Configuring BIND as an RFC 2136 Dynamic DNS Server

If the DNS for a domain is directly controlled on a BIND server, RFC 2136 Dynamic DNS support can be setup for use by pfSense®. This section shows how to configure BIND to support this feature.

The exact location of the configuration directory for BIND will vary by operating system. It could be in /usr/local/etc/namedb/, /etc/namedb/, or elsewhere.

See also

See Configuring RFC 2136 Dynamic DNS updates for more information on RFC 2136 Dynamic DNS.

Configure the BIND Server

On the server in named.conf, add the following block:

include "/etc/namedb/dns.keys.conf";
zone "dyn.example.com" {
     type master;
     file "dynamic/dyn.example.com";
     update-policy { grant *.dyn.example.com. self . A AAAA; };
};

Then create the initial zone file. BIND requires read/write access to this file and the directory in which it resides so that the zone and its journal may be updated.

Warning

BIND will rewrite this zone file, which is why a subdomain is used in the example.

From there, create the zone file for the new dynamic zone, dynamic/dyn.example.com

$ORIGIN      .
$TTL 30      ; 30 seconds
dyn.example.com              IN SOA  ns.example.com. hostmaster.example.com. (
                             2016062801 ; serial
                             3600       ; refresh (1 hour)
                             600        ; retry (10 minutes)
                             2600       ; expire (43 minutes 20 seconds)
                             30         ; minimum (30 seconds)
                             )
                     NS      ns.example.com.
                     NS      ns2.example.com.

Reload the named service using rndc reload or a similar command, and then if any slave name servers are in place, add a zone to those servers as well:

zone "dyn.example.com" {
     type slave;
     file "dynamic/dyn.example.com";
     masters{ 192.0.2.5; };
};

For BIND 9.16+ create an entry using tsig-keygen:

# tsig-keygen -a hmac-sha256 myhost.dyn.example.com
key "myhost.dyn.example.com" {
     algorithm hmac-md5;
     secret "/0/4bxF9A08n/zke/vANyQ==";
};

Add that key to dns.keys.conf manually or by redirecting command output:

# tsig-keygen -a hmac-sha256 myhost.dyn.example.com >> /etc/namedb/dns.keys.conf

For BIND version < 9.16, follow the next steps.

On the master name server, make the keys directory:

# mkdir -p /etc/namedb/keys

And now generate a host key. The second line is the output of the command, not part of the command itself.

# /usr/sbin/dnssec-keygen -K /etc/namedb/keys -a HMAC-MD5 -b 128 -n HOST myhost.dyn.example.com.
Kmyhost.dyn.example.com.+157+32768

The output Kmyhost.dyn.example.com.+157+32768 is the first part of the filename for the key, it will append .private to one file and .key to another. Both contain the same data in different formats.

Now read the key from the new key file:

# /usr/bin/grep ^Key: /etc/namedb/keys/Kmyhost.dyn.example.com.+157+32768.private | /usr/bin/awk '{ print $2; }'
/0/4bxF9A08n/zke/vANyQ==

And then add that key to dns.keys.conf:

key "myhost.dyn.example.com" {
     algorithm hmac-md5;
     secret "/0/4bxF9A08n/zke/vANyQ==";
};

This can be automated with a simple script, make-ddns-host.sh:

#!/bin/sh
KEY_NAME=${1}
KEY_DIR=/etc/namedb/keys
KEYS_CONFIG=/etc/namedb/dns.keys.conf
/bin/mkdir -p ${KEY_DIR}
cd ${KEY_DIR}
KEY_FILE_NAME=`/usr/sbin/dnssec-keygen -K ${KEY_DIR} -a HMAC-MD5 -b 128 -n HOST ${KEY_NAME}.`
KEY_TEXT=`/usr/bin/grep "^Key:" ${KEY_DIR}/${KEY_FILE_NAME}.private | /usr/bin/awk '{ print $2; }'`
echo "key ${KEY_NAME}. {" >> ${KEYS_CONFIG}
echo "       algorithm hmac-md5;" >> ${KEYS_CONFIG}
echo "       secret \"${KEY_TEXT}\";" >> ${KEYS_CONFIG}
echo "};" >> ${KEYS_CONFIG}
echo "Key for ${KEY_NAME} is: ${KEY_TEXT}"

After making the file, make it executable:

# chmod u+x make-ddns-host.sh

To use the script:

# ./make-ddns-host.sh mynewhost.dyn.example.com
# rndc reload

Configuring a Client in pfSense Software

To add a DynDNS entry in the pfSense software GUI:

  • Navigate to Services > Dynamic DNS, RFC 2136 tab

  • Click fa-plus Add to create a new entry with the following settings:

    Enable

    Checked

    Interface

    WAN

    Hostname

    The fully qualified hostname, e.g. xxxxx.dyn.example.com

    TTL

    30

    Key Name

    The fully qualified hostname again, exactly: xxxxx.dyn.example.com

    Key algorithm

    HMAC-SHA256

    Key

    Secret key for this hostname

    Server

    The IP address or hostname of the BIND server

    Protocol

    Unchecked

    Description

    My DynDNS Entry

  • Click Save

Assuming the firewall has connectivity to the name server, and there are no other access policies that would prevent the update, RFC 2136 DynDNS service is now working. If the update does not work, check the BIND log and the system log on the firewall.