# Bind 9 Dynamic DNS

## richcoosa19

Ok, I have a domain that I purchased and I want to run websites through it, call it:

bindexample.com

the problem is that one server has both external and internal addresses

external-server IN A 68.71.25.23

internal-server IN A 192.168.0.1

I would like all internal computers to dynamically register their hostname with Bind through 192.168.0.1, and I would like for Bind to listen to requests on 68.71.25.23.  This works fine with the Linux boxes that I have, but the windows boxes don't know where to go to update DNS.

In the Event Viewer it says "Sent to server:  <?>"

Any thoughts?


----------

## steveb

How are your internal clients getting their IP address? With DHCP?

// SteveB

----------

## richcoosa19

 *steveb wrote:*   

> How are your internal clients getting their IP address? With DHCP?
> 
> // SteveB

 

Yes, through DHCP, and a key that was created on the server during the Bind installation should be making the update possible.

Want me to post my bind config and the current zone that's a problem?

----------

## steveb

 *richcoosa19 wrote:*   

> Want me to post my bind config and the current zone that's a problem?

 Yes please

----------

## richcoosa19

 *steveb wrote:*   

>  *richcoosa19 wrote:*   Want me to post my bind config and the current zone that's a problem? Yes please

 

named.conf:

```
// named.conf as posted. Review remarks are prefixed NOTE(review).
controls {

        // rndc control channel: reachable only via loopback and only with rndc-key.
        inet 127.0.0.1 allow {localhost; } keys { "rndc-key"; };

        };

// NOTE(review): rndc-key is reused below as the allow-update key of every zone, and
// the dhcpd.conf posted later in this thread includes the same file; whoever holds
// this one secret can both control named and rewrite the public zones. A separate
// TSIG key used only for DDNS would keep those two privileges apart.
include "/etc/bind/rndc.key";

options {

        directory "/var/bind";

        // uncomment the following lines to turn on DNS forwarding,

        // and change the forwarding ip address(es) :

        //forward first;

        //forwarders {

        //      68.87.68.162;

        //      68.87.74.162;

        //};

        //listen-on-v6 { none; };

        // NOTE(review): three separate listen-on statements for the default port;
        // the conventional form is one list, listen-on { 127.0.0.1; 192.168.0.254; 71.59.62.23; };
        // Confirm each address is really bound (the external port check later in the
        // thread suggests it is not).
        listen-on { 127.0.0.1; };

        listen-on { 192.168.0.254; };

        listen-on { 71.59.62.23; };

        // NOTE(review): no `recursion` or `allow-query` setting is active while the
        // public address 71.59.62.23 is bound, so the BIND defaults apply on the
        // Internet-facing side too; depending on the BIND version that can mean
        // recursion is offered to anyone. The later named.conf in this thread adds
        // `recursion no;` — confirm that is in place on the public address.
        // to allow only specific hosts to use the DNS server:

        //allow-query {

        //      127.0.0.1;

        //};

        //allow-query { "home"; };

        // if you have problems and are behind a firewall:

        //query-source address * port 53;

        pid-file "/var/run/named/named.pid";

};

// Briefly, a zone which has been declared delegation-only will be effectively

// limited to containing NS RRs for subdomains, but no actual data beyond its

// own apex (for example, its SOA RR and apex NS RRset). This can be used to

// filter out "wildcard" or "synthesized" data from NAT boxes or from

// authoritative name servers whose undelegated (in-zone) data is of no

// interest.

// See http://www.isc.org/products/BIND/delegation-only.html for more info

//zone "COM" { type delegation-only; };

//zone "NET" { type delegation-only; };

zone "." IN {

        type hint;

        file "named.ca";

};

// NOTE(review): even the loopback zones accept dynamic updates signed with the
// control key; `allow-update { none; };` is enough for zones nothing ever updates.
zone "localhost" IN {

        type master;

        file "pri/localhost.zone";

        allow-update { key "rndc-key"; };

        notify no;

};

zone "127.in-addr.arpa" IN {

        type master;

        file "pri/127.zone";

        allow-update { key "rndc-key"; };

        notify no;

};

// Public zone; dynamic updates are accepted from any holder of rndc-key.
zone "romefightproductions.com" IN {

        type master;

        file "pri/romefightproductions.com.zone";

        allow-update { key "rndc-key"; };

        notify no;

};

// Public zone that dhcpd (see dhcpd.conf below) registers DHCP clients into.
zone "slackwaretoy.net" IN {

        type master;

        file "pri/slackwaretoy.net.zone";

        allow-update { key "rndc-key"; };

        notify no;

};

// Reverse zone for 192.168.0.0/24; also updated by dhcpd.
zone "0.168.192.in-addr.arpa" IN {

        type master;

        file "pri/0.168.192.zone";

        allow-update { key "rndc-key"; };

        notify no;

};

include "/etc/bind/logging.conf";


