how to implement DDNS server on centos 6.4 with bind 9

> Does this setup require 2 different servers

The public domain does, most registrars insist on a minimum of two (ideally geographically dispersed). In my case, I have one of my own (a VPS) and several slaves provided by my VPS host.

> Does the server need public ip or can they be private

It depends what you mean here.

The server itself does not need a public IP, but if it is serving a public zone it must be reachable on a public IP (and any A records used with NS records within the zone must reference that public IP). For small-scale DNS services I'd expect to find behind NAT.

If the domain (and / or sub-domain) is purely private it does not need to have any public addressing at all.

That may look like this:


In BIND that may look something like this:

; domain.com zone file
@        IN SOA ns1 nsadmin ( 2013101601 3600 3600 2419200 28800 )
         IN NS ns1
         IN NS ns2

ns1      IN A 1.2.3.4
ns2      IN A ??

sub      IN NS ns1.sub
; Glue, it might complain this is out-of-zone. I forget... but we need it.
ns1.sub  IN A 10.0.0.10

Select allOpen in new window

If sub-domain must be publicly accessible then you'll need public IP addressing for all pertinent records.

Okay, so looping back to the other thread you have this comment:

> 2- Considering that my router’s public ip is dynamic

You cannot run a public-facing DNS service for domain.com in this scenario. You can run sub.domain.com; provided you understand that resolution will break if the external IP changes.

Can you scribble down how you'd lay it out? I haven't read all of the threads you've attached so I may have missed it.

Cheers,

Chris

Hi Chris,

Thank you very much for the help.

Ok yes: (relating your statements)
About the public ip being dynamic I think that by implementing this RFC2136 Server Setup How-to I can accomplish it, am I wrong? (I will probably need pfsense then)

Since my subdomain is part of an aleady published domain do I still need to go through a registrar

Here is my tentative layout:

Now I've noticed that in your layout you have 2 different privater lan subnet, why?

Does this imply a DMZ or just VLAN

Now refering to RFC2136 Server Setup How-to

My named.conf (should look somewhat like this)

include "/etc/namedb/dns.keys.conf<wbr ></wbr><wbr ></wbr>";
zone "int.mydomain.com" {
	type master;
	file "dynamic/int.mydomain.com"<wbr ></wbr>;<wbr ></wbr>
	update-policy { grant *.int.mydomain.com. self int.mydomain.com. A AAAA; };
};

Select allOpen in new window

Then my int.mydomain.com (would be )

$ORIGIN	.
$TTL 30	; 30 seconds
int.mydomain.com		IN SOA	ns.int.mydomain.com. myemail.mydomain.com. (
				20131016303 ; serial
				3600	   ; refresh (1 hour)
				600	   ; retry (10 minutes)
				2600	   ; expire (43 minutes	20 seconds)
				30	   ; minimum (30 seconds)
				)
			NS	ns.int.mydomain.com.
;			NS	ns2.int.mydomain.com.   // not required

Select allOpen in new window

Once this is validated I will need help for those specific files

Where are the problems

Thanks again
Regards

Franck

Hey Franck,

RFC 2136 is just fine provided the server hosting mydomain.com supports it. The TLD owner (almost certainly) will not, so whatever hosts mydomain.com needs to be on a fixed IP. int.mydomain.com is flexible and not their problem (only yours :)).

> Since my subdomain is part of an aleady published domain do I still need to go through a registrar

No, not at all. You own mydomain.com, you have free reign over anything beneath that name.

> Now I've noticed that in your layout you have 2 different privater lan subnet, why?
> 
> Does this imply a DMZ or just VLAN

Damage / exposure limitation, or just good security practice. If you share a network (VLAN, or however you choose to describe it) with your internal services (AD, etc) you risk those should someone manage to compromise the web server.

Given the development usage you're proposing I'd recommend you isolate that (DMZ is a good enough term) from what needs to run to service the needs of your business. To make that effective you would also need to restrict traffic flow from the web environment to the rest.

Can I ask why you're splitting the int domain? Given that you have free reign it seems like an unnecessary complication which introduces name resolution limitations for anyone using the AD DNS servers. Instead I'd suggest a second sub-domain, using a second arbitrary label so you retain flexibility.

