dns

Configuring Bind RNDC

RNDC is a useful mechanism for administering DNS servers. If it is not configured, BIND complains about it.

Determine the locations where RNDC expects to find the config files.

# rndc status
  rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

Create the rndc config file:

# rndc-confgen > /etc/rndc.conf

Thy rndc conf file should also have the contents that need to go to "/etc/named.conf". See sample below:

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "aitNuyDz9NkSZ0MbxeQKcQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };

Once the key and control section has been added to named.conf, restart named and test again with:

# rndc status

Bulk update DNS TTL for all Plesk domains

This is useful when migrating servers and you want to reduce the DNS time to live for all domains.

Change the TTL on all domains to 5 mins (300 seconds) in the psa database.

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> UPDATE `dns_zone` SET `ttl` = '300', `ttl_unit` = '60' WHERE `id` >1;
mysql> quit

Then update the zone files via:

# mysql -Ns -uadmin -p`cat /etc/psa/.psa.shadow` -D psa -e 'select name from domains' | awk '{print "/usr/local/psa/admin/sbin/dnsmng update " $1 }' | sh

Verify with:

$ dig @nameserver domain.tld soa

Dynamic DNS Setup

Notes on setting up a dynamic dns for home with bind-9.x


  1. Generating Secure DNS Keys
  2. On the home/client machine:

    # mkdir /etc/bind/tsig
    # cd /etc/bind/tsig
    # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST host.domain.tld.
    

    Note the "." after the tld. This generates the public and the private keys.


  3. named.conf
  4. On the remote server:

    Edit "/etc/named.conf" and add the generated key to the conf. (Note the trailing dot):

    key host.domain.tld. {
            algorithm hmac-md5;
            secret "qUSfVtkYf7WLxiZaOTN3Ua==";
    };
    


  5. Grant Authority
  6. Still on the remote server:

    Edit the "/etc/bind/zone.domain.tld" file, and modify the current allow-update line to include the key.

    allow-update   { key "default_key."; key "host.domain.tld."; };
    

    This allows full authority to modify any record within the domain (Be Warned).

    Restart named and make sure nothing is broken.


  7. nsupdate
  8. Back to the client machine:

    Run nsupdate to test that the client can now make updates.

    # nsupdate -k /etc/bind/tsig/Khost.domain.tld.*.key
    > update delete host.domain.tld A
    > update add host.domain.tld. 600 A 1.2.3.4
    > send
    > quit
    

    It first deletes host.domain.tld if it already exists, then recreates it with the given TTL, type, and IP address. The TTL is the time-to-live, which is a value used by other DNS servers to determine how often they refresh the entry for this host. A smaller values means they'll refresh more often, which is what you want for a dynamic entry. "send" tells nsupdate to send the updates to the server.


  9. Automate
  10. Create a script and put it in a 10 minute cron to check for changes in the wan ip address and run nsupdate automagically.

    # cat /etc/cron.d/ddns
    SHELL=/bin/sh
    */10 * * * * root /etc/bind/ddns
    

    Below is an example script that gets the info from a Belkin wireless router within the home lan.

    #!/bin/bash
    # ddns
    
    HOSTNAME="host.domain.tld"
    KEYFILE="/etc/bind/tsig/Khost.domain.tld.*.key"
    TTL=600
    #LOG="/tmp/ddns_log"
    LOG="/dev/null"
    IP_FILE="/tmp/ddns_ip"
    
    NEW_IP=`wget -q -O - 192.168.2.1 | grep "Up.*dw" | tr "\n" " " | awk -F "'" '{print $12}'`
    
    function do_nsupdate {
            echo "New IP address (${NEW_IP}) found. Updating..." >> $LOG
            echo $NEW_IP > $IP_FILE
            nsupdate -k $KEYFILE >> $LOG << EOF
            update delete $HOSTNAME A
            update add $HOSTNAME $TTL A $NEW_IP
            send
            quit
    EOF
    }
    
    if [ ! -f $IP_FILE ]; then
            echo "Creating $IP_FILE..." >> $LOG
            do_nsupdate
    else
            OLD_IP=`cat $IP_FILE`
            if [ "$NEW_IP" = "$OLD_IP" ]; then
                    echo "new and old IPs (${OLD_IP}) are same. Exiting..." >> $LOG
                    exit 0
            else
                    do_nsupdate
            fi
    fi
    
    exit 0
    
Comment