```

Slackwaretoy.net zone:

```

; slackwaretoy.net zone as posted. Review remarks are prefixed NOTE(review).
; With $ORIGIN . every unqualified name below is taken relative to the root.
$ORIGIN .

$TTL 86400      ; 1 day

; RNAME keeps a literal '@' through the backslash escape; the usual mailbox
; form is richie.slackwaretoy.net.
slackwaretoy.net        IN SOA  gentoo-server.slackwaretoy.net. richie\@slackwaretoy.net. (

                                2005101029 ; serial

                                10800      ; refresh (3 hours)

                                7200       ; retry (2 hours)

                                36000000   ; expire (59 weeks 3 days 16 hours)

                                86400      ; minimum (1 day)

                                )

; blank owner fields inherit the previous owner, slackwaretoy.net (the apex)
                        NS      gentoo-server.slackwaretoy.net.

                        NS      local-server.slackwaretoy.net.

; NOTE(review): $ORIGIN . is still in effect here, so the unqualified owners
; gentoo-server, local-server and www expand to top-level names (gentoo-server.)
; and are out-of-zone data — unless the $ORIGIN slackwaretoy.net. line at the
; bottom was meant to come before them (likely a paste-order issue; confirm).
gentoo-server           A       71.59.62.23

; NOTE(review): publishes a 192.168/16 (RFC 1918) address in the public zone;
; steveb's reply below recommends a private domain or a BIND view for these.
local-server            A       192.168.0.254

; NOTE(review): a blank owner inherits the previous owner, so this MX belongs to
; local-server, not to the zone apex.
                        MX      10 gentoo-server.slackwaretoy.net.

www                     CNAME   gentoo-server.slackwaretoy.net.

; trailing $ORIGIN with no records after it has no effect
$ORIGIN slackwaretoy.net.


```

----------

## steveb

Please post the content of /etc/dhcp/dhcpd.conf as well.

// SteveB

----------

## richcoosa19

 *steveb wrote:*   

> Please post the content of /etc/dhcp/dhcpd.conf as well.
> 
> // SteveB

 

As you wish, here is dhcpd.conf:

```

# dhcpd.conf as posted. Review remarks are prefixed NOTE(review).
authoritative;

ddns-updates            on;

ddns-update-style       interim;

ddns-domainname         "slackwaretoy.net";

# NOTE(review): this pulls in BIND's rndc control key and uses it as the DDNS
# update key, so the control secret is shared with the DHCP server (steveb's
# Btw3 below makes the same point). A dedicated TSIG key would be safer.
include "/etc/bind/rndc.key";

# Forward zone dhcpd sends updates to; primary is the address named listens on.
# The key name is unquoted here, while the sample later in the thread quotes it.
zone slackwaretoy.net.{

        primary 192.168.0.254;

key rndc-key;

}

# Reverse zone for the 192.168.0.0/24 leases.
zone 0.168.192.in-addr.arpa.{

        primary 192.168.0.254;

key rndc-key;

}

subnet 192.168.0.0 netmask 255.255.255.0 {

  range 192.168.0.100 192.168.0.200;

  option domain-name-servers 192.168.0.254;

  option domain-name "slackwaretoy.net";

  option routers 192.168.0.254;

  option broadcast-address 192.168.0.255;

  default-lease-time 3600;

  max-lease-time 172800;

}


