00-dark - ZYTRAX
Module 9
Dynamic DNS (DDNS)
Allows DNS RRs to be updated in real time from one or more locations
Cannot add or delete zones (in BIND the server must be reloaded for that)
BIND tool: nsupdate
Windows: Active Directory makes extensive use of DDNS
Update target is defined by the Primary Master (MNAME) entry of the zone's SOA RR
DDNS - Usage
DHCP: forward and reverse mapping (especially for IPv6)
RR changes are immediately available
NOTIFY propagates the changes to slaves
Large zones: invokes IXFR to reduce transfer times
DDNS - Security
DDNS – Security Issues
Remote access is always a problem
Corruption affects the master (zone) file
If I can, bad guys can
Propagates to all slaves
BIND disables DDNS by default
DDNS – Security Control
allow-update: zone level
update-policy: RR level
Both allow IP / TSIG / SIG(0) access control
nsupdate is invoked with the -k option when TSIG or SIG(0) is used
DDNS – allow-update
zone "example.com" in {
    type master;
    file "master.example.com";
    allow-update { 10.1.2.5; };   // this zone only, controlled by source IP address
    ....
};
zone "example.com" in {
    type master;
    file "master.example.com";
    allow-update { key "example.com"; };   // alternative: TSIG key, defined in a key statement
};
DDNS – update-policy
zone "example.net" in {
    type master;
    file "master.example.net";
    update-policy {
        // key "example.com" may update any RR type at any name under example.net
        grant example.com subdomain example.net ANY;
        // any key may update A RRs only at the name that matches its own key name
        grant * self * A;
        // key "fred.example.net" may update MX RRs only at the name example.net
        grant fred.example.net name example.net MX;
    };
};
DDNS - nsupdate
# nsupdate
> server ns1.example.com
> zone example.com
> update add new 36000 IN A 192.168.5.4
> send
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERR id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> zone example.net
> update add another.example.net. 36000 IN A 192.168.7.15
> send
> quit
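What nsupdate sends on `send` is an RFC 2136 UPDATE message; the `show` output above reports all-zero section counts because it was issued after `send` had already flushed the buffered update. The Python below is an added illustration, not part of the ZYTRAX course material: it builds the same message for `update add new 36000 IN A 192.168.5.4` in zone example.com, signs it with a TSIG key the way `nsupdate -k` does (HMAC-SHA256, RFC 8945), and then performs the server-side check that sits behind `allow-update { key "example.com"; };` (in named.conf the shared secret lives in a `key "example.com" { algorithm hmac-sha256; secret "..."; };` statement): recompute the MAC with the shared secret and reject the update if the key name is unknown, the MAC does not match, or the timestamp is outside the fudge window. The key name `example.com.`, the secret and the fixed timestamp are constructed values; the code uses only the standard library and never touches the network.

```python
"""RFC 2136 DNS UPDATE message: build it, TSIG-sign it (RFC 8945, hmac-sha256) and
verify it server-side. Added illustration; key name, secret, timestamp are constructed."""
import hashlib
import hmac
import struct
import time

OPCODE_UPDATE = 5                       # header opcode for UPDATE
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
TSIG_ALG = "hmac-sha256."               # algorithm name is carried as a domain name

def encode_name(name):
    """Wire-format a dotted name, uncompressed."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Read an uncompressed name; return (name, offset after it)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, owner, ipv4, ttl=36000, msg_id=0):
    """Equivalent of nsupdate 'zone <zone>' + 'update add <owner> <ttl> IN A <ipv4>'."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)  # ZO=1, UP=1
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    a_rr = rr(owner, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ipv4.split(".")))
    return header + zone_section + a_rr

def parse_header(msg):
    """The fields nsupdate's 'show' prints: opcode and the four section counts."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zone": zo, "prereq": pr, "update": up, "additional": ad}

def tsig_digest_input(msg, key_name, time_signed, fudge, error=0, other=b""):
    """Bytes the MAC covers: the message before TSIG, then the canonical TSIG variables."""
    return (msg + encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to msg: what 'nsupdate -k keyfile' does to every update it sends."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, tsig_digest_input(msg, key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + msg[:2] + b"\x00\x00\x00\x00")
    arcount = struct.unpack("!H", msg[10:12])[0] + 1          # TSIG is counted in ARCOUNT
    return (msg[:10] + struct.pack("!H", arcount) + msg[12:]
            + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata))

def tsig_verify(signed, keys, now=None):
    """The server-side check behind allow-update { key "..."; }: accept only when the
    last RR is a TSIG for a known key, the time is inside the fudge window and the MAC
    recomputed with the shared secret matches. keys maps lower-case key name -> secret."""
    hdr, off, last = parse_header(signed), 12, None
    for _ in range(hdr["zone"]):                               # skip the zone section
        off = decode_name(signed, off)[1] + 4
    for _ in range(hdr["prereq"] + hdr["update"] + hdr["additional"]):
        last = off                                             # remember where the last RR starts
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    if last is None:
        return False
    key_name, p = decode_name(signed, last)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG or key_name.lower() not in keys:
        return False
    alg, p = decode_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[p + 6:p + 10])
    mac, p = signed[p + 10:p + 10 + mac_len], p + 10 + mac_len
    error, other_len = struct.unpack("!HH", signed[p + 2:p + 6])   # skip original ID
    other = signed[p + 6:p + 6 + other_len]
    now = int(time.time()) if now is None else now
    if alg.lower() != TSIG_ALG or abs(now - time_signed) > fudge:
        return False
    # Rebuild the message as it was signed: drop the TSIG RR and decrement ARCOUNT.
    unsigned = signed[:10] + struct.pack("!H", hdr["additional"] - 1) + signed[12:last]
    expected = hmac.new(keys[key_name.lower()], tsig_digest_input(
        unsigned, key_name, time_signed, fudge, error, other), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    msg = build_update("example.com.", "new.example.com.", "192.168.5.4")
    print(parse_header(msg))                                   # opcode 5, zone 1, update 1
    signed = tsig_sign(msg, "example.com.", b"constructed-shared-secret")
    print(tsig_verify(signed, {"example.com.": b"constructed-shared-secret"}))   # True
    print(tsig_verify(signed, {"example.com.": b"not-the-shared-secret"}))       # False
```

The point of the verification function is the one the slide makes with `allow-update { key ...; }`: an update is accepted on the strength of a MAC over the whole message, so an unsigned message, a message signed with a different secret, a message whose RDATA was altered after signing, or a replayed message older than the fudge window are all refused before the zone file is touched. The same wire format is what `update-policy` rules evaluate, with the TSIG key name as the identity.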
Quick Quiz
What does DDNS stand for?
Name one typical use for DDNS.
Why is DDNS dangerous?
Name one BIND parameter that controls DDNS access.
Is DDNS enabled by default in BIND?