
Another option for dynamic DNS on your own site, or how I gave up DynDNS

For a long time I had been using the service from the company DynDNS, which lets you bind a domain name to a computer's dynamic IP address. It is convenient for administering a client, and convenient for the client to connect to their work computer from home. But at some point the service began tightening the screws.

At first, you could use a domain name on your account for free. Later, the domain name started being reset every month, which periodically required effort to get things working again. Other free services didn't look good, and at some point I signed up for their paid service for $25 a year, which let me use up to 30 domain names.

There was one inconvenience: the Windows client program shows all the domain names of my account when it is set up, so any client may accidentally or intentionally break the binding of someone else's domain name. In general, annoying but tolerable. Last week it was time to renew for a year. The price rose to $30, and by then the ruble had fallen to 60 rubles per dollar. I felt sorry for the rubles and decided to run dynamic DNS on my own site.

Initial data:

What you need to get:

Solution:

Suppose our domain is MyDomain.ru. We declare it as a master zone in /etc/namedb/named.conf:

    zone "MyDomain.ru" {
        type master;
        file "/etc/namedb/master/MyDomain.ru";
    };

Accordingly, in /etc/namedb/master/MyDomain.ru we write something like:

    $ORIGIN .
    $TTL 3600       ; 1 hour
    MyDomain.ru     IN SOA  ns1.MyDomain.ru. root.MyDomain.ru. (
                            2015032014 ; serial
                            10800      ; refresh (3 hours)
                            3600       ; retry (1 hour)
                            604800     ; expire (1 week)
                            86400      ; minimum (1 day)
                            )
                    NS      ns1.MyDomain.ru.
                    NS      ns2.MyDomain.ru.
                    A       188.120.254.163
                    MX      10 mail.MyDomain.ru.
                    MX      20 mail.MyDomain.ru.
    $ORIGIN MyDomain.ru.
    mail            A       192.168.0.1
    ns1             A       192.168.0.1
    ns2             A       192.168.0.1
    smtp            A       192.168.0.1
    www             A       192.168.0.1

After running:

    echo 'named_enable="YES"' >> /etc/rc.conf
    /etc/rc.d/named start


we get a working DNS server; check it by pinging names and confirming they resolve to addresses. If there is a firewall, don't forget to open inbound ports 53 and 953. Next, configure rndc, the named management utility:

    rndc-confgen

Its output is split between two files:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "rxeXMLrA\1py6mDLhGO7dA==";
    };
    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };

goes into /etc/namedb/rndc.conf, and

    # key "rndc-key" {
    #     algorithm hmac-md5;
    #     secret "rxeXMLrA\1py6mDLhGO7dA==";
    # };
    #
    # controls {
    #     inet 127.0.0.1 port 953
    #         allow { 127.0.0.1; } keys { "rndc-key"; };
    # };

goes into /etc/namedb/named.conf with the comment markers removed. If everything is correct, the following command should succeed:

    rndc reload


You can see the status with

    rndc status

For more, see man rndc.

You need to give write rights on the zone directory to the user that named runs as:

    chown bind /etc/namedb/master

Create the user ddns (with the home directory /home/ddns), on whose behalf the DNS update script will run. Create a script with the following content and place it in, for example, /home/ddns/ddns.sh:

    #!/usr/local/bin/bash
    TTL=120
    SERVER=127.0.0.1
    ZONE=MyDomain.ru.
    HOSTNAME=$1.$ZONE          # first argument: the client's login, used as the label
    KEY="rxeXMLrA\1py6mDLhGO7dA=="   # the rndc-key secret (TSIG)
    new_ip_address=$2          # second argument: the client's current address
    # Replace the A record for this name in one signed update transaction
    nsupdate << EOF
    server $SERVER
    key rndc-key $KEY
    zone $ZONE
    update delete $HOSTNAME A
    update add $HOSTNAME $TTL A $new_ip_address
    send
    EOF

Don't forget:

    chown ddns:ddns /home/ddns/ddns.sh
    chmod 700 /home/ddns/ddns.sh

Calling it with two parameters

    /home/ddns/ddns.sh test 192.168.0.2

should add a third-level name test.MyDomain.ru with the address 192.168.0.2 to our zone.
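The script above passes both arguments from the web server straight into nsupdate. As an added example (not the article's ddns.sh), the POSIX sh functions below validate the label and the IPv4 address first and only then emit the same delete/add batch; the names valid_label, valid_ipv4 and build_nsupdate are chosen here, and KEY holds a placeholder rather than the article's secret.

```shell
#!/bin/sh
# Added example, not the article's ddns.sh: validate the two inputs that the
# web server hands over (login and client IP) before building the nsupdate
# batch. Function names are chosen here; KEY holds a placeholder secret.
ZONE=MyDomain.ru.
TTL=120
SERVER=127.0.0.1
KEY='REPLACE-WITH-RNDC-SECRET'   # placeholder, not the article's value

# One DNS label: 1-63 characters from [A-Za-z0-9-], not starting or ending
# with a hyphen. Anything else (spaces, dots, shell metacharacters) fails.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Exactly four decimal octets 0-255 separated by single dots; an empty
# octet, a trailing dot or a fifth octet all fail.
valid_ipv4() {
    ip=$1; n=0
    while [ -n "$ip" ]; do
        o=${ip%%.*}
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$o" ] && break      # last octet consumed
        ip=${ip#*.}
        [ -n "$ip" ] || return 1       # trailing dot
    done
    [ "$n" -eq 4 ]
}

# Print the same delete/add batch the article's script feeds to nsupdate,
# but only when both arguments pass validation; otherwise print nothing
# and return failure so the caller can log and refuse the update.
build_nsupdate() {
    valid_label "$1" && valid_ipv4 "$2" || return 1
    host="$1.$ZONE"
    printf 'server %s\nkey rndc-key %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$SERVER" "$KEY" "$ZONE" "$host" "$host" "$TTL" "$2"
}

# Usage, mirroring the article's script:  build_nsupdate "$1" "$2" | nsupdate
```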

Now it remains to give clients some way to invoke this script so that they can update their names in the zone to their current IP addresses. I solved this with a web server: I enabled virtual hosts in the Apache configuration and created one for this purpose.

    <VirtualHost *:80>
        ServerAdmin root@MyDomain.ru
        DocumentRoot "/usr/local/www/ddns"
        ServerName ddns.MyDomain.ru
        DirectoryIndex index.php
        ErrorLog "/var/log/apache/ddns-error.log"
        CustomLog "/var/log/apache/ddns-access.log" common
        <Directory "/usr/local/www/ddns">
            AllowOverride All
            Order allow,deny
            Require valid-user
            Allow from all
            AuthName "Who are you?"
            AuthType Basic
            AuthUserFile /usr/local/www/ddns/.htpasswd
        </Directory>
    </VirtualHost>

The main point is that this site is accessible only with a user name and password. The credentials are stored in /usr/local/www/ddns/.htpasswd; in the same directory we place the PHP script with the following content:

    <?php
    // Basic auth has already succeeded (Require valid-user), so REMOTE_USER is set
    $User = $_SERVER["REMOTE_USER"];
    $IP   = $_SERVER["REMOTE_ADDR"];
    echo $IP;
    // Quote both arguments so each reaches the script as a single shell word
    $CMD = 'sudo -u ddns /home/ddns/ddns.sh ' . escapeshellarg($User) . ' ' . escapeshellarg($IP);
    exec($CMD);
    ?>


Unfortunately, I could not run the bash script directly from PHP; I suppose this is caused by the security settings of the www user, on whose behalf the web server runs. Therefore, I use sudo to run it as the user ddns (a regular user whose home directory holds the script). Here is the line in /usr/local/etc/sudoers for this:

    www ALL=(ddns) NOPASSWD: /home/ddns/ddns.sh

And, of course, don't forget to actually populate the credentials file:

    htpasswd -b /usr/local/www/ddns/.htpasswd test test-password
    htpasswd -b /usr/local/www/ddns/.htpasswd test1 test1-password
    htpasswd -b /usr/local/www/ddns/.htpasswd test2 test2-password

If sudo is configured correctly and there are no problems with the www user's access rights, then when the client opens

    http://ddns.MyDomain.ru

it gets a prompt for credentials.

After entering the login and password, the browser shows the client's IP address. At the same time, on the server, the PHP script updates the domain name in DNS according to the client's login and IP address. I also consider it reasonable to add the following lines to the named configuration of our zone:

    update-policy {
        grant rndc-key name test.MyDomain.ru. A;
        grant rndc-key name test1.MyDomain.ru. A;
        grant rndc-key name test2.MyDomain.ru. A;
    };

so that the key rndc-key can only edit the allowed names. It would also be good for the client and server to talk over HTTPS so that passwords do not travel the Internet in the clear.

It only remains to finish the client. Everything is simple there.

    curl -u test:test-password http://ddns.MyDomain.ru

The curl utility should be present by default on *nix systems; for Windows it has to be downloaded. Put this command in a bat file or sh script and schedule it in the Task Scheduler or cron, respectively, with an interval of 5 minutes.

To connect another client to this scheme, we invent a login (a third-level domain name) and a password for it, adjust the client script, and add the credentials to .htpasswd.

Source: https://habr.com/ru/post/253851/

