[BlueOnyx:25102] Re: DDNS - done for 5209R

Michael Stauber mstauber at blueonyx.it
Sun Sep 12 17:10:58 -05 2021


Hi Colin,

> Forgot to mention, this would be on a 5209R CT.

Ok, I got something for 5209R and I'll eventually port it to 5210R as well.

You usually need a DDNS solution if you have one BlueOnyx 5209R on a
static IP and that one has your DNS server. For sake of clarity we call
this one STATIC.

And you do have another BlueOnyx or Linux server on a dynamic IP. We
call that one MOVER.

You want MOVER to make periodic calls to STATIC to inform it of its
current IP address, so that it can enter said dynamic IP into the DNS
record(s) of your choosing.

On your BlueOnyx 5209R with the DNS server (STATIC) do the following first:

yum clean all
yum update

That makes sure you have all the updates before we begin. You sure need
the latest base-alpine-* that I just published, otherwise the
CSRF-protection will prevent the DDNS updates from working.

Then do this:

yum install base-ddns-*

That will install the RPMs for the new DDNS module. Just to be sure do
the following after it has been installed:

/usr/sausalito/sbin/cced.init rehash
systemctl restart admserv

Now login to the GUI of the server where you have installed this.

Under "Server Management" / "Network Services" you find a new entry
called "Dynamic DNS".

Click on that and on the GUI page it loads you can enable the "Enable
DDNS API". Tick that checkbox.

Under "DDNS Domains" it lists all the domains you have DNS SOA records
for. By default these are all shown on the right hand side of the
selector and are therefore not used for DDNS.

Select the one (or more) domains you want DDNS for and move them to the
lefthand side. Then save the changes.

That has successfully enabled the DDNS API.

At the URL ...

 https://<your-dns-server>:81/ddns/ddnsapi

... your GUI is now waiting for POST or GET requests with the following
variables set:

un = Username of a user with "Server DNS Manager" permissions
pw = Password of said user in plain-text

Before someone gets a heart attack: The API page is only reachable via
HTTPS. Still: You should better NOT be calling it via HTTP in order to
prevent someone from sniffing out the login details!

Even though the API page accepts GET requests (like this) ...

https://<your-dns-server>:81/ddns/ddnsapi?un=<user>&pw=<pass>

... for the same reason you shouldn't use GET requests either. Because
the account password is in the URL and will show up in the logfiles and
also in the process list of the server where you run the script. As
we're using HTTPS the URL parameter shouldn't be visible for anyone
listening on the (encrypted) transaction, but still:

Preferably use POST requests via HTTPS!

We're now getting to how to do THAT.

Login to MOVER via SSH. That's the one with the dynamic IP.

Login to STATIC via SSH and GUI. That's the one with the DNS server and
the PDNS API active and configured.

On STATIC check the file /usr/sausalito/sbin/ddns-client.pl, which is a
sample DDNS client that does POST requests over HTTPS.

Copy that file to MOVER and make it executable. The file path of where
you put it on MOVER is up to you and doesn't matter at all.

Edit the file ddns-client.pl on MOVER and you see it has three lines on
top that you need to edit:

$DNS_Server = 'your-blueonyx-dns-server';
$username = 'admin';
$password = '';

Set $DNS_Server to the FQDN of MOVER. It just needs the domain name, not
an URL.

Set $username to either 'admin', or that of another Server Administrator
with "Server DNS Manager" rights.

Set $password to the password of that user.

Now run the script and on the command line it should tell you if it
worked or not. It's a very simple Perl script and all it needs is Perl
and the Perl module 'LWP::UserAgent'. Which is usually installed with
Perl itself. But if it's missing, you might be able to grab it via "yum
install perl-LWP-*".

If the script did run without error, then login to the GUI of MOVER, go
to "Server Management" / "Network Services" / "DNS" and click on "Edit
Primary Services".

>From the pulldown "Select Domain..." choose one of the domains you had
listed as "DDNS Domains" and you should see that the IPv4 IP Addresses
of all A-Records of said domain(s) now have the IP of the box where you
ran the ddns-client.pl script.

If that all has worked as intended, then all that's left to do is to set
up a cronjob on MOVER that runs ddns-client.pl as often as you like.

On every run it'll connect to STATIC and will inform the DDNS API there
about its current IP. If the IP is different from what STATIC has noted,
then the DNS records of the "DDNS Domains" will be updated and the DNS
server will be restarted.

You should make sure that said DNS records have a short enough TTL so
that IP address changes are propagated quickly. Personally I'd set a TTL
of 300 (5 Minutes), but use your own imagination to set what you see fit.

P.S.: If you cannot use the sample ddns-client.pl script at all for
whatever reasons, then all you really need is *something* that makes
periodic calls to the URL of your STATIC box like this:

https://<your-dns-server>:81/ddns/ddnsapi?un=<user>&pw=<pass>

Change <your-dns-server>, <user> and <pass> accordingly to the FQDN of
the DNS server, the username and the password.

So even a cronjob that calls "curl <URL>" or "wget -q <URL>" will do.

But the above mentioned caveats apply: If you use GET requests, then the
password shows in the AdmServ access logs and additionally the process
list of the server where you run the cronjob may show the password to
other users that are currently logged in.

-- 
With best regards

Michael Stauber


More information about the Blueonyx mailing list