The zone file is fine, but a bit confusing. I would do this:

$TTL 30	; 30 seconds
@    IN SOA  ns1 myemail.mydomain.com. (
                                20131016303 ; serial
                                3600        ; refresh (1 hour)
                                600         ; retry (10 minutes)
                                2419200     ; expire (4 weeks)
                                30          ; minimum (30 seconds)
				)
     IN NS   ns1

Select allOpen in new window

I'm using ns1 because NS is a record type and it just looks confusing to use that as both. That said, it is not illegal so feel free to change back. I've also squashed the Origin statement. The Origin will be inherited from name.conf, the zone name will be appended unless you terminate a name with a period (as you've done with myemail.mydomain.com.). You can override that with an ORIGIN statement later on if appropriate, but it shouldn't be a requirement. @ is shorthand for the origin.

If this DNS server is to be publicly accessible you need to update both the int.mydomain.com and mydomain.com (Glue) with an A record for the name server.

So when looking at the Setup How-To this entry needs to reference a public IP:

> Server: 192.0.2.5  (Or whatever the new IP is!)

Otherwise no one outside will be able to get at your server.

This also means that you should port forward TCP and UDP 53. TCP is used for zone transfers and if we hit a truncation limit on a normal UDP response, as such, allowing it is quite acceptable.

How are we getting on?

Chris

Before I forget, while dynamic update may work well for an update for mydomain.com it is likely to fail for int.mydomain.com.

Dynamic update requests are sent to the server advertised in the SOA record. As the address will be invalidated by the process (and therefore unable to receive any kind of dynamic update) you may find you actually want a simple text modification and zone reload to cope with the update to the local zone (int.mydomain.com).

Any use of NAT also complicates a dynamic update request for the int.mydomain.com zone, the SOA will advertise the firewall as the destination, but attempting a loop through the firewall like that will break IP communication.

You can, perhaps, circumvent this problem if the name and internal address for the SOA (int.mydomain.com) is added to the hosts file on the system sending the update. This applies even if that update is going to itself.

Chris

Hi Chris,

Thanks again for taking the time to help it is greatly appreciated.

I think were on the right track. (even though I have more question)

(Relating to your post)(Please correct me If I'm wrong)

(Relating to your following post)

So while this solution is progressing I will try to implement a solution !
I will report back my progress and questions

P.S. what is the most comprehensive tool for DNS testing and proffing?

Looking forward to your explanations. Thank's again

Best Regards
Franck

> In paragraph 1 if I paraphrase, you are telling me it will work since my subdomain
> is already part of a TLD.

The Top Level Domain is .com, so if you needed to continually change the IP addresses associated with ns1.mydomain.com (as opposed to the sub-domain) you would need a TLD that supported Dynamic Update. I don't know of any that will.

However, that's not a problem if mydomain.com is quite happily working somewhere.

> In p3-4, (unless I misunderstand It is not my intention to have any computer on DMZ I
> would rather keep everything isolated and port forward what I need.

No problem. I would always isolate one from the other because it is entirely possible to compromise a server through a bug in a web-application (let's, for the sake of argument, say a site is open to SQL injection). Once inside, techniques like DNS tunnelling can be used to create a path back out to allow either data to leave, or a trojan horse to enter.

There's no reason that must happen, but there are risks associated with exposing anything and as long as your comfortable with those all is well. You'd have to go to quite extreme lengths to avoid any kind of risk (in the region of just turning the server off :)).

> cust1.mydomain.com and so on, while

If you're doing it this way you must create a new delegation for each new sub-domain on the parent server (mydomain.com).

An alternative would be to add another label such that you have:

Main public domain: mydomain.com
Delegated sub-domain: dev.mydomain.com
Customer specific name: cust1.dev.mydomain.com

This way you add one delegation for int.mydomain.com (whether you end up using that or another sub-domain). Everything else is done on your internal DNS server, the server hosting int.mydomain.com.

Alternatively CNAME records may be used:

cust1.mydomain.com. IN CNAME dev1.int.mydomain.com.

You'd be visiting mydomain.com to create each CNAME, but you only have one record to maintain beyond initial set-up.

Hopefully those options make sense.

Okay, let's take a deeper look at our DNS update requirements. We have two domains which need a record update. We'll address those by following the hierarchy:

mydomain.com

pfsense can send an update here as long as mydomain.com supports that. However, we need to change *something* here to have a delegation from this zone to a DNS server on a dynamic range.

