DNS

Domain Name Service trickery

Dynamic DNS

named, dhcpd and dynamic DNS


From time to time we want to allow some other entity (commonly a DHCP client) to update the DNS. The entity knows some DNS fact, commonly its hostname, and wants to insert that record into the DNS. There are rather large trust implications here, as you can imagine.

For a Secure Network

For a secure network, one where you trust all the hosts (for example, a DHCP network), the changes to the stock DNS options are very simple.

options

By default, deny updates:

options {
  ...
  allow-update { none; };
  ...
};

view/zones

For each dynamic zone, allow the DHCP server to make updates:

zone "office.soho" IN {
        type master;
        file "internal/office.soho.db";
        forwarders {};
        allow-update {
                // DHCP server IP addresses
        };
};

DHCP Server

The changes for the DHCP server are equally straightforward. We need to tell it to enable dynamic DNS updates at all (and specify forward updates) and then tell each subnet which DNS zones to change:

ddns-updates on;
ddns-update-style interim;
allow client-updates;
do-forward-updates on;

zone office.soho {
       primary master-DNS-server-for-office.soho;
}

zone 0.168.192.in-addr.arpa {
       primary master-DNS-server-for-0.168.192.in-addr.arpa;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
       ...

       ddns-domainname "office.soho.";
       ddns-rev-domainname "in-addr.arpa.";
}

IPv6

IPv6 has SLAAC to do its dynamic address allocation, but you still might want it to update the DNS where possible. The magic incantations in /etc/dhcp/dhcpd6.conf look like:

ddns-updates on;
ddns-update-style interim;
allow client-updates;
do-forward-updates on;

zone office.local {
       primary master-DNS-server-for-office.local;
}

zone 0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa {
       primary master-DNS-server-for-d.c.b.a.ip6.arpa;
}

subnet6 fe80::/64 {
       option domain-name-servers 192.168.0.253;
       option domain-name "office.local";

       ddns-domainname "office.local.";
       ddns-rev-domainname "ip6.arpa.";
}

Clearly, where hosts only use SLAAC, we're not going to get much from the IPv6 entry. However, Windows clients will do DHCP6 lookups in addition to managing their IPv6 interfaces with SLAAC.

For Insecure Networks

For example, across the public Internet, we need TSIGs.
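The page authorises updates by source address on a trusted network and calls for TSIG elsewhere. As an added example (not part of the original page), this Python script grades every allow-update ACL in a named.conf so that zones relying on source address alone can be found; the sample config, the address 192.168.0.2, the key name dhcp-updater and the guest.soho and static.soho zones are constructed for illustration.

```python
import re

# Constructed sample modelled on the page's named.conf fragments. The address
# 192.168.0.2, the key name and the guest/static zones are assumptions.
SAMPLE = '''
options { allow-update { none; }; };
zone "office.soho" IN {
        type master;
        allow-update { 192.168.0.2; };  // DHCP server IP address
};
zone "0.168.192.in-addr.arpa" IN { type master; allow-update { key "dhcp-updater"; }; };
zone "guest.soho" IN { type master; allow-update { any; }; };
zone "static.soho" IN { type master; };
'''

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError('unbalanced braces')

def classify(acl):
    """Grade the contents of one allow-update ACL by what an updater must prove."""
    entries = [' '.join(e.split()) for e in acl.split(';') if e.strip()]
    if not entries or entries == ['none']:
        return 'closed'
    if 'any' in entries:
        return 'open'
    if all(e.startswith('key ') for e in entries):
        return 'tsig-key'
    return 'address-based'  # any address entry means a source IP alone suffices

def audit(conf):
    """Map 'options' and each zone name to the grade of its allow-update ACL."""
    # Strip comments; this simple pass assumes no '//' or '#' inside quoted strings.
    conf = re.sub(r'/\*.*?\*/|(//|#)[^\n]*', '', conf, flags=re.S)
    report = {}
    for m in re.finditer(r'\b(?:options\s*|zone\s+"([^"]+)"[^{;]*)\{', conf):
        body = block_body(conf, m.end() - 1)
        upd = re.search(r'\ballow-update\s*\{', body)
        grade = classify(block_body(body, upd.end() - 1)) if upd else 'inherits-options'
        report[m.group(1) or 'options'] = grade
    return report

if __name__ == '__main__':
    print(audit(SAMPLE))
```

Zones graded address-based or open are the ones to move to key-based ACLs before the server is reachable from hosts you do not trust.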
