On Tue, Sep 8, 2015 at 8:14 AM, Chris Bagnall <pfse...@lists.minotaur.cc>
wrote:

> Would you be willing to share your RFC2136/bind9 config?
>

Here's a copy of my notes:

Dynamic DNS Update
<http://projects/confluence/display/INF/Dynamic+DNS+Update>

   - Created by Vick Khera <http://projects/confluence/display/~khera>,
   last modified on Nov 10, 2014


To support the ever-changing IP address that FiOS issues, dynamic DNS is
configured under the domain dyn.khera.org to work with RFC2136 clients.
The pfSense firewall is able to function as such a client, and to use these
dynamic host names within firewall rules to permit the client to move IP
yet still retain services via the firewall.

Initial Configuration

This configuration is based on that from
http://www.shakabuku.org/writing/dyndns.html and
https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS.


*named.conf zone file additions*

 1  include "../dyn-keys.conf";
 2  zone "dyn.khera.org" {
 3      type master;
 4      file "../dynamic/dyn.khera.org";
 5      update-policy {
 6          grant *.dyn.khera.org. self dyn.khera.org. A AAAA;
 7          grant dyn-control zonesub ANY;
 8      };
 9  };

This defines the dynamic zone, which will be periodically written to the
dynamic/dyn.khera.org zone file. Line 1 includes by reference the list of
keys we will allow to update the zone. Line 6 permits keys of the name
format *.dyn.khera.org to update entries of that name only. That is, the
foobar.dyn.khera.org key is only permitted to update A and AAAA records for
the domain name foobar.dyn.khera.org and nothing else. The line 7
permissions allow our master control key to update any record in this
zone. Also, in the khera.org zone, an entry "dyn.khera.org NS
kci.kcilink.com" was created to send all requests for the dynamic zone to
the primary server.

The key for "dyn-control" is generated using this command:

ddns-confgen -k dyn-control

The resulting key is then copied to the top of the dyn-keys.conf file and to
the dyn-control.key file for use with the nsupdate command.

Create an empty zone file dyn.khera.org and run rndc reload to load the new
configuration.

Manual Zone Manipulation

Manual control of the zone is done via the nsupdate command. From time to
time, bind will write the dynamic/dyn.khera.org file with the current set
of entries. Between those writes, a journal file is kept to avoid losing
updates.
*Adding an Entry*

# nsupdate -k dyn-control.key
> server localhost
> update add test.dyn.khera.org 60 a 192.168.1.10
> send

*Delete an Entry*

# nsupdate -k dyn-control.key
> server localhost
> update delete test.dyn.khera.org a
> send

Adding Client

To add a client, newhost.dyn.khera.org, first create a key:

ddns-confgen -k newhost.dyn.khera.org -a hmac-md5

Copy the key into the dyn-keys.conf file and execute rndc reload to load
the new key into memory.

The client will then use the following settings:

   - Server: kci.kcilink.com
   - Hostname: newhost.dyn.khera.org
   - Key name: newhost.dyn.khera.org
   - Key: hmac key just generated
   - Key Type: host
   - TTL: 60

The configuration will permit the use of the key name newhost.dyn.khera.org
to *only* update the A and AAAA records for the domain name
newhost.dyn.khera.org. Any other updates using that key will be denied.
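As an added example (not part of the original post, and not BIND's own code), the following Python models the two grant lines from the named.conf snippet above so the "a per-host key may only touch its own A/AAAA records" property can be checked offline before a key is handed to a client. The zone and key names are the post's; the sample requests are constructed, and the wildcard-identity matching (a leading "*" label standing for one or more labels) is an assumption of this model rather than a statement about BIND internals.

```python
"""Model of the update-policy from the named.conf snippet in the post.

Mirrors these two grant statements as data:

    grant *.dyn.khera.org. self dyn.khera.org. A AAAA;
    grant dyn-control zonesub ANY;

Rules are tried in order; the first rule whose identity, name and type all
match decides, and a request matching no rule is refused.
"""

ZONE = "dyn.khera.org."

# Policy as data.  Both rules in the post are "grant" rules, so a match means
# "allowed".  "types" is a set of RR types, or {"ANY"} for no restriction.
POLICY = [
    {"match": "self", "identity": "*.dyn.khera.org.", "types": {"A", "AAAA"}},
    {"match": "zonesub", "identity": "dyn-control.", "types": {"ANY"}},
]


def canon(name):
    """Lower-case, fully qualified form: 'Foo.dyn.khera.org' -> 'foo.dyn.khera.org.'."""
    return name.strip().lower().rstrip(".") + "."


def in_zone(name, zone=ZONE):
    """True if name is the zone apex or lies below it."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def identity_matches(pattern, key_name):
    """Match the TSIG key name against a rule's identity field.
    Assumption: a leading '*.' label stands for one or more labels."""
    pattern, key_name = canon(pattern), canon(key_name)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".dyn.khera.org."
        return key_name.endswith(suffix) and len(key_name) > len(suffix)
    return pattern == key_name


def allowed(key_name, target, rrtype):
    """Would an UPDATE signed with `key_name`, touching `rrtype` records at
    `target`, be accepted for ZONE under POLICY?"""
    target, rrtype = canon(target), rrtype.upper()
    if not in_zone(target):  # an update outside the zone is never valid
        return False
    for rule in POLICY:
        if not identity_matches(rule["identity"], key_name):
            continue
        if rule["match"] == "self":
            # "self": the name being updated must equal the key name itself
            if canon(key_name) != target:
                continue
        elif rule["match"] != "zonesub":
            raise ValueError("unsupported match type: " + rule["match"])
        # "zonesub": any name inside the zone, which in_zone already checked
        if "ANY" in rule["types"] or rrtype in rule["types"]:
            return True
    return False


def evaluate(requests):
    """Evaluate (key, target, rrtype) triples; returns [(triple, verdict), ...]."""
    return [(req, allowed(*req)) for req in requests]


if __name__ == "__main__":
    # Constructed sample requests: a per-host key behaving, the same key
    # straying onto another type or another name, and the control key.
    SAMPLE = [
        ("foobar.dyn.khera.org", "foobar.dyn.khera.org", "A"),
        ("foobar.dyn.khera.org", "foobar.dyn.khera.org", "AAAA"),
        ("foobar.dyn.khera.org", "foobar.dyn.khera.org", "TXT"),
        ("foobar.dyn.khera.org", "other.dyn.khera.org", "A"),
        ("dyn-control", "test.dyn.khera.org", "A"),
        ("dyn-control", "dyn.khera.org", "NS"),
        ("dyn-control", "www.khera.org", "A"),
    ]
    for (key, target, rrtype), ok in evaluate(SAMPLE):
        print(f"{'GRANT' if ok else 'DENY ':5} key={key:24} {target:24} {rrtype}")
```

Running it lists one verdict per sample request; the useful property to confirm is that the foobar key is refused for TXT records and for any name other than its own, while dyn-control is accepted anywhere inside dyn.khera.org and nowhere outside it.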
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list