; An SOA with some fabricated unrealistic values.
@   IN SOA  ns1 email ( 2013101701 1 1 1 1 )
    IN NS   ns1
    IN NS   ns2

ns1 IN A    1.2.3.4
ns2 IN A    1.2.3.5

; Let's simplify conversations about Glue and give
; the name server we delegate "int" to a name here.
; I recommend you use a name like this (feel free to 
; change the label name).
;
; We need a low TTL here to cope with changes. I've gone with 5 minutes.
ns3 300 IN A    7.6.5.4
; And now create the delegation
int IN NS   ns3

; The name ns3 is arbitrary, so we could do this instead:
devsvr IN A    7.6.5.4
; And now create the delegation
int    IN NS   devsvr

Select allOpen in new window

The IP for the server we're delegating to changes, therefore we need to be able to send a dynamic update to this zone to change that. This really is the critical one, once we're inside and have absolute control of a server life is easier.

Now we have the int zone, as a sub-domain of mydomain.com:

; An SOA with some fabricated unrealistic values.
@       IN SOA     ns3.mydomain.com. email.mydomain.com. ( 2013101701 1 1 1 1 )
        IN NS      ns3

; We need to be able to change this too
devsvr  IN A       7.6.5.4

; Alternatively we could CNAME it (just not at the same time as the record above)
devsvr  IN CNAME   ns3.mydomain.com.

; But we can do what we please with these
cust1   IN CNAME   devsvr
cust2   IN CNAME   devsvr
cust3   IN CNAME   devsvr
cust4   IN CNAME   devsvr

; Or we could use ns3 directly here
cust5   IN CNAME   ns3.mydomain.com.
cust6   IN CNAME   ns3.mydomain.com.

; We cannot do this however, it's out of zone data:
cust6.mydomain.com.  IN A  7.6.5.4

Select allOpen in new window

So the critical part is getting that dynamic update back to the name server for mydomain.com. Once you've done that you can drag requests back to your main name server and do whatever you need.

pfsense will have trouble updating the int zone. But we don't necessarily need to do anything there anyway if we use CNAME records referencing the A record in the parent zone.

Hopefully I haven't managed to contradict myself :)

Cheers,

Chris

Hey Chris,

I'm still on it!
I understand what your saying but if you could be a little more specific It would help,
I must say though this is my first dns attempt and I find it very difficult.

I have more questions If you don't mind.

What are the names of those files? are they both "named.conf" one for pfsense and one for my devserver?
I would prefer not have any DNS services other than the rfc-2136 (dns updater) on the pfsense machine.

Am I making any sense?

I have yet to get my DNS server, on ISPconfig, working!

I don't understand the part where I need to dynamic update the mydomain.com
Could I not pass this update to my ISP instead of the mydomain host.

From this reading I was hoping this thing would not be that encompassing.

I understand I am also a bit high level with my communication.

Is there any way we could tackle this differently and still get your points value and then some?

Your help is very much appreciated and I'm looking forward to your answer

Best regards
Franck

Good morning Franck,

I have a new diagram for you first. I'm hoping this helps clarify a little, perhaps I've misunderstood something in your intent so yell if any of the diagram is significantly wrong.


I've included the file names in those so you can link those up to anything you have already (named.conf does not include the keys configuration, that's assumed to be present). The examples I've used to date have been zone files.

Presumably your ISP is hosting the mydomain.com / domain.com system for you? If so, that's where the update needs to go from PFSense. In that sense, we may simply be talking cross purposes.

Adding the PFSense configuration to that we "should" have something like this:

Services > Dynamic DNS, RFC 2136 tab
Enable: Checked
Interface: WAN
Hostname: ns3.domain.com
TTL: 30
Key Name: ns3.domain.com
Key Type: Host
Key: Secret key from above 
Server: ns1.domain.com
Protocol: Unchecked
Description: My DynDNS Entry

Select allOpen in new window

The ns3 name is arbitrary, you could make that anything you like.

The Server entry may need to be an IP address. The goal is to get the dynamic update to a willing server so we can change the record on ns1.domain.com (the ISP). Normally updates would be sent to the server listed in the SOA record, it holds the only writeable copy of a zone.

Finally, when reviewing this configuration it's important to understand how names in sub.domain.com will be resolved. The following process is used by a resolver:

1. Client requests record.sub.domain.com from it's local resolver.
2. Local resolver queries root hints (responsible for ".").
3. Root hints respond with "ask the TLD (Top Level Domain) holder, .com".
4. Local resolver queries servers responsible for .com.
5. .com servers respond with "ask ns1 or ns2.domain.com".
6. Local resolver queries ns1 or ns2.domain.com
7. ns1 or ns2 respond with "ask ns3.domain.com" (for record.sub.domain.com).
8. Local resolver queries ns3.domain.com
9. ns3.domain.com (hopefully) returns a valid answer for record.sub.domain.com.