```

----------

## steveb

Can you try this dhcpd.conf file:

```
# /etc/dhcp/dhcpd.conf

# Option definitions common to all supported networks...

option domain-name "slackwaretoy.net";

option domain-name-servers 192.168.0.254;

default-lease-time 3600;

max-lease-time 172800;

# If this DHCP server is the official DHCP server for the local

# network, the authoritative directive should be uncommented.

authoritative;

# Dynamic DNS update

# NOTE(review): ad-hoc is the older update style; ISC's documentation prefers
# interim (which the original config used) — confirm the installed dhcpd
# version still accepts ad-hoc.
ddns-update-style ad-hoc;               # Can be 'none', 'ad-hoc', or 'interim'

ddns-domainname "slackwaretoy.net.";            # Name of the domain

ddns-rev-domainname "in-addr.arpa.";            # Reverse domain name

ddns-updates on;                  # Enable DDNS updates

# The server performs every DNS update itself and does not act on client
# requests to update their own names; presumably this is what sidesteps the
# Windows clients' failed self-updates ("Sent to server: <?>") — confirm.
ignore client-updates;                  # Ignore all client requests for DDNS update

update-static-leases true;                                      # Update static adresses in DNS as well

# slackwaretoy.net network (192.168.0.1 - 192.168.0.254)

subnet 192.168.0.0 netmask 255.255.255.0 {

   range 192.168.0.100 192.168.0.200;         # Range of valid IP addresses available for client offer

   # range dynamic-bootp 192.168.0.??? 192.168.0.???;   # BOOTP range

   # option ntp-servers 192.168.0.???;         # Network Time Protocol servers for the clients

   option domain-name-servers 192.168.0.254;      # DNS servers the clients should use for name resolution

   # option netbios-node-type 8;            # WINS hybrid type (WINS - broadcast)

   # option netbios-name-servers 192.168.0.???;      # WINS name servers

   option domain-name "slackwaretoy.net";         # Internet Domain Name to append to a client's hostname

   option routers 192.168.0.254;            # Gateway for the client to use

   option subnet-mask 255.255.255.0;         # Subnet mask specific to the lease range

   option broadcast-address 192.168.0.255;         # Broadcast address specific to the lease range

   default-lease-time 3600;            # Default time in seconds that the IP is leased

   max-lease-time 172800;               # Max time in seconds that the IP is leased

   always-broadcast on;               # Windows Vista needs that!

   # NOTE(review): still BIND's rndc control key (see Btw3 below); a key used
   # only in named's allow-update would limit what a leaked secret can do.
   include "/etc/bind/rndc.key";

   # Forward and reverse zones dhcpd updates, signed with the key above.
   zone slackwaretoy.net. {

      primary 192.168.0.254;

      key "rndc-key";

   }

   zone 0.168.192.in-addr.arpa. {

      primary 192.168.0.254;

      key "rndc-key";

   }

}
```

Btw: It is not a good idea to have class C addresses in your publicly available DNS server. It would probably be wise to separate them into a different domain (for example something under *.local) or to use views in BIND so they are not shown to the public.

Btw2: I have commented out some entries because I don't know whether you use them or not.

Btw3: Normally I create separate keys for DHCP. I don't like using the rndc key for DDNS updates, but since you already use the rndc key I left it there.

// SteveB

----------

## richcoosa19

 *steveb wrote:*   

> 
> 
> Btw: It is not so good to have class c addresses in your public available DNS server. It would probably be wise to separate them on a different domain (for example something in *.local) or use views in BIND to not show them to the public.
> 
> Btw2: I have remarked some entries because I don't know if you use them or not.
> ...

