1

I set up my own dynamic DNS server with Bind on Debian Jessy. Everything is running fine and smooth. The actual ddns update is done with nsupdate (executed by php on the same server). The php link itself is encrypted with https but I wondered whether the nsupdate command which also includes the ddns secret key string is encrypted somewhat, too? Theoretically and generally spoken, if it weren't encrypted someone could read the secret key during the transmission which would allow him to send ddns updates himself to a server?

If so, is there a way to ensure the nsupdate is only run locally (since it is executed on the same/my server anyway) or some other security measure? Currently, the lines use the server's official DNS name within the nsupdate command instead of 'localhost' or something (not sure if that is even supported):

server ns1.external-domain-name.de
zone external-domain-name.de.
key ddns.external-domain-name.de.key MySecretKey12345
update delete ddns.external-domain-name.de.
update add ddns.external-domain-name.de 60 A
send
Markus K.
  • 11
  • 1
  • The messages are not encrypted but the shared-secret key is not sent and thus cannot be eavesdropped; it is used to generate (at the client) and verify (at the server) a Message Authentication Code, which without `-g` or `-o` is specifically HMAC (rfc2104) using MD5 (rfc1321). – dave_thompson_085 Nov 14 '16 at 20:18

2 Answers2

1

The secret is encrypted. We can't tell you the strength of the encryption as you didn't provide us the specifics (HMAC-MD5 via TSIG, etc.), but it is a safe assumption that DDNS secrets include a cryptographic wrapper of some sort. They would be susceptible to replay attacks otherwise, as you have noted.

Andrew B
  • 32,588
  • 12
  • 93
  • 131
  • 1
    If encryption were used it wouldn't prevent replay, and encryption alone wouldn't prevent tampering/forgery. TSIG (or SIG(0)) does prevent tampering/forgery, and a time check prevents _most_ replay, see rfc2845 3.3, 4.5.2, 6.4. – dave_thompson_085 Nov 14 '16 at 20:18
  • @dave Correct, I was braindead from a maintenance when I wrote that. The intent was to state that the encapsulation method (TSIG, SIG(0), etc.) and server software take that into consideration. – Andrew B Nov 14 '16 at 20:19
0

The commands can be sent in clear, but the secret key used to allow the updates is not.

But anyway, if you need to do the updates on the same host, it is easier to use the -l option with nsupdate. It will use a self-generated key and only communicate with localhost :

-l
Local-host only mode. This sets the server address to localhost (disabling the server so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in /var/run/named/session.key, which is automatically generated by named if any local master zone has set update-policy to local.

For that, you need to add update-policy local; in your dynamic zone definition:

zone "dyn.example.com" {
    type master;
    file "/var/cache/bind/dyn.example.com";
    update-policy local;
};

And you need to restart the server with systemctl restart bind9 or the equivalent on your system. rndc reload is not sufficient to make it generate the special "local-ddns" key.

If you need more rules in your update-policy, you need to replace that update-policy local; with a section that includes grant local-ddns zonesub ANY; instead. You cannot have both the simple "local" line and a real policy section. So you need something like this:

zone "dyn.example.com" {
  type master;
  file "/var/cache/bind/dyn.example.com";
  update-policy {
    grant local-ddns zonesub ANY; // Generates a "local-ddns" key in /var/run/named/session.key
    // other update policies
    // grant   *.dyn.example.com. self *.dyn.example.com. ANY;
  };
};

Then you can do updates like this:

host=myhost: ip=10.1.2.3.4
printf "update add $host.dyn.example.com. 3600 A $ip\n\n" | nsupdate -l

If you use config files to feed to nsupdate -l, you cannot have a server ... line in them or you will get this error:

cannot reset server in localhost-only mode
syntax error
mivk
  • 4,004
  • 3
  • 37
  • 32