Dynamic DNS (DDNS)

This lab guide demonstrates an example configuration on CentOS 6.5, but it can be applied to other versions as well.

rndc: Name Daemon Control

  1. If you run your DNS daemon in the foreground, or inspect the log file "/var/named/data/named.run-20140525", you may notice the error messages
    
    none:0: open: /etc/rndc.key: file not found
    couldn't add command channel ::1#953: file not found
    
    
  2. rndc is a very convenient name server control utility. It allows you to quickly reload a single zone file or the configuration file without restarting the whole DNS daemon. Imagine that you are managing more than 10 zones: you certainly do not want to restart (that is, stop and then start) your DNS server as a whole, since this interrupts service for every zone.
  3. Run "rndc-confgen -a -u named" as root to generate the file "/etc/rndc.key". This step takes about 1 or 2 minutes, so please be patient. If you want to speed up the process, press some keys at random to provide entropy.
  4. Now when you start the name daemon in the foreground (with the command "named -u named -g"), you see the messages
    
    command channel listening on 127.0.0.1#953
    command channel listening on ::1#953
    
    
    which indicate that the file rndc.key can now be read successfully.
  5. Open a new window and change your working directory to "/var/named/data". Modify the zone file "utopia.ncnu.org" and add some entries. After checking the zone file with "named-checkzone utopia.ncnu.org utopia.ncnu.org", issue the command "rndc reload utopia.ncnu.org" to reload the zone file. You will see the message "zone reload queued", which indicates that the zone file will be reloaded promptly.
  6. Meanwhile, in the window running the DNS daemon in foreground, you see two lines
    
    25-May-2014 10:35:47.302 received control channel command 'reload utopia.ncnu.org'
    25-May-2014 10:35:47.303 zone utopia.ncnu.org/IN: loaded serial 2014052400
    
    
  7. If you have modified the configuration file "/etc/named.conf", you should issue the command "rndc reload" to reload the configuration file (and all zone files), instead of only a specific zone.

Dynamic DNS (DDNS)

Many ISPs provide DDNS services, and they also provide proprietary tools for you to update DNS entries dynamically. In this exercise, however, we shall show you how to build your own DDNS server, and how to use the standard utility "nsupdate" to update DNS entries.
  1. Generate an authentication key
    1. On a client, make sure the command "nsupdate" exists by the command "type nsupdate".
    2. Issue the command "dnssec-keygen -a HMAC-MD5 -b 128 -n USER diana". You will see a response like "Kutopia.ncnu.org.+157+18040". This creates two files in the current working directory:
      1. Kdiana.+157+30155.key - your public key. Send this file to your DNS Administrator.
      2. Kdiana.+157+30155.private - your private key. You should keep it in a safe place.
      If you inspect the contents of these two files, you will notice that with the HMAC-MD5 algorithm your public key is the same as your private key: HMAC is a symmetric (shared-secret) scheme, so both files contain the secret and the ".key" file must be protected just as carefully as the ".private" file.
  2. Create a key file on the DNS server
    1. On your DNS server, create a file "/var/named/keys.conf":
      
      key "diana" {
          algorithm HMAC-MD5;
          secret "BRy5u4ez+gFltrM/+UAdyg==";
      };
      
      
    2. Modify "/etc/named.conf" and add a line
      
      include "/var/named/keys.conf";
      
      
      before the "options" statement.
  3. Authorize the key owner to modify a zone
  4. Verify the directory permission
  5. Adjust your firewall rules
  6. Restart the DNS daemon
  7. Issue the command to update DNS entries
    1. On your client, type the command "nsupdate -k Kdiana.+157+30155.private -v".
    2. The option "-v" sends the update request over TCP. When you have a batch of update requests, this is preferred so that the request does not grow too large to fit in a single UDP message.
    3. If nsupdate successfully establishes a connection with the DNS daemon, it shows a prompt ">". You may start typing commands now.
    4. You may type "help" to list available commands in nsupdate.
    5. The following is an example to add an AAAA record for a host.
      
      server ns1.utopia.ncnu.org
      zone utopia.ncnu.org.
      update delete A.utopia.ncnu.org.
      update add A.utopia.ncnu.org. 86400 AAAA 2001::1
      send
      
      
    6. Stay inside the nsupdate utility (make sure the prompt is still "> "). Type the following two commands:
      
      update add A.utopia.ncnu.org. 86400 A 10.0.0.1
      send
      
      
      In the window where the DNS daemon is running in the foreground, you can see that the daemon receives the update request only when you type the "send" command: every update command queued before a "send" travels in one request. It is therefore more efficient to aggregate several update commands and send them together.
    7. After a resource record is added to the zone, you may try to query it by "host A.utopia.ncnu.org" or "dig A.utopia.ncnu.org".
    8. If you inspect the zone file in "/var/named/data", you may be surprised to find that the contents of the zone file "utopia.ncnu.org" have not changed. Dynamic updates are stored in the journal "utopia.ncnu.org.jnl" and are merged into the zone file "utopia.ncnu.org" when the DNS daemon is shut down (rndc stop -p).
    9. After enabling dynamic updates, the DNS daemon updates the zone file automatically (and increments the serial number, too). Therefore, you should not edit the zone file by hand. If you do, your modification will be overwritten by the next dynamic update.
    10. If you insist on editing the zone file manually, you must first suspend updates to the zone with "rndc freeze utopia.ncnu.org". After your editing is finished, increment the SOA serial number, verify your zone file with "named-checkzone", and resume dynamic updates with "rndc thaw utopia.ncnu.org".
    11. The nsupdate(1) command also allows you to save the update commands in a text file and read them from that file instead of from standard input. This is very useful when you are testing the commands at the beginning. For example, you may create a file "my-nsupdate.txt":
      
      server ns1.utopia.ncnu.org
      zone utopia.ncnu.org.
      update add L.utopia.ncnu.org. 300 A 10.10.10.12
      send
      
      
      and run the command "nsupdate -k Kdiana.+157+30155.private -v my-nsupdate.txt".
    12. If you are familiar with shell script programming, this allows you to easily integrate "nsupdate" in a cron job or a start-up script to send your current IP address(es) to the DNS server.
  8. Dynamically add/delete resource records
    1. Find a host whose default DNS server is 163.22.3.30, as assigned by the NCNU DHCP server. Run the command "host A.utopia.ncnu.org". You will see that "A.utopia.ncnu.org." currently has only an IPv4 address.
    2. Using nsupdate, add a resource record "A.utopia.ncnu.org 300 AAAA 2001:e10:6840::1".
    3. Run the command "host -t AAAA A.utopia.ncnu.org". You may be surprised to get the message "A.utopia.ncnu.org has no AAAA record"!
    4. On the same host, if you run "host -t AAAA A.utopia.ncnu.org ns1.utopia.ncnu.org" to query the DNS server "ns1.utopia.ncnu.org" directly, you can receive the IPv6 address of A.utopia.ncnu.org.
    5. This is because the NCNU DNS server (163.22.3.30) caches the results of previous queries. Run "dig A.utopia.ncnu.org AAAA" to see the remaining TTL. Until the TTL counts down to 0, the cached entry remains in the memory of the NCNU DNS server.
    6. For example, if the "dig" command shows that the current TTL value is 170 seconds, wait for 3 minutes and run the command "host -t AAAA A.utopia.ncnu.org" or "dig A.utopia.ncnu.org AAAA" again. This time you will see the IPv6 address in the reply.
    7. Try again to add another resource record "A.utopia.ncnu.org 300 AAAA 2001:e10:6840::11". The query "host -t AAAA A.utopia.ncnu.org" still returns only the address "2001:e10:6840::1". Wait for 5 minutes and query again. You will see both addresses.
    8. FAQ: How can I force an entry in DNS cache to expire before its TTL decrements to 0?
      Answer: You must restart the DNS server which is caching the entry. In this case, unless you are the manager of the NCNU DNS server, it is quite possible that you must wait for 86400 seconds (1 day) for it to expire. That's why we always advise administrators to specify a lower TTL value while you are testing your DNS servers.
    9. Try to run the following commands in "nsupdate":
      
      update delete A.utopia.ncnu.org AAAA 2001:e10:6840::11
      send
      
      
      Now query the ns1.utopia.ncnu.org DNS server directly with "host -t AAAA A.utopia.ncnu.org ns1.utopia.ncnu.org"; you will see that only one IPv6 address is left. If you want to remove all resource records of the AAAA type at that name, you may simply give the following command in nsupdate:
      
      update delete A.utopia.ncnu.org AAAA
      send
      
      
  9. Capture the packets for dynamic updates
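As an added example (not part of the original lab), here is how steps 3 to 6 could look in the zone statement of ns1.utopia.ncnu.org. The zone name, the key name "diana" and the host names A and L come from the lab; the file path, the update-policy lines, the keys.conf permissions and the iptables rules are assumptions.

```conf
// Added example for steps 3 to 6: master zone on ns1.utopia.ncnu.org.
zone "utopia.ncnu.org" {
    type master;
    // Step 4: named creates utopia.ncnu.org.jnl next to this file, so the
    // "data" directory must be writable by the named user.
    file "data/utopia.ncnu.org";

    // Step 3, weak form: every host that can reach port 53 may rewrite the zone.
    // allow-update { any; };

    // Step 3, coarse form: only updates signed with key "diana" are accepted,
    // but diana may then change any record, including NS and SOA.
    // allow-update { key "diana"; };

    // Step 3, preferred form (mutually exclusive with allow-update): diana may
    // only touch the A/AAAA records of the hosts she is responsible for.
    update-policy {
        grant diana name A.utopia.ncnu.org. A AAAA;
        grant diana name L.utopia.ncnu.org. A AAAA;
    };
};

// Step 2 note: keys.conf holds the shared secret, so keep it readable by
// root and the named group only (assumed commands):
//   chown root:named /var/named/keys.conf && chmod 640 /var/named/keys.conf
//
// Step 5: updates arrive on port 53 (TCP when nsupdate -v is used, UDP
// otherwise); rndc on port 953 stays bound to loopback and needs no rule.
//   iptables -I INPUT -p udp --dport 53 -j ACCEPT
//   iptables -I INPUT -p tcp --dport 53 -j ACCEPT
//   service iptables save
//
// Step 6: service named restart
```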
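Step 7.12 above, as an added example that is not part of the original lab: a POSIX shell script suitable for a cron job that sends this host's current IPv4 address to ns1.utopia.ncnu.org with the "diana" key. The host name L.utopia.ncnu.org, the TTL of 300 and the key file location are assumptions; the "ip" output embedded in the script is constructed for the dry run.

```shell
#!/bin/sh
# Added example (not from the lab): cron-friendly DDNS client that pushes this
# host's current IPv4 address to the lab's name server with key "diana".
# Assumptions: this host is L.utopia.ncnu.org and the key file sits in $HOME.
SERVER="ns1.utopia.ncnu.org"
ZONE="utopia.ncnu.org."
FQDN="L.utopia.ncnu.org."
TTL=300
KEYFILE="${KEYFILE:-$HOME/Kdiana.+157+30155.private}"

# Print the first "scope global" IPv4 address found in "ip -4 addr show"
# output read from stdin (stdin, so that constructed output can be fed in).
first_global_ipv4() {
    awk '$1 == "inet" && /scope global/ { sub(/\/[0-9]+$/, "", $2); print $2; exit }'
}

# Emit one nsupdate transaction: drop every A record at the name, add the
# current one, and only then "send", so the change is applied atomically.
build_batch() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$FQDN" "$FQDN" "$TTL" "$1"
}

# Constructed "ip -4 addr show" output used by the dry run below.
SAMPLE_IP_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.10.10.12/24 brd 10.10.10.255 scope global eth0'

# "dry-run" prints the batch built from the constructed sample;
# "send" reads the real interface and ships the batch over TCP (-v).
case "${1:-}" in
    dry-run)
        ip="$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | first_global_ipv4)"
        build_batch "$ip" ;;
    send)
        ip="$(ip -4 addr show | first_global_ipv4)"
        [ -n "$ip" ] || { echo "no global IPv4 address found" >&2; exit 1; }
        build_batch "$ip" | nsupdate -k "$KEYFILE" -v ;;
esac
```

Run "sh ddns-update.sh dry-run" to inspect the batch, and put "sh ddns-update.sh send" in the crontab once it looks right.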

master/slave

  1. Find a DNS server which is willing to be your slave server. The server must already have a DNS daemon running, and can be identified with a domain name (e.g. ns1.utopia.ncnu.org.).
  2. Add the following lines to the /etc/named.conf of the slave server:
    
    masters "claudia-master" {
        2001:e10:6840:20:208:a1ff:fe4e:3f00;    // IP addr of master server
        163.22.20.101;
    };
    zone "ncnu.org" {
        type slave;
        file "data/ncnu.org";
        masters { claudia-master; };
        allow-query     { any; };
    };
    
    
  3. On the slave server, stop its DNS daemon and run it in the foreground with "named -u named -g". You will see that it automatically creates the file "data/ncnu.org".
  4. On your master DNS server, try to modify the zone file, and add an entry after the SOA record:
    
    NS      ns1.utopia.ncnu.org.
    
    
    This will allow the master DNS server to know which slave DNS servers to notify whenever the zone file is updated.
  5. Increment the serial number. Save the zone file. Run "rndc reload ncnu.org".
  6. On the slave server you see the following updates:
    
    28-May-2014 18:53:59.036 zone ncnu.org/IN: transferred serial 2014052801
    28-May-2014 18:53:59.036 transfer of 'ncnu.org/IN' from 2001:e10:6840:20:208:a1ff:fe4e:3f00#53: Transfer completed: 1 messages, 59 records, 1496 bytes, 0.106 secs (14113 bytes/sec)
    28-May-2014 18:53:59.036 zone ncnu.org/IN: sending notifies (serial 2014052801)