Part or all of the queries above may be cached by the resolver (based on the TTL values for each). I wouldn't expect a resolver to do every single one of those steps every time.

I suspect our time zones are quite a long way out (London for me). which is adding quite a lot of latency into our conversation. I'm afraid there's not much of a way around that. Taking the conversation out of EE is against the rules, but it's unlikely to do much without being able to fix the time zone. I certainly appreciate your frustration though, it's one of those that really benefits from an hour in a meeting room with a white board to jot ideas on :)

Chris

Hey Chris, Thank's for the reply I will study carefully.

Now, I just noticed. I have a very basic problem!

I can't ping "google.com" anymore (don't know since when)
Have a look at this thread. What can I do with this ?

Thanks for the subdomain resolution clarification I get it.

How does the dynamic updates work?

Yes my time zone is  EST-5 so nothing you can do there. I am the one being slow to reply, :(

Looking forward to your reply.
Thank's again

Best Regards
Franck

You've still got name resolution so something is still flowing.

Perhaps try:

telnet www.google.com 80

It should fail (to correspond with the timeout message), but it's not guaranteed.

If it does timeout you need to head to the next hop (pfsense?). Can you try anything from there? Does it implement any firewall rules? How about network address translation?

I'm not overly familiar with pfsense so it's difficult for me to give you any targeted advice, but it's the area I'd be intent on studying if I had the problem.

Chris

Hey Chris,

I have modified my approach

I am leaving aside the Dynamic DNS for now

Here is where I stand.

I need to setup my subdomain.

I have implemented DynDNS to fix my dynamic public address issue.
I have made proper redirection with my public host with a CNAME record.
I can now ping my internal domain name.

The setup for my ISPconfig Server and DNS is like this.

Server:
DNS Zone:
DNS Zone records:
A             sub.myhosteddomain.com           192.168.1.5
A             mail                                           192.168.1.5
A             www                                          192.168.1.5
MX          sub.myhosteddomain.com           mail.sub.myhosteddomain.com.
NS           sub.myhosteddomain.com           ns2.sub.myhosteddomain.com.
NS           sub.myhosteddomain.com           ns1.sub.myhosteddomain.com.


Problems:
When I nslookup my LAN my internal domain it displays the ip of my Windows PDC. ???
When I nslookup the WAN I get
Non-authoritative answer:
 sub.myhosteddomain.com      canonical name = sub777.DynDNS.org.
 Name:      sub777.DynDNS.org
 Address: 204.12.27.11 (my router WAN ip)

So someting is working!

If I try to nslookup my webserver1.sub.myhosteddomain.com or my winpdc.sub.myhosteddomain.com
I get noting and an error: namerror.

Any sugestion or adive would help greatly.

Best Regards
Franck

> When I nslookup my LAN my internal domain it displays the ip of my Windows PDC. ???

I may be misinterpreting this, but a few posts ago I made the recommendation that you used different sub-domains for each fragment of your network. This is why :)

If the Windows DNS (or BIND, both have to do the same thing) server has a zone called sub.myhosteddomain.com it will not look elsewhere for answers about the zone. This is because it is a name server for the zone and knows the start of authority, it knows everything.

In addition to this, MS AD places some pretty heavy requirements on DNS. Records like sub.myhosteddomain.com (A) must be owned by Active Directory and cannot be changed to something else.

What Forward Lookup Zones do you have configured on the MS DNS server?

If you don't have a zone for sub.myhosteddomain.com on the server please can you run this and show me the output (sanitising where required):

nslookup -q=a -nosearch -d sub.myhosteddomain.com

> So someting is working!

That on the other hand is fantastic news :)

Chris

Hey Chris,

Sorry for my late response. I was caught up on other problems.

So many questions!

I will try to be as specific and explicit as possible, if you find anything I say to be ambiguous please yell at me :|

In response to your last post.

Yes I went with two internal domains
One the AD is called winad the other one the Bind DNS throught ISPConfig3 is called web.

Not sure I clearly understand what you mean when you speak about MS AD but maybe the fact that I'm using two zones on two different nameservers is simplifiying my setup (I hope :)

Then again I understand some of the implications of the Win AD related to my ISPConfig/Bind setup ... ... I understand that at some point I will need to have a DNS forward condition so my internal computer can access that "web" domain. Am I correct?

Also am I mistaking? If I was to forget about the fact that my router is getting a dynamic ip vs static. I should at least be able to get this working for a little while, then I could address this as a seperate issue.

Here is the state of my setup.

