Андрей Смирнов

What is DynDNS and how do you use it?

Security when using Dynamic DNS

Because the router now has a unique, permanent address (even if it is not known to everyone) through which it can be reached, security needs attention: access to the router itself, the FTP server, cameras, and any other servers and devices connected to or configured on the router must be closed to outsiders.

First, set a strong administrator password on the router. I wrote about this in the article on how to change the router password from admin to something else. If the username can be changed, change it too. Even if someone learns your router's address and opens it, they cannot get into the settings without knowing the login and password.

If an FTP server or file sharing is configured, be sure to change the username and password of the default admin user (it is requested when accessing the FTP server). If you create new users, set strong passwords for them.

Is an IP camera or a NAS connected to the router? They must also be protected with a good password. I also recommend changing the standard username (admin). This can be done in the settings of those devices.

If, for example, you plan to use the DDNS address only to reach the FTP server and do not need access to the router's control panel, make sure remote access is disabled in the router settings.

Conclusions

DDNS can only be configured on a router that receives an external, public, dynamic IP address from the provider. If the router receives a static external (WAN) IP address, the feature serves no purpose.

If the provider cannot or will not issue you a public WAN IP address, and you do not want to or cannot subscribe to a "Static IP address" service, look into what your router offers. It may have a way to access the settings through the cloud. Access to files, an IP camera, or a NAS through the cloud, however, most likely cannot be set up.


Сергей


Under Construction

An open source DNS Server Solution that includes a Web Management System, a RESTful API, Dynamic DNS functionality, and a High Availability design. The web interface allows users to manage all DNS entry types, add and remove their own domains, and use a simple user control mechanism. DNS Server is horizontally scalable, so if the load becomes too high, simply deploy additional slave DNS Servers. Dynamic DNS clients such as ddclient, DD-WRT, and Tomato are known to work with DNS Server. DNS Server is built on top of technologies such as Bind with DLZ Support, Tomcat 9.x, MariaDB (or MySQL 5.7+), NGINX, Ansible, and CentOS 7.x.

Features

  • REST-based Update API based on the Dyndns2 protocol.
  • Compatible with most DDNS clients.
  • Fully functional web application for management of hosts and user profile information.
  • Designed for multiple slave DNS Servers.
  • IPv4 DNS Record Updates.
  • Basic user signup, forgot, and login functionality.
  • Built on CentOS 7 with Bind 9.1x (compiled with DLZ support), Tomcat 9, and MariaDB.
  • Coming Soon: Many new DNS record types will be added. Ultimately this will become a fully managed high availability DNS server.
  • Coming Soon: Ansible Deployment Scripts for Master and Slaves.
  • Coming Soon: NGINX Slave Load Balancing.
  • Coming Soon: New User Authentication Methods. (FreeIPA?, LDAP?)

Requirements

  • At least 3 CentOS 7.* Virtual Machines or Servers.
  • SSH Access to all DDNS Servers.
  • If publicly accessible, Port 53 (UDP) must be open from each slave DNS server to (and from) the internet.

Support

Since I am extremely lazy I am not going to offer any support. Well maybe every once-n-a while. It really depends on my mood.

That being said, time was spent documenting each code section in the DNS Server. This should allow the scripts to be easily understood and modified if needed.

Update API

The update API was designed to mimic the dyndns2 protocol in order to make it compatible with most DDNS clients. Once the Dynamic DNS Server is installed and running, the API is available. To access the API you will need credentials from the web application in order to use the API's HTTP Basic Authentication.

API Structure:

http://{username}:{password}@{yourdomain.tld or ip address}/ddns/update?&hostname={hostname}&myip={IP Address}

API Responses:

good

IP Address for specified Hosts have been updated.

nochg

There is no update or change required. (No need to update more than once an hour without an IP change)

nohost

One or more Hosts are invalid.

numhost

More than the maximum of ten Hosts specified.

badaddress

IP Address form is invalid.
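An added example (not the project's own code) of a client for the update call and response codes listed above. It assumes the server is reachable over HTTPS and that multiple hostnames are comma-separated as in the dyndns2 convention; `build_update`, `interpret`, and the host names are hypothetical.

```python
import base64
import ipaddress
from urllib.parse import urlencode

MAX_HOSTS = 10  # the page's "numhost": more than ten hosts is rejected

# Codes and meanings as listed on the page. The boolean is an assumption of
# this example: True means the client config must be fixed before resending.
RESPONSES = {
    "good": ("updated", False),
    "nochg": ("no change required", False),
    "nohost": ("one or more hosts invalid", True),
    "numhost": ("more than ten hosts", True),
    "badaddress": ("invalid IP address form", True),
}

def build_update(base_url, username, password, hostnames, ip):
    """Return (url, headers); credentials go in a header, never in the URL."""
    if not base_url.startswith("https://"):
        # Basic auth is base64, not encryption: without TLS it is readable.
        raise ValueError("refusing to send Basic auth over plain HTTP")
    if not 1 <= len(hostnames) <= MAX_HOSTS:
        raise ValueError("numhost: between 1 and 10 hostnames per request")
    addr = ipaddress.ip_address(ip)  # ValueError on malformed input
    if addr.version != 4 or not addr.is_global:
        # The page lists IPv4 updates only; a LAN address would leak into DNS.
        raise ValueError("badaddress: a public IPv4 address is required")
    query = urlencode({"hostname": ",".join(hostnames), "myip": str(addr)},
                      safe=",")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"{base_url}/ddns/update?{query}", {"Authorization": f"Basic {token}"}

def interpret(body):
    """Map a response body to (code, meaning, needs_fix)."""
    words = body.split()
    code = words[0] if words else ""
    meaning, needs_fix = RESPONSES.get(code, ("unrecognised response", True))
    return code, meaning, needs_fix

if __name__ == "__main__":
    # Constructed sample values; no network request is made.
    url, headers = build_update("https://ddns.example.test", "alice", "s3cret",
                                ["home.example.test"], "8.8.8.8")
    print(url, sorted(headers))
    print(interpret("nochg\n"))
```

Passing the returned URL and headers to any HTTP client keeps the password out of the URL, which matters because URLs commonly end up in proxy and server access logs.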

API Examples:

Included Files

  • Bitcoin Cash daemon deployment Bash script for CentOS 7.
  • Bitcoin Cash daemon systemd service file.
  • Bitcoin Cash logrotate configuration file.
  • Bitcoin Cash configuration file.

Quick Deployment Instructions (Work in Progress)

For quick deployment please ensure:

Root access to an updated CentOS 7 server.

As Root Type

yum install -y git
# Need to fill this in

Bind — Internet Systems Consortium:

Bind with DLZ Support Documentation:

Donations

Many Bothans died getting this DNS server to you, honor them by sending me some Bitcoin(BTC), or Ethereum(ETH).

  • BTC: 1K4N5msYZHse6Hbxz4oWUjwqPf8wu6ducV
  • ETH: 0x76AB557F159a5048fA944566dbb18C834228d4e7

http://www.gnu.org/licenses/gpl-3.0.html

Installation

  • Make sure you have Ruby 1.9 or 2 installed (e.g. the package on Debian Linux).

  • Download dns.rb, config.yml and db.yml. These three files are all you need.

  • Modify to match your setup, especially the , and settings.

  • Modify to contain your subdomains and passwords. For example:

    The IP addresses themselves are best added later on via the HTTP interface. Either by your router or via a command line script (see "Some useful commands" later on).

  • Run the server: . To stop it press .

Right now I just leave it running within a terminal. But feel free to automatically start it on server boot up. If you want you can also redirect into an access log file and into an error log file.

How Do We Use the Information We Collect?

We use the information we collect in a variety of ways in providing the Service and operating our business, including the following:

  • We use the information that we collect to operate, maintain, enhance and provide all features of the Service, to provide services and information that you request, to respond to comments and questions and otherwise to provide support to users, and to process and deliver entries and rewards in connection with promotions that may be offered from time to time on the Service.
  • We use the information that we collect to understand and analyze the usage trends and preferences of our users, to improve the Service, and to develop new products, services, feature, and functionality.
  • We may use your email address or other information we collect (i) to contact you for administrative purposes such as customer service, to address intellectual property infringement or other claimed violations of our terms of use or (ii) to send communications, including updates on promotions and events, relating to products and services offered by us and by third parties we work with that are related to the Service. You have the ability to opt-out of receiving any future promotional communications as described below under «Your Choices.»
  • We may use «cookies» information and «automatically collected» information to: (i) personalize our services, such as remembering your information so that you will not have to re-enter it during your visit or the next time you visit the Service; (ii) provide customized advertisements, content, and information; (iii) monitor and analyze the effectiveness of the Service and third party marketing activities; (iv) monitor aggregate Service, mobile app and website usage metrics such as total number of visitors and pages viewed; and (v) track your entries, submissions, and status in any promotions or other activities on the Service.

Termination Of Service

No-IP may suspend or terminate your account or access rights to Services at any time, without notice, for conduct that No-IP reasonably believes violates this TOS or any other applicable policies or guidelines that No-IP has posted on the No-IP Web site. In addition to restricting or terminating Customer’s access to the Service, No-IP may remove any materials that we have reasonable grounds to believe are in violation of the copyright laws of the United States or may be otherwise illegal, may subject us to liability or that violate this TOS. No-IP may also cooperate with legal authorities and/or third parties in the investigation of any suspected criminal activity.

HTTP/HTTPS interface to update IPs

The HTTP interface is very minimalistic: The server only understands one HTTP request to update or invalidate IP addresses. This isn't a web interface you can use in your browser! Rather it's the interface your router can use to automatically report a changed IP to the DNS server (look for something like DynDNS in your router configuration). The HTTP interface is inspired by DynDNS and others so routers can easily be configured to report to this DNS server.

HTTP basic auth is used for all HTTP requests. The username and password have to match one configured in the file. For example with the HTTP user and password you can update the IP address of the subdomain.

The HTTP request where is either an IPv4 or IPv6 address then assigns a new address to the subdomain matching the authentication.

If is an empty string () both the IPv4 and IPv6 address are invalidated. The server won’t return an IP for that subdomain until a new IP is assigned.

You can omit the parameter (just ). In that case the server will set the subdomain matching the authentication to whatever IP the client is using to connect to the HTTP interface. On the internet this is your public IP. If you use MiniDynDNS in a local network this will probably be a local IP address.

You can use on the command line or in scripts to assign a new IP to a subdomain (see "Some useful commands"). Languages like PHP and Ruby can also do HTTP requests directly.

Some useful commands

All these commands assume that the DNS server is running on 127.0.0.2 with default ports (53 for DNS, 80 for HTTP, 443 for HTTPS).

Update a name with a new IPv4 or IPv6 address:

Same with and over HTTPS:

Note: Don’t use the self-signed certificate of your CA with . For some reason this causes OpenSSL to freak out and block the entire HTTP/HTTPS interface. Please let me know if you know why.

Send a USR1 signal to the server to make it pick up changes from the YAML database file:

Shut down the server by sending it the INT signal (like pressing ):

Query IPv4 (A), IPv6 (AAAA) or both (ANY) records from DNS server running on 127.0.0.2:

Query the server's start of authority (SOA) record:

Material prepared by
Максим Иванов