
Dynamically add hosts on a corporate network with nsupdate

I need to dynamically add and remove (virtual) hosts on my company's network. I cannot use static IPs because they may conflict with the addresses DHCP hands out to my colleagues' PCs. I also do not have the rights to update the corporate DNS.

I will install my own DNS server (Bind) which will hold the names of my machines and forward all requests for unknown names to the corporate DNS.

Bind configuration

This targets the Debian distribution, as Debian stores the Bind configuration files in /etc/bind instead of /etc/ like many other distributions.

  • Install the bind9 package.
  • Comment out the zone "." section in /etc/bind/named.conf. We are on a corporate network and do not have access to the root DNS servers.
  • Create a new root zone like this:
    zone  "." {
            type forward;
            forwarders {10.1.1.100;10.1.1.101;};
    };

    where 10.1.1.100 and 10.1.1.101 are the corporate DNS IPs. I don’t know if this should be set in named.conf or named.conf.local. I don’t even know if it matters.

  • Create the key that will be used to update the DNS from the client PCs. Assuming your e-mail address is admin@nospam.com, this looks like this:
    $ dnssec-keygen -a HMAC-MD5 -b 512 -n USER admin.nospam.com.
  • Now create your zone in named.conf.local:
    key xrunhprof.corp. {
            algorithm hmac-md5;
            secret "hJUw1ggZk5d7yIVVt67qCNxlk2Wn8SAg0/6fuyCspcdEUuz1zumrfzYC Xb1B1i3nUwLXPCOXx8F2aVT0oB99xA==";
    };
    
    zone  "xrunhprof.corp" {
            type master;
            file  "/var/cache/bind/db.xrunhprof";
            allow-update {
                    key xrunhprof.corp.;
            };
    };

    The secret can be found in the .key file created by dnssec-keygen.

  • Create an empty zone file at /var/cache/bind/db.xrunhprof:
    $TTL 86400

    @       IN      SOA     10.1.10.145.      xrunhprof.wordpress.com. (
                            2008102201      ; serial number YYYYMMDDNN
                            28800           ; Refresh
                            7200            ; Retry
                            864000          ; Expire
                            86400           ; Min TTL
                            )

                    NS      10.1.10.145.

    $ORIGIN xrunhprof.corp.

    10.1.10.145 is the IP of the host running the Bind server.

  • Restart Bind to take the changes into account.

Client configuration

The client needs to update its DNS entries each time it makes a DHCP request. Here is a script that performs such an update:

#! /bin/sh
# $1 is the interface name handed over by the ifup hook; skip the loopback interface.
if [ "x$1" != "xlo" ]; then
  unset LANG
  # Extract the IPv4 address of eth0 from the (old-style) ifconfig output.
  IP=$(/sbin/ifconfig eth0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')
  # Without an address the "update add" line would be malformed, so stop here.
  [ -n "$IP" ] || exit 0
  # $HOSTNAME is a bash variable and is not set under plain /bin/sh, so ask the system.
  HOST=$(hostname)
  nsupdate -k "$(dirname "$0")/Kxrunhprof.corp.+157+05662.private" << _ACEOF
server 10.1.10.145
zone xrunhprof.corp
update delete $HOST. A
update add $HOST. 86400 A $IP
show
send
_ACEOF
fi

This script needs to be in the same directory as the .private and .key files created by dnssec-keygen.

On Debian this script can be called from a post-up directive in /etc/network/interfaces. On Red Hat-like distributions (I tested with Mandriva) it can be placed in /etc/sysconfig/network-scripts/ifup.d/. In both cases do not forget to chmod +x the script.

Conclusion

I’m a total novice with Bind and DNS, so this how-to may contain errors. For example, I guess the update access control of my Bind server is a big security hole, as any client can update the entry of any other client.
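The hole described above comes from the single shared key in allow-update: whoever holds it can rewrite any name in the zone. The named.conf.local below is an added example, not the post's own configuration, showing how Bind's update-policy limits each key to the one record that carries the key's name. The host names host1 and host2, the choice of hmac-sha256 instead of the hmac-md5 key used above, and the placeholder secrets are all assumptions.

```conf
// Added example (not from the original post): one TSIG key per client host.
// Generate each key on the server, for example with
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST host1.xrunhprof.corp.
// (or tsig-keygen host1.xrunhprof.corp. on newer BIND releases),
// then paste the base64 secret from the .key file here. The PLACEHOLDER
// values are not valid keys and named refuses to load until they are replaced.
key host1.xrunhprof.corp. {
        algorithm hmac-sha256;
        secret "PLACEHOLDER_SECRET_HOST1";
};

key host2.xrunhprof.corp. {
        algorithm hmac-sha256;
        secret "PLACEHOLDER_SECRET_HOST2";
};

zone "xrunhprof.corp" {
        type master;
        file "/var/cache/bind/db.xrunhprof";
        // update-policy replaces allow-update; a zone may not use both.
        // "self" grants a key the right to change only the record whose name
        // equals the key name, and the trailing "A" restricts it to address records.
        update-policy {
                grant host1.xrunhprof.corp. self host1.xrunhprof.corp. A;
                grant host2.xrunhprof.corp. self host2.xrunhprof.corp. A;
        };
};
```

Each client then keeps only its own .private file and passes that file to nsupdate -k in the script above, so a client presenting host1's key can add or delete the A record of host1.xrunhprof.corp. but gets REFUSED when it tries to touch host2's. The refusals are logged by named, which makes a misbehaving or compromised client visible on the server rather than silently overwriting a colleague's entry. Adding a new virtual host means adding one key and one grant line and reloading Bind.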

References

  1. nsupdate: Painless Dynamic DNS by Jeff Garzik
  2. Bind zone file creator
  3. Bind configuration reference
  4. Mandriva sysconfig reference: /usr/share/doc/initscripts/sysconfig.txt