
Setting Up Dynamic DNS (RFC2136) in BIND

Published by Patrick


Introduction

Dynamic DNS (DDNS) allows client systems or services to update DNS records automatically, removing the need to manually edit zone files every time an IP address changes. This is especially beneficial in environments where hosts frequently obtain different IP addresses (e.g., via DHCP). In this post, we will:

  1. Outline the prerequisites for setting up BIND with DDNS.
  2. Generate TSIG (Transaction Signature) keys for secure updates.
  3. Modify named.conf to allow and secure dynamic updates.
  4. Show how to use nsupdate to test and perform DNS updates.
  5. Discuss best practices and troubleshooting tips.

Prerequisites

  1. Installed BIND – Ensure BIND (commonly known as named) is installed. You can install it using your package manager (yum, apt, dnf, etc.).
  2. Administrative privileges – You need permission to edit named.conf and restart the BIND service.
  3. A functioning DNS server – Ensure you already have at least one primary zone configured and working properly.

Step 1: Generate a TSIG Key

To secure dynamic updates, use TSIG (Transaction Signatures). TSIG uses shared secrets to authenticate DNS update requests.

Generate a key using tsig-keygen:

cd /etc/named/
tsig-keygen -a hmac-sha256 ddns-key.example.com > ddns-key.example.com.key

View the generated key:

cat ddns-key.example.com.key

Example output:

key "ddns-key.example.com" {
    algorithm hmac-sha256;
    secret "YOUR_BASE64_ENCODED_SECRET==";
};

Copy this snippet into your named.conf or an included file (e.g., /etc/named/keys.conf).

Step 2: Configure the Zone for Dynamic Updates

Modify your named.conf to allow updates by key:

// Include TSIG keys
include "/etc/named/keys.conf";

// Define the zone
zone "example.com" IN {
    type master;
    file "/var/named/dynamic/example.com.db";
    allow-transfer { none; };
    allow-update { key "ddns-key.example.com"; };
};

Ensure BIND has write permissions for /var/named/dynamic/example.com.db.

Step 3: Configure Logging (Optional)

Logging helps track DNS updates:

logging {
    channel update_debug {
        file "/var/log/named/dynamic-updates.log" versions 3 size 5m;
        severity debug 3;
        print-time yes;
    };
    category update { update_debug; };
    category security { update_debug; };
};

Step 4: Reload BIND

Apply changes by reloading BIND:

sudo systemctl reload named

Or restart BIND:

sudo systemctl restart named

Step 5: Testing Dynamic Updates with nsupdate

Use nsupdate to manually test dynamic updates.

Create an update script (e.g., update.txt):

server 127.0.0.1
zone example.com
key hmac-sha256:ddns-key.example.com YOUR_BASE64_ENCODED_SECRET==

update delete test.example.com A
update add test.example.com 300 A 192.168.1.100
send

The algorithm prefix on the key line is required: without it nsupdate assumes hmac-md5 and the server rejects the signature (BADKEY).

Execute the update:

nsupdate -v update.txt

Verify with dig:

dig @127.0.0.1 test.example.com A

Expected output:

;; ANSWER SECTION:
test.example.com.    300   IN   A   192.168.1.100

Step 6: Managing and Reviewing Updates

Checking the Zone File

If using a text-based zone file, dynamic updates are written to a .jnl journal file next to it rather than to the zone file itself. If manual edits are needed, freeze the zone first (this flushes the journal into the zone file and suspends updates), edit, then thaw it to resume updates:

rndc freeze example.com
# Edit /var/named/dynamic/example.com.db
rndc thaw example.com

Handling Conflicts

Multiple clients updating the same record may cause conflicts. Ensure TSIG keys are unique per client or service to prevent unintended modifications.

Step 7: Best Practices and Tips

  1. Use dedicated keys per zone/service – Prevents one key from modifying multiple zones.
  2. Rotate keys periodically – Treat TSIG keys like passwords.
  3. Restrict updates to specific networks – Use network-based ACLs to limit access.
  4. Monitor logs – Watch for unauthorised attempts or misconfigurations.
  5. Document your DNS setup – Helps simplify future troubleshooting.

Example: DHCP Integration

To integrate with a DHCP server, add the following to the DHCP configuration:

# Requires ddns-update-style (interim or standard) to be set globally in dhcpd.conf
key ddns-key.example.com {
    algorithm hmac-sha256;
    secret "YOUR_BASE64_ENCODED_SECRET==";
};

zone example.com. {
    primary 192.168.1.10;  # IP of DNS server
    key ddns-key.example.com;
}

This enables automatic DNS updates for leased IP addresses.

Other examples of where to use this:

  • Terraform, together with the dns provider, when provisioning hosts or Docker containers
  • Ansible, to configure applications and minimise manual steps
  • external-dns, for automatic hostname registration of ingress resources

Conclusion

Dynamic DNS (RFC2136) automates DNS record management, reducing manual overhead. By securing updates with TSIG and implementing best practices, you can maintain a reliable and secure DNS infrastructure.

Key Takeaways:

  • Generate secure TSIG keys and store them safely.
  • Use allow-update or update-policy to control updates.
  • Verify functionality with nsupdate and dig.
  • Monitor logs to detect unauthorised attempts.