 

Your example worked perfectly, except for the fact that my main server is not configured for DDNS, which I didn't want.  Could you give me examples of using a view in Bind?  Or would it be better to just simply put the class C's - at least the ones that are supposed to be dynamic - in a different domain, and if so, could you give me a good example of a local type domain that will update through DDNS, whereas the others will be static - really only one address needs to be static...?  I only own one domain (slackwaretoy.net), and the other is pointed to me by someone else to host webpages for (romefightproductions.com).

In case you are wondering... I have been using tinydns instead of bind for about 3 years, but I longed for Dynamic DNS support (which tinydns did not support, as far as I could find). This is my first shot at configuring a Bind system at all.

----------

## steveb

 *richcoosa19 wrote:*   

> Your example worked perfectly, except for the fact that my main server is not configured for DDNS, which I didn't want.

 You don't want DDNS? I was under the impression that you want DDNS?

 *richcoosa19 wrote:*   

> Could you give me examples of using a view in Bind? Or would it be better to just simply put the class C's - at least the ones that are supposed to be dynamic - in a different domain, and if so, could you give me a good example of a local type domain that will update through DDNS, whereas the others will be static - really only one address needs to be static...?  I only own one domain (slackwaretoy.net), and the other is pointed to me by someone else to host webpages for (romefightproductions.com).

 I will do that. But now I need to go. Will do the examples after I return (in about 12 hours).

// SteveB

----------

## richcoosa19

 *steveb wrote:*   

>  *richcoosa19 wrote:*   Your example worked perfectly, except for the fact that my main server is not configured for DDNS, which I didn't want. You don't want DDNS? I was under the impression that you want DDNS?
> 
>  *richcoosa19 wrote:*   Could you give me examples of using a view in Bind? Or would it be better to just simply put the class C's - at least the ones that are supposed to be dynamic - in a different domain, and if so, could you give me a good example of a local type domain that will update through DDNS, whereas the others will be static - really only one address needs to be static...?  I only own one domain (slackwaretoy.net), and the other is pointed to me by someone else to host webpages for (romefightproductions.com). I will do that. But now I need to go. Will do the examples after I return (in about 12 hours).
> 
> // SteveB

 

Sorry for the mix up in words, I was really drowsy from taking an antihistamine last night.  The deal is that I have a server that needs a static DNS address to answer outside DNS requests for a couple of websites that I host.  Also I wanted to be able to use DDNS with my internal network to be able to ping the internal computers by their names.

