-dyn-nsupdate: Dynamically and securely update DNS zones via CGI
-===============================================================
+dyn-nsupdate: Self-made DynDNS
+==============================
Introduction
------------
Welcome to dyn-nsupdate_, a collection of tools using BIND_, CGI_ and Python_ to
-provide DynDNS services. Both IPv4 and IPv6 are fully supported.
+provide DynDNS services with your own nameserver. Both IPv4 and IPv6 are fully
+supported.
dyn-nsupdate consists of two pieces: The server part provides a way to update IP
-addresses in Bind's DNS zone via CGI, in a safe manner. The client part uses CGI
+addresses in Bind's DNS zones via CGI, in a safe manner. The client part uses CGI
to update some domain to the current address(es) of the machine it is running
on. Alternatively, some routers can be configured to do this themselves. The
FritzBox is known to be supported.
There are two pieces that have to be installed: A setuid wrapper which checks
the passwords, and applies the updates; and some CGI scripts offered through a
-webserver.
+webserver. Please read this guide carefully and make sure you understand the
+security implications of what you are doing. setuid wrappers are not toys!
-Let's start with the setuid wrapper. To compile it, you will need cmake and
+Let's setting up the setuid wrapper. To compile it, you will need cmake and
boost, including the regex and program_options boost packages. Starting in the
source directory, run::
cd nsupd-wrapper
mkdir -p build
cd build
- cmake .. -DCMAKE_BUILD_TYPE=Release -DDYNNSUPDATE_CONFIG_FILE=/var/lib/bind/dyn-nsupdate.conf
+ DIR=/var/lib/bind
+ cmake .. -DCMAKE_BUILD_TYPE=Release -DDYNNSUPDATE_CONFIG_FILE=$DIR/dyn-nsupdate.conf
make
-This should compile the binary ``dyn-nsupdate``. If you want to put the files in
-another directory, change the configuration file name accordingly. You can now
-install it and the sample configuration file, and set their permissions::
+This should compile the binary ``dyn-nsupdate``. Notice that the path to the
+configuration file will be hard-coded into the binary. If it were run-time
+configurable, then a user could call the script with her own configuration file,
+gaining access to all domains BIND lets you configure. If you want to put the
+files in another directory, change the configuration file name accordingly. Make
+sure the file (nor any of the directories it is in) can *not be written by
+non-root*. The setuid wrapper trusts that file. You can now install it and the
+sample configuration file, and set their permissions::
- sudo install dyn-nsupdate /var/lib/bind/dyn-nsupdate -o bind -g bind -m +rx,u+ws
- sudo install ../../dyn-nsupdate.conf /var/lib/bind/dyn-nsupdate.conf -o bind -g bind -m u+rw
+ sudo install dyn-nsupdate $DIR/dyn-nsupdate -o bind -g bind -m +rx,u+ws
+ sudo install ../../dyn-nsupdate.conf.dist $DIR/dyn-nsupdate.conf -o bind -g bind -m u+rw
Finally, edit the config file. The format should be pretty self-explanatory. In
-particular, *change the password*!
+particular, **change the password**!
Now, let's go on with the CGI scripts. They are using Python 2, so make sure you
have that installed. There are two scripts: One is used for clients to detect
That's it! Your server is now configured. You can use ``curl`` to test your
setup::
- curl 'https://ns.example.com/update?domain=test.dyn.example.com&password=some_secure_password&ip=127.0.0.1'
+ DOMAIN=test.dyn.example.com
+ PW=some_secure_password
+ curl 'https://ns.example.com/update?domain=$DOMAIN&password=$PW&ip=127.0.0.1'
Client setup (using the script)
projects / dyn-nsupdate.git / blobdiff