Relating to my WinPDC installed services and configuration I have:

Relating to My ISPConfig/BIND installed services and configuration I have:

Now how does this look like to you? Any errors? Anything missing.?
Do those internal IP's make sense?

When I use  "dig -any"  on "web.mypublicsite.com"
All I get is this!!!!

web.mypublicsite.com@8.8.4.4 (Default):
web.mypublicsite.com.      1440      IN      CNAME      mypublicsite.dyndns.org.

When I use a dig (any) on "winad.mypublicsite.com" I get about the same!

So something is wong!????

I should mention that my ISPConfig/DNS is not integrated with AD
PFSense is not integrated with AD or registerd with my ISPConfig/DNS it does not have any forwarders DNS . ?????
I have no forwarders in AD.
DHCP is not relayed to anything.
I created a CNAME record at mypublicsite.com to point back to my web.mydomain.com

I'm puzzeled ! what am I missing ???

I want to get over this ASAP.

Again I thank you very much for your guidance and counseling it is well appreciated.

I appreciate you cheering me up... I guess we all have to start somewhere! I hope I am getting closer and not being a pain!

Best Regards

Franck

Morning Franck,

> One the AD is called winad the other one the Bind DNS throught ISPConfig3 is called web.

Good that immediately rules out the problem I highlighted above :)

>  I understand that at some point I will need to have a DNS forward condition so my
> internal computer can access that "web" domain. Am I correct?

Yes, especially if web and winad share the same network segment; the public delegation, if configured, would not work in that scenario (bad return path if traffic is subject to NAT).

> So something is wong!????

Check for the delegation with:

dig web.mypublicsite.com ns

If that doesn't exist then nothing on your internal server can be referenced (without the conditional forwarder on winad).

I suspect you have a wildcard record in the zone, try:

dig madeup.mypublicsite.com any

If you get the same CNAME response then you do. That'll explain resolution for anything not explicitly created.

Cheers,

Chris

Good day Chris,

>dig web.mypublicsite.com ns  gives

dig madeup.mypublicsite.com any  gives


Are those result showing proper resolution and no wildcard?

Also if on one of my internal computers I try to access web.mypublicsite.com
pfsense return and https page saying "potential DNS rebind attack" !!??

Cheers
Franck

Yep, that's all normal resolution.

But that's okay, we don't have a delegation at the moment, but you also cannot delegate to a CNAME (http://tools.ietf.org/html/rfc2181#section-10, 10.3). That is, you cannot do this:

web.mypublicsite.com.   IN NS     web.mypublicsite.com.
web.mypublicsite.com.   IN CNAME  mypublicsite.dyndns.org.

Select allOpen in new window

But you can, potentially, do this to reference your internal DNS server:

web.mypublicsite.com.   IN NS     mypublicsite.dyndns.org.

Select allOpen in new window

As long as mypublicsite.dyndns.org is an A record.

The Rebind attack is described here:

https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

It looks like pfsense is using TCP/443 as the administration port, you're trying to access pfsense using a name it doesn't recognise so it says no.

I've never used PfSense so I can't really tell you how to get it to handle the inbound traffic properly I'm afraid.

Chris

Chris,

What do you mean we do not have delegation.

We cannot delegate to a cname ! are you talking about my cname record at mypublicsite.com?

My dyndns record is an a record.

Yes I get it with the DNS_rebind from pfsense I am investigating a solution

Franck

Also do I need to register create an A record in my BIND DNS for pfsense

Apologies for the late reply, busy few days.

> We cannot delegate to a cname ! are you talking about my cname
> record at mypublicsite.com?

Yes, that's right. It only matters if you wish your web.mypublicsite.com DNS server to be accessible from outside your network.

> Also do I need to register create an A record in my BIND DNS for pfsense

I can't think of a reason you would need to so I'm inclined to say no.

How is everything at the moment? Any closer to working? :)

Chris

Hey Chris,

I was able to fix my rebind problem by adding a dns forwarder in pfsense.
Not sure if it is the best or right way to do it though.

Further more and probably related to the fact that I don't have an A or NS record redirect!

I can access my web server internaly but not from the outside!

> But you can, potentially, do this to reference your internal DNS server:
> web.mypublicsite.com.   IN NS     mypublicsite.dyndns.org.

How and what service (free if possible) could I use to do that?

Regards
Franck

Hello Chris,

Sorry for the late response.

I am very happy to say that my solution is working!

Thank you very much for your awesome help insights and counseling.

Hope to speak again.

Best Regards
Franck

Fantastic, I'm really glad to hear it.

All the best,

Chris