In network management, the management of DNS services is a fundamental task. With the expansion of the user scale, it is not easy to manually modify the DNS zone database files frequently. The research on Dynamic DNS (DDNS) has gradually aroused people's concern, and different platforms have introduced their own solutions. This article will detail the solution for DDNS in the Linux environment, BIND-DNS and DHCP (Dynamic Host Configure Protocol, developed by Internet Software Consortium (ISC). Dynamic Host Configuration Protocol) work together to realize the Ddns method.
Implementing dynamic DNS under Linux requires more than 8 DNS software, as well as a DHCP Server v3.0 version, because only 3.0 of the versions are fully implemented to support DDNS. Therefore, the implementation environment of this article uses Slackware Linux 9.0 as the DDNS server, which runs both DNS and DHCP services, where DNS server uses the BIND 9.2.2,DHCP server for DHCP server V3.0PL2.
The following is a detailed introduction to the implementation of secure, dynamic DNS in Linux environments.
Create key
To realize the dynamic update of DNS, the first thing to consider is how to ensure the implementation of DDNS safely. The approach given by ISC is to create a key that is dynamically updated and validated by the key when it is updated. To achieve this, you need to run the following command as root:
root@slack9:/etc# dnssec-keygen-a hmac-md5-b 128-n USER Myddns
kmyddns.+157+37662
The function of the above Dnssec-keygen command is to generate an update key, where the parameter-a hmac-md5 refers to the key generation algorithm using HMAC-MD5; parameter-B 128 refers to the number of digits of the key as 128 bits; parameter-n USER Myddns refers to the user of the key as Myddns.
The command generates a pair of key files as follows:
-RW-------1 root 18:26 kmyddns.+157+37662.key
-RW-------1 root root of Bayi 18:26 kmyddns.+157+37662.private
You can view the contents of the key file that you just generated:
Root@slack9:/etc# Cat Kmyddns.+157+37662.key
Myddns. INKEY02157 4gef1mkmn5hrlwyuegjv3g==
Root@slack9:/etc# Cat Kmyddns.+157+37662.private
private-key-format:v1.2
algorithm:157 (HMAC_MD5)
key:4gef1mkmn5hrlwyuegjv3g==
By reading the key file, you will find that these two files contain the same key, which is the credential of DHCP for secure dynamic update of DNS. You will need to add the key separately to the DNS and DHCP configuration files later.
To modify the primary configuration file for DNS
The key is to start editing the/etc/named.conf file after it is generated, primarily to add the key information to the DNS primary configuration file. This article gives an example of a modified/etc/named.conf:
Options {
Directory "/var/named";
file://the storage directory for the specified zone database file
};
Zone "." in {
Type hint;
File "caching-example/named.ca";
};
Zone "localhost" in {
Type master;
File "Caching-example/localhost.zone";
allow-update {none;};
};
Zone "0.0.127.in-addr.arpa" in {
Type master;
File "Caching-example/named.local";
allow-update {none;};
};
Key Myddns {
Algorithm HMAC-MD5. Sig-alg. Reg.int;
FILE://indicates the algorithm for generating the key
Secret 4gef1mkmn5hrlwyuegjv3g==;
file://indicate key
};
Zone "tcbuu.cn" in {
Type master;
File "tcbuu.cn";
FILE://is tcbuu.cn to the zone file name, and the file will be used in the following text
allow-update {key myddns;};
FILE://indicates that a user using key Myddns as a key can dynamically update the area "tcbuu.cn"
};
Zone "1.22.10.in-addr.arpa" in {
Type master;
File "Tcbuu.cn.arpa";//reverse zone filename tcbuu.cn
allow-update {key myddns;};
FILE://indicates that a user using key Myddns as a key can dynamically update the area "1.22.10.in-addr.arpa"
};
Multiple zones can be defined in/etc/named.conf, as long as the allow-update {key Myddns is added to the zone that allows dynamic updates.} Directive, dynamic updates can be implemented, and only a key Myddns entity (a DHCP server that has the same key in the implementation of this article) can implement a secure dynamic update of the zone. This method is much more secure than the original method of limiting IP addresses.
This completes the configuration of the DNS server, and you can perform #named to run the DNS service.