----------

## steveb

Okay. Let's make the example with a local (on the internet not valid) domain. I call the domain richcoosa.local. Here the DHCP configuration:

```
# /etc/dhcp/dhcpd.conf

# Option definitions common to all supported networks...

# NOTE(review): the .local suffix is also claimed by multicast DNS (Bonjour/Avahi),
# so resolvers on some clients may answer these names via mDNS instead of asking
# named — a different private suffix avoids that; confirm against your clients.
option domain-name "richcoosa.local";

option domain-name-servers 192.168.0.254;

default-lease-time 3600;

max-lease-time 172800;

# If this DHCP server is the official DHCP server for the local

# network, the authoritative directive should be uncommented.

authoritative;

# Dynamic DNS update

# NOTE(review): ad-hoc is the older update style; ISC's documentation prefers
# interim — confirm the installed dhcpd version still accepts ad-hoc.
ddns-update-style ad-hoc;               # Can be 'none', 'ad-hoc', or 'interim'

ddns-domainname "richcoosa.local.";     # Name of the domain

ddns-rev-domainname "in-addr.arpa.";    # Reverse domain name

ddns-updates on;                        # Enable DDNS updates

# The server performs every DNS update itself; client self-update requests are not acted on.
ignore client-updates;                  # Ignore all client requests for DDNS update

update-static-leases true;              # Update static adresses in DNS as well

# richcoosa.local network (192.168.0.1 - 192.168.0.254)

subnet 192.168.0.0 netmask 255.255.255.0 {

   range 192.168.0.100 192.168.0.200;                   # Range of valid IP addresses available for client offer

   # range dynamic-bootp 192.168.0.??? 192.168.0.???;   # BOOTP range

   # option ntp-servers 192.168.0.???;                  # Network Time Protocol servers for the clients

   option domain-name-servers 192.168.0.254;            # DNS servers the clients should use for name resolution

   # option netbios-node-type 8;                        # WINS hybrid type (WINS - broadcast)

   # option netbios-name-servers 192.168.0.???;         # WINS name servers

   option domain-name "richcoosa.local";                # Internet Domain Name to append to a client's hostname

   option routers 192.168.0.254;                        # Gateway for the client to use

   option subnet-mask 255.255.255.0;                    # Subnet mask specific to the lease range

   option broadcast-address 192.168.0.255;              # Broadcast address specific to the lease range

   default-lease-time 3600;                             # Default time in seconds that the IP is leased

   max-lease-time 172800;                               # Max time in seconds that the IP is leased

   always-broadcast on;                                 # Windows Vista needs that!

   # NOTE(review): still BIND's rndc control key; a key that only appears in
   # named's allow-update for the private zones would be the tighter choice.
   include "/etc/bind/rndc.key";

   # Forward zone; note the name lacks the trailing dot the reverse zone (and the
   # earlier sample) carries — harmless if dhcpd accepts both forms, but keep them consistent.
   zone richcoosa.local {

      primary 192.168.0.254;

      key "rndc-key";

   }

   zone 0.168.192.in-addr.arpa. {

      primary 192.168.0.254;

      key "rndc-key";

   }

}
```

In BIND just add a new zone:

```
// Private forward zone for the DHCP clients; only rndc-key holders may update it.
// The matching reverse zone 0.168.192.in-addr.arpa is already in the posted named.conf.
zone "richcoosa.local" IN {

        type master;

        file "pri/richcoosa.local.zone";

        allow-update { key "rndc-key"; };

        notify no;

};
```

And create pri/richcoosa.local.zone:

```
; pri/richcoosa.local.zone: no $ORIGIN before the SOA, so @ and the blank owners
; below resolve to the zone name given in named.conf (richcoosa.local).
$TTL 86400  ; 1 day

; RNAME in mailbox form: richie.richcoosa.local. stands for richie@richcoosa.local
@                    IN SOA  gentoo-server.richcoosa.local. richie.richcoosa.local. (

                                2008081301 ; serial

                                10800      ; refresh (3 hours)

                                7200       ; retry (2 hours)

                                36000000   ; expire (59 weeks 3 days 16 hours)

                                86400      ; minimum (1 day)

                                )

; blank owners inherit @ (the apex): apex NS and MX
                     IN NS      gentoo-server.richcoosa.local.

                     IN MX      10 gentoo-server.richcoosa.local.

$ORIGIN richcoosa.local.

; the server's private address lives only in this private zone, as intended
gentoo-server        IN A       192.168.0.254

www                  IN CNAME   gentoo-server.richcoosa.local.
```

The real zones pri/slackwaretoy.net.zone and pri/romefightproductions.com.zone should be free of any local addresses (the ones starting with 192.168.x.x). I think you know what I mean. If not, let me know.

With the above setup all your internal DHCP clients will have a richcoosa.local domain, and the other two domains should be free of any local systems and/or addresses.

// SteveB

----------

## richcoosa19

Beautiful, I pretty much did the same thing on Friday night.  I wanted to wait until you posted to make sure I did it right though.  I created a new zone for the local addresses as network.local.  Thank you so much for all of your help Steve!

----------

## steveb

 :Smile: 

btw: I think that some stuff is not 100% okay. Look at this:

DNS report for slackwaretoy.net

DNS report for romefightproductions.com

Could you post the zone files for the above mentioned domains?

