DDNS (Dynamic DNS)
Dynamic Update is a method for adding, replacing or deleting records in a master server by sending it a special form of DNS messages. The format and meaning of these messages is specified in RFC 2136.
自譯:DDNS是一種用來新增、替換或刪除Master DNS server中Resource Record Data的方法…相關內容可見RFC文件冊編號2136
==> 文件冊看這兒RFC2136 <==
底下是官方說明文件的內容…大概的內容提及DDNS的發展方法…與需要注意的安全性
http://oldwww.isc.org/sw/bind/arm95/Bv9ARM.ch07.html#dynamic_update_security
http://oldwww.isc.org/sw/bind/arm95/Bv9ARM.ch04.html#dynamic_update
底下模擬實作方法…
@Master DNS server (192.168.148.129 Ubuntu 9.04 Server) 主要的DNS server
@DDNS Client User (192.168.148.131 Linux) 在這台上使用 nsupdate指令更新DNS server的資料
@Master DNS Server (192.168.148.129 Ubuntu 9.04 Server)
首先…先建立TSIG key做為安全交換機制…如不懂TSIG請查前文(Key取名為DDNS)
#dnssec-keygen -a hmac-md5 -b 128 -n HOST DDNS
然後執行該指令的目錄下會產生Kddns.XXXX.key 、及Kddns.XXXX.private
這兒假設XXXX為+157+01389(不一定是這樣喔),後面的DDNS的名稱可換掉
分別查看一下檔案內容…等一下會用到
#cat Kddns.+157+01389.key
DDNS. IN KEY 512 3 157 KhDVspoqFonWKv58rFXOWw==
#cat Kddns.+157+01389.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: KhDVspoqFonWKv58rFXOWw==
Bits: AAA=
#vi /etc/bind/named.conf
include "/etc/bind/named.conf.key";
(匯入/etc/bind/named.conf.key檔案內容…分類管理方便)
#vi /etc/bind/named.conf.key
key "DDNS" {
algorithm hmac-md5;
secret "KhDVspoqFonWKv58rFXOWw==";
};
#vi /etc/bind/named.conf
zone "hellokitty.com.tw" in {
type master;
file "hellokitty.com.tw";
allow-update {
192.168.148.131; };
//允許192.168.148.131進行update動作,可以更新所有內容
update-policy {
grant DDNS name www.hellokitty.com.tw. A;};
//update-policy為使用定義的DDNS key對名稱www.hellokitty.com.tw. Resource Record Type為A的資料進行(grant)更新修改
//內容可為多筆,連線來源不受限
//注意…上面的allow-update與update-policy只可存在一種~BIND9版建議使用update-policy
};
BIND 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the allow-update and update-policy option, respectively.
The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone.
The update-policy clause is new in BIND 9 and allows more fine-grained control over what updates are allowed.
A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities.
If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the update-policy zone option, and are only meaningful for master zones.
When the update-policy statement is present, it is a configuration error for the allow-update statement to be present.
The update-policy statement only examines the signer of a message; the source address is not relevant.
重新啟動DNS server,並觀察有無Listen
#/etc/init.d/bind9 restart
#netstat -tlnup|grep 53
注意:ubuntu 9.04 server,擺放zone file的位置在/var/cache/bind/目錄中
故上面的hellokitty.com.tw檔案放在這兒…
裡面有一筆(定義www.hellokitty.com.tw的IPv4 A Resource Record type Data)
www IN A 192.168.56.129
請自行修改~
@DDNS Client User (192.168.148.131 Linux)
將Kddns.+157+01389.key傳到這台來備用~用任何方法皆可
#nslookup
>server 192.168.148.129
>set type=a
>www.hellokitty.com.tw
查出結果原為192.168.56.129
><ctrl+D 結束>
使用這把key進行update動作
#nsupdate -k Kddns.+157+01389.key
>server 192.168.148.129
>update delete www.hellokitty.com.tw
刪掉舊的
>update add www.hellokitty.com.tw 86400 A 192.168.56.155
加入新的
>send
> <ctrl+D 結束>
*如有違反更新政策…則會出現被拒絕的訊息
有關nsupdate及nslookup的用法可以查詢nsupdate的manual pages
#nslookup
>server 192.168.148.129
>set type=a
>www.hellokitty.com.tw
查出結果為更新後的192.168.56.155
><ctrl+D 結束>
最後觀察一下DNS Server變化
@Master DNS Server (192.168.148.129)
#cd /var/cache/bind/
#ls -l
會發現有jnl的暫存檔案…且原先的檔案內容不變
留言列表
