Configure BIND as an RFC 2136 Dynamic DNS Server

If the DNS for a domain is directly controlled on a BIND server, RFC 2136 Dynamic DNS support can be set up for use by pfSense. This section shows how to configure BIND to support this feature.

The exact location of the configuration directory for BIND will vary by operating system. It could be in /usr/local/etc/namedb/, /etc/namedb/, or elsewhere.

See also

See Configuring RFC 2136 Dynamic DNS updates for more information on RFC 2136 Dynamic DNS.

Configure the BIND Server

On the server in named.conf, add the following block:

include "/etc/namedb/dns.keys.conf";
zone "dyn.example.com" {
     type master;
     file "dynamic/dyn.example.com";
     update-policy { grant *.dyn.example.com. self dyn.example.com. A AAAA; };
};

Then create the initial zone file. BIND requires read/write access to this file and the directory in which it resides so that the zone and its journal may be updated.

Warning

BIND will rewrite this zone file, which is why a subdomain is used in the example.

From there, create the zone file for the new dynamic zone, dynamic/dyn.example.com:

$ORIGIN      .
$TTL 30      ; 30 seconds
dyn.example.com              IN SOA  ns.example.com. hostmaster.example.com. (
                             2016062801 ; serial
                             3600       ; refresh (1 hour)
                             600        ; retry (10 minutes)
                             2600       ; expire (43 minutes 20 seconds)
                             30         ; minimum (30 seconds)
                             )
                     NS      ns.example.com.
                     NS      ns2.example.com.

Reload the named service using rndc reload or a similar command, and then if any slave name servers are in place, add a zone to those servers as well:

zone "dyn.example.com" {
     type slave;
     file "dynamic/dyn.example.com";
     masters { 192.0.2.5; };
};

On the master name server, make the keys directory:

# mkdir -p /etc/namedb/keys

And now generate a host key. The second line is the output of the command, not part of the command itself.

# /usr/sbin/dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST myhost.dyn.example.com.
Kmyhost.dyn.example.com.+157+32768

The output Kmyhost.dyn.example.com.+157+32768 is the first part of the filename for the key; dnssec-keygen appends .private to one file and .key to another. Both contain the same data in different formats.

Now read the key from the new key file:

# /usr/bin/grep ^Key: /etc/namedb/keys/Kmyhost.dyn.example.com.+157+32768.private | /usr/bin/awk '{ print $2; }'
/0/4bxF9A08n/zke/vANyQ==

And then add that key to dns.keys.conf:

key myhost.dyn.example.com. {
     algorithm hmac-md5;
     secret "/0/4bxF9A08n/zke/vANyQ==";
};

This can be automated with a simple script such as make-ddns-host.sh:

#!/bin/sh
# Generate a TSIG host key for one dynamic DNS client and append it to dns.keys.conf.
# Usage: ./make-ddns-host.sh myhost.dyn.example.com
set -e
[ $# -eq 1 ] || { echo "usage: $0 <fully.qualified.hostname>" >&2; exit 1; }
KEY_NAME=$1
KEY_DIR=/etc/namedb/keys
KEYS_CONFIG=/etc/namedb/dns.keys.conf
/bin/mkdir -p "${KEY_DIR}"
# dnssec-keygen prints the base name of the key pair it wrote, e.g. Kmyhost.dyn.example.com.+157+32768
KEY_FILE_NAME=$(/usr/sbin/dnssec-keygen -K "${KEY_DIR}" -a HMAC-MD5 -b 128 -n HOST "${KEY_NAME}.")
# The shared secret is the base64 value on the "Key:" line of the .private file
KEY_TEXT=$(/usr/bin/grep "^Key:" "${KEY_DIR}/${KEY_FILE_NAME}.private" | /usr/bin/awk '{ print $2; }')
{
    echo "key ${KEY_NAME}. {"
    echo "       algorithm hmac-md5;"
    echo "       secret \"${KEY_TEXT}\";"
    echo "};"
} >> "${KEYS_CONFIG}"
echo "Key for ${KEY_NAME} is: ${KEY_TEXT}"

After making the file, make it executable:

# chmod u+x make-ddns-host.sh

To use the script:

# ./make-ddns-host.sh mynewhost.dyn.example.com
# rndc reload

Configuring a Client in pfSense

To add a DynDNS entry in the pfSense GUI:

  • Navigate to Services > Dynamic DNS, RFC 2136 tab
  • Click Add to create a new entry with the following settings:
    Enable: Checked
    Interface: WAN
    Hostname: The fully qualified hostname, e.g. xxxxx.dyn.example.com
    TTL: 30
    Key Name: The fully qualified hostname again, exactly: xxxxx.dyn.example.com
    Key Type: Host
    Key: Secret key for this hostname
    Server: The IP address or hostname of the BIND server
    Protocol: Unchecked
    Description: My DynDNS Entry
  • Click Save

Assuming the firewall has connectivity to the name server, and there are no other access policies that would prevent the update, RFC 2136 DynDNS service is now working. If the update does not work, check the BIND log and the system log on pfSense.
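To check the server side independently of the firewall, the following shell script (an added example, not from the pfSense documentation) sends the same kind of TSIG-signed RFC 2136 update that the pfSense client sends, using nsupdate with the key file produced by dnssec-keygen above, and then reads the record back with dig. It assumes the key name matches the hostname being updated, as the self rule in the update-policy requires, and uses constructed values: 192.0.2.5 for the BIND server and 198.51.100.7 as the address to publish.

```shell
#!/bin/sh
# Added example: exercise the dyn.example.com update-policy from the command line.
# Assumes the K*.private file from dnssec-keygen is readable and that the key name
# equals the host name being updated (the "self" rule in named.conf).
set -eu

# Build the nsupdate command script for one host: drop any old A record for the
# name, add the new one, send the signed update and print the server's answer.
build_update_script() {
    server=$1 zone=$2 host=$3 addr=$4 ttl=${5:-30}
    printf 'server %s\nzone %s.\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\nanswer\n' \
        "$server" "$zone" "$host" "$host" "$ttl" "$addr"
}

# Send the update with the TSIG key, then confirm the zone now returns the address.
apply_update() {
    keyfile=$1 server=$2 zone=$3 host=$4 addr=$5
    build_update_script "$server" "$zone" "$host" "$addr" | nsupdate -k "$keyfile"
    got=$(dig +short @"$server" "$host." A || true)
    [ "$got" = "$addr" ] || { echo "update not visible on $server: got '$got'" >&2; return 1; }
    echo "$host -> $got"
}

# Usage (constructed values):
#   ./check-ddns.sh /etc/namedb/keys/Kmyhost.dyn.example.com.+157+32768.private \
#       192.0.2.5 dyn.example.com myhost.dyn.example.com 198.51.100.7
if [ $# -eq 5 ]; then apply_update "$@"; fi
```

A REFUSED or NOTAUTH in the printed answer points at the update-policy or key name rather than at connectivity. On BIND 9.13 and later, dnssec-keygen no longer produces HMAC keys; tsig-keygen writes the same key statement and lets a SHA-2 HMAC algorithm be chosen in place of hmac-md5.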