Configure the Dynamic DNS service in Linux
In network management, running a DNS service is a basic task. As the number of users grows, editing the DNS zone database files by hand becomes impractical, so Dynamic DNS (DDNS) has attracted growing attention and different platforms have produced their own solutions. This article describes in detail a DDNS solution for the Linux environment: the BIND DNS server and the DHCP (Dynamic Host Configuration Protocol) server, both developed by the Internet Software Consortium (ISC), working together to implement DDNS.
In Linux, implementing dynamic DNS requires not only BIND 8 or later, but also ISC DHCP server 3.0 or later, because only versions from 3.0 on fully support DDNS. The environment used in this article is Slackware Linux 9.0 as the DDNS server, running both the DNS and DHCP services: BIND 9.2.2 for DNS and DHCP server 3.0pl2 for DHCP.
The following describes how to implement secure dynamic DNS in Linux.
Create a key
To achieve dynamic DNS updates, you must first consider how to make DDNS secure. The method provided by ISC is to create a key for dynamic updates, which is used to authenticate each update. To generate it, run the following command as root:
root@slack9:/etc# dnssec-keygen -a HMAC-MD5 -b 128 -n USER myddns
Kmyddns.+157+37662
The dnssec-keygen command above generates an update key: -a HMAC-MD5 selects the HMAC-MD5 algorithm, -b 128 sets the key length to 128 bits, and -n USER myddns sets the key's name type to USER and its name to myddns.
The command generates the following pair of key files:
-rw------- 1 root 48 Jan 14 Kmyddns.+157+37662.key
-rw------- 1 root 81 Jan 14 Kmyddns.+157+37662.private
You can view the content of the generated key files:
root@slack9:/etc# cat Kmyddns.+157+37662.key
myddns. IN KEY 0 2 157 4gef1mkmn5hrlwyuegjv3g==
root@slack9:/etc# cat Kmyddns.+157+37662.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 4gef1mkmn5hrlwyuegjv3g==
Reading the two files carefully, you will find that they contain the same key. This key is the credential that DHCP uses to perform secure dynamic updates against DNS, and it must be added to the configuration files of both DNS and DHCP.
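Because the same secret has to be copied into two files with slightly different syntax, a small script that reads it out of the .private file and prints both stanzas avoids a typo in the shared secret. The following is an added example and not part of the original article; the key name myddns and the secret are the article's own values, and SAMPLE_PRIVATE is a constructed copy of the .private file shown above.

```shell
#!/bin/sh
# Added example, not from the original article: read the secret from the
# dnssec-keygen ".private" file and emit the matching "key" stanzas for
# /etc/named.conf and /etc/dhcpd.conf, so the secret is never re-typed.
# SAMPLE_PRIVATE is a constructed copy of the .private file shown in the article.

SAMPLE_PRIVATE='Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 4gef1mkmn5hrlwyuegjv3g=='

# tsig_secret FILE -> print the base64 secret stored in a .private file
tsig_secret() {
    sed -n 's/^Key: *//p' "$1" | tr -d ' \r'
}

# check_secret_bits SECRET BITS -> succeed if the base64 text decodes to BITS
# bits (dnssec-keygen -b 128 gives 16 bytes = 24 base64 characters ending "==")
check_secret_bits() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    pad=$(printf '%s' "$1" | tr -cd '=' | wc -c | tr -d ' ')
    [ $((len % 4)) -eq 0 ] || return 1
    [ $(( (len / 4 * 3 - pad) * 8 )) -eq "$2" ]
}

# named_key_stanza NAME SECRET -> key block in named.conf syntax (secret quoted, "};")
named_key_stanza() {
    printf 'key %s {\n    algorithm HMAC-MD5.SIG-ALG.REG.INT;\n    secret "%s";\n};\n' "$1" "$2"
}

# dhcpd_key_stanza NAME SECRET -> key block in dhcpd.conf syntax (no ";" after "}")
dhcpd_key_stanza() {
    printf 'key %s {\n    algorithm HMAC-MD5.SIG-ALG.REG.INT;\n    secret %s;\n}\n' "$1" "$2"
}

# Demo on the constructed sample; in real use pass Kmyddns.+157+37662.private instead.
keyfile=$(mktemp)
printf '%s\n' "$SAMPLE_PRIVATE" > "$keyfile"
secret=$(tsig_secret "$keyfile")
rm -f "$keyfile"
if check_secret_bits "$secret" 128; then
    echo "# secret decodes to 128 bits, as generated with -b 128"
fi
echo "# --- paste into /etc/named.conf ---"
named_key_stanza myddns "$secret"
echo "# --- paste into /etc/dhcpd.conf ---"
dhcpd_key_stanza myddns "$secret"
```

The length check matters because a secret that was cut or padded while copying still looks like base64; the server would only report a signature failure at update time.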
Modify the DNS master configuration file
After the key is generated, edit /etc/named.conf to add the key information to the DNS master configuration file. The modified /etc/named.conf used in this article looks like this:
options {
    directory "/var/named";
    // directory holding the zone database files
};

zone "." in {
    type hint;
    file "caching-example/named.ca";
};

zone "localhost" in {
    type master;
    file "caching-example/localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "caching-example/named.local";
    allow-update { none; };
};

key myddns {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    // the algorithm the key was generated with
    secret "4gef1mkmn5hrlwyuegjv3g==";
    // the key itself
};

zone "tcbuu.cn" in {
    type master;
    file "tcbuu.cn";
    // forward zone file tcbuu.cn, referred to again later
    allow-update { key myddns; };
    // only updates signed with key myddns may dynamically update zone "tcbuu.cn"
};

zone "1.22.10.in-addr.arpa" in {
    type master;
    file "tcbuu.cn.arpa";   // reverse zone file tcbuu.cn.arpa
    allow-update { key myddns; };
    // only updates signed with key myddns may dynamically update zone "1.22.10.in-addr.arpa"
};
You can define multiple zones in /etc/named.conf; add allow-update { key myddns; }; to every zone that should accept dynamic updates. Only a party holding the key myddns (in this implementation, the DHCP server configured with the same key) can then update that zone securely, which is much safer than restricting updates by IP address alone.
With the DNS server configured, run # named to start the DNS service.
Modify the DHCP configuration file
The main function of DHCP is to dynamically assign IP addresses, netmasks, gateways and other settings to DHCP clients. Because DHCP is where addresses are assigned dynamically, it is the first choice for implementing DDNS.
The modified /etc/dhcpd.conf used here is:
# dhcpd.conf
# Sample configuration file for ISC dhcpd
# option definitions common to all supported networks...
option domain-name "tcbuu.cn";
option domain-name-servers 10.22.1.123;
default-lease-time 600;
max-lease-time 800;
ddns-update-style interim;
# use the interim method for dynamic DNS updates

subnet 10.22.1.0 netmask 255.255.255.0 {
    range 10.22.1.60 10.22.1.69;   # address pool
    option broadcast-address 10.22.1.255;
    option routers 10.22.1.100;
}

key myddns {   # algorithm and secret of the generated key
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret 4gef1mkmn5hrlwyuegjv3g==;
}

zone tcbuu.cn. {
    primary 10.22.1.123;
    key myddns;   # key used to sign updates to this zone
}

zone 1.22.10.in-addr.arpa. {
    primary 10.22.1.123;
    key myddns;   # key used to sign updates to this zone
}
Notes:
1. ddns-update-style interim
The DHCP server developed by ISC currently supports mainly the interim method for dynamic DNS updates. The other method, ad-hoc, is essentially no longer used, so in practice interim is the only way to perform secure DDNS updates through DHCP in Linux.
2. key myddns {   # algorithm and secret of the generated key
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret 4gef1mkmn5hrlwyuegjv3g==;
}
The content of this block is exactly the same as in /etc/named.conf. Note that when editing /etc/dhcpd.conf there is no ";" after the closing "}", which differs from /etc/named.conf.
3. The zone names in /etc/dhcpd.conf must be fully qualified, so both zone tcbuu.cn. and zone 1.22.10.in-addr.arpa. must end with a ".".
After configuring /etc/dhcpd.conf, run # dhcpd to start the DHCP service.
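The two configuration files above have to agree in three places: the key name, the secret, and the set of zones dhcpd updates versus the zones named allows that key to update. A mismatch does not stop either daemon from starting; the signed updates are simply rejected and the failure is visible only in the server logs. The script below, an added example rather than code from the article or from ISC, cross-checks the two files. The two *_SAMPLE strings are constructed abridgements of the article's own files; in real use point check_ddns_config at /etc/named.conf and /etc/dhcpd.conf.

```shell
#!/bin/sh
# Added example, not from the original article: verify that named.conf and
# dhcpd.conf agree on the DDNS key and zones. Every zone dhcpd updates must exist
# in named.conf with "allow-update { key NAME; };", and "key NAME { ... }" must
# carry the same secret in both files. The *_SAMPLE strings are constructed
# abridgements of the article's configuration files.

NAMED_CONF_SAMPLE='key myddns {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "4gef1mkmn5hrlwyuegjv3g==";
};
zone "tcbuu.cn" in {
    type master;
    file "tcbuu.cn";
    allow-update { key myddns; };
};
zone "1.22.10.in-addr.arpa" in {
    type master;
    file "tcbuu.cn.arpa";
    allow-update { key myddns; };
};'

DHCPD_CONF_SAMPLE='ddns-update-style interim;
key myddns {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret 4gef1mkmn5hrlwyuegjv3g==;
}
zone tcbuu.cn. {
    primary 10.22.1.123;
    key myddns;
}
zone 1.22.10.in-ADDR.ARPA. {
    primary 10.22.1.123;
    key myddns;
}'

# conf_key_secret FILE NAME -> secret of "key NAME { ... }" with quotes and ";"
# stripped; the key block has the same shape in named.conf and dhcpd.conf
conf_key_secret() {
    awk -v name="$2" '
        $1 == "key" && $2 == name { inkey = 1 }
        inkey && $1 == "secret"  { s = $2; gsub(/[";]/, "", s); print s; exit }
        inkey && /}/             { inkey = 0 }' "$1"
}

# named_update_key FILE ZONE -> key name in "allow-update { key X; };" of ZONE
named_update_key() {
    awk -v zone="\"$2\"" '
        $1 == "zone" && tolower($2) == zone { inzone = 1 }
        inzone && /allow-update/ && /key/ {
            sub(/.*key[ \t]+/, ""); sub(/[ \t]*;.*/, ""); print; exit }
        inzone && /^[ \t]*};/ { inzone = 0 }' "$1"
}

# dhcpd_zones FILE -> "zone keyname" for every zone block in dhcpd.conf, the
# zone lower-cased with its trailing dot removed so it matches named.conf
dhcpd_zones() {
    awk '
        $1 == "zone" { z = tolower($2); sub(/\.$/, "", z) }
        z != "" && $1 == "key" { k = $2; sub(/;$/, "", k); print z, k; z = "" }' "$1"
}

# check_ddns_config NAMED_CONF DHCPD_CONF -> 0 when every dhcpd zone is allowed in
# named.conf under the same key name and both key blocks hold the same secret
check_ddns_config() {
    named=$1; dhcpd=$2; rc=0
    set -- $(dhcpd_zones "$dhcpd")
    [ $# -ge 2 ] || { echo "FAIL: no zone declarations in $dhcpd"; return 1; }
    while [ $# -ge 2 ]; do
        zone=$1; key=$2; shift 2
        nkey=$(named_update_key "$named" "$zone")
        if [ "$nkey" != "$key" ]; then
            echo "FAIL: zone $zone: dhcpd signs with '$key', named allows '${nkey:-nobody}'"
            rc=1; continue
        fi
        if [ -z "$(conf_key_secret "$named" "$key")" ] ||
           [ "$(conf_key_secret "$named" "$key")" != "$(conf_key_secret "$dhcpd" "$key")" ]; then
            echo "FAIL: key $key: secret differs between $named and $dhcpd"
            rc=1; continue
        fi
        echo "ok: zone $zone accepts updates signed with key $key; secrets match"
    done
    return $rc
}

# Demo on the constructed samples; real use: check_ddns_config /etc/named.conf /etc/dhcpd.conf
nc=$(mktemp); dc=$(mktemp)
printf '%s\n' "$NAMED_CONF_SAMPLE" > "$nc"
printf '%s\n' "$DHCPD_CONF_SAMPLE" > "$dc"
check_ddns_config "$nc" "$dc"
rm -f "$nc" "$dc"
```

Zone names are compared case-insensitively and without the trailing dot, because dhcpd.conf requires the dot and named.conf does not use it, and a zone in named.conf with allow-update { none; }; is reported as allowing nobody.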
Test DDNS
With both servers configured, you can now examine how the DDNS process works.
Once DNS is configured for dynamic updates, two additional binary zone files ending in .jnl appear in /var/named/. They are the journals of the zones currently in service: every dynamic update is first written to these files, and only after about 15 minutes is it written back to the text zone file, so the .jnl files always carry the latest content.
In this article's example, the zone files in /var/named/ are:
tcbuu.cn          forward zone file
tcbuu.cn.arpa     reverse zone file
tcbuu.cn.jnl      binary journal of the forward zone (new)
tcbuu.cn.arpa.jnl binary journal of the reverse zone (new)
1. Test with Windows 2000 as the DHCP client
(1) Set the client's host name to kill-virus and run ipconfig /all; it shows the obtained IP address 10.22.1.69.
(2) Run an nslookup test on the client.
C:\Documents and Settings\Administrator>nslookup
Default Server: slack9.tcbuu.cn
Address: 10.22.1.123
> kill-virus.tcbuu.cn            // check that the client's FQDN exists in the zone
Server: slack9.tcbuu.cn
Address: 10.22.1.123
Name: kill-virus.tcbuu.cn
Address: 10.22.1.69              // result: the resource record exists
(3) Run ipconfig /release on the client kill-virus to release the obtained IP address.
(4) Run ipconfig /renew on the client kill-virus to obtain an IP address again.
(5) Use nslookup to list the contents of the zone database.
C:\Documents and Settings\Administrator>nslookup
Default Server: slack9.tcbuu.cn
Address: 10.22.1.123
> ls tcbuu.cn                    // list the resource records in the zone database
[ftp.tcbuu.cn]
 tcbuu.cn.      NS     server = slack9.tcbuu.cn
 d2501          A      10.22.1.60
 dellpc         A      10.22.1.100
 kill-virus     A      10.22.1.61    // the IP address has changed
 slack9         A      10.22.1.123
The test shows that the same client kill-virus obtains IP addresses through the DHCP service and interacts with the dynamic DNS server: the client's host name, together with the IP address it obtained, is dynamically written into the forward zone file as a record. The same method can be used to test reverse zone updates.
2. Test with a Linux DHCP client
Run the dhcpcd daemon on the Linux DHCP client. To have it take part in dynamic updates, add the -h parameter. The command format is:
# dhcpcd -h mylinux
Here -h is followed by the local machine's host name, which is registered in the DDNS server's zone file through the DHCP service; it is essential for dynamic updates.
Dynamically updated zone database files
To see what has been updated, view the forward zone database file /var/named/tcbuu.cn and the reverse zone database file /var/named/tcbuu.cn.arpa.
# cat /var/named/tcbuu.cn
$ORIGIN .
$TTL 36000      ; 10 hours
tcbuu.cn        IN SOA  slack9.tcbuu.cn. root.slack9.tcbuu.cn. (
                        2004011402 ; serial
                        3600       ; refresh (1 hour)
                        1800       ; retry (30 minutes)
                        36000      ; expire (10 hours)
                        36000      ; minimum (10 hours)
                        )
                NS      slack9.tcbuu.cn.
$ORIGIN tcbuu.cn.
dellpc          A       10.22.1.100
ftp             CNAME   slack9
$TTL 300        ; 5 minutes
kill-virus      A       10.22.1.61
                TXT     "3156e87eb0180675cfb5e3e8ad026e78b3"
$TTL 36000      ; 10 hours
slack9          A       10.22.1.123
www             CNAME   slack9
The format of the zone file has changed markedly from before the update, which shows that it has been rewritten. Note also that a TXT record with the same owner name has been added beside the record of the dynamically updated client kill-virus. TXT records of this kind are auxiliary resource records that BIND and DHCP use specifically to implement DDNS; their value is a hash string, and the same string can also be found in the lease file /var/state/dhcp/dhcpd.leases.
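The dumped zone file is what an administrator reviews after the tests above, so it helps to have a script that answers the two questions those tests raise: which names were registered by DHCP (an A record with the companion TXT hash beside it), and whether the forward and reverse zones still agree after a client has released and renewed its lease. The following is an added example and not code from the article or from ISC. FWD_ZONE is a constructed copy of the article's /var/named/tcbuu.cn dump; REV_ZONE is a constructed reverse zone, since the article does not show one, in which the PTR for 10.22.1.69 is deliberately left over from the client's first lease and dellpc deliberately has no PTR.

```shell
#!/bin/sh
# Added example, not from the original article: audit forward and reverse zone
# files after dynamic updates. zone_records flattens a BIND zone file ($ORIGIN,
# inherited owner names, the multi-line SOA) into "fqdn TYPE rdata" lines;
# ddns_registered lists names DHCP registered (A plus companion TXT);
# ptr_audit reports A records without a matching PTR and stale PTRs.
# FWD_ZONE copies the article's dump; REV_ZONE is constructed, with a stale
# PTR for 10.22.1.69 and no PTR for dellpc, to show both failure modes.

FWD_ZONE='$ORIGIN .
$TTL 36000      ; 10 hours
tcbuu.cn        IN SOA  slack9.tcbuu.cn. root.slack9.tcbuu.cn. (
                        2004011402 ; serial
                        3600       ; refresh (1 hour)
                        1800       ; retry (30 minutes)
                        36000      ; expire (10 hours)
                        36000      ; minimum (10 hours)
                        )
                NS      slack9.tcbuu.cn.
$ORIGIN tcbuu.cn.
dellpc          A       10.22.1.100
ftp             CNAME   slack9
$TTL 300        ; 5 minutes
kill-virus      A       10.22.1.61
                TXT     "3156e87eb0180675cfb5e3e8ad026e78b3"
$TTL 36000      ; 10 hours
slack9          A       10.22.1.123
www             CNAME   slack9'

REV_ZONE='$ORIGIN 1.22.10.in-addr.arpa.
$TTL 36000
123             PTR     slack9.tcbuu.cn.
69              PTR     kill-virus.tcbuu.cn.
61              PTR     kill-virus.tcbuu.cn.
                TXT     "3156e87eb0180675cfb5e3e8ad026e78b3"'

# zone_records FILE -> "fqdn TYPE rdata" per record (SOA omitted)
zone_records() {
    awk '
        { sub(/;.*/, "") }                    # strip comments
        NF == 0 { next }
        $1 == "$ORIGIN" { origin = $2; next }
        $1 == "$TTL" { next }
        inparen { if ($0 ~ /\)/) inparen = 0; next }   # remainder of "( ... )" SOA
        {
            if ($0 ~ /^[ \t]/) $0 = owner " " $0; else owner = $1   # blank owner = previous
            if ($1 == "@") $1 = origin
            i = 2
            while (i <= NF && ($i ~ /^[0-9]+$/ || toupper($i) == "IN")) i++   # skip TTL/class
            type = toupper($i); rdata = ""
            for (j = i + 1; j <= NF; j++) rdata = rdata (j > i + 1 ? " " : "") $j
            gsub(/"/, "", rdata)
            if (type == "SOA") { if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1; next }
            name = $1
            if (name !~ /\.$/) name = (origin == ".") ? name "." : name "." origin
            print name, type, rdata
        }' "$1"
}

# ddns_registered FWD -> "fqdn address" for names carrying the DHCP companion TXT record
ddns_registered() {
    zone_records "$1" | awk '
        $2 == "A"   { a[$1] = $3 }
        $2 == "TXT" { t[$1] = 1 }
        END { for (n in a) if (n in t) print n, a[n] }' | sort
}

# ptr_audit FWD REV -> one line per inconsistency between A and PTR records
ptr_audit() {
    { zone_records "$2" | awk '$2 == "PTR" { print "PTR", $1, $3 }'
      zone_records "$1" | awk '$2 == "A"   { print "A", $1, $3 }'; } | awk '
        function rev(ip,  o) { split(ip, o, "."); return o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa." }
        $1 == "PTR" { ptr[$2] = $3; next }
        $1 == "A"   { a[$2] = $3; r = rev($3)
                      if (!(r in ptr) || ptr[r] != $2) print "no PTR for " $2 " (" $3 ")" }
        END { for (r in ptr)
                  if (!(ptr[r] in a) || rev(a[ptr[r]]) != r) print "stale PTR " r " -> " ptr[r] }' | sort
}

# Demo on the constructed zones; real use: pass /var/named/tcbuu.cn and /var/named/tcbuu.cn.arpa
fz=$(mktemp); rz=$(mktemp)
printf '%s\n' "$FWD_ZONE" > "$fz"; printf '%s\n' "$REV_ZONE" > "$rz"
echo "== names registered by DHCP =="; ddns_registered "$fz"
echo "== forward/reverse inconsistencies =="; ptr_audit "$fz" "$rz"
rm -f "$fz" "$rz"
```

Run it against the text zone files only after named has flushed the .jnl journals, otherwise the most recent updates are not yet visible in the files being compared.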
In summary, implementing secure DDNS through DHCP in Linux takes three steps: first, create a key for secure dynamic updates; second, modify the DNS master configuration file /etc/named.conf to define the dynamic update key and the zones that may be updated dynamically; third, modify the DHCP configuration file /etc/dhcpd.conf to define the key used for dynamic updates and the zones to be updated.