RFC2136 Server Setup How-to
-
Yes that's why in my example I used a "dyn.example.com" subdomain because it rewrites that file and needs extra permissions… Not fun when it's unexpected. I thought I noted that somewhere but I don't see it now.
If you lock it down to just one subdomain/zone it is easier to manage, though it doesn't look quite so nice as being on the main zone.
-
Hi
If I May,
Can I ask for some help with this post http://forum.pfsense.org/index.php/topic,67817.0.html
Regards
Franck
-
Hello,
Can anybody tell me if this solution could still apply if I wanted to create a DNS to handle an internal subdomain of a publicly hosted domain.
Please help
Here is a post I've opened on expert exchange "http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28268075.html#a39589557"
Regards
Franck
-
It sounds like this thread is more or less about what I like to do: replace DynDNS service and host it on my own pfSense box.
However, I'm a bit confused by the how-to article https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS
because I'm not clear what box is and what subsystem is running where and what's a server of what client… In short, I have a domain example.com and example.net. I want to use example.net for dynamic DNS, which allows me to point CNAME records from example.com at example.net to have in essence dynamic DNS for example.com, yet I can have the DNS servers cleanly separated.
DNS Servers for example.com are somewhere on an OS X Server box and should not be considered. Then I'd like to have two pfSense units. The main unit is at a colocation service, fixed IP address, and I want that unit to host the primary DNS server for example.net, and update the address records as needed dynamically.
I have a second pfSense unit with DHCP assigned IP address at home, and of course a roaming laptop, etc. all of which should stop using Dyn.com's DynDNS service and use the above mentioned pfSense unit at the colocation service.
Sorry for being a bit dense, but this is new turf for me.
-
This is not meant to run as a server on pfSense, but on another server running BIND.
I don't know if the new BIND package is capable of handling this task, but it's still best to run an authoritative name server on a separate box.
-
This is not meant to run as a server on pfSense, but on another server running BIND.
I don't know if the new BIND package is capable of handling this task, but it's still best to run an authoritative name server on a separate box.
Hm, that wouldn't work for me, because my main DNS server is on the net with the dynamic IP.
Although that seems paradoxical at first, this works because I have a direct assigned IP address block which is routed to the dynamic network over a quasi-permanent VPN connection between the two pfSense units. But of course exactly when the IP address changes, that also means the VPN is down until the hostname can be resolved again, so for these moments my main DNS server is inaccessible.
That's also why I want to segment the name space cleanly into example.com and example.net, with the .net portion being hosted by the pfSense unit with a permanent, fixed IP address and located at the colocation provider. How does the bind package interfere with the DNS forwarder? Any known issues when installing bind?
If what you describe would work with the bind package, I'd finally have the solution that I've been looking for for quite some time, because the various DynDNS providers get ever more expensive, their service more convoluted, and I also want to reduce the number of failure points in my setup. Simplify, simplify…
-
I just upgraded to the 2.2-RELEASE version of pfSense, and set up an RFC 2136 dynamic DNS client. I had problems getting it to work initially, but it's fine now.
It turns out that in the "Hostname" field (with the text "Fully qualified hostname of the host to be updated"), you cannot have a trailing "." character on the DNS name. If this is present, it silently fails without attempting to transmit a packet to the DNS server. This was, of course, discovered by running tcpdump on both ends. Removing the trailing period character immediately had it working.
-
Did it work with the trailing "." in 2.1.x?
I don't recall attempting to end it with a trailing '.' before
-
Just to say that in 2.2 the validation of an FQDN now allows the trailing "." (root domain) to be specified.
So there will be places like this where the trailing dot is now allowed by the validation, but maybe some downstream implementing code does not cope with trailing dot and needs to be enhanced.
-
Hello, I'm trying to enable RFC2136
But I followed the tutorial and am having the following error:
Feb 25 19:56:29 ns php-fpm[72872]: /services_rfc2136_edit.php: The command '/usr/local/bin/nsupdate -k /var/etc/K0domain.net.+157+00000.key -v /var/etc/nsupdatecmds0' returned exit code '134', the output was '; Communication with 177.177.177.70#53 failed: operation canceled name.c:1014: REQUIRE((__builtin_expect(!!((source) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(source))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))), 1))) failed, back trace #0 0xa8567f33 in ??'
Feb 25 19:56:29 ns kernel: pid 94766 (nsupdate), uid 0: exited on signal 6 (core dumped)
Feb 25 19:56:29 ns php-fpm[72872]: /services_rfc2136_edit.php: phpDynDNS: ERROR while updating IP Address (A) for domain.net (177.177.177.70)
I also tried it in another way by using a script to just update my Zone A with my external IP.
Using nsupdate however I get the declined error:
Sending update to 172.16.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 34415
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;domain.net. IN SOA
;; UPDATE SECTION:
domain.net. 0 ANY A
domain.net. 30 IN A 172.16.0.48
;; TSIG PSEUDOSECTION:
172.16.0.1. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1488057940 300 16 lUuMfR2HVuCcC7A== 34415 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 34415
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;domain.net. IN SOA
;; TSIG PSEUDOSECTION:
172.16.0.1. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1488057940 300 17g+7Cw== 34415 NOERROR 0
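A worked version of the client side that both the trailing-dot post above and this script post describe, added here as an example and not code from the thread or from pfSense: it normalizes the hostname, builds the command file that "nsupdate -k <keyfile> -v" consumes, scoped to one dynamic zone, and sends it signed with the TSIG key file. All hostnames, the zone, the TEST-NET-2 addresses and the key file path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: build the command
# file that an RFC 2136 client hands to "nsupdate -k <keyfile> -v <cmdfile>",
# for one A record in a dedicated dynamic zone. Hostnames, zone, addresses
# (TEST-NET-2) and the key file path below are assumptions.

# Drop one trailing "." so a root-qualified name (host.dyn.example.com.) is
# accepted; the pfSense 2.2 client silently sent nothing when the dot was kept.
normalize_fqdn() {
    printf '%s\n' "$1" | sed 's/\.$//'
}

# Emit nsupdate commands scoped to the dynamic zone: delete the old A record(s)
# for the host, add the new one, send. Args: host zone ip server ttl.
# Refuses a host outside the zone: the update key should only reach that zone.
build_nsupdate_cmds() {
    host=$(normalize_fqdn "$1")
    zone=$(normalize_fqdn "$2")
    case "$host" in
        "$zone"|*."$zone") ;;
        *) printf 'host %s is not in zone %s\n' "$host" "$zone" >&2; return 1 ;;
    esac
    case "$3" in
        *[!0-9.]*|'') printf 'bad IPv4 address: %s\n' "$3" >&2; return 1 ;;
    esac
    printf 'server %s\n' "$4"
    printf 'zone %s.\n' "$zone"
    printf 'update delete %s. A\n' "$host"
    printf 'update add %s. %s A %s\n' "$host" "$5" "$3"
    printf 'send\n'
}

# Sign and send the update with the TSIG key file (K*.key, the format pfSense
# writes under /var/etc). With DRY_RUN=1 (the default) only print the commands.
# Args: host zone ip server keyfile.
send_update() {
    cmds=$(build_nsupdate_cmds "$1" "$2" "$3" "$4" 300) || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    printf '%s\n' "$cmds" | nsupdate -k "$5" -v
}

# Constructed sample run (dry run): a root-qualified host name in the dyn zone.
send_update host.dyn.example.com. dyn.example.com 198.51.100.7 198.51.100.1 \
    /var/etc/Kdyn.example.com.+157+00000.key
```

A REFUSED reply like the one above is then a server-side decision (key name, algorithm or update policy for that zone), not something the client can fix.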
-
domain.net is probably not your URL and 172.16.0.1 is a private IP (RFC1918).
If, for whatever reason, you don't want your public URL known here then use example.com as placeholder. This way we know you're not putting rubbish in those fields. Since your public IP changes (you wouldn't use a DynDNS service otherwise) just use your current IP; alternatively use an IP from TEST-NET-2 198.51.100.0/24 (RFC5737).
-
I'm using a different DNS server that I love, but that hasn't been updated in 7 years, mydns-ng. It has support for RFC2136, but I'm having some problems connecting pfsense to it. A DNS request is coming into the DNS server, but it isn't what I would expect it to be. It's just checking the SOA for the zone, but then not trying to update the A record. I very much think it's something I'm just doing wrong by misunderstanding one of the fields. In particular the 'key' field in pfsense. There is no matching field in mydns that I can find, so I'm not certain what to put there.
When I try to use nsupdate from the CLI, I get errors from the dns server that I'm not authenticated, but pfsense never goes far enough to receive that failure. Does anyone have any insights or suggestions for me?
-
Do you have some logs as shown above?