dynamic DNS *NOT* DHCP

Paul Vixie vixie at sa.vix.com
Sun May 30 05:44:23 UTC 2004


/dev/rob0 <rob0 at gmx.co.uk> writes:

> I want to rig up something to do dynamic updates in my BIND 9 server
> for my home IP and a few other possibly dynamic (but mostly static) IP 
> addresses.
> 
> I guess I could set up some sort of key authentication and use
> nsupdate, but I don't want to have a dynamic zone. Maybe a subdomain; 
> could I delegate a sub zone to myself (the same server) and have that 
> one be the dynamic one? I don't see why not.

that's what i do.  vix.com is static, and the zone file is full of comments
and is maintained with cvs and i would not like to see it rewritten by BIND9.
however, reject-all.vix.com is a fully dynamic zone which shares a TSIG key
with my mail servers (who also use it as a private blackhole list.)

> I could also rig something up with wget or a script to ssh in and run
> on the server, but I thought I'd ask and see if anyone has already done 
> this. I'm not getting much out of Google for this.

speaking as the editor and main author of RFC2136, "we've got you covered."

> Suggestions or clue-by-four's will be appreciated. Code would be even 
> better. :)

when my maillog watcher sees a worm go by, it calls the following shell
script with four arguments:

        $1 = source address to be blackholed
        $2 = hostname of mailserver doing the blackholing
        $3 = name of program doing the blackholing
        $4 = reason (tends to be the name of the worm)

this gives me a private blackhole list of all worm-infected Win/XP machines,
about a third of whom will try to send me spam within the following month.
there's another script that removes things after one month, since the whole
thing is currently stored in BIND9's heap ("RAM") and there are about 700K
(seven hundred thousand) at any given time.

--- addhost.sh

#!/bin/sh
# addhost.sh: add one blackhole entry to the dynamic zone (RFC 2136 update).
#   $1      = source address to blackhole
#   $2..$4  = mailserver hostname, program name, reason; all of these end up
#             in a single "reason" TXT record

# reverse the octets so the entry is looked up like a DNSBL (1.2.3.4 -> 4.3.2.1)
node=`echo "$1" | awk -F. '{print $4 "." $3 "." $2 "." $1}'`; shift
zone="reject-all.example.com"
server="ns1.example.com"
ttl="1800"
nsupdate="/usr/local/bin/nsupdate"
keyfile="/var/named/rejectall/Kupdate-rejectall.+123+45678.key"

# build the update on stdin and let nsupdate sign it with the TSIG key.
# the nxdomain prerequisite makes the whole update fail if the name already
# exists, so a repeat sighting never resets the "created" timestamp.
( echo server $server
  echo zone $zone
  echo prereq nxdomain $node.$zone
  echo update add $node.$zone $ttl A 0.0.0.0
  echo update add $node.$zone $ttl TXT created `date +%Y%m%d%H%M%S`
  if [ $# -gt 0 ]; then echo update add $node.$zone $ttl TXT reason "$@"; fi
  echo send ) | $nsupdate -k "$keyfile" /dev/stdin

exit $?

--- named.conf

key update-rejectall {
        algorithm hmac-md5;
        secret "abcdefghijklmnop===";
};

zone "reject-all.example.com" {
        type master;
        file "pri/reject-all.example.com";
        allow-transfer { isc; localhost; };
        allow-query { mynetworks; localhost; };
        allow-update { key update-rejectall; };
};

---

hope this helps.
-- 
Paul Vixie
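The post mentions, but does not show, the companion script that removes entries after a month. The following is an added example of that half of the mechanism (my code, not Paul's and not part of BIND): it pulls the zone with a TSIG-signed AXFR, picks out the "created" TXT records older than 30 days, and feeds nsupdate a batch of "update delete" lines signed with the same key addhost.sh uses. Zone, server and key-file names are copied from the post's example; the sample dig output, the addresses in it (documentation ranges) and the SAMPLE_NOW clock are constructed; the functions dry_run, fetch_zone and send_batch are my own names. dig and nsupdate are only invoked in live mode.

```python
#!/usr/bin/env python3
"""Expire old blackhole entries from a dynamic (RFC 2136) zone.

Added example, not code from the original post or from BIND.  Zone,
server and key-file names are the assumed values used in addhost.sh;
the sample AXFR output below is constructed for a dry run.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

ZONE = "reject-all.example.com"
SERVER = "ns1.example.com"
KEYFILE = "/var/named/rejectall/Kupdate-rejectall.+123+45678.key"
MAX_AGE = timedelta(days=30)
BATCH = 500  # deletes per UPDATE message; keeps each message well under 64 KiB

# addhost.sh writes "TXT created YYYYMMDDHHMMSS"; nsupdate stores the two
# words as two character-strings, which dig prints as "created" "2004...".
CREATED_RE = re.compile(
    r'^(?P<owner>\S+)\s+\d+\s+IN\s+TXT\s+"created"\s+"(?P<ts>\d{14})"'
)

# Constructed dig output (dig -k KEYFILE @SERVER ZONE AXFR +noall +answer).
SAMPLE_AXFR = """\
reject-all.example.com. 1800 IN SOA ns1.example.com. hostmaster.example.com. 2004053001 3600 900 604800 1800
44.2.0.192.reject-all.example.com. 1800 IN A 0.0.0.0
44.2.0.192.reject-all.example.com. 1800 IN TXT "created" "20040401120000"
44.2.0.192.reject-all.example.com. 1800 IN TXT "reason" "mx1" "sendmail" "W32/Sobig"
7.100.51.198.reject-all.example.com. 1800 IN A 0.0.0.0
7.100.51.198.reject-all.example.com. 1800 IN TXT "created" "20040528010203"
"""
SAMPLE_NOW = datetime(2004, 5, 30, 5, 44, 23)  # constructed clock for the dry run


def reverse_ip(addr):
    """1.2.3.4 -> 4.3.2.1, the owner-name layout addhost.sh uses."""
    return ".".join(reversed(addr.split(".")))


def parse_created(axfr_lines):
    """Map owner name (no trailing dot) -> creation time for every entry."""
    created = {}
    for line in axfr_lines:
        m = CREATED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
            created[m.group("owner").rstrip(".")] = ts
    return created


def find_expired(axfr_lines, now, max_age=MAX_AGE):
    """Owner names whose 'created' stamp is older than max_age, sorted."""
    return sorted(o for o, ts in parse_created(axfr_lines).items() if now - ts > max_age)


def build_delete_batch(owners, zone=ZONE, server=SERVER, batch=BATCH):
    """nsupdate stdin text: 'update delete <name>' removes every RR at the
    name; a 'send' every `batch` names keeps a single UPDATE from growing huge."""
    lines = []
    for i, owner in enumerate(owners):
        if i % batch == 0:
            if i:
                lines.append("send")
            lines += [f"server {server}", f"zone {zone}"]
        lines.append(f"update delete {owner}")
    if lines:
        lines.append("send")
    return "\n".join(lines) + "\n" if lines else ""


def dry_run():
    """Batch that would be sent for the constructed sample at SAMPLE_NOW."""
    return build_delete_batch(find_expired(SAMPLE_AXFR.splitlines(), SAMPLE_NOW))


def fetch_zone():
    """TSIG-signed AXFR; the caller must be inside the zone's allow-transfer ACL."""
    cmd = ["dig", "-k", KEYFILE, "@" + SERVER, ZONE, "AXFR", "+noall", "+answer"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()


def send_batch(text):
    """Feed the batch to nsupdate, signed with the same TSIG key as addhost.sh."""
    subprocess.run(["nsupdate", "-k", KEYFILE], input=text, text=True, check=True)


if __name__ == "__main__":
    if "--dry-run" in sys.argv:
        sys.stdout.write(dry_run())
    else:
        # local time, to match the `date` call in addhost.sh that wrote the stamps
        batch_text = build_delete_batch(find_expired(fetch_zone(), datetime.now()))
        if batch_text:
            send_batch(batch_text)
```

Run it with --dry-run to see the batch for the constructed sample (one entry is 58 days old, the other two days, so only the first is deleted). Live mode has to run from a host the zone's allow-transfer list admits (localhost in the posted named.conf), because dig's -k signs the AXFR with the same key and the transfer ACL is still checked. Two notes from my side, not from the post: the hmac-md5 key is what BIND 9 offered in 2004, and today RFC 8945 recommends HMAC-SHA256 (current BIND generates such keys with tsig-keygen -a hmac-sha256); and allow-update hands that key the whole zone, so if the only thing the key should ever do is add and delete A and TXT records, an update-policy grant limited to those types is the tighter choice.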

