Dynamic DNS service configuration under Linux explained

In network management, administering DNS is a fundamental task. As the number of users grows, manually editing the DNS zone database files again and again is no longer practical. Dynamic DNS (DDNS) has therefore attracted growing attention, and different platforms have released their own solutions. This article describes in detail the DDNS solution for the Linux environment: the BIND DNS server and the Dynamic Host Configuration Protocol (DHCP) server developed by the Internet Software Consortium (ISC), working together to implement dynamic DNS.

Implementing dynamic DNS under Linux requires not only BIND 8 or later for DNS, but also DHCP Server v3.0 or later, because only version 3.0 and above fully implements DDNS support. The environment used in this article is therefore Slackware Linux 9.0 as the DDNS server, running both the DNS and the DHCP service: the DNS server is BIND 9.2.2 and the DHCP server is DHCP Server v3.0pl2.

The following is a detailed description of how to implement secure dynamic DNS in the Linux environment.

Creating a Key

To achieve dynamic DNS updates, the first thing to consider is how to make DDNS secure. The method recommended by the ISC is to create a key for dynamic updates; every update is then verified against this key. To create it, run the following command as root:

root@slack9:/etc# dnssec-keygen -a HMAC-MD5 -b 128 -n USER myddns

Kmyddns.+157+37662

The dnssec-keygen command above generates an update key. The parameter -a HMAC-MD5 selects HMAC-MD5 as the key algorithm; the parameter -b 128 sets the key length to 128 bits; the parameter -n USER myddns declares a USER-type key whose name is myddns.

The pair of key files generated by this command are as follows:

-rw------- 1 root root 48 Jan 14 18:26 Kmyddns.+157+37662.key

-rw------- 1 root root 81 Jan 14 18:26 Kmyddns.+157+37662.private

You can view the contents of the newly generated key file:

root@slack9:/etc# cat Kmyddns.+157+37662.key

myddns. IN KEY 0 2 157 4gEF1Mkmn5hrlwYUeGJV3g==

root@slack9:/etc# cat Kmyddns.+157+37662.private

Private-key-format: v1.2

Algorithm: 157 (HMAC_MD5)

Key: 4gEF1Mkmn5hrlwYUeGJV3g==

If you read the two key files carefully, you will find that they contain the same key. This key is the credential that DHCP uses to dynamically update DNS, and it must be added to both the DNS and the DHCP configuration files.
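The steps above leave you with a .key and a .private file that must agree and whose secret has to be copied into two configuration files by hand. The following script is an added example, not part of the original article: it reads both files, checks that they carry the same secret, and prints the matching key stanza for named.conf and for dhcpd.conf. The two key files are constructed inline in the same format dnssec-keygen wrote above (same key name and secret as the article); the dhcpd.conf stanza follows the ISC dhcpd key syntax, which the article itself does not show.

```shell
#!/bin/sh
# Added example (not from the original article): read a dnssec-keygen key pair,
# confirm both files carry the same secret, and emit the "key" stanzas that
# named.conf and dhcpd.conf need.
# The two files below are constructed sample input, written in the format that
# dnssec-keygen produced in the article.

KEYDIR="$(mktemp -d)"
trap 'rm -rf "$KEYDIR"' EXIT

cat > "$KEYDIR/Kmyddns.+157+37662.key" <<'EOF'
myddns. IN KEY 0 2 157 4gEF1Mkmn5hrlwYUeGJV3g==
EOF
cat > "$KEYDIR/Kmyddns.+157+37662.private" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 4gEF1Mkmn5hrlwYUeGJV3g==
EOF

# secret_from_keyfile FILE: the secret is the last field of the KEY record.
secret_from_keyfile() {
    awk '$3 == "KEY" { print $NF }' "$1"
}

# secret_from_private FILE: the secret follows "Key:" in the .private file.
secret_from_private() {
    awk '$1 == "Key:" { print $2 }' "$1"
}

# keys_match KEYFILE PRIVATEFILE: succeeds only when both carry the same
# non-empty secret; an empty or mismatching pair must never be deployed.
keys_match() {
    pub=$(secret_from_keyfile "$1")
    priv=$(secret_from_private "$2")
    [ -n "$pub" ] && [ "$pub" = "$priv" ]
}

# named_key_stanza NAME SECRET: the block to paste into /etc/named.conf.
# BIND wants the secret in double quotes.
named_key_stanza() {
    printf 'key %s {\n    algorithm HMAC-MD5.SIG-ALG.REG.INT;\n    secret "%s";\n};\n' "$1" "$2"
}

# dhcpd_key_stanza NAME SECRET: the matching block for dhcpd.conf
# (ISC dhcpd 3.x key syntax; dhcpd takes the secret unquoted).
dhcpd_key_stanza() {
    printf 'key %s {\n    algorithm HMAC-MD5.SIG-ALG.REG.INT;\n    secret %s;\n};\n' "$1" "$2"
}

PUB="$KEYDIR/Kmyddns.+157+37662.key"
PRIV="$KEYDIR/Kmyddns.+157+37662.private"

if keys_match "$PUB" "$PRIV"; then
    SECRET=$(secret_from_private "$PRIV")
    echo "# --- named.conf ---"
    named_key_stanza myddns "$SECRET"
    echo "# --- dhcpd.conf ---"
    dhcpd_key_stanza myddns "$SECRET"
else
    echo "key files disagree or are empty; refusing to emit stanzas" >&2
fi
```

Because the same secret must appear verbatim in both daemons' configuration, generating the stanzas from the key files rather than retyping the base64 string is the easiest way to avoid a silent mismatch that only shows up as rejected updates in the named log.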

Modify the DNS main configuration file

After the key has been generated, edit /etc/named.conf; the main purpose is to add the key information to the DNS main configuration file. Here is an example of the modified /etc/named.conf:

options {
    directory "/var/named";    // specifies the directory where the zone database files are stored
};

zone "." IN {
    type hint;
    file "caching-example/named.ca";
};

zone "localhost" IN {
    type master;
    file "caching-example/localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "caching-example/named.local";
    allow-update { none; };
};

key myddns {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;    // the algorithm used to generate the key
    secret "4gEF1Mkmn5hrlwYUeGJV3g==";     // the key itself
};

zone "tcbuu.cn" IN {
    type master;
    file "tcbuu.cn";                 // forward zone file name tcbuu.cn, used later
    allow-update { key myddns; };    // only a holder of key myddns may dynamically update zone "tcbuu.cn"
};

zone "1.22.10.in-addr.arpa" IN {
    type master;
    file "tcbuu.cn.arpa";            // reverse zone file name tcbuu.cn.arpa
    allow-update { key myddns; };    // only a holder of key myddns may dynamically update zone "1.22.10.in-addr.arpa"
};

You can define multiple zones in /etc/named.conf. Dynamic updates are enabled by adding allow-update { key myddns; } to each zone that should accept them; only an entity that holds the key myddns (in this implementation, a DHCP server configured with the same key) can then perform secure dynamic updates to the zone. This is much safer than the older method of restricting updates by IP address alone.

This completes the configuration of the DNS server; run named as root to start the DNS service.
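Since the whole point of the key is that allow-update should reference it rather than an address list, it is worth checking a named.conf for zones that were missed. The script below is an added example, not from the original article: it strips comments, tokenises the file, and reports for every zone whether its allow-update clause is key-based, disabled, address-based (or any), or refers to a key that is never defined. The named.conf it audits is constructed inline: the key and the two zones from the article, plus three made-up zones (lab.example, open.example, orphan.example) that show the weak cases.

```shell
#!/bin/sh
# Added example (not from the original article): audit the allow-update policy of
# every zone in a named.conf and flag zones still gated by addresses or "any"
# instead of the TSIG key, plus zones naming a key that is never defined.
# The configuration below is constructed sample input.

CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
key myddns {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "4gEF1Mkmn5hrlwYUeGJV3g==";
};
zone "tcbuu.cn" IN {
    type master;
    file "tcbuu.cn";              // forward zone from the article
    allow-update { key myddns; };
};
zone "1.22.10.in-addr.arpa" IN {
    type master;
    file "tcbuu.cn.arpa";         // reverse zone from the article
    allow-update { key myddns; };
};
zone "lab.example" IN {           // constructed: address-based ACL
    type master;
    file "lab.example";
    allow-update { 10.22.1.0/24; };
};
zone "open.example" IN {          // constructed: wide open
    type master;
    file "open.example";
    allow-update { any; };
};
zone "orphan.example" IN {        // constructed: key never defined
    type master;
    file "orphan.example";
    allow-update { key nokey; };
};
zone "localhost" IN {
    type master;
    file "caching-example/localhost.zone";
    allow-update { none; };
};
EOF

# audit_allow_update FILE: prints one line per zone: "<zone> <ok|weak|error> <detail>"
audit_allow_update() {
    sed -e 's#//.*$##' -e 's/#.*$//' "$1" | awk '
    {
        gsub(/[{};]/, " & ")                  # braces and semicolons become their own tokens
        for (i = 1; i <= NF; i++) tok[++n] = $i
    }
    END {
        # pass 1: collect the names of all top-level key statements
        depth = 0
        for (i = 1; i <= n; i++) {
            if (depth == 0 && tok[i] == "key") { k = tok[i+1]; gsub(/"/, "", k); keydef[k] = 1 }
            if (tok[i] == "{") depth++
            if (tok[i] == "}") depth--
        }
        # pass 2: inspect the allow-update clause directly inside each zone
        depth = 0; zone = ""
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (depth == 0 && t == "zone") { zone = tok[i+1]; gsub(/"/, "", zone) }
            if (t == "{") depth++
            if (t == "}") { depth--; if (depth == 0) zone = "" }
            if (t != "allow-update" || zone == "" || depth != 1) continue
            keyed = 0; kname = ""; weak = ""
            for (j = i + 2; j <= n && tok[j] != "}"; j++) {
                if (tok[j] == ";" || tok[j] == "none") continue
                if (tok[j] == "key") { keyed = 1; kname = tok[++j]; gsub(/"/, "", kname); continue }
                weak = weak (weak == "" ? "" : ",") tok[j]   # address, prefix, any, or named ACL
            }
            if (weak != "")            printf "%s weak %s\n", zone, weak
            else if (!keyed)           printf "%s ok none\n", zone
            else if (kname in keydef)  printf "%s ok key %s\n", zone, kname
            else                       printf "%s error undefined-key %s\n", zone, kname
        }
    }'
}

# weak_count FILE: number of zones whose dynamic updates are not gated by a key
weak_count() {
    audit_allow_update "$1" | awk '$2 == "weak" { c++ } END { print c + 0 }'
}

audit_allow_update "$CONF"
```

Run against a real /etc/named.conf, every "weak" line is a zone where anyone who can spoof or occupy a listed address can rewrite records, and every "error" line is a zone whose updates named will refuse at start-up or at update time because the key block is missing.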
