How to implement a DDNS server on CentOS 6.4 with BIND 9

Hello Experts,
After seeing the attention my previous question was getting I am rethinking my approach to the problem.

Needing help to set up an internal domain that is a subdomain of a public domain.
I would like the DNS to be dynamic.
I am puzzled by the implementation of the "ns1 / ns2" nameserver.

Does this setup require 2 different servers?
Does the server need a public IP or can they be private?

I am stumped. I need these requirements to be met very soon.
See my original post

Chris Dent (PowerShell Developer) commented:
> Does this setup require 2 different servers

The public domain does, most registrars insist on a minimum of two (ideally geographically dispersed). In my case, I have one of my own (a VPS) and several slaves provided by my VPS host.

> Does the server need public ip or can they be private

It depends what you mean here.

The server itself does not need a public IP, but if it is serving a public zone it must be reachable on a public IP (and any A records used with NS records within the zone must reference that public IP). For small-scale DNS services I'd expect to find it behind NAT.

If the domain (and / or sub-domain) is purely private it does not need to have any public addressing at all.

That may look like this:

Simple network diagram
In BIND that may look something like this:
; zone file
@        IN SOA ns1 nsadmin ( 2013101601 3600 3600 2419200 28800 )
         IN NS ns1
         IN NS ns2

ns1      IN A
ns2      IN A ??

sub      IN NS ns1.sub
; Glue, it might complain this is out-of-zone. I forget... but we need it.
ns1.sub  IN A


If sub-domain must be publicly accessible then you'll need public IP addressing for all pertinent records.

Okay, so looping back to the other thread you have this comment:

> 2- Considering that my router’s public ip is dynamic

You cannot run a public-facing DNS service for in this scenario. You can run; provided you understand that resolution will break if the external IP changes.

Can you scribble down how you'd lay it out? I haven't read all of the threads you've attached so I may have missed it.


Franck63 (Author) commented:
Hi Chris,

Thank you very much for the help.

Ok yes: (relating your statements)
I don't need two servers as NS.
The server needs to be accessible publicly, of course.
Yes, my subdomain has to be public (then, can I have those pertinent records on my DDNS server?)
About the public IP being dynamic, I think that by implementing this RFC2136 Server Setup How-to I can accomplish it, am I wrong? (I will probably need pfSense then.)

Since my subdomain is part of an already published domain, do I still need to go through a registrar?

Here is my tentative layout:
Tentative Layout
Now I've noticed that in your layout you have 2 different private LAN subnets, why?

Does this imply a DMZ or just a VLAN?

Now refering to RFC2136 Server Setup How-to

My named.conf (should look somewhat like this)
include "/etc/namedb/dns.keys.conf";
zone "" {
	type master;
	file "dynamic/";
	update-policy { grant * self A AAAA; };
};


Then my (would be )
$TTL 30	; 30 seconds
		IN SOA (
				20131016303 ; serial
				3600	   ; refresh (1 hour)
				600	   ; retry (10 minutes)
				2600	   ; expire (43 minutes 20 seconds)
				30	   ; minimum (30 seconds)
				)
;			NS   // not required


Once this is validated I will need help for those specific files

Where are the problems

Thanks again

Chris Dent (PowerShell Developer) commented:
Hey Franck,

RFC 2136 is just fine provided the server hosting supports it. The TLD owner (almost certainly) will not, so whatever hosts needs to be on a fixed IP. is flexible and not their problem (only yours :)).

> Since my subdomain is part of an already published domain do I still need to go through a registrar

No, not at all. You own, you have free rein over anything beneath that name.

> Now I've noticed that in your layout you have 2 different privater lan subnet, why?

> Does this imply a DMZ or just VLAN

Damage / exposure limitation, or just good security practice. If you share a network (VLAN, or however you choose to describe it) with your internal services (AD, etc) you risk those should someone manage to compromise the web server.

Given the development usage you're proposing I'd recommend you isolate that (DMZ is a good enough term) from what needs to run to service the needs of your business. To make that effective you would also need to restrict traffic flow from the web environment to the rest.

Can I ask why you're splitting the int domain? Given that you have free rein it seems like an unnecessary complication which introduces name resolution limitations for anyone using the AD DNS servers. Instead I'd suggest a second sub-domain, using a second arbitrary label so you retain flexibility.

The zone file is fine, but a bit confusing. I would do this:
$TTL 30	; 30 seconds
@    IN SOA  ns1 (
                                20131016303 ; serial
                                3600        ; refresh (1 hour)
                                600         ; retry (10 minutes)
                                2419200     ; expire (4 weeks)
                                30          ; minimum (30 seconds)
                                )
     IN NS   ns1


I'm using ns1 because NS is a record type and it just looks confusing to use that as both. That said, it is not illegal so feel free to change back. I've also squashed the Origin statement. The Origin will be inherited from named.conf, the zone name will be appended unless you terminate a name with a period (as you've done with You can override that with an ORIGIN statement later on if appropriate, but it shouldn't be a requirement. @ is shorthand for the origin.

If this DNS server is to be publicly accessible you need to update both the and (Glue) with an A record for the name server.

So when looking at the Setup How-To this entry needs to reference a public IP:

> Server:  (Or whatever the new IP is!)

Otherwise no one outside will be able to get at your server.

This also means that you should port forward TCP and UDP 53. TCP is used for zone transfers and if we hit a truncation limit on a normal UDP response, as such, allowing it is quite acceptable.

How are we getting on?
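
Franck's named.conf above grants updates with `update-policy { grant * self A AAAA; };`, and the pfSense side supplies a key name and secret. Added here as an illustration (not code from this thread, from BIND or from pfSense): a Python script that builds the RFC 2136 UPDATE message such a client sends, signs it with an RFC 2845 TSIG, and then performs the server-side check. hmac-sha256 is assumed for the key algorithm (an hmac-md5 key works the same way with a different digest); every name, address, message id and secret is constructed. With the `self` nametype BIND requires the key name to equal the name being updated, which is why both are `devsvr.int.example.com.` here.

```python
import hashlib
import hmac
import struct
import time

# Wire-format constants (RFC 1035, RFC 2136, RFC 2845)
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALG_NAME = "hmac-sha256."   # assumption: the TSIG key was generated as hmac-sha256

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def encode_rr(owner, rtype, rclass, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC, in the order RFC 2845 section 3.4.2 lists them."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg.lower())
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)

def build_update(zone, name, ipv4, ttl, key_name, secret, msg_id=0x1234, now=None, fudge=300):
    """Client side: an UPDATE replacing every A record at `name` with `ipv4`, signed with TSIG."""
    now = int(time.time()) if now is None else now
    # header: opcode 5 (UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0 (TSIG not yet added)
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    addr = bytes(int(octet) for octet in ipv4.split("."))
    update = (encode_rr(name, TYPE_A, CLASS_ANY, 0, b"")        # "delete all A RRs at name"
              + encode_rr(name, TYPE_A, CLASS_IN, ttl, addr))   # "add this A RR"
    unsigned = header + zone_section + update
    mac = hmac.new(secret, unsigned + tsig_variables(key_name, ALG_NAME, now, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALG_NAME) + struct.pack("!HIH", now >> 32, now & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + struct.pack("!HHH", msg_id, 0, 0))
    # append the TSIG RR as the last additional record and bump ADCOUNT to 1
    return (unsigned[:10] + struct.pack("!H", 1) + unsigned[12:]
            + encode_rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata))

def _read_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compressed name where none was expected")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def verify_update(packet, secret, now=None):
    """Server side: find the trailing TSIG RR, recompute the MAC and check the time window."""
    msg_id, flags, zc, pc, uc, ac = struct.unpack("!HHHHHH", packet[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE or ac == 0:
        return False, "not a signed UPDATE"
    off = 12
    for _ in range(zc):
        off = _read_name(packet, off)[1] + 4            # zone entries carry only TYPE and CLASS
    for _ in range(pc + uc + ac - 1):                   # skip every RR before the TSIG
        off = _read_name(packet, off)[1]
        off += 10 + struct.unpack("!H", packet[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = _read_name(packet, off)
    off += 10                                           # TYPE, CLASS, TTL, RDLENGTH
    alg, off = _read_name(packet, off)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", packet[off:off + 10])
    off += 10
    mac = packet[off:off + mac_len]
    off += mac_len
    orig_id, error, other_len = struct.unpack("!HHH", packet[off:off + 6])
    other = packet[off + 6:off + 6 + other_len]
    time_signed = (hi << 32) | lo
    # the MAC was computed over the message as it looked before the TSIG RR was appended
    unsigned = packet[:10] + struct.pack("!H", ac - 1) + packet[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, alg, time_signed, fudge,
                                                          error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge or orig_id != msg_id:
        return False, "BADTIME"
    return True, key_name

if __name__ == "__main__":
    secret = b"constructed-test-secret"   # a real key is the base64 secret from the key file, decoded
    packet = build_update("int.example.com.", "devsvr.int.example.com.", "198.51.100.5",
                          30, "devsvr.int.example.com.", secret)
    print(len(packet), "bytes;", verify_update(packet, secret))
```

The delete-then-add pair in the update section is what `nsupdate` emits for `update delete name A` followed by `update add name 30 A addr`, and the fudge window is why a client with a badly wrong clock gets BADTIME back from the server even when its key is correct.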


Chris Dent (PowerShell Developer) commented:
Before I forget, while dynamic update may work well for an update for it is likely to fail for

Dynamic update requests are sent to the server advertised in the SOA record. As the address will be invalidated by the process (and therefore unable to receive any kind of dynamic update) you may find you actually want a simple text modification and zone reload to cope with the update to the local zone (

Any use of NAT also complicates a dynamic update request for the zone, the SOA will advertise the firewall as the destination, but attempting a loop through the firewall like that will break IP communication.

You can, perhaps, circumvent this problem if the name and internal address for the SOA ( is added to the hosts file on the system sending the update. This applies even if that update is going to itself.

Franck63 (Author) commented:
Hi Chris,

Thanks again for taking the time to help it is greatly appreciated.

I think we're on the right track. (even though I have more questions)

(Relating to your post)(Please correct me If I'm wrong)
In paragraph 1 if I paraphrase, you are telling me it will work since my subdomain is already part of a TLD.
In p2, great I was hoping for this answer.

In p3-4, (unless I misunderstand) it is not my intention to have any computer on a DMZ. I would rather keep everything isolated and port forward what I need.

In p5, to answer your question: I will be providing RDP from AD and other services (but then again they might be through VPN, which would probably make even more sense in regards to your proposition).

In p5 again, would your proposition allow me to implement such sub domains as and so on, while keeping DNS management to its minimum?

In p6, "ns1" I agree (I also prefer clarity and readability). Ok about the ORIGIN statement.

In p7, your statement raises again my minimal management issue! How much will I need to create and maintain DNS records at my public host? I would rather just add one single A (glue) record.

In p8, about the IP and port forward, yes I understand.

(Relating to your following post)
Now here I'm a little confused
As to dynamic updates, since my aim is to implement this solution. am I not correct to assume pfsense will be able to update or am I misunderstanding something?

In the pfSense solution both the DNS and the RFC2136 client are running on pfSense.
In my setup I would prefer to run the DNS on my Linux webserver and adjust the pfSense
RFC2136 client to use the Linux DNS. (Does this make sense?)

So while this solution is progressing I will try to implement a solution !
I will report back my progress and questions

P.S. What is the most comprehensive tool for DNS testing and proofing?

Looking forward to your explanations. Thanks again

Best Regards
Chris Dent (PowerShell Developer) commented:
> In paragraph 1 if I paraphrase, you are telling me it will work since my subdomain
> is already part of a TLD.

The Top Level Domain is .com, so if you needed to continually change the IP addresses associated with (as opposed to the sub-domain) you would need a TLD that supported Dynamic Update. I don't know of any that will.

However, that's not a problem if is quite happily working somewhere.

> In p3-4, (unless I misunderstand It is not my intention to have any computer on DMZ I
> would rather keep everything isolated and port forward what I need.

No problem. I would always isolate one from the other because it is entirely possible to compromise a server through a bug in a web-application (let's, for the sake of argument, say a site is open to SQL injection). Once inside, techniques like DNS tunnelling can be used to create a path back out to allow either data to leave, or a trojan horse to enter.

There's no reason that must happen, but there are risks associated with exposing anything and as long as you're comfortable with those all is well. You'd have to go to quite extreme lengths to avoid any kind of risk (in the region of just turning the server off :)).

> and so on, while

If you're doing it this way you must create a new delegation for each new sub-domain on the parent server (

An alternative would be to add another label such that you have:

Main public domain:
Delegated sub-domain:
Customer specific name:

This way you add one delegation for (whether you end up using that or another sub-domain). Everything else is done on your internal DNS server, the server hosting

Alternatively CNAME records may be used: IN CNAME

You'd be visiting to create each CNAME, but you only have one record to maintain beyond initial set-up.

Hopefully those options make sense.

Okay, let's take a deeper look at our DNS update requirements. We have two domains which need a record update. We'll address those by following the hierarchy:

pfsense can send an update here as long as supports that. However, we need to change *something* here to have a delegation from this zone to a DNS server on a dynamic range.
; An SOA with some fabricated unrealistic values.
@   IN SOA  ns1 email ( 2013101701 1 1 1 1 )
    IN NS   ns1
    IN NS   ns2

ns1 IN A
ns2 IN A

; Let's simplify conversations about Glue and give
; the name server we delegate "int" to a name here.
; I recommend you use a name like this (feel free to 
; change the label name).
; We need a low TTL here to cope with changes. I've gone with 5 minutes.
ns3 300 IN A
; And now create the delegation
int IN NS   ns3

; The name ns3 is arbitrary, so we could do this instead:
devsvr IN A
; And now create the delegation
int    IN NS   devsvr


The IP for the server we're delegating to changes, therefore we need to be able to send a dynamic update to this zone to change that. This really is the critical one, once we're inside and have absolute control of a server life is easier.

Now we have the int zone, as a sub-domain of
; An SOA with some fabricated unrealistic values.
@       IN SOA ( 2013101701 1 1 1 1 )
        IN NS      ns3

; We need to be able to change this too
devsvr  IN A

; Alternatively we could CNAME it (just not at the same time as the record above)
devsvr  IN CNAME

; But we can do what we please with these
cust1   IN CNAME   devsvr
cust2   IN CNAME   devsvr
cust3   IN CNAME   devsvr
cust4   IN CNAME   devsvr

; Or we could use ns3 directly here
cust5   IN CNAME
cust6   IN CNAME

; We cannot do this however, it's out of zone data:  IN A


So the critical part is getting that dynamic update back to the name server for Once you've done that you can drag requests back to your main name server and do whatever you need.

pfsense will have trouble updating the int zone. But we don't necessarily need to do anything there anyway if we use CNAME records referencing the A record in the parent zone.

Hopefully I haven't managed to contradict myself :)


Franck63 (Author) commented:
Hey Chris,

I'm still on it!
I understand what you're saying but if you could be a little more specific it would help.
I must say though this is my first dns attempt and I find it very difficult.

I have more questions If you don't mind.

What are the names of those files? are they both "named.conf" one for pfsense and one for my devserver?
I would prefer not have any DNS services other than the rfc-2136 (dns updater) on the pfsense machine.

Am I making any sense?

I have yet to get my DNS server, on ISPconfig, working!

I don't understand the part where I need to dynamic update the
Could I not pass this update to my ISP instead of the mydomain host.

From this reading I was hoping this thing would not be that encompassing.

I understand I am also a bit high level with my communication.

Is there any way we could tackle this differently and still get your points value and then some?

Your help is very much appreciated and I'm looking forward to your answer

Best regards
Chris Dent (PowerShell Developer) commented:
Good morning Franck,

I have a new diagram for you first. I'm hoping this helps clarify a little, perhaps I've misunderstood something in your intent so yell if any of the diagram is significantly wrong.

Topology and flow
I've included the file names in those so you can link those up to anything you have already (named.conf does not include the keys configuration, that's assumed to be present). The examples I've used to date have been zone files.

Presumably your ISP is hosting the / system for you? If so, that's where the update needs to go from PFSense. In that sense, we may simply be talking cross purposes.

Adding the PFSense configuration to that we "should" have something like this:
Services > Dynamic DNS, RFC 2136 tab
Enable: Checked
Interface: WAN
TTL: 30
Key Name:
Key Type: Host
Key: Secret key from above 
Protocol: Unchecked
Description: My DynDNS Entry


The ns3 name is arbitrary, you could make that anything you like.

The Server entry may need to be an IP address. The goal is to get the dynamic update to a willing server so we can change the record on (the ISP). Normally updates would be sent to the server listed in the SOA record, it holds the only writeable copy of a zone.

Finally, when reviewing this configuration it's important to understand how names in will be resolved. The following process is used by a resolver:

1. Client requests from its local resolver.
2. Local resolver queries root hints (responsible for ".").
3. Root hints respond with "ask the TLD (Top Level Domain) holder, .com".
4. Local resolver queries servers responsible for .com.
5. .com servers respond with "ask ns1 or".
6. Local resolver queries ns1 or
7. ns1 or ns2 respond with "ask" (for
8. Local resolver queries
9. (hopefully) returns a valid answer for

Part or all of the queries above may be cached by the resolver (based on the TTL values for each). I wouldn't expect a resolver to do every single one of those steps every time.

I suspect our time zones are quite a long way out (London for me), which is adding quite a lot of latency into our conversation. I'm afraid there's not much of a way around that. Taking the conversation out of EE is against the rules, but it's unlikely to do much without being able to fix the time zone. I certainly appreciate your frustration though, it's one of those that really benefits from an hour in a meeting room with a white board to jot ideas on :)
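
Chris's nine resolution steps above, followed through in code. This is an added illustration (not from the thread, from BIND or from pfSense): a toy iterative resolver over a constructed delegation tree laid out like the one discussed, a parent zone whose `int` sub-domain is delegated to a name server whose glue carries a short TTL. Names use the reserved example.com, addresses come from the RFC 5737 documentation ranges, and `FakeClock` exists only so TTL expiry can be shown without waiting. Running it shows which servers are actually asked the first time, that a repeat lookup is served from cache, and that after the 30-second answer expires only the delegated server is consulted while its 300-second glue is still fresh.

```python
import time

# Constructed authoritative data: server address -> {name: [(type, value, ttl)]}.
# "root" stands in for the root servers; the other keys are the addresses a resolver would use.
SERVERS = {
    "root": {
        "com.": [("NS", "a.gtld.example.", 172800)],
        "a.gtld.example.": [("A", "192.0.2.1", 172800)],
    },
    "192.0.2.1": {                      # a .com server
        "example.com.": [("NS", "ns1.example.com.", 172800)],
        "ns1.example.com.": [("A", "192.0.2.10", 172800)],   # glue held by the parent
    },
    "192.0.2.10": {                     # ns1, authoritative for example.com
        "int.example.com.": [("NS", "ns3.example.com.", 300)],
        "ns3.example.com.": [("A", "198.51.100.5", 300)],    # low-TTL glue for the address that changes
    },
    "198.51.100.5": {                   # ns3, authoritative for int.example.com
        "devsvr.int.example.com.": [("A", "198.51.100.5", 30)],
    },
}

class FakeClock:
    """Controllable clock so cache expiry can be demonstrated without waiting."""
    def __init__(self, start=1000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class Resolver:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}    # (name, type) -> (value, expiry)
        self.log = []      # (server, name, type) for every query actually sent

    def _cached(self, name, rtype):
        hit = self.cache.get((name, rtype))
        return hit[0] if hit and hit[1] > self.clock() else None

    def _store(self, name, rtype, value, ttl):
        self.cache[(name, rtype)] = (value, self.clock() + ttl)

    def _ask(self, server, name, rtype):
        """One query to one server: an answer, a referral (with glue), or a negative response.
        The toy server refers only for names strictly below a delegation it holds."""
        self.log.append((server, name, rtype))
        data = SERVERS[server]
        for t, v, ttl in data.get(name, []):
            if t == rtype:
                return "answer", v, ttl
        labels = name.split(".")
        for i in range(1, len(labels)):          # most specific enclosing delegation first
            zone = ".".join(labels[i:])
            for t, ns, ttl in data.get(zone, []):
                if t == "NS":
                    glue = [(gv, gttl) for gt, gv, gttl in data.get(ns, []) if gt == "A"]
                    return "referral", (zone, ns, glue[0] if glue else None), ttl
        return "nxdomain", None, 0

    def _closest_server(self, name):
        """Start from the deepest delegation still in cache; fall back to the root."""
        labels = name.split(".")
        for i in range(1, len(labels)):
            ns = self._cached(".".join(labels[i:]), "NS")
            addr = ns and self._cached(ns, "A")
            if addr:
                return addr
        return "root"

    def resolve(self, name, rtype="A", depth=0):
        cached = self._cached(name, rtype)
        if cached is not None:
            return cached
        if depth > 8:
            raise RuntimeError("too many nested lookups")
        server = self._closest_server(name)
        for _ in range(16):                      # bound the chase in case of a referral loop
            kind, value, ttl = self._ask(server, name, rtype)
            if kind == "answer":
                self._store(name, rtype, value, ttl)
                return value
            if kind == "nxdomain":
                return None
            zone, ns, glue = value
            self._store(zone, "NS", ns, ttl)
            if glue:
                self._store(ns, "A", glue[0], glue[1])
                server = glue[0]
            else:
                server = self.resolve(ns, "A", depth + 1)   # no glue: look the server up first
                if server is None:
                    return None
        raise RuntimeError("referral loop")

if __name__ == "__main__":
    clock = FakeClock()
    r = Resolver(clock)
    print(r.resolve("devsvr.int.example.com."), [s for s, _, _ in r.log])
```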

Franck63 (Author) commented:
Hey Chris, thanks for the reply, I will study it carefully.

Now, I just noticed. I have a very basic problem!

I can't ping "" anymore (don't know since when)
Have a look at this thread. What can I do with this ?

Thanks for the subdomain resolution clarification I get it.

How does the dynamic updates work?

Yes my time zone is  EST-5 so nothing you can do there. I am the one being slow to reply, :(

Looking forward to your reply.
Thank's again

Best Regards
Chris Dent (PowerShell Developer) commented:
You've still got name resolution so something is still flowing.

Perhaps try:

telnet 80

It should fail (to correspond with the timeout message), but it's not guaranteed.

If it does timeout you need to head to the next hop (pfsense?). Can you try anything from there? Does it implement any firewall rules? How about network address translation?

I'm not overly familiar with pfsense so it's difficult for me to give you any targeted advice, but it's the area I'd be intent on studying if I had the problem.

Franck63 (Author) commented:
Hey Chris,

I have modified my approach

I am leaving aside the Dynamic DNS for now

Here is where I stand.

I need to setup my subdomain.

I have implemented DynDNS to fix my dynamic public address issue.
I have made proper redirection with my public host with a CNAME record.
I can now ping my internal domain name.

The setup for my ISPconfig Server and DNS is like this.

IP: /
hostname is
DNS Zone:
DNS Zone records:
A             mail                                 
A             www                                

When I nslookup my LAN my internal domain it displays the ip of my Windows PDC. ???
When I nslookup the WAN I get
Non-authoritative answer:      canonical name =
 Address: (my router WAN ip)

So something is working!

If I try to nslookup my or my
I get nothing and an error: namerror.

Any suggestion or advice would help greatly.

Best Regards
Chris Dent (PowerShell Developer) commented:
> When I nslookup my LAN my internal domain it displays the ip of my Windows PDC. ???

I may be misinterpreting this, but a few posts ago I made the recommendation that you used different sub-domains for each fragment of your network. This is why :)

If the Windows DNS (or BIND, both have to do the same thing) server has a zone called it will not look elsewhere for answers about the zone. This is because it is a name server for the zone and knows the start of authority, it knows everything.

In addition to this, MS AD places some pretty heavy requirements on DNS. Records like (A) must be owned by Active Directory and cannot be changed to something else.

What Forward Lookup Zones do you have configured on the MS DNS server?

If you don't have a zone for on the server please can you run this and show me the output (sanitising where required):

nslookup -q=a -nosearch -d

> So someting is working!

That on the other hand is fantastic news :)

Franck63 (Author) commented:
Hey Chris,

Sorry for my late response. I was caught up on other problems.

So many questions!

I will try to be as specific and explicit as possible, if you find anything I say to be ambiguous please yell at me :|

In response to your last post.

Yes I went with two internal domains
One, the AD, is called winad; the other one, the BIND DNS through ISPConfig3, is called web.

Not sure I clearly understand what you mean when you speak about MS AD, but maybe the fact that I'm using two zones on two different nameservers is simplifying my setup (I hope :)

Then again I understand some of the implications of the Win AD related to my ISPConfig/BIND setup ... ... I understand that at some point I will need to have a DNS forward condition so my internal computers can access that "web" domain. Am I correct?

Also, am I mistaken? If I was to forget about the fact that my router is getting a dynamic IP vs static, I should at least be able to get this working for a little while, then I could address this as a separate issue.

Here is the state of my setup.

Relating to my WinPDC installed services and configuration I have:
My forward zones are  &
I also have the associated reverse zone.
My name server is

Relating to My ISPConfig/BIND installed services and configuration I have:
DNS / Webserver
Forward zone is / nameserver:
the zone file: (real ip's)
$TTL        3600
@       IN      SOA (
                        2013102901       ; serial, today's date + today's serial #
                        7200              ; refresh, seconds
                        540              ; retry, seconds
                        604800              ; expire, seconds
                        86400 )            ; minimum, seconds

mail 3600 A
     3600 A
     3600 MX 10
     3600 NS
     3600 NS
www 3600 A

Now how does this look to you? Any errors? Anything missing?
Do those internal IP's make sense?

When I use  "dig -any"  on ""
All I get is this!!!! (Default):      1440      IN      CNAME
When I use a dig (any) on "" I get about the same!

So something is wrong!????

I should mention that my ISPConfig/DNS is not integrated with AD
pfSense is not integrated with AD or registered with my ISPConfig/DNS, it does not have any DNS forwarders. ?????
I have no forwarders in AD.
DHCP is not relayed to anything.
I created a CNAME record at to point back to my

I'm puzzled! What am I missing???

I want to get over this ASAP.

Again I thank you very much for your guidance and counseling it is well appreciated.

I appreciate you cheering me up... I guess we all have to start somewhere! I hope I am getting closer and not being a pain!

Best Regards

Chris Dent (PowerShell Developer) commented:
Morning Franck,

> One, the AD, is called winad; the other one, the BIND DNS through ISPConfig3, is called web.

Good that immediately rules out the problem I highlighted above :)

>  I understand that at some point I will need to have a DNS forward condition so my
> internal computer can access that "web" domain. Am I correct?

Yes, especially if web and winad share the same network segment; the public delegation, if configured, would not work in that scenario (bad return path if traffic is subject to NAT).

> So something is wong!????

Check for the delegation with:

dig ns

If that doesn't exist then nothing on your internal server can be referenced (without the conditional forwarder on winad).

I suspect you have a wildcard record in the zone, try:

dig any

If you get the same CNAME response then you do. That'll explain resolution for anything not explicitly created.


Franck63 (Author) commented:
Good day Chris,

>dig ns  gives

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:      678      IN      CNAME

dig any  gives

Are those results showing proper resolution and no wildcard?

Also if on one of my internal computers I try to access
pfSense returns an https page saying "potential DNS rebind attack" !!??

Chris Dent (PowerShell Developer) commented:
Yep, that's all normal resolution.

But that's okay, we don't have a delegation at the moment, but you also cannot delegate to a CNAME (, 10.3). That is, you cannot do this:

   IN NS
   IN CNAME


But you can, potentially, do this to reference your internal DNS server:

   IN NS


As long as is an A record.

The Rebind attack is described here:

It looks like pfsense is using TCP/443 as the administration port, you're trying to access pfsense using a name it doesn't recognise so it says no.

I've never used PfSense so I can't really tell you how to get it to handle the inbound traffic properly I'm afraid.
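
The rules that came up across this thread (glue for an in-zone name server, no out-of-zone data in a zone file, and, just above, no delegation to a CNAME) are the kind of thing worth checking before a zone is loaded. Added here as an example, not code from this thread, from BIND or from ISPConfig: a small Python zone-file linter. Its parser handles the master-file features the zone files in this thread use ($TTL, @, relative names, blank owners, parenthesised SOA) and nothing more; the sample zone is constructed around the reserved name example.com with RFC 5737 addresses, and deliberately contains each mistake so the checks have something to report. The finding codes are names chosen for this example.

```python
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")

# Constructed zone for example.com; every line marked "wrong" is a mistake the checks detect.
SAMPLE_ZONE = """\
$TTL 3600
@        IN SOA ns1 hostmaster ( 2013101701 3600 600 2419200 30 )
         IN NS  ns1
         IN NS  ns2
ns1      IN A   192.0.2.10
ns2      IN A   192.0.2.11
devsvr   IN CNAME ns3
ns3 300  IN A   198.51.100.5        ; short-TTL glue for the address that changes
int      IN NS  devsvr              ; wrong: delegating to a CNAME
sub      IN NS  ns1.sub             ; wrong: in-zone name server with no glue A record
www      IN A   192.0.2.20
www      IN CNAME ns3               ; wrong: CNAME beside other data at the same name
host.other.example. IN A 203.0.113.9 ; wrong: out-of-zone data, ignored when the zone loads
"""

def parse_zone(text, origin):
    """Minimal master-file parser: $TTL, $ORIGIN, @, relative names, blank owner, ( ) continuation."""
    origin = origin if origin.endswith(".") else origin + "."

    def absolute(name):
        if name == "@":
            return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    logical, buf = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if buf is None:
            if not line.strip():
                continue
            buf = [line[0].isspace(), line]            # leading blank means "same owner as before"
        else:
            buf[1] += " " + line
        if buf[1].count("(") <= buf[1].count(")"):     # parentheses balanced: record complete
            logical.append((buf[0], buf[1].replace("(", " ").replace(")", " ").split()))
            buf = None

    records, owner, default_ttl = [], origin, None
    for blank_owner, tok in logical:
        if tok[0] == "$TTL":
            default_ttl = int(tok[1])
            continue
        if tok[0] == "$ORIGIN":
            origin = absolute(tok[1])
            continue
        if not blank_owner:
            owner = absolute(tok.pop(0))
        ttl = int(tok.pop(0)) if tok[0].isdigit() else default_ttl
        if tok[0].upper() == "IN":
            tok.pop(0)
        rtype, rdata = tok[0].upper(), tok[1:]
        if rtype in ("NS", "CNAME", "MX"):              # absolute targets so names compare equal
            rdata[-1] = absolute(rdata[-1])
        records.append(Record(owner, ttl, rtype, rdata))
    return records

def check_zone(records, zone):
    """Return (code, owner, detail) findings for the delegation mistakes discussed in the thread."""
    zone = zone if zone.endswith(".") else zone + "."
    in_zone = lambda n: n == zone or n.endswith("." + zone)
    by_owner = defaultdict(list)
    for r in records:
        by_owner[r.owner].append(r)
    cnames = {r.owner for r in records if r.rtype == "CNAME"}
    findings = []
    for owner, rs in by_owner.items():
        if not in_zone(owner):
            findings.append(("OUT_OF_ZONE", owner, f"not under {zone}; the server will ignore it"))
        if owner in cnames and len(rs) > 1:
            findings.append(("CNAME_CONFLICT", owner, "a CNAME cannot sit beside other records"))
    for r in records:
        if r.rtype not in ("NS", "MX"):
            continue
        target = r.rdata[-1]
        if target in cnames:
            findings.append(("TARGET_IS_CNAME", r.owner,
                             f"{r.rtype} target {target} is an alias (RFC 2181 section 10.3)"))
        elif r.rtype == "NS" and in_zone(target) and not any(
                x.rtype in ("A", "AAAA") for x in by_owner.get(target, [])):
            findings.append(("MISSING_GLUE", r.owner,
                             f"NS target {target} lies inside the zone but has no address record"))
    return findings

if __name__ == "__main__":
    for code, owner, detail in check_zone(parse_zone(SAMPLE_ZONE, "example.com."), "example.com."):
        print(f"{code:16} {owner:24} {detail}")
```

BIND's own `named-checkzone` catches the CNAME conflict and the out-of-zone data; the two delegation checks are the ones it does not report on load, which is why they are worth a separate pass.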

Franck63 (Author) commented:

What do you mean we do not have a delegation?

We cannot delegate to a CNAME! Are you talking about my CNAME record at

My DynDNS record is an A record.

Yes I get it with the DNS_rebind from pfsense I am investigating a solution

Franck63 (Author) commented:
Also, do I need to register/create an A record in my BIND DNS for pfSense?

Chris Dent (PowerShell Developer) commented:
Apologies for the late reply, busy few days.

> We cannot delegate to a cname ! are you talking about my cname
> record at

Yes, that's right. It only matters if you wish your DNS server to be accessible from outside your network.

> Also do I need to register create an A record in my BIND DNS for pfsense

I can't think of a reason you would need to so I'm inclined to say no.

How is everything at the moment? Any closer to working? :)

Franck63 (Author) commented:
Hey Chris,

I was able to fix my rebind problem by adding a dns forwarder in pfsense.
Not sure if it is the best or right way to do it though.

Furthermore, and probably related to the fact that I don't have an A or NS record redirect:

I can access my web server internally but not from the outside!

> But you can, potentially, do this to reference your internal DNS server:
>   IN NS

How and what service (free if possible) could I use to do that?

Chris Dent (PowerShell Developer) commented:
Your existing provider should let you do that?

If they don't you'll need to find a more flexible DNS host. I'd be inclined to look at the likes of ZoneEdit (, or perhaps UltraDNS (

There are more, I just don't know them off the top of my head :)


Franck63 (Author) commented:
Hello Chris,

Sorry for the late response.

I am very happy to say that my solution is working!

Thank you very much for your awesome help insights and counseling.

Hope to speak again.

Best Regards
Chris Dent (PowerShell Developer) commented:
Fantastic, I'm really glad to hear it.

All the best,
