM   #2
nirmaltom
Member
 
Registered: Jun 2005
Location: India
Distribution: Redhat,Fedora,DSL,Ubuntu
Posts: 238

Rep: Reputation: 30
hi,

I didn't get it correct, but to my knowledge we need software like ddclient to update IP information in the server.
dyndns.com has a reference page on using this Perl package.
regards
Tom.
 
Old 01-12-2007, 07:05 AM   #3
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Hi Nirmaltom,

Thanx!!! It worked for now. That is a temporary solution to my problem.

Let me be more descriptive:

I've got several FreeBSD vpn boxes at clients.
All of them connect to the internet via adsl.
The isp assigns random ip's to the FreeBSD pc's (41.241.11.119 - not actual ip)
I created a user account for each of the FreeBSD pc's.
They log in to the mail server with cron jobs and fetchmail on a regular basis. So if one of the FreeBSD pc's gets a new ip assigned to them I'm able to check the log file on the mail server to see which ip that specific FreeBSD pc logged in from.

I want to set up my own server to assign ip's to my several FreeBSD pc's. I assume a ddns server is the way to go.

If anyone has some pointers for me, it will be greatly appreciated!

Ps: I'll be out of the office for a week.

Thanx guys!!!
 
Old 01-24-2007, 09:28 AM   #4
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
I'm back,

I've got a registered domain,
Would a dns server with a static ip and dhcp be the way to go?
 
Old 01-24-2007, 10:26 AM   #5
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
I feel you are not describing what the problem is here. So you have a mail server, and you have freeBSD boxes that connect to it. The address of these servers change, but so what? They're connected to the net, and can reach your mail server, then what is the problem?

If you always need to know the IP of these remote boxes, why not use the aforementioned cron to have them sign into the mail server every 5 minutes? That way you always have their IP address, and you should be able to connect to them.

DHCP wouldn't serve any purpose. You could assign an address to the VPN clients, but don't they already have a LAN address through the VPN?

I'm not making much sense out of what you're trying to accomplish here. Where does ddns even factor in?

Please write back and explain what you need to have happen.

Peace,
JimBass
 
Old 01-25-2007, 07:18 AM   #6
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
JimBass,

I've had it all wrong!

Last time I posted I had holiday fever!

I've got a registered domain mycompany.net with a static ip.
The FreeBSD boxes get random ip's from my isp.
What I want to do is create subdomains for each FreeBSD box:
clientsite1.ddns.mycompany.net, clientsite2.ddns.mycompany.net,
clientsite3.ddns.mycompany.net....

Mainly I don't want to use dyndns.com, but want my own DDNS server.

I want to ssh to my FreeBSD box on clientsite1.ddns.mycompany.net and not the wan ip 41.242.3.66.

The FreeBSD boxes are used as vpn/firewall/routers.
There are several windows based pc's on site where other companies do support for the sales software and they use PcAnywhere.
Now every time these guys want to do support they first phone me for the ip of the FreeBSD box. I want them to use clientsite1.ddns.mycompany.net instead of the ip too.

What would the best route be for taking on this task?
Setting up a new DNS Server?
How?

Thanx in advance!
 
Old 01-25-2007, 09:48 AM   #7
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Ok, makes much more sense now!

Yes, you'll want to run your own ddns server, which is just a BIND dns server with a ton of keys for the remote hosts, allowing them to update just their specific subzone. As a partial example, clientsite1.ddns.mycompany.net would get one key, that allows it to update just the clientsite1.ddns.mycompany.net zone file. The main tools needed are the dnssec-keygen tool, which is a standard part of the BIND installation and also client install, and you'll need the nsupdate tool, so the clients can push their changes to the nameserver. I googled (how to setup ddns server) and the most promising results were found here:

http://linux.yyz.us/nsupdate/
The server side setup is the next page, http://linux.yyz.us/dns/ddns-server.html.

You'll have to cron the updating, I would think, and you'll also have to use the dnssec-keygen key to allow the clients to refresh the zone once they edit it. You'll have some permissions to mess with, and be certain BIND on the static box is running as user named or bind, not root, or you'll be exploit heaven.

Peace,
JimBass
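
An added example, not part of the original post or the linked pages: with `allow-update { key ...; };` a TSIG key may change any record in the zone, while an `update-policy` grant limits a key to its own name. The script lists keys that hold zone-wide write access; zone names, key names and the sample config are hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example: list TSIG keys that hold zone-wide write access through
# allow-update. Zone and key names below are hypothetical.

# usage: zone_wide_keys <named.conf>   -> prints "<zone> <key>" per finding
zone_wide_keys() {
    awk '
        $1 == "zone"          { z = $2; gsub(/"/, "", z); au = 0 }
        $1 == "allow-update"  { au = 1 }
        $1 == "update-policy" { au = 0 }
        au {
            for (i = 1; i < NF; i++) if ($i == "key") {
                k = $(i + 1); gsub(/[";]/, "", k); print z, k }
        }
        /^[ \t]*\};/ { au = 0 }
    ' "$1"
}

# Constructed sample: the first zone uses the weak form, the second the
# per-name form where each key may only touch the A record of its own name.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
zone "ddns.example.net" {
    type master;
    file "dyn/ddns.example.net";
    allow-update {
        key clientsite1.ddns.example.net;
        key clientsite2.ddns.example.net;
    };
};
zone "safe.example.net" {
    type master;
    file "dyn/safe.example.net";
    update-policy {
        grant clientsite1.safe.example.net. name clientsite1.safe.example.net. A;
        grant clientsite2.safe.example.net. name clientsite2.safe.example.net. A;
    };
};
EOF

zone_wide_keys "$CONF"
```
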
 
Old 01-25-2007, 01:20 PM   #8
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Thanx!

Now I know where to start.
I'll let U know how it goes.

Just a matter of interest:
I want to use SLES10 but my boss wants me to use FreeBSD V6.
What do U prefer?
I'll end up using the FreeBSD anyway but I'll try SLES on the side too.

Thanx again!
 
Old 01-25-2007, 03:12 PM   #9
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
I would never use Suse for any reason under the sun. I think all rpm based distros are crap, and are virtually windows-lite. Since Suse cut their deal with Microsoft, most people avoid them like the plague.

I agree with your boss 100%. BSD is a very secure system, and ideal for doing things like this.

Peace,
JimBass
 
Old 01-26-2007, 04:06 AM   #10
nirmaltom
Member
 
Registered: Jun 2005
Location: India
Distribution: Redhat,Fedora,DSL,Ubuntu
Posts: 238

Rep: Reputation: 30
Quote:
Originally Posted by JimBass
I would never use Suse for any reason under the sun. I think all rpm based distros are crap, and are virtually windows-lite. Since Suse cut their deal with Microsoft, most people avoid them like the plague.
Hi,
It's true and I too accept it.
Regards,
Tom.
 
Old 02-02-2007, 12:31 AM   #11
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Hi Guys.

I'm almost done.
I've got other projects to take care of too,
but haven't given up yet.
I'll finish it over the weekend or so and when it is fully functional I'll post a Howto for all the newbies out there like me!

Thanx again for all the help.

Enjoy the rest of your day people!
 
Old 02-23-2007, 05:57 AM   #12
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Not getting it right!!!

I need some help AGAIN.

The client freebsd box isn't updating its ip to the dns server.

Update file(updatedns.sh)
Code:
#!/bin/sh

NAME="client.ddns.mydomain.co.za"
TTL="60"
IP=`/sbin/ifconfig | /usr/bin/grep -A1 tun0 | /usr/bin/grep inet | /usr/bin/cut -f 2 -d " "`

    /usr/bin/nsupdate -d -k /root/utils/client.ddns.mydomain.co.za.+157+61514.key <<EOF

server mydnsserver
zone ddns.mydomain.co.za
update delete $NAME
update add $NAME 60 A $IP

EOF
Dns Server
Code:
$TTL 2D
@               IN SOA   ddns.mydomain.co.za. root.ddns.cos.co.za. (
                                2007022200      ; serial
                                3H              ; refresh
                                1H              ; retry
                                1W              ; expiry
                                1D )            ; minimum

zone "ddns.mydomain.co.za" {
        type master;
        file "/var/lib/named/dyn/ddns.mydomain.co.za";
        allow-update {
                key client.ddns.mydomain.co.za;
        };
};

key "client.ddns.mydomain.co.za" {
        algorithm "HMAC-MD5";
        secret "client.ddns.mydomain.co.za. IN KEY 512 3 157 WNmmnCCJ9VvzQosdrYOspQiOp02LxtPUlNAqAUbB/l2SBzsblfkl+1q7 t1+ZYS6rbEub0kJ5ejRwGxm6CGwvFA==";
};
Zone file
Code:
client.ddns.mydomain.co.za.   60      IN      A       10.10.245.232
When I do a manual update by running the update file I get the following output:

Code:
Creating key...
Sending update to mydnsserver#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  29278
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;ddns.mydomain.co.za.                        IN      SOA

;; UPDATE SECTION:
client.ddns.mydomain.co.za.   0       ANY     ANY
client.ddns.mydomain.co.za.   60      IN      A       47.253.168.173

;; TSIG PSEUDOSECTION:
client.ddns.mydomain.co.za.   0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1172231551 300 16 auy4U4zRmRIxlMyngdZ9Mw== 29278 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  29278
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
client.ddns.mydomain.co.za.   0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1172231551 300 0  29278 BADKEY 0
Am I overlooking something?

Last edited by karelvdm; 02-23-2007 at 06:03 AM.
 
Old 02-23-2007, 08:53 AM   #13
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Since it seems to be complaining about the key, I'd start there. Are the keys identical? It would also be worth it to generate a new key and try that out if an md5sum on the keys does come out to be identical.

Also, another good reason to do that is you published here what the secret key is. This string, WNmmnCCJ9VvzQosdrYOspQiOp02LxtPUlNAqAUbB/l2SBzsblfkl+1q7 t1+ZYS6rbEub0kJ5ejRwGxm6CGwvFA==, should be kept hidden. With that string you can insert false data into your DNS record, should somebody want to.

Peace,
JimBass
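
An added example, not part of the original posts: a check that the server and client really hold the same key. In `named.conf` the `secret` value must be only the base64 field of the `K*.key` record (joined into one string), whereas the stanza in post #12 holds the whole record. The host name and the secret below are constructed placeholders.

```shell
#!/bin/sh
# Added example: check that named.conf carries the same bare base64 secret
# as the client's dnssec-keygen K*.key file. All sample data is constructed.

# Print only the base64 secret from a K*.key record:
#   <name> IN KEY <flags> <proto> <alg> <base64, possibly split by spaces>
key_secret() {
    awk '$2 == "IN" && $3 == "KEY" {
        s = ""; for (i = 7; i <= NF; i++) s = s $i; print s; exit }' "$1"
}

# Print the secret string configured for key $2 in named.conf-style file $1.
conf_secret() {
    awk -v k="$2" '
        $1 == "key" { n = $2; gsub(/"/, "", n); inkey = (n == k) }
        inkey && $1 == "secret" { sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit }
    ' "$1"
}

# usage: check_tsig <K*.key file> <named.conf> <key name>
# returns 0 = match, 1 = secrets differ, 2 = secret is not bare base64
check_tsig() {
    want=$(key_secret "$1"); have=$(conf_secret "$2" "$3")
    if ! printf '%s\n' "$have" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
        echo "$3: secret is not bare base64 (whole KEY record pasted?)"; return 2
    fi
    [ "$want" = "$have" ] || { echo "$3: secret differs from key file"; return 1; }
    echo "$3: ok"
}

# Constructed sample data (hypothetical host name, placeholder secret).
D=$(mktemp -d)
REC='host1.ddns.example.net. IN KEY 512 3 157 Y29uc3RydWN0ZWQt c2FtcGxlLWtleQ=='
printf '%s\n' "$REC" > "$D/Khost1.key"
# Wrong: the whole KEY record pasted into secret.
printf 'key "host1.ddns.example.net" {\n algorithm "HMAC-MD5";\n secret "%s";\n};\n' \
    "$REC" > "$D/bad.conf"
# Right: only the base64 field, joined into one string.
printf 'key "host1.ddns.example.net" {\n algorithm "HMAC-MD5";\n secret "%s";\n};\n' \
    "$(key_secret "$D/Khost1.key")" > "$D/good.conf"

check_tsig "$D/Khost1.key" "$D/bad.conf"  host1.ddns.example.net || true
check_tsig "$D/Khost1.key" "$D/good.conf" host1.ddns.example.net
```

Current BIND releases create TSIG keys with `tsig-keygen`, which prints a ready-made `key` stanza; the `K*.key` format handled here is the one `dnssec-keygen -a HMAC-MD5` produced at the time of the thread.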
 
Old 02-26-2007, 01:57 AM   #14
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Thanx JimBass

I'll generate new keys.
Is my zone file correct?
 
Old 02-26-2007, 05:30 AM   #15
karelvdm
Member
 
Registered: Sep 2004
Location: Pietermaritzburg South Africa
Distribution: Home:OpenSuse 11, Office:FreeBSD 7 PBX:Trixbox 2 (CentOS 4.4) Home Automation : LinuxMCE
Posts: 123

Original Poster
Rep: Reputation: 15
Is this the right command to generate the keys?

Code:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST client.ddns.mydomain.co.za.

Last edited by karelvdm; 02-26-2007 at 05:34 AM.
 
  