// SteveB

----------

## richcoosa19

 *steveb wrote:*   

> 
> 
> btw: I think that some stuff is not 100% okay. Look at this:
> 
> DNS report for slackwaretoy.net
> ...

 

I only have one IP since I am running this from my home Comcast ISP, so I can only have one NS in DNS. I am basically pointing all DNS for romefightproductions back to slackwaretoy.net:

Slackwaretoy.net zone file:

; slackwaretoy.net zone as posted. Review remarks are prefixed NOTE(review).
; Under $ORIGIN . every name here is written fully qualified.
$ORIGIN .

$TTL 86400      ; 1 day

@               IN SOA  gentoo-server.slackwaretoy.net. richie.slackwaretoy.net. (

                                2005101041 ; serial

                                10800      ; refresh (3 hours)

                                7200       ; retry (2 hours)

                                36000000   ; expire (59 weeks 3 days 16 hours)

                                86400      ; minimum (1 day)

                                )

; NOTE(review): these NS records are owned by dns1.slackwaretoy.net, not by the
; apex, so the zone has no apex NS set; BIND refuses to load a zone without one.
; steveb's corrected file below puts the NS at @.
dns1.slackwaretoy.net                   NS      gentoo-server.slackwaretoy.net.

dns1.slackwaretoy.net                   NS      local-server.slackwaretoy.net.

; NOTE(review): MX is attached to gentoo-server and points at slackwaretoy.net.,
; which has no address record in this file.
gentoo-server.slackwaretoy.net  IN      MX      10      slackwaretoy.net.

gentoo-server.slackwaretoy.net  IN      A       71.59.62.23

; NOTE(review): private 192.168/16 address still published in the public zone
local-server.slackwaretoy.net   IN      A       192.168.0.254

; wildcard: every otherwise-undefined name under the zone becomes an alias of gentoo-server
*.slackwaretoy.net              IN      CNAME   gentoo-server.slackwaretoy.net.

; trailing $ORIGIN / $TTL with no records after them have no effect
$ORIGIN slackwaretoy.net.

$TTL 1800       ; 30 minutes

romefightproductions.com zone file:

; romefightproductions.com zone as posted. Review remarks are prefixed NOTE(review).
$TTL 86400

; NOTE(review): MNAME gentoo-server.slackwaretoy.net has no trailing dot, so it is
; relative to the origin and expands to gentoo-server.slackwaretoy.net.romefightproductions.com;
; the RNAME also contains a literal '@' where the mailbox form richie.slackwaretoy.net. is expected.
@               IN SOA  gentoo-server.slackwaretoy.net        richie@slackwaretoy.net (

                2005101003      ;serial

                10800           ;refresh

                7200            ;retry

                36000000        ;expire

                86400)          ;default minimum ttl

; blank owner inherits @: apex NS
                IN NS   gentoo-server.slackwaretoy.net.

; NOTE(review): CNAME target lacks the trailing dot and so expands to
; gentoo-server.slackwaretoy.net.romefightproductions.com (same issue as the SOA MNAME).
*.romefightproductions.com      IN CNAME        gentoo-server.slackwaretoy.net

----------

## steveb

 *richcoosa19 wrote:*   

> I only have one IP since I am running this from my home comcast ISP.

 I think comcast is a DSL provider. Is that right? Is the IP you use a static or a dynamic IP?

// SteveB

----------

## richcoosa19

 *steveb wrote:*   

>  *richcoosa19 wrote:*   I only have one IP since I am running this from my home comcast ISP. I think comcast is a DSL provider. Is that right? Is the IP you use a static or a dynamic IP?
> 
> // SteveB

 

It's a cable internet provider, it uses a dynamic IP.  But as long as I still have the modem plugged in to answer the DHCP requests I have the same IP, I have had the same IP for about 1 year now that way.

----------

## steveb

 *richcoosa19 wrote:*   

> It's a cable internet provider, it uses a dynamic IP.  But as long as I still have the modem plugged in to answer the DHCP requests I have the same IP, I have had the same IP for about 1 year now that way.

