Place Ghantoos

WRT54GL: OpenWRT Kamikaze 0.9 and dynamic DNS (nsupdate/bind)


Hello again,

My first objective was to update my DNS from home. The problem was:
1- I wanted it to be secure (or at least as secure as possible)
2- my PC is behind a beautiful WRT54GL, which leaves me with nothing but my LAN IP.
So I had to install the stuff on my Linksys running OpenWRT Kamikaze 0.9.
After some research and some small space headaches (the WRT54GL only has 4 MB of flash), here is what I did:

1. First, on my server running bind
2. Then on my little OpenWRT

Setting up your server dns (bind) to accept specific dynamic updates

First of all, of course, you should have an up-and-running bind server.
The first thing to do is to generate a key, so that updates are restricted to whoever holds it. This is a TSIG shared secret: the same key signs the update on the router and verifies it on the server.

sudo dnssec-keygen -a HMAC-MD5 -b 512 -n HOST yourkey

This should create Kyourkey.+157+17032.key & Kyourkey.+157+17032.private (157 is the algorithm number of HMAC-MD5; the last number is the key id and will differ for you).
Those two files will have to be sent to your OpenWRT so it is able to sign its updates. HMAC-MD5 is used throughout this post; on a current BIND, MD5 being deprecated, you would rather generate the key with tsig-keygen -a hmac-sha256 and use algorithm hmac-sha256 in the stanza below.

First, in named.conf.options (note that this option turns on DNSSEC support in named; it is not what authorises updates, that is done by the update-policy on the zone further down):

 vi /etc/bind/named.conf.options  ## then add:

dnssec-enable yes;

Now edit named.conf to tell named about the generated key, and in which case it may be used.
To do this, you will have to copy the secret contained in the generated Kyourkey.+157+17032.key:

sudo less Kyourkey.+157+17032.key ## which should give you something like this:

yourkey. IN KEY 512 3 157 ASDOKn3qsdk45naozeA2ZOnZ42EAZE/az97e5o43SDQknqs1gFldk/6OAZELqsd91nqjdnJZA2EjQSAZo AOZe==  ## of course, this is not a real one : )

Everything after the algorithm number 157 is the base64 secret; if it is printed in several space-separated chunks, join them into one string before pasting.

Now paste this secret into named.conf, together with an update-policy on the zone naming the specific host you want to update remotely:

vi /etc/bind/named.conf ## and add the following:

key "yourkey" {
  algorithm hmac-md5;
  secret "ASDOKn3qsdk45naozeA2ZOnZ42EAZE/az97e5o43SDQknqs1gFldk/6OAZELqsd91nqjdnJZA2EjQSAZoAOZe==";
};

...

zone "yoursite.com" {
        type master;
        file "/etc/bind/yourzone_file";
        update-policy { grant yourkey subdomain something.yoursite.com. A TXT; };
};

Two things to keep in mind here. named.conf is often world-readable, and the key stanza is the shared secret itself, so it is better kept in a separate file readable only by root and the group named runs as, pulled into named.conf with an include statement. And "subdomain something.yoursite.com." lets the key change the A and TXT records of something.yoursite.com and of every name below it; if only that one host should ever be updated, the nametype "name" instead of "subdomain" restricts the grant to exactly that name, so nothing else in the zone can be touched with this key.

Now back up your zone file (just in case): sudo cp db.yoursite.com db.yoursite.com.bak
Then make named reload its configuration; kill -HUP does it, as does rndc reload on BIND 9 (which also reports configuration errors instead of silently keeping the old config running):

sudo killall -HUP named

Now you should scp the key files to your box or OpenWRT. The .private file is created mode 600 and owned by root, so either copy it with sudo, or temporarily sudo chmod 644 Kyourkey.* to be able to send them and sudo chmod 600 Kyourkey.* afterwards to put them back (they are not executables, so there is no reason to make them 755). For an HMAC key the .key file holds the same secret as the .private file, so both need the same care.
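The server side put together as a script, as an added example that is not from the original post: it reads the K*.key file dnssec-keygen produced, joins the base64 chunks into one secret, writes the key stanza to its own root:bind 0640 file (to be included from named.conf instead of pasted into it), prints a zone block whose update-policy grants that one host name only, and runs named-checkconf when it is available. The /etc/bind/keys path, the group name bind and the use of the name nametype are assumptions, not from the post; the algorithm map also covers the HMAC-SHA numbers that newer key generators emit, which the post does not use.

```shell
#!/bin/sh
# Added example, not from the original post: server-side helper for the steps above.
# It turns a dnssec-keygen K*.key file into a BIND key {} stanza, stores it in its own
# restricted file, prints the matching zone/update-policy block and checks the config.
# Assumptions (not from the post): keys live in /etc/bind/keys, named runs as group
# "bind", and the policy uses the tighter "name" nametype instead of "subdomain".

# Map dnssec-keygen/tsig-keygen algorithm numbers to BIND algorithm names.
# 157 is the HMAC-MD5 the post uses; 161-165 are the HMAC-SHA family.
alg_name() {
    case "$1" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        162) echo hmac-sha224 ;;
        163) echo hmac-sha256 ;;
        164) echo hmac-sha384 ;;
        165) echo hmac-sha512 ;;
        *)   echo "unknown TSIG algorithm number: $1" >&2; return 1 ;;
    esac
}

# Print a key {} stanza for the KEY record in file $1 (e.g. Kyourkey.+157+17032.key).
# The record looks like:  yourkey. IN KEY 512 3 157 <base64>
# dnssec-keygen may print the base64 in several space-separated chunks; they are joined.
tsig_stanza_from_keyfile() {
    rec=$(grep ' KEY ' "$1" | head -n 1)
    [ -n "$rec" ] || { echo "no KEY record in $1" >&2; return 1; }
    set -- $rec                       # split the record into its fields
    name=${1%.}                       # owner name without the trailing dot
    while [ "$1" != "KEY" ]; do       # skip the owner name and the optional class
        shift
        [ $# -gt 4 ] || { echo "malformed KEY record" >&2; return 1; }
    done
    alg=$(alg_name "$4") || return 1  # fields after KEY: flags, protocol, algorithm
    shift 4
    secret=$(printf '%s' "$@")        # concatenate the base64 chunks
    printf 'key "%s" {\n  algorithm %s;\n  secret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Zone block granting the key the right to change only the A and TXT records of one host.
# "name" is tighter than the post's "subdomain", which also covers every name below it.
update_policy_stanza() {   # zone zonefile keyname hostname
    printf 'zone "%s" {\n        type master;\n        file "%s";\n        update-policy { grant %s name %s. A TXT; };\n};\n' \
        "$1" "$2" "$3" "$4"
}

# Write the stanza to its own file readable by root and the bind group only,
# so the secret does not sit in a world-readable named.conf.
install_key_file() {   # stanza dest
    ( umask 077; printf '%s\n' "$1" > "$2" )
    if chgrp bind "$2" 2>/dev/null; then
        chmod 640 "$2"
    else
        echo "warning: no group bind on this host, leaving $2 owner-only" >&2
        chmod 600 "$2"
    fi
}

# Usage: sh bind-tsig-setup.sh Kyourkey.+157+17032.key yoursite.com something.yoursite.com
main() {
    stanza=$(tsig_stanza_from_keyfile "$1") || exit 1
    keyname=$(printf '%s\n' "$stanza" | sed -n '1s/^key "\([^"]*\)".*/\1/p')
    mkdir -p /etc/bind/keys
    install_key_file "$stanza" "/etc/bind/keys/$keyname.key"
    echo "Add to /etc/bind/named.conf:"
    echo "include \"/etc/bind/keys/$keyname.key\";"
    update_policy_stanza "$2" "/etc/bind/db.$2" "$keyname" "$3"
    # named-checkconf validates the whole config; rndc reload then replaces kill -HUP
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf && echo "config OK, reload with: rndc reload"
    fi
}

if [ $# -ge 3 ]; then
    main "$@"
fi
```

Run it as sh bind-tsig-setup.sh Kyourkey.+157+17032.key yoursite.com something.yoursite.com, then add the printed include line and zone block to named.conf and reload. The key file never has to be opened in an editor, so there is no chance of pasting a truncated or space-broken secret.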

Installing nsupdate on your OpenWRT:

At first I thought it was easy: ipkg install bind-client, and it installs all the dependencies.
Of course it wasn't. The bind-libs dependency was not included in the bind-client package, and bind-libs was not present in the OpenWRT repository with its friends (bind-client, bind-server, bind-dig, etc.).
I did some research, and the only place I could find the bind-libs package (version 9.4.1-1) was at http://openwrt.razvi.ro/
So the first thing to do is to get this package and install it, then install the libopenssl and zlib packages required by nsupdate. I know libopenssl is huge! But a man's got to do what a man's got to do..
(Bear in mind that this is a third-party mirror, not the official repository: a library pulled from it is only as trustworthy as whoever runs the mirror, and it ends up linked into the program that holds your DNS update key.)

cd /tmp
wget http://openwrt.razvi.ro/bind-libs_9.4.1-1_mipsel.ipk
ipkg install /tmp/bind-libs_9.4.1-1_mipsel.ipk
ipkg install libopenssl
# zlib should be installed by dependency, if not:
ipkg install zlib
# and last but not least
ipkg install bind-client ## it contains only nsupdate

Once everything is installed, you can check that nsupdate starts by typing nsupdate (it then waits for commands; Ctrl-D gets you out).
If it works, here is the script I used to update the DNS of my server.

First create a folder to put the scripts in:

mkdir /etc/dns-update

Then we create the script:

vi /etc/dns-update/dns-update ## then add the following:

#!/bin/sh
# START=95

# WAN device of the router (vlan1 on a Kamikaze WRT54GL; check with ifconfig).
# With it set, the two grep -v filters below are only a safety net; if you leave
# it empty, ifconfig lists every interface and you must replace local_network_IP
# with your LAN address so that it is filtered out.
INTERFACE=vlan1

IP=`ifconfig $INTERFACE | grep 'inet addr:'| grep -v '127.0.0.1' | grep -v 'local_network_IP' | cut -d: -f2 | awk '{ print $1}'`
# never send an update with an empty address
[ -n "$IP" ] || exit 1

# replace the literal IP on line 4 of the template, then sign and send the update
sed "4s/IP/$IP/" /etc/dns-update/dns-commands > /etc/dns-update/temp_dns
nsupdate -k /etc/dns-update/Kyourkey.+157+17032.private -v /etc/dns-update/temp_dns
rm /etc/dns-update/temp_dns

This script uses a template file containing the nsupdate commands:

vi /etc/dns-update/dns-commands  ## then add the following:

server IP_OF_YOUR_SERVER
zone yoursite.com
update delete something.yoursite.com. A
update add something.yoursite.com. 60 A IP
show
send

Leave the literal IP on the fourth line: it is the placeholder the script replaces with the address it found. The delete-then-add pair replaces whatever A record is there with the new one at a 60 second TTL, and show prints the request before it is sent (handy while testing; drop it once it works).

Now scp the keys you generated earlier from your DNS server, and keep them mode 600 on the router as well (anyone who can read them can update your DNS):

 scp Kyourkey.* root@Openwrt:/etc/dns-update/

And finally make your script executable:

chmod +x /etc/dns-update/dns-update
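A more careful router script, as an added example and not the one from the post: it reads the address directly from the WAN interface instead of filtering loopback and LAN addresses out of the full ifconfig listing, only signs and sends an update when the address actually changed (a cron job otherwise fires a signed update every 20 minutes for nothing), and produces the nsupdate commands itself so there is no template to edit. The WAN device name vlan1, the IP_OF_YOUR_SERVER placeholder and the key file name are assumptions carried over from the post's placeholders; check the device with ifconfig on your router.

```shell
#!/bin/sh
# Added example, not from the original post: a single-file replacement for
# /etc/dns-update/dns-update. Assumptions: the WAN device is vlan1 (Kamikaze
# brcm-2.4 on a WRT54GL; check with ifconfig), and the server, zone, host and
# key file names are the placeholders used in the post.

SERVER=IP_OF_YOUR_SERVER          # the bind server that holds the zone
ZONE=yoursite.com
HOST=something.yoursite.com
TTL=60
INTERFACE=vlan1
KEY=/etc/dns-update/Kyourkey.+157+17032.private
STATE=/tmp/dns-update.last        # /tmp is RAM on OpenWRT: no flash wear, cleared on reboot

# Extract the first IPv4 address from busybox ifconfig output read on stdin.
wan_ip_from_ifconfig() {
    sed -n 's/.*inet addr:\([0-9.][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (changed) unless the state file already holds this address.
ip_changed() {   # ip statefile
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# Print the nsupdate script that replaces the A record of host $3 in zone $2 on server $1.
build_update() {   # server zone host ttl ip
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4" "$5"
}

# One update cycle; returns 0 on success or when no update was needed.
update_dns() {
    ip=$(ifconfig "$INTERFACE" | wan_ip_from_ifconfig)
    [ -n "$ip" ] || { echo "no address on $INTERFACE" >&2; return 1; }
    if ! ip_changed "$ip" "$STATE"; then
        return 0
    fi
    # -k signs the request with the TSIG key; the server checks it against its key {} stanza.
    # The state file is only written after nsupdate succeeded, so a failed update is retried.
    if build_update "$SERVER" "$ZONE" "$HOST" "$TTL" "$ip" | nsupdate -k "$KEY"; then
        echo "$ip" > "$STATE"
    else
        echo "update failed for $HOST" >&2
        return 1
    fi
}

case "${1:-}" in
    run) update_dns ;;
esac
```

Save it as /etc/dns-update/dns-update, chmod +x it, and call it with the argument run from cron (*/20 * * * * /etc/dns-update/dns-update run). The first run after a reboot always sends an update because /tmp is empty, which is what you want, since the address usually changed across the reboot.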

I didn't find a way to update the DNS automatically when a new IP was retrieved by the OpenWRT DHCP client (tried to put it in /etc/ppp/ip-up.d/ and in /etc/init.d/dns-update, adding a START=95 at the beginning of the script).
So, I did a CRON (make sure crond is actually running on the router; note that the script re-sends a signed update every run, whether or not the address changed):

vi /etc/crontabs/root ## then add:
*/20 * * * * /etc/dns-update/dns-update

Voilà!

I hope this was useful,

don’t hesitate to leave comment if you find out a better way to do that. (thx in advance)

cheers,

Ghantoos


3 Responses

  1. Dean says:

    I just wrote a small utility that’s an nsupdate replacement for this particular use case: It’s considerably smaller than nsupdate; although it still needs a crypto library: openssl or gcrypt can be specified at compile time. It only does public key SIG(0) updates (public keys for all, yay). There’s another one I haven’t tried: http://ipupdate.sourceforge.net/ which does TSIG.

    An orthogonal issue is that you can incorporate a hotplug script that will get called when PPP is brought up instead of a cronjob. There’s also a slightly more accurate (in my opinion) heuristic for determining the IP: by route instead of “whatever isn’t localhost”. See the dudders .ipk although it would work for nsupdate too.

  2. Dean says:

    Oops: probably should have mentioned it’s at http://dudders.sourceforge.net

  3. Thanks for your comment Dean!

    I’m going to try this out. Sure looks great!

    Although, the real space saver would be to have a tiny libopenssl, which is the huge package needed. : )

    I am going to try another type of solution (e.g. through restricted ssh access on the DNS server, with only nsupdate command allowed) so I don’t have to install nsupdate & libopenssl on the wrt54gl.

    I’ll keep you posted,

    Cheers,

    Ghantoos

    PS: I just added the “subscribe to comment” so you can choose to receive an email when a reply is posted.
