dyn-nsupdate: Self-made DynDNS
-===============================================================
+==============================
Introduction
------------
There are two pieces that have to be installed: A setuid wrapper which checks
the passwords, and applies the updates; and some CGI scripts offered through a
-webserver.
+webserver. Please read this guide carefully and make sure you understand the
+security implications of what you are doing. setuid wrappers are not toys!
-Let's start with the setuid wrapper. To compile it, you will need cmake and
+Let's setting up the setuid wrapper. To compile it, you will need cmake and
boost, including the regex and program_options boost packages. Starting in the
source directory, run::
cd nsupd-wrapper
mkdir -p build
cd build
- cmake .. -DCMAKE_BUILD_TYPE=Release \
- -DDYNNSUPDATE_CONFIG_FILE=/var/lib/bind/dyn-nsupdate.conf
+ DIR=/var/lib/bind
+ cmake .. -DCMAKE_BUILD_TYPE=Release -DDYNNSUPDATE_CONFIG_FILE=$DIR/dyn-nsupdate.conf
make
-This should compile the binary ``dyn-nsupdate``. If you want to put the files in
-another directory, change the configuration file name accordingly. You can now
-install it and the sample configuration file, and set their permissions::
+This should compile the binary ``dyn-nsupdate``. Notice that the path to the
+configuration file will be hard-coded into the binary. If it were run-time
+configurable, then a user could call the script with her own configuration file,
+gaining access to all domains BIND lets you configure. If you want to put the
+files in another directory, change the configuration file name accordingly. Make
+sure the file (nor any of the directories it is in) can *not be written by
+non-root*. The setuid wrapper trusts that file. You can now install it and the
+sample configuration file, and set their permissions::
- sudo install dyn-nsupdate /var/lib/bind/dyn-nsupdate -o bind -g bind -m +rx,u+ws
- sudo install ../../dyn-nsupdate.conf.dist /var/lib/bind/dyn-nsupdate.conf -o bind -g bind -m u+rw
+ sudo install dyn-nsupdate $DIR/dyn-nsupdate -o bind -g bind -m +rx,u+ws
+ sudo install ../../dyn-nsupdate.conf.dist $DIR/dyn-nsupdate.conf -o bind -g bind -m u+rw
Finally, edit the config file. The format should be pretty self-explanatory. In
particular, **change the password**!
have that installed. There are two scripts: One is used for clients to detect
their current external IP address, and one is used to do the actual update of
the domain. The first script should be available on a domain that is available
-only through a single protocol, i.e., IPv4 only or IPv6 only. If you want to
+only through a single protocol, i.e., IPv4 only or IPv6 only. This is required
+to reliably detect the current address of the given protocol. If you want to
support both IPv4 and IPv6, I suggest you have three domains
``ipv4.ns.example.com``, ``ipv6.ns.example.com`` and ``ns.example.com`` where
only the latter is available via both protocols (this is something you have to
You can find the client script at ``client-scripts/dyn-ns-client``. It requires
Python 3. Copy that script to the machine that should be available under the
-dynamic domain. Then change the configuration section at the top to match your
-setup. Note that the script can update a list of domain names, in case you need
-the machine to have several names (it is preferable to use a CNAME instead, this
-will reduce the number of updates performed in the zone). The ``serverIPv4`` and
-``serverIPv6`` are only used if IPv4/IPv6 is enabled. These machines must be
-available with that protocol only, otherwise it is not possible to reliably
-detect the current external address.
+dynamic domain. Also copy the sample configuration file ``dyn-ns-client.conf.dist`` to
+``$HOME/.config/dyn-nsupdate/dyn-ns-client.conf``. (You can choose another
+name, but then you will have to tell the script about it.) That file contains
+comments that should explain everything. Note that the script can update a list
+of domain names, in case you need the machine to have several names. It is
+preferable to use a CNAME instead, this will reduce the number of updates
+performed in the zone.
To run the script regularly, simply set up a cronjob. You can do so by running
``crontab -e``, and add a line as follows::
-------
If you found a bug, or want to leave a comment, please
-`send me a mail <mailto:post-AT-ralfj-DOT-de>`_.
+`send me a mail <mailto:post-AT-ralfj-DOT-de>`_. All sorts of feedback are
+welcome :)