A detailed explanation of dynamic DNS service configuration method under Linux

Source: Internet
Author: User
Tags: bind, hmac, md5, dnssec, linux

In network management, running the DNS service is a fundamental task. As the number of users grows, it becomes impractical to modify the DNS zone database files by hand every time a host changes. Dynamic DNS (DDNS) has therefore attracted growing attention, and different platforms have introduced their own solutions. This article describes in detail how DDNS is realized in the Linux environment by having BIND (the ISC DNS server) and the ISC DHCP server (Dynamic Host Configuration Protocol, both developed by the Internet Software Consortium) work together.

Implementing dynamic DNS under Linux requires BIND version 8 or later, as well as DHCP server version 3.0, because only the 3.0 series fully supports DDNS. The implementation environment of this article therefore uses Slackware Linux 9.0 as the DDNS server, running both the DNS and the DHCP services: the DNS server is BIND 9.2.2 and the DHCP server is DHCP server V3.0PL2.

The following is a detailed introduction to the implementation of secure, dynamic DNS in Linux environments.

Create key

To realize dynamic updating of DNS, the first thing to consider is how to make DDNS secure. The approach given by ISC is to create a key that is shared between the updater and the DNS server; every dynamic update is signed with this key and validated against it before it is applied. To create the key, run the following command as root:

root@slack9:/etc# dnssec-keygen -a HMAC-MD5 -b 128 -n USER Myddns

Kmyddns.+157+37662

The dnssec-keygen command above generates an update key. The parameter -a HMAC-MD5 selects HMAC-MD5 as the key algorithm; -b 128 sets the key length to 128 bits; -n USER Myddns declares a key of name type USER whose name (the user of the key) is Myddns.

The command generates a pair of key files as follows:

-rw-------  1 root root     18:26 Kmyddns.+157+37662.key

-rw-------  1 root root  81 18:26 Kmyddns.+157+37662.private

You can view the contents of the key file that you just generated:

root@slack9:/etc# cat Kmyddns.+157+37662.key

Myddns. IN KEY 0 2 157 4gef1mkmn5hrlwyuegjv3g==

root@slack9:/etc# cat Kmyddns.+157+37662.private

Private-key-format: v1.2

Algorithm: 157 (HMAC_MD5)

Key: 4gef1mkmn5hrlwyuegjv3g==

Reading the two files shows that both contain the same key; this shared secret is the credential with which DHCP performs secure dynamic updates of DNS. Later you will add the key to the DNS configuration file and to the DHCP configuration file separately.
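To make concrete what the shared secret in the two key files is used for, here is an added example in Python (not code from the article, BIND or ISC DHCP). It implements the TSIG mechanism of RFC 2845 that BIND and the DHCP server use: the updater appends a TSIG record whose MAC is HMAC-MD5 over the DNS UPDATE message plus the TSIG variables, and the server recomputes the MAC with the same secret and rejects unknown keys (BADKEY), forged or modified messages (BADSIG) and stale timestamps (BADTIME). The key line is copied from the article's Kmyddns.+157+37662.key; the zone tcbuu.cn, the host name host1.tcbuu.cn, the address 10.22.1.50, the message ID and the timestamps are constructed for the demonstration. Names are handled uncompressed, which is sufficient for messages the script builds itself.

```python
import base64
import hashlib
import hmac
import struct

# Constructed copy of the Kmyddns.+157+37662.key line shown in the article
KEY_FILE_TEXT = "Myddns. IN KEY 0 2 157 4gef1mkmn5hrlwyuegjv3g=="
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."  # TSIG algorithm name BIND uses for HMAC-MD5

def parse_key_file(text):
    """Parse 'name. IN KEY flags proto alg secret' lines into {name: base64 secret}."""
    keys = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[1].upper() == "IN" and f[2].upper() == "KEY":
            keys[f[0].lower()] = f[6]
    return keys

def wire_name(name):
    """Uncompressed, lowercased (canonical) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(buf, off):
    """Read an uncompressed name; returns (name with trailing dot, offset after it)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1

def build_update(zone, rr_name, ttl, ipv4, msg_id):
    """DNS UPDATE (opcode 5) adding one A record: ZOCOUNT=1, UPCOUNT=1, ARCOUNT=0."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = wire_name(rr_name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # A, IN
    return header + zone_sec + rr

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2): name, class ANY, TTL 0, ..."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(alg)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, key_name, secret_b64, time_signed, fudge=300):
    """Updater side: append a TSIG RR whose MAC covers msg plus the TSIG variables."""
    secret = base64.b64decode(secret_b64)
    mac = hmac.new(secret, msg + tsig_variables(key_name, HMAC_MD5, time_signed, fudge),
                   hashlib.md5).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(HMAC_MD5)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))  # original ID, error, other len
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1  # TSIG counts as an additional RR
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def split_tsig(signed):
    """Strip the trailing TSIG RR; return the message as it was signed plus the TSIG fields."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(counts[2]):                              # zone section entries
        off = read_name(signed, off)[1] + 4
    for _ in range(counts[3] + counts[4] + counts[5] - 1):  # every RR except the TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    if struct.unpack("!H", signed[off:off + 2])[0] != 250:
        raise ValueError("last additional RR is not a TSIG record")
    alg, off = read_name(signed, off + 10)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[off:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", counts[5] - 1) + signed[12:tsig_start])
    return unsigned, key_name, alg, (hi << 32) | lo, fudge, error, other, mac

def verify(signed, keys, now):
    """Server side: returns the TSIG error name named would report (NOERROR on success)."""
    unsigned, key_name, alg, ts, fudge, error, other, mac = split_tsig(signed)
    secret_b64 = keys.get(key_name.lower())
    if secret_b64 is None or alg.lower() != HMAC_MD5:
        return "BADKEY"
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + tsig_variables(key_name, alg, ts, fudge, error, other),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return "BADSIG"
    if abs(now - ts) > fudge:  # clock skew beyond the fudge window
        return "BADTIME"
    return "NOERROR"
```

Usage: keys = parse_key_file(KEY_FILE_TEXT); signed = sign(build_update("tcbuu.cn.", "host1.tcbuu.cn.", 3600, "10.22.1.50", 0x1234), "Myddns.", keys["myddns."], time_signed=1000000); verify(signed, keys, now=1000100) returns "NOERROR", while the same message checked against a different secret or with one byte altered returns "BADSIG". This is why the key must be identical in named.conf and dhcpd.conf, and why it must be kept as tightly permissioned as the 0600 key files above.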

Modify the DNS primary configuration file

Once the key has been generated, edit /etc/named.conf to add the key information to the DNS primary configuration file. This article gives the following example of a modified /etc/named.conf:

options {
    directory "/var/named";               // storage directory for the zone database files
};
zone "." in {
    type hint;
    file "caching-example/named.ca";
};
zone "localhost" in {
    type master;
    file "caching-example/localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "caching-example/named.local";
    allow-update { none; };
};
key myddns {
    algorithm hmac-md5.sig-alg.reg.int;   // algorithm with which the key was generated
    secret "4gef1mkmn5hrlwyuegjv3g==";    // the key from the .key/.private files
};
zone "tcbuu.cn" in {
    type master;
    file "tcbuu.cn";                      // zone file name for tcbuu.cn; the file is used later in this article
    allow-update { key myddns; };         // only a client holding key myddns may dynamically update "tcbuu.cn"
};
zone "1.22.10.in-addr.arpa" in {
    type master;
    file "tcbuu.cn.arpa";                 // reverse zone file for tcbuu.cn
    allow-update { key myddns; };         // only a client holding key myddns may dynamically update "1.22.10.in-addr.arpa"
};

Multiple zones can be defined in /etc/named.conf. Any zone that should accept dynamic updates only needs the directive allow-update { key myddns; }; added to it; from then on only an entity that holds the key myddns (in this article, the DHCP server configured with the same key) can securely update that zone. This method is much more secure than the older method of restricting updates by IP address.
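The point above, that a zone is only as protected as its allow-update policy, is easy to check mechanically. The following Python script is an added example (not part of the article and not a BIND tool): it reads a named.conf-style text, classifies each zone's update policy, and flags zones that accept updates from any or from address ranges instead of a key, zones that reference a key that is not defined, and keys that still use HMAC-MD5. The sample configuration is constructed in the style of the article's file; the zones legacy.example, open.example and orphan.example are invented for the demonstration. The regex parser covers the simple block syntax used in the article (no include, views or nested acl statements).

```python
import re

# Constructed sample in the style of the article's /etc/named.conf (not the original file).
# The three *.example zones are invented to show the policies the audit flags.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
key myddns {
    algorithm hmac-md5.sig-alg.reg.int;   // algorithm used to generate the key
    secret "4gef1mkmn5hrlwyuegjv3g==";
};
zone "localhost" in { type master; file "caching-example/localhost.zone"; allow-update { none; }; };
zone "tcbuu.cn" in { type master; file "tcbuu.cn"; allow-update { key myddns; }; };
zone "1.22.10.in-addr.arpa" in { type master; file "tcbuu.cn.arpa"; allow-update { key myddns; }; };
zone "legacy.example" in { type master; file "legacy"; allow-update { 10.22.1.0/24; }; };     // constructed
zone "open.example" in { type master; file "open"; allow-update { any; }; };                 // constructed
zone "orphan.example" in { type master; file "orphan"; allow-update { key nosuchkey; }; };   // constructed
"""

_COMMENT = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)
_KEY = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.S)
# zone body may contain one level of nested braces (the allow-update list)
_ZONE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}', re.S)
_UPDATE = re.compile(r'allow-update\s*\{([^}]*)\}', re.S)

def defined_keys(conf):
    """Map key name (lowercased) -> algorithm for every top-level key statement."""
    text = _COMMENT.sub('', conf)
    keys = {}
    for name, body in _KEY.findall(text):
        m = re.search(r'algorithm\s+"?([\w.-]+)"?', body)
        keys[name.lower()] = m.group(1).lower() if m else ''
    return keys

def audit_updates(conf):
    """Classify each zone's allow-update policy; returns {zone name: verdict string}."""
    text = _COMMENT.sub('', conf)
    keys = defined_keys(text)
    report = {}
    for zone, body in _ZONE.findall(text):
        m = _UPDATE.search(body)
        acl = [t.strip() for t in m.group(1).split(';') if t.strip()] if m else []
        if not acl or acl == ['none']:
            report[zone] = 'static'                      # no dynamic updates at all
        elif 'any' in acl:
            report[zone] = 'OPEN: any client can update'
        elif all(t.startswith('key ') for t in acl):
            names = [t.split(None, 1)[1].strip('"').lower() for t in acl]
            missing = [n for n in names if n not in keys]
            if missing:
                report[zone] = 'BROKEN: undefined key ' + ', '.join(missing)
            elif any(keys[n].startswith('hmac-md5') for n in names):
                report[zone] = 'key-authenticated (hmac-md5; prefer hmac-sha256)'
            else:
                report[zone] = 'key-authenticated'
        else:
            report[zone] = 'address-based: spoofable, no authentication'
    return report

if __name__ == "__main__":
    for zone, verdict in audit_updates(SAMPLE_NAMED_CONF).items():
        print(f"{zone:24s} {verdict}")
```

Run audit_updates over the real file contents; anything that is not "static" or "key-authenticated" deserves a look, because an address-based or open policy lets any host that can spoof or reach the server rewrite the zone. The hmac-md5 note reflects current practice rather than the article's 2003-era setup: BIND has supported HMAC-SHA256 TSIG keys for many releases and its tsig-keygen tool defaults to it, so new keys should use that algorithm.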

This completes the configuration of the DNS server; run named as root to start the DNS service.
