intro

Both DNS and DDNS serve the purpose of translating hostnames into IP addresses. From the viewpoint of a DNS client, these two services are quite similar. However, the key distinction between the two lies in the frequency of updates to the DNS server’s records. In DNS, updates to records are performed manually by the record owner whenever there are changes to its infrastructure, which occurs only sporadically. Conversely, in DDNS, updates to the records occur more frequently and are automated to ensure that DNS clients always have access to the most up-to-date information.

types of DDNS

There are two main types of DDNS:

  • Standards-Based: RFC 2136 defines a standardized mechanism for extending the DNS protocol to support automated updates. This form of DDNS adheres to the standard and is frequently utilized as an extension of a DHCP system.
  • Proprietary: Despite the existence of a standard for DDNS implementation, custom implementations also exist. These custom implementations frequently utilize HTTP, along with a set of user credentials, to log in and modify DNS records as required.

how to setup a DDNS using bind9

Installation

bind9 is a popular DNS server that can be used to illustrate this concept. It can be installed with

> apt install bind9

After the installation, you may need to go to your DNS provider and add records such as the following, which delegate the DDNS subdomain to your server:

subdomain.ddns.test.com 3600 IN NS ns.test.com
ns.test.com 3600 IN A <server-ip>

Configuration

It is preferable to generate a symmetric TSIG key with dnssec-keygen or, on newer bind9 releases, tsig-keygen (used below). Usually, it is saved in a file with the following content:

# tsig-keygen keyname >> /secrets/keyname
key "keyname" {
    algorithm hmac-sha256;
    secret "BASE64=";
};

NOTE: keyname is the name of the key. The key (the value next to secret) can be passed to a DNS update tool such as nsupdate to update records on a DNS server.

# e.g. updating a DNS record with nsupdate; the key name must match the one declared in named.conf
> nsupdate -y hmac-sha256:keyname:<secret>
>> server ns.test.com
>> update add <record-name>.subdomain.ddns.test.com. 3600 A <ip>
>> send
>> quit

Ensure the file's permissions let the process that needs to update the record read it, and nobody else, since anyone holding the secret can change records in the zone.

Then, edit the file /etc/bind/named.conf and add the following zone definition:

zone subdomain.ddns.test.com. {
    type master;
    file "/var/lib/bind/db.subdomain.test.com";
    allow-update { key keyname; };
};

This entry defines a new DNS zone; the zone's records still have to be provided in a db file. The allow-update attribute enables DDNS mode: records in the zone may be changed only by update requests signed with the key named keyname. For more detail, read here: https://www.zytrax.com/books/dns/ch7/xfer.html#allow-update

The zone file would look something like the one below. You may find a reference here: https://linux.robert-scheck.de/netzwerk/eigener-dyndns-dienst/

$ORIGIN .
$TTL 84600      ; 23 hours 30 minutes
subdomain.ddns.test.com IN SOA  ns.test.com.  hostmaster.test.com. (
                                2023050901 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns.test.com.

Now, you can restart the service and test a DNS record update:

> systemctl restart bind9
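To make concrete what the nsupdate command above puts on the wire and what allow-update { key keyname; } checks on the server, here is an added example (my own code, not from the original post or from bind9): it builds an RFC 2136 UPDATE for the zone above, signs it with an hmac-sha256 TSIG key the way nsupdate -y does, and verifies it the way named would, with a stale timestamp or a wrong key rejected. The secret, the host name and the IP address are constructed sample values.

```python
import base64, hashlib, hmac, struct, time
# Constructed sample key, standing in for what "tsig-keygen keyname" writes; not from the original post.
KEY_NAME = "keyname"
SECRET_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels terminated by the root label."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_update(zone, fqdn, ip, ttl=3600, msg_id=0x1234):
    """Unsigned RFC 2136 UPDATE: delete fqdn's old A RRset, then add the new A record."""
    header = struct.pack("!6H", msg_id, 0x2800, 1, 0, 2, 0)          # opcode UPDATE; ZO=1 PR=0 UP=2 AD=0
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)          # zone name, type SOA, class IN
    delete = encode_name(fqdn) + struct.pack("!HHIH", 1, 255, 0, 0)  # type A, class ANY, TTL 0, no RDATA
    add = encode_name(fqdn) + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + zone_sec + delete + add

def tsig_mac(unsigned, key_name, secret_b64, now, fudge):
    """HMAC-SHA256 over the unsigned message plus the TSIG variables (RFC 8945, section 4.3)."""
    tsig_vars = (encode_name(key_name.lower()) + struct.pack("!HI", 255, 0)          # class ANY, TTL 0
                 + encode_name("hmac-sha256")
                 + struct.pack("!HIHHH", now >> 32, now & 0xFFFFFFFF, fudge, 0, 0))  # time, fudge, error, other-len
    return hmac.new(base64.b64decode(secret_b64), unsigned + tsig_vars, hashlib.sha256).digest()

def tsig_sign(unsigned, key_name, secret_b64, now=None, fudge=300):
    """Append the TSIG RR and bump ARCOUNT, which is what nsupdate -y hmac-sha256:keyname:<secret> does."""
    now = int(time.time()) if now is None else now
    mac = tsig_mac(unsigned, key_name, secret_b64, now, fudge)
    rdata = (encode_name("hmac-sha256") + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, fudge, len(mac))
             + mac + unsigned[:2] + struct.pack("!HH", 0, 0))         # original ID, error NOERROR, other-len 0
    tsig_rr = encode_name(key_name.lower()) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", unsigned[10:12])[0] + 1
    return unsigned[:10] + struct.pack("!H", arcount) + unsigned[12:] + tsig_rr

def tsig_verify(signed, key_name, secret_b64, now=None):
    """Server-side check behind allow-update { key keyname; }: strip the TSIG RR, recompute the MAC, check time."""
    now = int(time.time()) if now is None else now
    kname = encode_name(key_name.lower())
    start = signed.rfind(kname + struct.pack("!HH", 250, 255))       # the TSIG RR is always the last RR
    if start < 0: return False                                       # unsigned request: refused under allow-update
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:start]
    rdata = signed[start + len(kname) + 10:]
    off = len(encode_name("hmac-sha256"))
    thi, tlo, fudge, maclen = struct.unpack("!HIHH", rdata[off:off + 10])
    signed_time, mac = (thi << 32) | tlo, rdata[off + 10:off + 10 + maclen]
    good_mac = hmac.compare_digest(mac, tsig_mac(unsigned, key_name, secret_b64, signed_time, fudge))
    return good_mac and abs(now - signed_time) <= fudge              # BADSIG or BADTIME both reject the update
```

Sending the signed bytes over UDP port 53 to ns.test.com is all nsupdate adds on top of this; the time window (fudge) is why clients and the server need reasonably synchronised clocks.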

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack