
dynDNS for Amazon EC2 or how to automate IP auto-update on hosting with dynamic public IP

Recently I had the task of deploying an Ubuntu 12.04 virtual server on Amazon EC2 for a certain service and assigning it a name in an existing domain zone. As you know, Amazon changes the instance's public and local addresses after a reboot or shutdown, so I decided to use bash (for *nix) and bat (for Windows) to automate updating the dynamic address of the host.


Such a bash script already exists (Marius Ducea, Jun 1st, 2009). It was slightly out of date as to which Amazon API commands it uses, but for the most part it remained almost unchanged.
I will still go over how to set up BIND so that the synchronization command works, although there are already a few articles on Habr describing this method:
habrahabr.ru/post/101380
habrahabr.ru/post/45921
and many others.

I just fixed some commands, put the script into system autostart and made a similar bat script for Windows using cURL and a few files from BIND.
For a long time I could not work out why the zone would not update (the master and slave were on another host running Ubuntu 10.04 with BIND installed), so I had to enable logging on it:

In /etc/bind/named.conf I added the logging rules; the logs are written to the /var/log/named/ directory:
 logging {
   channel bind_log {
     file "/var/log/named/named.log";
     print-time yes;
     print-category yes;
     print-severity yes;
   };
   channel update_debug {
     file "/var/log/named/update-debug.log";
     severity debug 3;
     print-time yes;
     print-category yes;
     print-severity yes;
   };
   channel security_info {
     file "/var/log/named/security-info.log";
     severity info;
     print-time yes;
     print-category yes;
     print-severity yes;
   };
   category default { bind_log; };
   category xfer-in { bind_log; };
   category xfer-out { bind_log; };
   category update { update_debug; };
   category security { security_info; };
 };


After
 /etc/init.d/bind9 restart 

the logs appeared and it was possible to try updating the zone with the slightly modified script. First, however, the keys had to be created; I used 512 bits:
 dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n USER example.com 

Two files are produced:
 Kexample.com.+157+10000.key
 Kexample.com.+157+10000.private

In the script, specify the path to the generated private key:
 #!/bin/bash
 # path to the TSIG private key
 DNS_KEY="/etc/bind/key/Kexample.com.+157+10000.private"
 # zone to update
 DOMAIN=example.com
 # host name to register in the zone
 HOSTNAME=site1
 # option 2: take the host name from the instance metadata (the name assigned by Amazon)
 #USER_DATA=`/usr/bin/curl -s http://169.254.169.254/latest/meta-data/local-hostname`
 #HOSTNAME=`echo $USER_DATA`
 # set the machine's own host name
 hostname $HOSTNAME.$DOMAIN
 echo Host: $HOSTNAME.$DOMAIN
 # public address from the instance metadata
 PUBIP=`/usr/bin/curl -s http://169.254.169.254/latest/meta-data/public-ipv4`
 echo Public IP: $PUBIP
 cat<<EOF | /usr/bin/nsupdate -k $DNS_KEY -v
 server ns1.$DOMAIN
 zone $DOMAIN
 update delete $HOSTNAME.$DOMAIN A
 update add $HOSTNAME.$DOMAIN 60 A $PUBIP
 send
 EOF
 # local (VPC) address, published as local.<host>
 LOCIP=`/usr/bin/curl -s http://169.254.169.254/latest/meta-data/local-ipv4`
 echo Local IP: $LOCIP
 cat<<EOF | /usr/bin/nsupdate -k $DNS_KEY -v
 server ns1.$DOMAIN
 zone $DOMAIN
 update delete local.$HOSTNAME.$DOMAIN A
 update add local.$HOSTNAME.$DOMAIN 60 A $LOCIP
 send
 EOF

On the DNS server, put the secret from the generated key into the file that loads the zones (in my case named.conf.local):
 key example.com. {
   algorithm HMAC-MD5;
   secret "ynl7o+JFPekH4iUaptw7z12xLhkUBJTmqbmTYa1xe+Gpt26HVaff+qQW hlmWcvAUeYdg19B+M4YeFrfhAvlcLQ==";
 };
 zone "example.com" {
   type master;
   file "/etc/bind/master/example.com";
   allow-update { key example.com.; };
   allow-query { any; };
 };

Contents of the .key file:
 example.com. IN KEY 0 3 157 ynl7o+JFPekH4iUaptw7z12xLhkUBJTmqbmTYa1xe+Gpt26HVaff+qQW hlmWcvAUeYdg19B+M4YeFrfhAvlcLQ==
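As an added example (not the article's script, nor code from the linked projects), here is the same EC2-to-nsupdate flow written defensively: it accepts the metadata answer only if it is a dotted-quad IPv4 address, skips the update when the master already serves that address, and reads metadata through an IMDSv2 session token. The helper names, the dig pre-check and the `run` argument are my assumptions; the key path, zone and host name are the article's.

```bash
#!/bin/bash
# Added example, not the article's script: the same EC2 -> nsupdate flow with
# input validation and a "changed?" check. ec2_meta, valid_ipv4, nsupdate_batch
# and update_record are hypothetical helper names; dig and curl are assumed present.
set -u

# Accept only a dotted-quad IPv4, so an empty or HTML error reply from the
# metadata service can never be written into the zone as an A record.
valid_ipv4() {
    local ip=$1 octet
    case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(IFS=.; echo $ip)           # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Build the nsupdate batch for one name: delete its A rrset, add the new one.
nsupdate_batch() {
    local server=$1 zone=$2 name=$3 ip=$4 ttl=${5:-60}
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$server" "$zone" "$name" "$name" "$ttl" "$ip"
}

# Read a metadata path through an IMDSv2 session token (the article uses
# plain IMDSv1 GETs, which only work while the instance still allows them).
ec2_meta() {
    local token
    token=$(curl -sSf -X PUT http://169.254.169.254/latest/api/token \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60') || return 1
    curl -sSf -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/$1"
}

# Send an update only when the address is sane and differs from what the
# master already serves; an unchanged boot then causes no journal write.
update_record() {
    local key=$1 server=$2 zone=$3 name=$4 ip=$5 current
    valid_ipv4 "$ip" || { echo "refusing bad address '$ip' for $name" >&2; return 1; }
    current=$(dig +short "@$server" "$name" A | head -n 1)
    if [ "$current" = "$ip" ]; then echo "$name already $ip"; return 0; fi
    nsupdate_batch "$server" "$zone" "$name" "$ip" | nsupdate -k "$key" -v
}

main() {     # same key path, zone and host name as the article's script
    local key=/etc/bind/key/Kexample.com.+157+10000.private domain=example.com host=site1
    update_record "$key" "ns1.$domain" "$domain" "$host.$domain" "$(ec2_meta public-ipv4)"
    update_record "$key" "ns1.$domain" "$domain" "local.$host.$domain" "$(ec2_meta local-ipv4)"
}
case "${1:-}" in run) main ;; esac   # ./ec2-hostname.sh run
```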


Restart BIND on the master/slave DNS host and watch the logs while trying to update the zone with the script from the Amazon instance.

The following appeared:
named.log
 26-Jan-2013 22:53:27.780 update-security: info: client 192.168.254.1#58180: signer "example.com" approved
 26-Jan-2013 22:53:27.782 general: error: /etc/bind/master/example.com.jnl: create: permission denied
 26-Jan-2013 22:53:27.881 update-security: info: client 192.168.254.1#52062: signer "example.com" approved
 26-Jan-2013 22:53:27.883 general: error: /etc/bind/master/example.com.jnl: create: permission denied


update-debug.log
 26-Jan-2013 22:53:27.780 update: info: client 192.168.254.1#58180: updating zone 'example.com/IN': deleting rrset at 'flussonic.example.com' A
 26-Jan-2013 22:53:27.781 update: info: client 192.168.254.1#58180: updating zone 'example.com/IN': adding an RR at 'flussonic.example.com' A
 26-Jan-2013 22:53:27.781 update: debug 3: client 192.168.254.1#58180: updating zone 'example.com/IN': checking for NSEC3PARAM changes
 26-Jan-2013 22:53:27.782 update: info: client 192.168.254.1#58180: updating zone 'example.com/IN': error: journal open failed: unexpected error
 26-Jan-2013 22:53:27.882 update: info: client 192.168.254.1#52062: updating zone 'example.com/IN': deleting rrset at 'local.flussonic.example.com' A
 26-Jan-2013 22:53:27.882 update: info: client 192.168.254.1#52062: updating zone 'example.com/IN': adding an RR at 'local.flussonic.example.com' A
 26-Jan-2013 22:53:27.882 update: debug 3: client 192.168.254.1#52062: updating zone 'example.com/IN': checking for NSEC3PARAM changes
 26-Jan-2013 22:53:27.883 update: info: client 192.168.254.1#52062: updating zone 'example.com/IN': error: journal open failed: unexpected error


The logs said there was no write permission, although the files and directories had write permission for the bind user and group.
Searching the Internet suggested changing the line in /etc/apparmor.d/usr.sbin.named from
 /etc/bind/** r,
to
 /etc/bind/** rw,

This reduces the security of the zones located in that directory, but as usual I trusted to luck.
Next, reload AppArmor and restart BIND itself:
 /etc/init.d/apparmor restart
 /etc/init.d/bind9 restart


After the next BIND restart on the DNS host the error disappeared and the zone updated successfully, but all the commented data in it was lost, because BIND "tidied up" the records and removed everything extra, so make a copy of all zones beforehand.

You should also make this script start automatically, since after the virtual machine comes up it is inconvenient to ssh to the awful (and constantly changing) name ec2-55-240-2-74.compute-1.amazonaws.com and run it by hand to update the zone.
To do this, I made it executable and copied it to /etc/init.d/:
 chmod +x ec2-hostname.sh
 cp ec2-hostname.sh /etc/init.d/
 update-rc.d ec2-hostname.sh defaults


On Windows everything turned out to be much simpler:
 @echo off
 Setlocal enabledelayedexpansion
 rem path to the TSIG private key
 set DNS_KEY="Kexample.com.+157+10000.private"
 rem zone to update
 set DOMAIN=example.com
 rem host name to register in the zone
 set HOSTNAME=site1
 echo Host: %HOSTNAME%.%DOMAIN%
 rem public address from the instance metadata
 for /F "Delims=" %%P In ('curl -s http://169.254.169.254/latest/meta-data/public-ipv4') Do Set PUBIP=%%~P
 echo Public IP: %PUBIP%
 (
 @echo server ns1.%DOMAIN%
 @echo zone %DOMAIN%
 @echo update delete %HOSTNAME%.%DOMAIN% A
 @echo update add %HOSTNAME%.%DOMAIN% 60 A %PUBIP%
 @echo send
 ) | nsupdate -k %DNS_KEY% -v
 rem local address, published as local.<host>
 for /F "Delims=" %%L In ('curl -s http://169.254.169.254/latest/meta-data/local-ipv4') Do Set LOCIP=%%~L
 echo Local IP: %LOCIP%
 (
 @echo server ns1.%DOMAIN%
 @echo zone %DOMAIN%
 @echo update delete local.%HOSTNAME%.%DOMAIN% A
 @echo update add local.%HOSTNAME%.%DOMAIN% 60 A %LOCIP%
 @echo send
 ) | nsupdate -k %DNS_KEY% -v
 :eof


Then add it to the Task Scheduler to run at system startup.
The latest cURL was taken from: www.paehl.com/open_source
BIND: www.isc.org/software/bind
From BIND only these files are needed:
 libisc.dll
 liblwres.dll
 libisccfg.dll
 libbind9.dll
 libeay32.dll
 libdns.dll
 libxml2.dll
 nsupdate.exe

They can be placed next to the script or in %WINDIR%\system32.

Conclusion from all this:
Even though I completed the task, the DNS server is now even less secure, because I added another vulnerability and the risk of losing a properly configured zone.
Before repeating what is written here, you should clearly understand what you need to achieve, make a copy of all critical and changeable objects, and be sure that in case of any failure you can get access to the machine and fix the situation.
I take no responsibility for the consequences, since I myself am not sure it is correct.

PS
I apologize for such a confused text, and possible errors.

Source: https://habr.com/ru/post/167349/