Okay. I did not know about the non-changing IP on Comcast (this probably explains why I see so many Comcast IPs trying to send spam to my domains; probably all of them are infected Windows systems).

Anyway... Change your zone files:

slackwaretoy.net.zone:

```
; slackwaretoy.net.zone: the origin comes from the zone name in named.conf.
$TTL 86400  ; 1 day

; RNAME in mailbox form (richie.slackwaretoy.net. == richie@slackwaretoy.net)
@                    IN SOA     gentoo-server.slackwaretoy.net. richie.slackwaretoy.net. (

                                    2008081401 ; serial

                                    10800      ; refresh (3 hours)

                                    7200       ; retry (2 hours)

                                    36000000   ; expire (59 weeks 3 days 16 hours)

                                    86400      ; minimum (1 day)

                                )

; blank owners inherit @: apex NS, apex A (bare domain resolves) and apex MX
                     IN NS      gentoo-server.slackwaretoy.net.

                     IN A       71.59.62.23

                     IN MX      10 gentoo-server.slackwaretoy.net.

$ORIGIN slackwaretoy.net.

; only public addresses remain in this zone
gentoo-server        IN A       71.59.62.23

; wildcard alias: any name not defined above (www, mail, typos, ...) resolves to
; gentoo-server; with dynamic updates moved out of this zone that is a fixed set.
*                    IN CNAME   gentoo-server.slackwaretoy.net.
```

romefightproductions.com.zone:

```
; romefightproductions.com.zone: the origin comes from the zone name in named.conf.
$TTL 86400  ; 1 day

@                    IN SOA     gentoo-server.romefightproductions.com. richie.romefightproductions.com. (

                                    2008081401 ; serial

                                    10800      ; refresh (3 hours)

                                    7200       ; retry (2 hours)

                                    36000000   ; expire (59 weeks 3 days 16 hours)

                                    86400      ; minimum (1 day)

                                )

; blank owners inherit @: apex NS, A and MX. The NS is in-zone, so the
; delegation at the registrar must carry the same name and address (not
; visible here — confirm).
                     IN NS      gentoo-server.romefightproductions.com.

                     IN A       71.59.62.23

                     IN MX      10 gentoo-server.romefightproductions.com.

$ORIGIN romefightproductions.com.

gentoo-server        IN A       71.59.62.23

; wildcard alias for every otherwise-undefined name in the zone
*                    IN CNAME   gentoo-server.romefightproductions.com.
```

For proper operation of your domain you would need another DNS server as a secondary. Most TLDs require that. My suggestion would be to register quickly at EveryDNS and use them as your secondary or even as your primary. They even have tools to manage the problem with your (possibly) changing IP address.

Another provider of secondary DNS that I can recommend is Free DNS by Afraid.org. They offer roughly the same functionality as EveryDNS (but with fewer troubles than EveryDNS).

// SteveB

----------

## richcoosa19

Now when I try to get the address locally it works fine, but when I try to resolve the domain externally it doesn't resolve.

From a desktop on the local network:

Server:         192.168.0.254

Address:        192.168.0.254#53

www.slackwaretoy.net    canonical name = gentoo-server.slackwaretoy.net.

Name:   gentoo-server.slackwaretoy.net

Address: 71.59.62.23

From a desktop at my work:

Server:    (Host Address withheld for my employers security)

Address:  (IP Address withheld for my employers security)

Non-authoritative answer:

Name:    www.slackwaretoy.net

----------

## steveb

Your server is not listening on UDP port 53 on the external interface:

```
mail ~ # nmap -sV -sU -p 53 71.59.62.23

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-17 23:53 CEST

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

Nmap finished: 1 IP address (0 hosts up) scanned in 4.029 seconds

mail ~ #
```

Can you post your named.conf file?

