
Topic: RFC2136 Server Setup How-to


jimp (Administrator)
RFC2136 Server Setup How-to
« on: June 27, 2013, 08:43:39 pm »
I just added a how-to on the wiki for setting up an RFC2136 server in BIND:

http://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS

It's actually pretty easy/straightforward and works pretty well for me on over two dozen hosts so far.

I also plan on working on some improvements to the RFC2136 GUI as time allows.
« Last Edit: July 02, 2013, 03:59:28 pm by jimp »
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

NOYB
Re: RFC2136 Server Setup How-to
« Reply #1 on: June 28, 2013, 01:09:27 am »
 
What great timing.  Just set this up this afternoon using instructions found on internet; http://www.shakabuku.org/writing/dyndns.html (TSIG Signed Updates section).
 
A few variations from what you have here.  Also on a chroot installation of BIND 9 so a few path and permissions differences.
 
Would be interested in the significance of the differences.
update-policy { grant *.dyn.example.com. self dyn.example.com. A AAAA; };
 vs.
allow-update { key home-dns.shakabuku.org.; };

/usr/sbin/dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST  myhost.dyn.example.com.
Kmyhost.dyn.example.com.+157+32768
 vs.
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST home-dns.shakabuku.org.

« Last Edit: June 28, 2013, 10:51:03 am by NOYB »

jimp (Administrator)
Re: RFC2136 Server Setup How-to
« Reply #2 on: June 28, 2013, 06:54:29 am »
That tutorial is one of a few I drew on for information. I fished around for info from a number of places since several of them didn't agree and in some cases nobody mentioned important information (such as what the zone file should contain) or it wasn't suited for what I wanted to do.

The update-policy vs allow-update differences are just a matter of preference and what you want to do. In my example I wanted to set it up to allow a _lot_ of hosts to update themselves, rather than a single one, and I wanted to restrict them to only updating their A and AAAA records (RFC2136 does support IPv6 and it works fine, btw :-)

The keygen line you have is equivalent; the only difference there is the -K, which makes it output to the given directory instead of the current directory. My syntax there has a focus on scripting.
« Last Edit: July 02, 2013, 03:59:36 pm by jimp »
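The difference jimp describes between `allow-update` and `update-policy ... self` is an authorisation boundary, and it is easiest to see by modelling it. The following is an added example written for this thread, not BIND's code and not from either poster: a small evaluator that answers "may an UPDATE signed with key KEY change record NAME of type RTYPE?" under the two fragments NOYB quoted. The `self` semantics follow the BIND ARM (the grant matches when the key name equals the name being updated, and the identity may be a wildcard); the wildcard matcher is an assumed simplification (any name strictly below the wildcard's parent), and the `PROBES` list is constructed.

```python
"""Model of the two BIND authorisation styles compared in the replies above.

Added example for this thread, not BIND's own code.  It answers "may an
UPDATE signed with TSIG key KEY change record NAME of type RTYPE?" under the
two named.conf fragments quoted in reply #1:

    allow-update  { key home-dns.shakabuku.org.; };
    update-policy { grant *.dyn.example.com. self dyn.example.com. A AAAA; };

'self' follows the BIND ARM: the grant matches when the key name equals the
name being updated, and the identity may be a wildcard.  The wildcard matcher
is a simplification (assumed: any name strictly below the wildcard's parent).
"""


def fqdn(name):
    """Canonical form for comparisons: lower-case, exactly one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def identity_matches(pattern, key_name):
    """'*' matches any key, '*.parent' any key below parent, anything else is exact."""
    pattern, key_name = fqdn(pattern), fqdn(key_name)
    if pattern == "*.":
        return True
    if pattern.startswith("*."):
        return key_name.endswith("." + pattern[2:])
    return pattern == key_name


def allow_update(keys):
    """allow-update { key K; }: any listed key may change ANY name and type in the zone."""
    allowed = {fqdn(k) for k in keys}
    return lambda key_name, target, rtype: fqdn(key_name) in allowed


def update_policy(grants):
    """update-policy { grant IDENTITY self NAME [TYPES...]; }: first matching grant wins."""
    def check(key_name, target, rtype):
        for identity, nametype, _name, types in grants:
            if nametype != "self":
                raise ValueError("only the 'self' nametype is modelled here")
            if (identity_matches(identity, key_name) and fqdn(target) == fqdn(key_name)
                    and (not types or rtype.upper() in {t.upper() for t in types})):
                return True
        return False
    return check


# The two fragments quoted in the thread, as policy objects.
SHAKABUKU = allow_update(["home-dns.shakabuku.org."])
PFSENSE_WIKI = update_policy([("*.dyn.example.com.", "self", "dyn.example.com.", ["A", "AAAA"])])

# What a single leaked host key might try to rewrite in dyn.example.com (constructed probes).
PROBES = [("myhost.dyn.example.com.", "A"), ("myhost.dyn.example.com.", "AAAA"),
          ("myhost.dyn.example.com.", "TXT"), ("other.dyn.example.com.", "A"),
          ("dyn.example.com.", "NS"), ("dyn.example.com.", "MX")]


def blast_radius(policy, key_name, probes=PROBES):
    """The subset of probes the holder of key_name is allowed to rewrite."""
    return [(n, t) for n, t in probes if policy(key_name, n, t)]


if __name__ == "__main__":
    host_key = "myhost.dyn.example.com."
    print("update-policy self:", blast_radius(PFSENSE_WIKI, host_key))
    print("allow-update with the same key:", blast_radius(allow_update([host_key]), host_key))
```

The practical consequence: under `allow-update`, a single key stolen from one dynamic host can rewrite the zone's NS, MX and every other host's address; under the `self` grant the same stolen key can only move that host's own A and AAAA records, which is the limit you want when two dozen hosts each hold their own key.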

NOYB
Re: RFC2136 Server Setup How-to
« Reply #3 on: June 28, 2013, 11:22:25 am »
 
Thanks for the additional explanations.
 
Could the RFC2136 help (http://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS) be added to the Dynamic DNS help table of contents and linked from there (http://doc.pfsense.org/index.php/Dynamic_DNS)?
 
You mentioned doing some work on the RFC2136 GUI.  A closed loop status to determine whether or not the update was successful and retry would be nice.  Does DDNS update return any status?  If not maybe a periodic nslookup or something could be used to determine state of the DNS record.
 
Nice work.  Thanks.
 

jimp (Administrator)
Re: RFC2136 Server Setup How-to
« Reply #4 on: June 28, 2013, 11:52:21 am »
Could the RFC2136 help (http://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS) be added to the Dynamic DNS help table of contents and linked from there (http://doc.pfsense.org/index.php/Dynamic_DNS)?

Done!

You mentioned doing some work on the RFC2136 GUI.  A closed loop status to determine whether or not the update was successful and retry would be nice.  Does DDNS update return any status?  If not maybe a periodic nslookup or something could be used to determine state of the DNS record.

I'm not sure what all I'm going to do, but I do want to bring it closer in-line with what is being done by the main dyndns tab. So probably things like: Option to use a public IP if WAN is private, showing the cached IP/check if it's up-to-date, adding these hostnames to the rebinding/referer check lists, and adding gateway group support.
« Last Edit: July 02, 2013, 03:59:43 pm by jimp »

Gertjan
Re: RFC2136 Server Setup How-to
« Reply #5 on: September 24, 2013, 09:41:24 am »
(better late than never)

Thanks for the DOC / RFC2136_Dynamic_DNS.
Yes, I'm using pfSense as a local "keep the sheep in and the wolves out" wall, and yes, I do have some Linux (sorry) server somewhere on the net. Needless to say, bind (named) is resolving my domains over there.

I already knew that the Services > Dynamic DNS clients > RFC 2136 tab existed, but these 'dyndns' and compatible services are easier to set up.
Knowing that my Linux Debian server has been running rock solid for years now, I said to myself: let's do it.
But ... making things work was less easy - RFC2136 is more like a test for "how well do you know bind?".

Anyway, it works.

It's nice to see that after an update (IP WAN change), the IP is being thrown in my zone:
24-Sep-2013 16:02:10.955 update: client 90.60.98.149#42474: updating zone 'test-domaine.fr/IN': deleting rrset at 'brit.test-domaine.fr' A
24-Sep-2013 16:02:10.956 update: client 90.60.98.149#42474: updating zone 'test-domaine.fr/IN': adding an RR at 'brit.test-domaine.fr' A
brit.test-domaine.fr is my 'dynamic subdomain'.
Right after, bind starts to notify all my slave DNS servers:
24-Sep-2013 16:02:11.019 notify: zone test-domaine.fr/IN: sending notifies (serial 2013092406)
And a couple of seconds after that, they all call in to update their copy of the zone 'test-domaine.fr'.
24-Sep-2013 16:02:11.039 xfer-out: client 213.186.33.199#46628: transfer of 'test-domaine.fr/IN': IXFR started
24-Sep-2013 16:02:11.040 xfer-out: client 213.186.33.199#46628: transfer of 'test-domaine.fr/IN': IXFR ended
24-Sep-2013 16:02:11.854 xfer-out: client 174.37.196.55#23866: transfer of 'test-domaine.fr/IN': IXFR started
24-Sep-2013 16:02:11.854 xfer-out: client 174.37.196.55#23866: transfer of 'test-domaine.fr/IN': IXFR ended

(the code snippets are part of the debug log of bind, running on my Linux server).

A real surprise was the fact that bind rewrites and reformats my zone file!!
My private formatting ... gone.
The A and AAAA of a sub domain changed, so bind actually rebuilds my zone file   :o
It increments the SOA serial in that file - from "2013092405" to "2013092406" thus forcing the slave DNS to make a zone transfer (IXFR).

No more need for those DynDNS, FreeDNS, OpenDNS services ....... I'm going to ditch them soon now.

Btw: I discovered something new: in this special case, bind needs the 'rights' to WRITE into /etc/bind/ - needs the 'rights' to overwrite the concerned zone file. It even keeps some kind of journal-log file in the /etc/bind/ directory.
« Last Edit: September 24, 2013, 11:48:49 am by Gertjan »
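The log excerpt in Gertjan's post is exactly what you want to watch once a zone accepts dynamic updates: who changed which name, and who pulled the zone afterwards. The following is an added example, not part of the post and not BIND code: it parses named's `update`, `notify` and `xfer-out` lines into events and flags two things a zone owner cares about, an update that rewrote a name outside the set of hosts allowed to update themselves, and a zone transfer served to a client that is not one of the known slaves. The first seven `SAMPLE_LOG` lines are copied from the post; the last two are constructed bad lines, and `DYNAMIC_HOSTS` and `KNOWN_SLAVES` are assumed allow-lists for the example.

```python
"""Audit the named log lines quoted in the post above.

Added example, not part of the original post and not BIND code.  Parses the
'update', 'notify' and 'xfer-out' categories into events and reports:
  * a dynamic update that touched a name outside DYNAMIC_HOSTS
  * an AXFR/IXFR served to a client not in KNOWN_SLAVES
SAMPLE_LOG: seven lines from the post plus two constructed bad lines.
"""
import re
from collections import Counter

STAMP = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
PATTERNS = {
    "update": re.compile(STAMP + r"update: client (?P<client>[0-9a-fA-F.:]+)#\d+: updating zone "
                         r"'(?P<zone>[^/]+)/IN': (?P<action>deleting rrset at|adding an RR at) "
                         r"'(?P<name>[^']+)' (?P<rtype>\w+)"),
    "notify": re.compile(STAMP + r"notify: zone (?P<zone>[^/]+)/IN: sending notifies "
                         r"\(serial (?P<serial>\d+)\)"),
    "xfer": re.compile(STAMP + r"xfer-out: client (?P<client>[0-9a-fA-F.:]+)#\d+: transfer of "
                       r"'(?P<zone>[^/]+)/IN': (?P<kind>[AI]XFR) (?P<state>started|ended)"),
}

SAMPLE_LOG = """\
24-Sep-2013 16:02:10.955 update: client 90.60.98.149#42474: updating zone 'test-domaine.fr/IN': deleting rrset at 'brit.test-domaine.fr' A
24-Sep-2013 16:02:10.956 update: client 90.60.98.149#42474: updating zone 'test-domaine.fr/IN': adding an RR at 'brit.test-domaine.fr' A
24-Sep-2013 16:02:11.019 notify: zone test-domaine.fr/IN: sending notifies (serial 2013092406)
24-Sep-2013 16:02:11.039 xfer-out: client 213.186.33.199#46628: transfer of 'test-domaine.fr/IN': IXFR started
24-Sep-2013 16:02:11.040 xfer-out: client 213.186.33.199#46628: transfer of 'test-domaine.fr/IN': IXFR ended
24-Sep-2013 16:02:11.854 xfer-out: client 174.37.196.55#23866: transfer of 'test-domaine.fr/IN': IXFR started
24-Sep-2013 16:02:11.854 xfer-out: client 174.37.196.55#23866: transfer of 'test-domaine.fr/IN': IXFR ended
24-Sep-2013 16:05:00.000 update: client 90.60.98.149#42474: updating zone 'test-domaine.fr/IN': adding an RR at 'www.test-domaine.fr' MX
24-Sep-2013 16:05:01.000 xfer-out: client 198.51.100.7#5150: transfer of 'test-domaine.fr/IN': AXFR started
"""  # the last two lines are constructed for the example, not from the post

DYNAMIC_HOSTS = {"brit.test-domaine.fr"}                # names allowed to update themselves (assumed)
KNOWN_SLAVES = {"213.186.33.199", "174.37.196.55"}     # the two servers that pulled IXFR above (assumed)


def parse(log_text):
    """Yield (kind, fields) for each recognised line; unknown lines are ignored."""
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                yield kind, m.groupdict()
                break


def audit(log_text, dynamic_hosts=DYNAMIC_HOSTS, known_slaves=KNOWN_SLAVES):
    """Return (event counts per category, list of human-readable findings)."""
    counts, findings = Counter(), []
    for kind, ev in parse(log_text):
        counts[kind] += 1
        if kind == "update" and ev["name"].rstrip(".").lower() not in dynamic_hosts:
            findings.append("%s client %s %s %s %s outside the dynamic set"
                            % (ev["ts"], ev["client"], ev["action"], ev["name"], ev["rtype"]))
        if kind == "xfer" and ev["state"] == "started" and ev["client"] not in known_slaves:
            findings.append("%s %s of %s served to unknown client %s"
                            % (ev["ts"], ev["kind"], ev["zone"], ev["client"]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts))
    for f in findings:
        print("FINDING:", f)
```

The client address in an `update:` line is not a useful allow-list key here, since the whole point of dynamic DNS is that the client's address changes; the name being rewritten and the type are what the policy should constrain, which is why the check is on the name. The transfer check matters because `notify` plus `allow-transfer` is the path by which the whole zone leaves the server.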

jimp (Administrator)
Re: RFC2136 Server Setup How-to
« Reply #6 on: September 24, 2013, 11:21:33 am »
Yes that's why in my example I used a "dyn.example.com" subdomain because it rewrites that file and needs extra permissions... Not fun when it's unexpected. I thought I noted that somewhere but I don't see it now.

If you lock it down to just one subdomain/zone it is easier to manage, though it doesn't look quite so nice as being on the main zone.

franckroutes
Re: RFC2136 Server Setup How-to
« Reply #7 on: October 15, 2013, 09:25:23 am »
Hi

If I May,

Can I ask for some help with this post http://forum.pfsense.org/index.php/topic,67817.0.html

Regards
Franck

franckroutes
Re: RFC2136 Server Setup How-to
« Reply #8 on: October 21, 2013, 07:27:39 pm »
Hello,

Can anybody tell me if this solution could still apply if I wanted to create a DNS to handle an internal subdomain of a publicly hosted domain?

Please help

Here is a post I've opened on expert exchange  "http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28268075.html#a39589557"

Regards
Franck

rcfa
Re: RFC2136 Server Setup How-to
« Reply #9 on: November 10, 2013, 02:28:33 pm »
It sounds like this thread is more or less about what I'd like to do: replace the DynDNS service and host it on my own pfSense box.
However, I'm a bit confused by the how-to article https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS
because I'm not clear what box is what, what subsystem is running where, and what's a server and what's a client...

In short, I have a domain example.com and example.net. I want to use example.net for dynamic DNS, which allows me to point CNAME records from example.com at example.net to have in essence dynamic DNS for example.com, yet I can have the DNS servers cleanly separated.
DNS Servers for example.com are somewhere on an OS X Server box and should not be considered.

Then I'd like to have two pfSense units. The main unit is at a colocation service, fixed IP address, and I want that unit to host the primary DNS server for example.net and update the address records as needed dynamically.

I have a second pfSense unit with DHCP assigned IP address at home, and of course a roaming laptop, etc. all of which should stop using Dyn.com's DynDNS service and use the above mentioned pfSense unit at the colocation service.

Sorry for being a bit dense, but this is new turf for me.

jimp (Administrator)
Re: RFC2136 Server Setup How-to
« Reply #10 on: November 10, 2013, 04:25:59 pm »
This is not meant to run as a server on pfSense, but on another server running BIND.

I don't know if the new BIND package is capable of handling this task, but it's still best to run an authoritative name server on a separate box.

rcfa
Re: RFC2136 Server Setup How-to
« Reply #11 on: November 10, 2013, 05:04:37 pm »
This is not meant to run as a server on pfSense, but on another server running BIND.

I don't know if the new BIND package is capable of handling this task, but it's still best to run an authoritative name server on a separate box.

Hm, that wouldn't work for me, because my main DNS server is on the net with the dynamic IP.
Although that seems paradoxical at first, this works because I have a directly assigned IP address block which is routed to the dynamic network over a quasi-permanent VPN connection between the two pfSense units. But of course exactly when the IP address changes, that also means the VPN is down until the hostname can be resolved again, so for these moments my main DNS server is inaccessible.
That's also why I want to segment the name space cleanly into example.com and example.net, with the .net portion being hosted by the pfSense unit with a permanent, fixed IP address and located at the colocation provider.

How does the bind package interfere with the DNS forwarder? Any known issues when installing bind?

If what you describe would work with the bind package, I'd finally have the solution that I've been looking for for quite some time, because the various DynDNS providers get ever more expensive, their service more convoluted, and I also want to reduce the number of failure points in my setup. Simplify, simplify...

lmamakos
Re: RFC2136 Server Setup How-to
« Reply #12 on: January 24, 2015, 09:21:10 pm »
I just upgraded to the 2.2-RELEASE version of pfSense, and set up an RFC 2136 dynamic DNS client.  I had problems getting it to work initially, but it's fine now.

It turns out that in the "Hostname" field (with the text "Fully qualified hostname of the host to be updated"), you cannot have a trailing "." character on the DNS name.  If this is present, it silently fails without attempting to transmit a packet to the DNS server.  This was, of course, discovered by running tcpdump on both ends.  Removing the trailing period character immediately had it working.

jimp (Administrator)
Re: RFC2136 Server Setup How-to
« Reply #13 on: January 25, 2015, 10:25:20 am »
Did it work with the trailing "." in 2.1.x?

I don't recall attempting to end it with a trailing '.' before

phil.davis
Re: RFC2136 Server Setup How-to
« Reply #14 on: January 26, 2015, 06:54:00 am »
Just to say that in 2.2 the validation of an FQDN now allows the trailing "." (root domain) to be specified.
So there will be places like this where the trailing dot is now allowed by the validation, but maybe some downstream implementing code does not cope with trailing dot and needs to be enhanced.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
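What the pfSense client (or `nsupdate -k` from the how-to) actually puts on the wire is a single RFC 2136 UPDATE message carrying a TSIG RR, and the trailing-dot problem in replies #12 to #14 is a client-side name-handling issue that never reaches that packet. The following is an added example for this thread, not pfSense's or BIND's code and not from any poster: it builds the UPDATE that deletes the host's A or AAAA RRset and adds the new address, signs it with a TSIG key as RFC 2845 specifies, and verifies the signature the way a server does. Zone, hostname, key name and secret are made up; `fqdn()` normalises the hostname so that the form with and without the trailing dot produces the same wire name. HMAC-MD5 is listed because that is what the `dnssec-keygen` lines earlier in the thread produce; the block defaults to HMAC-SHA256.

```python
"""Build and verify a TSIG-signed RFC 2136 UPDATE on the wire (RFC 2845).

Added example for this thread, not pfSense's or BIND's code.  One UPDATE
that deletes the host's A/AAAA RRset and adds the new address, carrying a
TSIG RR; verify() recomputes the MAC as a server would.  Zone, host, key
name and secret are made up.  fqdn() accepts 'host.example.com' with or
without the trailing dot (the case from reply #12) and yields one wire name.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
import time

TYPE_A, TYPE_SOA, TYPE_AAAA, TYPE_TSIG = 1, 6, 28, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5,  # what the thread's dnssec-keygen lines produce
              "hmac-sha256.": hashlib.sha256}            # the better choice today


def fqdn(name):
    """Lower-case, exactly one trailing dot, whether or not the input had one."""
    return name.strip().rstrip(".").lower() + "."


def encode_name(name):
    """RFC 1035 labels, never compressed (TSIG digests canonical, uncompressed names)."""
    out = b""
    for label in fqdn(name).rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r in %r" % (label, name))
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(buf, pos):
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += buf[pos] + 1
    return ".".join(labels) + ".", pos + 1


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, host, ip, ttl=300, msg_id=None):
    """Unsigned UPDATE: zone section, 'delete RRset' (RFC 2136 s2.5.2), 'add RR' (s2.5.1)."""
    addr = ipaddress.ip_address(ip)
    rtype = TYPE_A if addr.version == 4 else TYPE_AAAA
    if msg_id is None:
        msg_id = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 2, 0)  # opcode 5 = UPDATE; 1 zone, 2 update RRs
    return (header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
            + rr(host, rtype, CLASS_ANY, 0, b"")             # delete every RR of that type at host
            + rr(host, rtype, CLASS_IN, ttl, addr.packed))   # add the new address


def _tsig_vars(key_name, alg, time_signed, fudge, error, other):
    """TSIG variables digested after the message (RFC 2845 s3.4.2)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def sign(msg, key_name, secret, alg="hmac-sha256", time_signed=None, fudge=300):
    """Append the TSIG RR.  The MAC covers the message as it was *before* the RR."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + _tsig_vars(key_name, alg, time_signed, fudge, 0, b""),
                   ALGORITHMS[fqdn(alg)]).digest()
    rdata = (encode_name(alg) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + msg[:2] + struct.pack("!HH", 0, 0))
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)


def verify(signed, secret, now=None):
    """Server-side check (RFC 2845 s4.5) -> (ok, key_name); wrong key, tampering or stale time fail."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    if counts[5] == 0:
        return False, ""
    pos = 12
    for _ in range(counts[2]):                                # zone section: name, type, class
        pos = _read_name(signed, pos)[1] + 4
    for _ in range(counts[3] + counts[4] + counts[5] - 1):    # every RR except the last (the TSIG)
        pos = _read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = _read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    alg, pos = _read_name(signed, pos + 10)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[pos:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_len]
    orig_id, error, other_len = struct.unpack("!HHH", signed[pos + 10 + mac_len:pos + 16 + mac_len])
    other = signed[pos + 16 + mac_len:pos + 16 + mac_len + other_len]
    digest = ALGORITHMS.get(fqdn(alg))
    if rtype != TYPE_TSIG or digest is None:
        return False, key_name
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG, and no TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", counts[5] - 1) + signed[12:tsig_start]
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, unsigned + _tsig_vars(key_name, alg, time_signed, fudge, error, other), digest).digest()
    fresh = abs((int(time.time()) if now is None else now) - time_signed) <= fudge
    return hmac.compare_digest(mac, expected) and fresh, key_name
```

Two points worth noticing in the code: the MAC is computed over the message with ARCOUNT still excluding the TSIG RR, so a verifier has to rebuild that header before hashing; and the key name returned by `verify()` is what the server feeds into its `update-policy` decision, which is why the `self` grant ties the key name to the hostname.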