
I am curious if I can use my BIND9 server to provide dynamic dns for a couple IPsec tunnels I want to setup. 2 of the endpoints have dynamic IP addresses, the "main" endpoint is a static address.

I would use no-ip.org or something else but I want more control and don't want to pay for the pro version.

I already have DNSSEC running. So would I just expose the server to the internet via NAT? or should I do something to BIND9 to bolt it down? Maybe a separate domain?

As far as updates I would be using the Dynamic DNS server in my pfSense boxes they support for RFC 2136 (Dynamic DNS updates).

Any insight would be appreciated.

AtomicPorkchop
  • DNSSEC has nothing to do with dynamic updates. Look up TSIG for doing low grade update security (allowing updates only over the tunnel would be a better idea, but may not be workable). Sorry for the short response, no time for a full answer right now. But the short answer is yes, it would work basically as you describe. – Chris S Dec 20 '11 at 04:25
  • Ah ok perfect. I am using BIND views so I can keep the DNS server split. Is there anything else I can / should do? Normally I would restrict which WAN addresses are allowed to access the server, but the IP changes so I can do that. – AtomicPorkchop Dec 20 '11 at 05:05
  • What is the current use of your bind9? – Sandman4 Dec 20 '11 at 11:11
  • @Sandman4 it was originally only running internal DNS. – AtomicPorkchop Dec 21 '11 at 00:45

1 Answer

Can I use my Linux BIND9.... the answer is yes.

Maybe you can find some substitute to no-ip.com that will satisfy - here is the complete list

Yes, you could expose bind via NAT, why not (and it's not related to DNSSEC)? I think it's designed to be used on the internet :)? To make it safer, you can add something like the following:

options {
    allow-transfer { none; };      // nobody may pull the zone with AXFR/IXFR
    allow-recursion { none; };     // authoritative only: do not become an open resolver
    allow-query-cache { none; };   // never hand out cached answers to the internet
    allow-update { key "updates-key"; };   // updates accepted only when signed with this TSIG key
};
key "updates-key" {
    algorithm hmac-md5;            // hmac-md5 is deprecated in current BIND; hmac-sha256 is preferred
    secret "zzzzzzzzzzzzzzzzzzzzz==";   // placeholder; generate a real secret with tsig-keygen
};

Depending on the purpose of your DNS server, you can use split views to hide private information, allow recursion for certain IP ranges, etc.

Sandman4
  • Yeah that is exactly what I am doing. I DO NOT allow updates unless you have a key, that is how I planned to allow updates without exposing my server to really bad things. I am also using BIND views to control what is visible from the internet. You said DNSSEC is not related? Then what is DNSSEC because I thought that was the process that protects DNS servers from unauthorized updates by using keys. – AtomicPorkchop Dec 21 '11 at 00:49
  • btw that link is broken, it takes me to the DNS "can't find this site" page. – AtomicPorkchop Dec 21 '11 at 01:15
  • sorry for the link - fixed – Sandman4 Dec 21 '11 at 08:16
  • DNSSEC is not about updates at all, it's about ANSWERS - a DNSSEC server once configured (it's a somewhat complicated process) provides cryptographically signed answers so that clients can verify that answers really originate from the authoritative server and thus prevents spoofing attacks. – Sandman4 Dec 21 '11 at 08:46
  • Oh okay. Because I am also running DNSSEC on the same server, I thought that was how to secure the server for updates. – AtomicPorkchop Dec 21 '11 at 23:02
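The TSIG-keyed update setup from the answer, carried one step further as an added example (not code from the answer or from BIND/pfSense): one HMAC-SHA256 key per tunnel endpoint, a per-zone update-policy so each key can only rewrite its own A record instead of the global allow-update in options, and the nsupdate batch an endpoint would send. The zone name "dyn.example.net", the host names "site-a"/"site-b", the server "ns1.dyn.example.net" and the address 203.0.113.10 are constructed assumptions.

```shell
#!/bin/sh
# Constructed example; adjust ZONE and host names to your own setup.
set -e
ZONE="dyn.example.net"

# 256-bit random secret, base64 encoded, as named.conf expects it.
# One secret per endpoint: a key leaked from one pfSense box cannot
# touch the other site's record.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# named.conf key statement for one endpoint (hmac-sha256, not hmac-md5).
key_stanza() {
    name="$1"; secret="$2"
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$name" "$secret"
}

# Zone stanza whose update-policy grants each key exactly one name and one type.
# Unlike allow-update in options, a key here cannot alter any other record.
zone_stanza() {
    zone="$1"; shift
    printf 'zone "%s" {\n    type master;\n    file "dynamic/%s.db";\n    update-policy {\n' "$zone" "$zone"
    for host in "$@"; do
        printf '        grant %s-key name %s.%s A;\n' "$host" "$host" "$zone"
    done
    printf '    };\n};\n'
}

# RFC 2136 update batch an endpoint sends (pfSense does the equivalent itself):
# drop the old A record and add the current WAN address with a short TTL.
nsupdate_batch() {
    host="$1"; zone="$2"; ip="$3"
    printf 'server ns1.%s\nzone %s\nupdate delete %s.%s A\nupdate add %s.%s 300 A %s\nsend\n' \
        "$zone" "$zone" "$host" "$zone" "$host" "$zone" "$ip"
}

main() {
    for site in site-a site-b; do key_stanza "$site-key" "$(gen_secret)"; done
    zone_stanza "$ZONE" site-a site-b
    # On the endpoint this batch would be fed to: nsupdate -k site-a-key.conf
    nsupdate_batch site-a "$ZONE" 203.0.113.10
}
main
```

The key statements and zone stanza go into named.conf on the static "main" endpoint; each remote site gets only its own key file.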