// SteveB

----------

## richcoosa19

// named.conf as posted after the changes. Review remarks are prefixed NOTE(review).
// (`authoritative;` is a dhcpd directive, not a named one; commented out it is harmless.)
//authoritative;

// Control key, also used as the update key of the dynamic zones below and
// shared with dhcpd; a dedicated DDNS key would separate the two privileges.
include "/etc/bind/rndc.key";

options {

        directory "/var/bind";

        // uncomment the following lines to turn on DNS forwarding,

        // and change the forwarding ip address(es) :

        //forward first;

//forwarders {

//      68.87.68.162;

//      68.87.74.162;

//};

        //listen-on-v6 { none; };

        //recursion no;

        //listen-on-v6 { none; };

        // Authoritative-only: recursive queries from the Internet-facing address
        // are refused, which is the right setting for a server bound to a public IP.
        recursion no;

        listen-on-v6 { none; };

        // NOTE(review): three separate listen-on statements for the default port;
        // steveb's reply below asks for a single combined list (or `any`) because
        // the external port check did not find the public address listening.
        listen-on { 127.0.0.1; };

        listen-on { 71.59.62.23; };

        listen-on { 192.168.0.254; };

        // to allow only specific hosts to use the DNS server:

//      allow-query {

//              "any";

//      };

        //allow-query { "home"; };

        // if you have problems and are behind a firewall:

        //query-source address * port 53;

        pid-file "/var/run/named/named.pid";

};

// Briefly, a zone which has been declared delegation-only will be effectively

// limited to containing NS RRs for subdomains, but no actual data beyond its

// own apex (for example, its SOA RR and apex NS RRset). This can be used to

// filter out "wildcard" or "synthesized" data from NAT boxes or from

// authoritative name servers whose undelegated (in-zone) data is of no

// interest.

// See http://www.isc.org/products/BIND/delegation-only.html for more info

//zone "COM" { type delegation-only; };

//zone "NET" { type delegation-only; };

zone "." IN {

        type hint;

        file "named.ca";

};

// loopback zones: static now (allow-update none), as they should be
zone "localhost" IN {

        type master;

        file "pri/localhost.zone";

        allow-update { none; };

        notify no;

};

zone "127.in-addr.arpa" IN {

        type master;

        file "pri/127.zone";

        allow-update { none; };

        notify no;

};

// NOTE(review): this whole zone is commented out, so named is not authoritative
// for romefightproductions.com at all; the opening line also lost its `zone`
// keyword, which must be restored when the block is re-enabled.
/* "romefightproductions.com" IN {

        type master;

        file "pri/romefightproductions.com.zone";

        allow-update { none; };

        notify no;

};

*/

// public zone, static: dynamic updates are no longer accepted here
zone "slackwaretoy.net" IN {

        type master;

        file "pri/slackwaretoy.net.zone";

        allow-update { none; };

        notify no;

};

// reverse zone for the DHCP range; still updated by dhcpd with rndc-key
zone "0.168.192.in-addr.arpa" IN {

        type master;

        file "pri/0.168.192.zone";

        allow-update { key "rndc-key"; };

        notify no;

};

// private forward zone for the DHCP clients. NOTE(review): `notify yes` differs
// from every other zone here; with no secondary listed it only sends NOTIFYs to
// the zone's own NS records — presumably unintended, confirm.
zone "network.local" {

        type master;

        file "pri/network.local";

        allow-update { key "rndc-key"; };

        notify yes;

};

include "/etc/bind/logging.conf";

----------

## steveb

Please change:

```
// three separate listen-on statements, as in the posted named.conf
listen-on { 127.0.0.1; };

listen-on { 71.59.62.23; };

listen-on { 192.168.0.254; };
```

to:

```
// one address list: loopback, the public address and the LAN address
listen-on { 127.0.0.1; 71.59.62.23; 192.168.0.254; };
```

or to:

```
// binds every interface, the public one included; keep `recursion no;` (already
// in the posted named.conf) so the Internet-facing side stays authoritative-only
listen-on { any; };
```

Then restart BIND and check again.

// SteveB

----------

