DNAME usage?

Timothe Litt litt at acm.org
Fri Nov 17 21:36:01 UTC 2017


On 17-Nov-17 14:48, Mark Andrews wrote:
> Alternatively use a http server that can update the records for the interfaces it is listening on. 
>
> This sort of thing is possible. Named gets informed by the OS when addresses get added and removed. It currently just adds and removes listening sockets but you could trigger other actions like sending dynamic dns updates.
>
> Unless you ask for the functionality it won’t be added.
>
>
> --
> Mark Andrews
>
>> On 18 Nov 2017, at 06:38, Mark Andrews <marka at isc.org> wrote:
>>
>> Just have the machine hosting the http server do a dynamic update of the A and AAAA records when they are assigned to the interface.
>>
>> It should be possible to get the os to run a program when this happens so it can perform a second dynamic update on the different name.
>>
>> -- 
>> Mark Andrews

We don't have the whole story from the OP, but in the typical
configuration that prompts this question, neither will solve the
problem.  The problem is that the dhcp client and http server are likely
not the same machine.

If you have a dynamic IP(v4) address & want to update DNS for a server,
it's probably NATed (by a router) before the HTTP server sees it.

The HTTP server always listens on the inside NAT address.  So it won't
see an address change on its interface.

The router implementing NAT is what will get the dynamic address, from
an ISP.  If it's a sealed box, it probably has support for updating DNS
- though it's typically the dyndns protocol, not DNS update.  (Assuming
the ISP hasn't disabled the feature.)  This is what dyndns, NO-IP, &
others use.  If you can modify the URL that it uses, you can point it to
your own script, which then does a DNS UPDATE transaction.  I use this
approach with Cisco IOS routers - though many others allow this - and
still others can be fooled (e.g. with a HOSTS entry for one of the
update servers).  What's nice about this is that you don't have to
jailbreak or modify anything.  Just pretend to be an update service. 

If you're using a jailbroken or other Linux router, and it happens to be
the same physical machine as HTTP server, it could look for routing
updates on the external interface.  I don't think this is a common case
(except for jailbroken routers - like OpenWRT).

Most often, the HTTP server is on a separate machine and LAN - it can't
see the external interface that gets the dynamic address.

When the router won't notify someone about address changes, the usual
solution is for something behind the NAT to poll an external public
server for your IP address, then use the result to initiate a DNS
UPDATE.  (e.g. A local script asks the external server to return the IP
address that contacted it. (REMOTE_ADDR))  There are a bunch of services
and scripts for this.  Most of the scripts update a DNS provider with
the dyndns protocol (others use it).  The nicer "what's my IP address"
scripts return json.  But changing them to do DNS UPDATE is pretty
simple - See Net::DNS if you're a Perl person.

If you have more than one site - or a friend - and prefer to be
independent, you can easily write your own CGI scripts to return the
other's IP address.
echo "Content-Type: text/plain\nConnection:close\n\n$REMOTE_ADDR\n"; exit
(If your friend doesn't have a static IP address, beware of deadlocks.)

If you have access to the DHCP client's status (e.g. a leases file or
some GUI or CLI on the router), you can sometimes get the external
address from there. 

A web search for "dynamic IP update script" will turn up lots of
resources - scripts & services.

A drawback with polling solutions is that they're not instantaneous -
you get the polling delay on top of whatever minimum TTL the DNS service
imposes.  (And there are limits on how fast you can - or would want to -
poll.)  That's fine for home hobbyists - especially since dynamic IP
addresses are often stable for a VERY long time.  But I would be careful
about running a business or other critical server where DNS updates lag
address changes.

So get a router that talks some dynamic update protocol and go from
there.  That minimizes the delay, and avoids having to retrieve your
public address from an external source.

https://help.dyn.com/remote-access-api/perform-update/ defines the
dyndns update protocol - writing a server is straightforward.

Of course if you have IPv6 - and are getting a dynamic address - you
don't have to deal with NAT.  In that case, you can certainly have
dhclient or RTNETLINK (see ip monitor) trigger a script.  

But note that the problem statement says:
> the super domain is managed by an outside service. 
This probably makes the OP's life more difficult.  Those services tend
not to support DNS UPDATE (or even dyndns update).  In that case, you're
into using curl/wget to submit forms to their web GUI.  And tracking their
"improvements".

Grief like that is why I ended up running my own DNS master server...and
getting static IP addresses for my central site. 

I guess I should point out that the ISP that is providing the dynamic IP
address may consider running a server as a violation of their Terms of
Service, even if they don't block the port(s) that you want to use. 


>>> On 18 Nov 2017, at 04:19, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>
>>> I am a bit confused by DNAMEs.
>>> I had used them before but I may have used them wrong.
>>>
>>> On Windows 2008r2 I have some zones where I create a DNAME for the
>>> root and point it to an A record.
>>>
>>> i.e.:
>>>
>>> zone bla.bla
>>> SOA <standard SOA>
>>> NS <mydns>
>>> DNAME www.bla.com
>>>
>>> where www.bla.com is an A record.
>>>
>>> The reason I was doing this is because www.bla.com has a DHCP-assigned address
>>>
>>> and I want bla.bla to always point to it.
>>> Windows DNS does not allow a CNAME at the root of a zone.
>>>
>>> As of 2012r2 with updates this no longer works.
>>>
>>> So I decided to see what bind would do with DNAME if I tried a similar
>>> experiment.
>>> I have a db.self file I use when I want certain outside addresses to
>>> point back to my inside addresses.
>>>
>>> My db.self file looks like so:
>>>
>>>
>>> $TTL 3D
>>> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>>>                             2017081201 ;
>>>                             3H ;
>>>                             15 ;
>>>                             1w ;
>>>                             3h ;
>>>                            )
>>> @ IN NS ns
>>> ns IN A 192.168.1.252
>>> @ IN A 192.168.1.252
>>>
>>> And I want similar for my DNAME, so I created db.dname that looks like so:
>>>
>>> $TTL 3D
>>> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>>>                             2017081201 ;
>>>                             3H ;
>>>                             15 ;
>>>                             1w ;
>>>                             3h ;
>>>                            )
>>> @ IN NS ns
>>> ns IN A 192.168.1.252
>>> @ IN DNAME methanemaker.mooo.com
>>>
>>> Then when I try and start bind I get error messages like so:
>>>
>>> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
>>> 'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
>>> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
>>> due to errors.
>>>
>>> I tried without the NS lines and I get this message:
>>>
>>> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
>>> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
>>> due to errors.
>>>
>>> If anyone has a better idea how to map to a DHCP-addressed machine
>>> from a zone, I'd like to know.
>>>
>>> I don't want to recreate the entire superdomain for just one record
>>> that needs to be changed,
>>> i.e.:
>>> the super domain is managed by an outside service. I don't want to
>>> keep a second copy inside that has a few different records.

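As an added example (not from this thread, and not Dyn's or ISC's code), here is a minimal stdlib Python handler for the dyndns update protocol (GET /nic/update?hostname=...&myip=...) that the reply above suggests writing a server for, so a NAT router's built-in dynamic DNS client can be pointed at it. It checks the router's Basic credentials in constant time, validates the hostname and the address, and hands off to a caller-supplied DNS UPDATE routine only when the address actually changes; the account, the hostname, and the do_dns_update callable are assumptions.

```python
import base64
import hmac
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed account and host table (assumptions, not from the thread); store real ones securely.
ACCOUNTS = {"router": "constructed-secret"}
HOSTS = {"www.example.net": None}  # hostname -> last address pushed into DNS
NOT_PUBLIC = [ipaddress.ip_network(n) for n in  # can never be the public side of a NAT
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def check_basic_auth(b64_credentials):
    """Constant-time check of a base64 'user:password' (HTTP Basic) against ACCOUNTS."""
    try:
        user, _, password = base64.b64decode(b64_credentials).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = ACCOUNTS.get(user, "").encode()  # unknown users still get a full compare
    return hmac.compare_digest(password.encode(), expected) and bool(expected)

def handle_update(method, target, headers, remote_addr, do_dns_update):
    """Handle one dyndns-protocol request (GET /nic/update?hostname=H[&myip=IP]) and return
    its response line; do_dns_update(hostname, ip) does the DNS UPDATE and runs only on a change."""
    url = urlsplit(target)
    if method != "GET" or url.path != "/nic/update":
        return "badagent"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic ") or not check_basic_auth(auth[6:]):
        return "badauth"
    query = parse_qs(url.query)
    hostname = query.get("hostname", [""])[0].strip().lower().rstrip(".")
    if "." not in hostname:
        return "notfqdn"
    if hostname not in HOSTS:
        return "nohost"
    # The router is the NAT box, so its source address is the public one unless it says otherwise.
    try:
        ip = ipaddress.ip_address(query.get("myip", [remote_addr])[0])
    except ValueError:
        return "911"
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in NOT_PUBLIC):
        return "911"
    if HOSTS[hostname] == str(ip):
        return f"nochg {ip}"
    try:
        do_dns_update(hostname, str(ip))
    except Exception:
        return "dnserr"
    HOSTS[hostname] = str(ip)
    return f"good {ip}"
```

Serve it over HTTPS with a per-router account, and keep the DNS UPDATE routine limited by a TSIG key that the master only allows to touch that one name.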