00-dark - ZYTRAX

Module 9
Dynamic DNS (DDNS)

Dynamic DNS (DDNS)
- Allows DNS RRs to be updated in real time from one or more locations
- Cannot add or delete zones (BIND - the server must be reloaded for that)
- BIND tool - nsupdate
- Windows - AD makes extensive use of it
- Update target is defined by the SOA Primary Master entry

DDNS - Usage
- DHCP - forward and reverse mapping (especially IPv6)
- RR changes - immediately available
- NOTIFY propagates to slaves
- Large zones - invokes IXFR to reduce transfer times
DDNS - Security

DDNS - Security Issues
- Remote access is always a problem
- Corruption affects the master file
- If I can, bad guys can
- Propagates to all slaves
- BIND disables DDNS by default
DDNS - Security Control
- allow-update - zone level
- update-policy - RR level
- Both allow IP/TSIG/SIG(0) access control
- nsupdate is invoked with the -k option if TSIG/SIG(0) is used
DDNS - allow-update
zone "example.com" in {
    type master;
    file "master.example.com";
    allow-update {10.1.2.5;}; // this zone only; source-IP match, no authentication
    ....
};
zone "example.com" in {
    type master;
    file "master.example.com";
    allow-update {key "example.com";}; // TSIG key; needs a matching key statement in named.conf
};
DDNS - update-policy
zone "example.net" in {
    type master;
    file "master.example.net";
    // one update-policy statement per zone; each grant is checked in order
    update-policy {
        // key "example.com" may update any RR type at or below example.net
        grant example.com subdomain example.net ANY;
        // any key may update A RRs whose owner name equals the key name
        grant * self * A;
        // key "fred.example.net" may update only the MX RRs of example.net
        grant fred.example.net name example.net MX;
    };
};
DDNS - nsupdate
# nsupdate
> server ns1.example.com
> zone example.com
> update add new 36000 IN A 192.168.5.4
> send
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERR id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> zone example.net
> update add another.example.net. 36000 IN A 192.168.7.15
> send
> quit
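Added example, not from the ZYTRAX slides: what happens on the wire when nsupdate -k sends "update add new 36000 IN A 192.168.5.4" for zone example.com under the key "example.com" from the allow-update slide. It builds the RFC 2136 UPDATE message, appends the TSIG RR (RFC 8945, hmac-sha256) and runs the server-side check, including the fudge window that limits replay of a captured update. The secret and timestamp are constructed values.

```python
import hmac, hashlib, struct

ALG = "hmac-sha256."                 # TSIG algorithm name (sent in wire format)
KEY_NAME = "example.com."            # matches allow-update { key "example.com"; }
SECRET = b"constructed-demo-secret"  # constructed; real secrets come from tsig-keygen

def wire_name(name):
    """Dotted name -> uncompressed DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_update(zone, owner, ttl, ipv4, msg_id=0):
    """RFC 2136 UPDATE: ZONE=1 (the zone's SOA), PREREQ=0, UPDATE=1 (add an A RR), ADDITIONAL=0."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)    # opcode 5 = UPDATE
    zone_entry = wire_name(zone) + struct.pack("!HH", 6, 1)          # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    add_rr = wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # type A, class IN
    return header + zone_entry + add_rr

def _tsig_vars(key_name, signed_at, fudge):
    """TSIG variables hashed after the message (RFC 8945 4.3.3); error 0, no other data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)         # class ANY, TTL 0
            + wire_name(ALG) + struct.pack("!HIHHH", signed_at >> 32,
                                           signed_at & 0xFFFFFFFF, fudge, 0, 0))

def tsig_sign(msg, key_name, secret, signed_at, fudge=300):
    """Append a TSIG RR covering msg: the work 'nsupdate -k keyfile' does before 'send'."""
    mac = hmac.new(secret, msg + _tsig_vars(key_name, signed_at, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(ALG) + struct.pack("!HIHH", signed_at >> 32, signed_at & 0xFFFFFFFF,
                                          fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1                 # TSIG is counted in ADDITIONAL
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def tsig_verify(signed, key_name, secret, now):
    """Server-side check: recompute the MAC over everything before the TSIG RR (ARCOUNT decremented)
    and enforce the fudge window. Demo shortcut: the TSIG RR is found by owner name, not by parsing."""
    pos = signed.rfind(wire_name(key_name) + struct.pack("!HH", 250, 255))
    if pos < 0:
        return False                                                 # unsigned: reject when a key is required
    rd = pos + len(wire_name(key_name)) + 10                         # skip name, type, class, TTL, RDLENGTH
    alg_end = signed.index(b"\x00", rd) + 1
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    signed_at = (hi << 32) | lo
    mac = signed[alg_end + 10:alg_end + 10 + maclen]
    msg = signed[:10] + struct.pack("!H", struct.unpack("!H", signed[10:12])[0] - 1) + signed[12:pos]
    expected = hmac.new(secret, msg + _tsig_vars(key_name, signed_at, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - signed_at) <= fudge
```

A wrong key, a single flipped byte, an unsigned message or a timestamp outside the fudge window all make tsig_verify return False, which is why the key-based allow-update is the safer of the two forms on the slide.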
Quick Quiz
- What does DDNS stand for?
- Name one typical use for DDNS.
- Why is DDNS dangerous?
- Name one BIND parameter that controls DDNS access.
- Is DDNS enabled by default in BIND?
