DNAME usage?

Jeff Sadowski jeff.sadowski at gmail.com
Sat Nov 18 03:53:57 UTC 2017


On Fri, Nov 17, 2017 at 2:36 PM, Timothe Litt <litt at acm.org> wrote:
>
> On 17-Nov-17 14:48, Mark Andrews wrote:
>
> Alternatively use a http server that can update the records for the
> interfaces it is listening on.
>
> This sort of thing is possible. Named gets informed by the OS when addresses
> get added and removed. It currently just adds and removes listening sockets
> but you could trigger other actions like sending dynamic dns updates.
>
> Unless you ask for the functionality it won’t be added.
>
>
> --
> Mark Andrews
>
> On 18 Nov 2017, at 06:38, Mark Andrews <marka at isc.org> wrote:
>
> Just have the machine hosting the http server do a dynamic update of the A
> and AAAA records when they are assigned to the interface.
>
> It should be possible to get the os to run a program when this happens so it
> can perform a second dynamic update on the different name.
>
> --
> Mark Andrews
>
> We don't have the whole story from the OP, but in the typical configuration
> that prompts this question, neither will solve the problem.  The problem is
> that the dhcp client and http server are likely not the same machine.
>
You are correct sir. :-)

> If you have a dynamic IP(v4) address & want to update DNS for a server, it's
> probably NATed (by a router) before the HTTP server sees it.
>
All clients accessing the web server are also in the nat so this
shouldn't matter

> The HTTP server always listens on the inside NAT address.  So it won't see
> an address change on its interface.
>
No, it sees a change when rebooted. The other issue is when it is
cloned and renamed: it is then two different machines, which currently
have it autogen a new zone and DNAME with the Windows 2008r2 method.

> The router implementing NAT is what will get the dynamic address, from an
> ISP.  If it's a sealed box, it probably has support for updating DNS -
> though it's typically the dyndns protocol, not DNS update.  (Assuming the
> ISP hasn't disabled the feature.)  This is what dyndns, NO-IP, & others use.
> If you can modify the URL that it uses, you can point it to your own script,
> which then does a DNS UPDATE transaction.  I use this approach with Cisco
> IOS routers - though many others allow this - and still others can be fooled
> (e.g. with a HOSTS entry for one of the update servers).  What's nice about
> this is that you don't have to jailbreak or modify anything.  Just pretend
> to be an update service.
>
> If you're using a jailbroken or other Linux router, and it happens to be the
> same physical machine as HTTP server, it could look for routing updates on
> the external interface.  I don't think this is a common case (except for
> jailbroken routers - like OpenWRT).
>
> Most often, the HTTP server is on a separate machine and LAN - it can't see
> the external interface that gets the dynamic address.
>
> When the router won't notify someone about address changes, the usual
> solution is for something behind the NAT to poll an external public server
> for your IP address, then use the result to initiate a DNS UPDATE.  (e.g. A
> local script asks the external server to return the IP address that
> contacted it. (REMOTE_ADDR))  There are a bunch of services and scripts for
> this.  Most of the scripts update a DNS provider with the dyndns protocol
> (others use it).  The nicer "what's my IP address" scripts return json.  But
> changing them to do DNS UPDATE is pretty simple - See Net::DNS if you're a
> Perl person.
>
> If you have more than one site - or a friend - and prefer to be independent,
> you can easily write your own CGI scripts to return the other's IP address.
> printf 'Content-Type: text/plain\r\nConnection: close\r\n\r\n%s\n' "$REMOTE_ADDR"; exit
> (If your friend doesn't have a static IP address, beware of deadlocks.)
>
> If you have access to the DHCP client's status (e.g. a leases file or some
> GUI or CLI on the router), you can sometimes get the external address from
> there.
>
> A web search for "dynamic IP update script" will turn up lots of resources -
> scripts & services.
>
> A drawback with polling solutions is that they're not instantaneous - you
> get the polling delay on top of whatever minimum TTL the DNS service
> imposes.  (And there are limits on how fast you can - or would want to -
> poll.)  That's fine for home hobbyists - especially since dynamic IP
> addresses are often stable for a VERY long time.  But I would be careful
> about running a business or other critical server where DNS updates lag
> address changes.
>
> So get a router that talks some dynamic update protocol and go from there.
> That minimizes the delay, and avoids having to retrieve your public address
> from an external source.
>
> https://help.dyn.com/remote-access-api/perform-update/ defines the dyndns
> update protocol - writing a server is straightforward.
>
> Of course if you have IPv6 - and are getting a dynamic address - you don't
> have to deal with NAT.  In that case, you can certainly have dhclient or
> RTNETLINK (see ip monitor) trigger a script.
>
> But note that in the problem statement is:
>
> the super domain is managed by an outside service.
>
> This probably makes the OP's life more difficult.  Those services tend not
> to support DNS UPDATE (or even dyndns update).  In that case, you're into
> using curl/wget to submit forms to their web GUI.   And tracking their
> "improvements".
>
> Grief like that is why I ended up running my own DNS master server...and
> getting static IP addresses for my central site.
>
> I guess I should point out that the ISP that is providing the dynamic IP
> address may consider running a server as a violation of their Terms of
> Service, even if they don't block the port(s) that you want to use.
>
>
> On 18 Nov 2017, at 04:19, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> I am a bit confused by DNAME's
> I had used them before but I may have used them wrong.
>
> On windows 2008r2 I have some zones where I create a DNAME for the
> root and point it to an A record.
>
> IE:
>
> zone bla.bla
> SOA <standard SOA>
> NS <mydns>
> DNAME www.bla.com
>
> where www.bla.com is an A record.
>
> the reason I was doing this is because www.bla.com has a dhcp assigned
> address
>
> and I want bla.bla to always point to it.
> windows dns does not allow a cname at the root of a zone.
>
> as of 2012r2 with updates this no longer works.
>
> So I decided to see what bind would do with DNAME If I tried a similar
> experiment
> I have a db.self file I used when I want certain outside addresses to
> point back to my inside addresses.
>
> my db.self file looks like so
>
>
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>                             2017081201 ; serial
>                             3H ;         refresh
>                             15 ;         retry
>                             1w ;         expire
>                             3h ;         negative-cache TTL
>                            )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN A 192.168.1.252
>
> And I want similar for my DNAME so I created db.dname that looks like so
>
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>                             2017081201 ; serial
>                             3H ;         refresh
>                             15 ;         retry
>                             1w ;         expire
>                             3h ;         negative-cache TTL
>                            )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN DNAME methanemaker.mooo.com
>
> then when I try and start bind I get error messages like so
>
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
> 'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
> due to errors.
>
> I tried without the NS lines and I get this message
>
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
> due to errors.
>
> If anyone has a better idea how to map to a dhcp addressed machine
> from a zone I'd like to know?
>
> I don't want to recreate the entire superdomain for just one record
> that needs changed
> IE:
> the super domain is managed by an outside service. I don't want to
> keep a second copy inside that has a few with different records.
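The thread suggests pointing a router's dyndns update URL at a script of your own that then performs a DNS UPDATE. As an added example (not code from the thread or any of its authors): a minimal handler for that dyndns-style request which authenticates the client, only allows an explicit list of names to be changed, refuses to publish private or link-local addresses a NATed router might report, and emits an nsupdate script meant to be piped into `nsupdate -k` with a TSIG key. The zone, hostnames, credentials and addresses are constructed.

```python
import hmac
import ipaddress
from urllib.parse import parse_qs

# Constructed configuration for this example (assumptions, not taken from the thread).
ZONE = "example.org."                           # zone served by the local BIND master
ALLOWED_HOSTS = {"www.example.org."}            # the only names a client may update
CREDENTIALS = {"router": "constructed-secret"}  # Basic-auth user configured on the router
DNS_SERVER, TTL = "127.0.0.1", 60
_last_seen = {}                                 # hostname -> address last published
# Ranges a NATed or misconfigured router may report as "myip" but which must never be published.
_NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def _pick_address(myip, remote_addr):
    # Prefer the client's myip hint, else REMOTE_ADDR; skip unparsable or non-public values.
    for candidate in (myip, remote_addr):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not any(ip in net for net in _NOT_PUBLIC):
            return ip
    return None

def handle_update(user, password, query, remote_addr):
    """dyndns-style /nic/update handler -> (status, nsupdate_script).
    Status words follow the dyn API (good, nochg, badauth, nohost, notfqdn, 911);
    pipe the script into `nsupdate -k <tsig-key-file>` so the UPDATE is TSIG-signed."""
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), (password or "").encode()):
        return "badauth", ""                    # authenticate before parsing anything else
    params = parse_qs(query)
    hostname = params.get("hostname", [""])[0].strip().lower().rstrip(".") + "."
    if hostname.count(".") < 3:                 # need at least host.domain.tld.
        return "notfqdn", ""
    if hostname not in ALLOWED_HOSTS:           # no rewriting the apex, ns, or other hosts
        return "nohost", ""
    ip = _pick_address(params.get("myip", [""])[0], remote_addr)
    if ip is None:
        return "911", ""                        # nothing publishable; reported as a server error
    if _last_seen.get(hostname) == str(ip):     # unchanged: send no UPDATE at all
        return f"nochg {ip}", ""
    rtype = "A" if ip.version == 4 else "AAAA"
    script = (f"server {DNS_SERVER}\nzone {ZONE}\n"
              f"update delete {hostname} {rtype}\n"
              f"update add {hostname} {TTL} {rtype} {ip}\nsend\n")
    _last_seen[hostname] = str(ip)
    return f"good {ip}", script
```

The CGI wrapper around it would read `REMOTE_USER`/the Basic-auth header, `QUERY_STRING` and `REMOTE_ADDR` from the environment, write the returned status to the client, and run the script through nsupdate only on a `good` result.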

