Bind Package Feature Request - Make "Base Domain IP" dynamic



  • For my pfsense server's bind package, my zones must each have a hard-coded Base Domain IP. I'd like to see this package gain a brilliant capacity: optionally allow selection of the public IP as it is determined by the dynDNS service. I want to use this Bind package, but in my case there's no benefit over my existing external DNS solution, since I don't have a straight-forward way to dynamically update records I'm hosting.

    Any tips for workarounds would be highly appreciated.



  • I have an obvious question: what's your ultimate use case here?  What do you want this bind9 server to do, act as internal authoritative for any given domain that you serve?  Work as the external authoritative resolver?

    We'd need more info to try and give you a workaround or alternative approach… but my first impression is that you should be rolling your own bind9 server to do extremely advanced configuration such as this and then just hand off DNS stuff to that server...



  • @teward:

    what's your ultimate use case here?  What do you want this bind9 server to do, act as internal authoritative for any given domain that you serve?

    We'd need more info to try and give you a workaround or alternative approach…

    Excellent question.

    I have many domains with GoDaddy and most of them have wildcard records that resolve to my pfsense router's WAN IP. Since there's no godaddy support for dyndns, I'm looking for alternatives for keeping the records updated.

    The bind package in pfsense does work well for running authoritative DNS. I don't strictly require that I host the DNS for my domains, but with my goal of automatic updating of them to track my public IP, it seems like a possible solution. With pfsense's bind, I have to manually enter the base IP for the domain; it doesn't give an option to automatically follow my external IP (and it's a little more complex because my WAN IP is actually behind a stupid router from my ISP that just port forwards everything, so really I need whatever dyndns uses to find my public IP to get injected into my bind-hosted records).

    Anyway, I'm open to entirely different suggestions. I'm happy to host stuff myself and don't really want to pay more for something external, I'll consider extremely inexpensive alternatives, or other ideas.


  •

    @docdawning:

    I'll consider extremely inexpensive alternatives, or other ideas.

    https://dns.he.net/



  • @docdawning:

    @teward:

    what's your ultimate use case here?  What do you want this bind9 server to do, act as internal authoritative for any given domain that you serve?

    We'd need more info to try and give you a workaround or alternative approach…

    Excellent question.

    I have many domains with GoDaddy and most of them have wildcard records that resolve to my pfsense router's WAN IP. Since there's no godaddy support for dyndns, I'm looking for alternatives for keeping the records updated.

    The bind package in pfsense does work well for running authoritative DNS. I don't strictly require that I host the DNS for my domains, but with my goal of automatic updating of them to track my public IP, it seems like a possible solution. With pfsense's bind, I have to manually enter the base IP for the domain; it doesn't give an option to automatically follow my external IP (and it's a little more complex because my WAN IP is actually behind a stupid router from my ISP that just port forwards everything, so really I need whatever dyndns uses to find my public IP to get injected into my bind-hosted records).

    Anyway, I'm open to entirely different suggestions. I'm happy to host stuff myself and don't really want to pay more for something external, I'll consider extremely inexpensive alternatives, or other ideas.

    If you wildcard all the domains, then I would suggest getting a separate domain for your items, a small VPS ($60/yr for a 512MB RAM server from RamNode as an example), put bind9 on it, and make it authoritative for your separate domain.  Then, configure the BIND server to accept updates from a TSIG key for autoupdates, and from behind your Dynamic IP system, grab the IP address, and put it into an automatic update script that issues an 'nsupdate' call to the BIND server on your VPS.  Then, wildcard-CNAME the other domains right to the dedicated 'dynamic update' address record.  Update the dedicated address for the dynamic IP destination, and it updates the A record for that address; the CNAME refers then back to the IP address for the A record, as its IP destination.

    Web requests will still have the $HOST header so it should 'work fine' without issue.  A large number of my domains (and subdomains, though they aren't wildcarded) go to my own infrastructure at my apartment, which is behind residential dynamic IP service, and because I have individual server separation for each site/service, there's an nginx server listening that reverse proxies to the specific backend.  So far, this works well.

    My two cents, personally.

    Some notes on this though, you'd have to wget or curl the data from external
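The TSIG-signed nsupdate scheme teward describes, written out as an added example (this is not teward's script and not part of pfSense or its bind package). It assumes a BIND server on the VPS that knows a TSIG key called `dyn-key`, a zone `dyn.example.net` whose `update-policy` grants that key the right to change only `home.dyn.example.net`, and a public-IP lookup URL; all of those names are placeholders chosen here, not values from the thread. The script validates the fetched address before pushing it, so a broken or tampered lookup response cannot be written into the zone, and it only sends an update when the address has actually changed.

```shell
#!/bin/sh
# Added example of a cron-driven dynamic-update client, not code from the
# thread. Assumed server-side BIND configuration (placeholder names):
#
#   key "dyn-key" { algorithm hmac-sha256; secret "<base64 secret>"; };
#   zone "dyn.example.net" {
#       type master; file "dyn.example.net.zone";
#       update-policy { grant dyn-key name home.dyn.example.net. A; };
#   };
#
# Restricting the grant to one name means a leaked key can change the
# dynamic A record and nothing else in the zone.

SERVER="ns1.dyn.example.net"          # placeholder: the VPS name server
ZONE="dyn.example.net"                # placeholder: zone the VPS is authoritative for
RECORD="home.dyn.example.net"         # placeholder: the single record the key may update
KEYFILE="/etc/dyn-key.key"            # placeholder: TSIG key file for nsupdate -k
IP_LOOKUP_URL="https://ip-lookup.example.invalid/"   # placeholder lookup service
CACHE="/var/db/dyn-ip.last"           # last address successfully published
TTL=60

# Accept only a plausible dotted-quad IPv4 literal. Anything else (an HTML
# error page, an empty body, a hostname) is rejected before it reaches DNS.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|"") return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -ge 0 ] 2>/dev/null && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit the nsupdate batch: delete the old A record and add the new one in a
# single transaction, so the name never sits without an address.
build_update() {
  printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %d A %s\nsend\n' \
    "$SERVER" "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

# Discover the public address from outside the NAT (teward's "wget or curl
# the data from external"). Whitespace is stripped; validation happens later.
discover_ip() {
  curl -fsS --max-time 10 "$IP_LOOKUP_URL" | tr -d '[:space:]'
}

main() {
  ip=$(discover_ip) || { echo "public IP lookup failed" >&2; return 1; }
  is_ipv4 "$ip" || { echo "rejected non-IPv4 lookup result: $ip" >&2; return 1; }
  if [ -f "$CACHE" ] && [ "$(cat "$CACHE")" = "$ip" ]; then
    return 0                          # unchanged: nothing to publish
  fi
  # -k signs the request with the TSIG key; the server's update-policy
  # decides what that key is allowed to touch.
  build_update "$ip" | nsupdate -k "$KEYFILE" || return 1
  printf '%s\n' "$ip" > "$CACHE"
}

# Run only when invoked as "script.sh run" (e.g. from cron), so the file can
# also be sourced to reuse its functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Install the key file on the pfSense host or appliance that will run this, schedule `script.sh run` every few minutes from cron, and point the wildcard CNAMEs in the GoDaddy-hosted domains at the placeholder record name. Because the update is signed and the grant is scoped to one name, the worst case for a compromised client is a wrong address on that single record, not a rewritten zone.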



  • Thanks teward. I have a significant VM hosting infrastructure in-house as well as an existing separate domain like you describe as it is. All I really want to do is get my pfsense's bind package to handle the dyn updates. I'm thinking I may just spin up a dedicated appliance, and do something along the lines of what you suggest. I write plenty of bash scripts, so I'd make it a cron job through one of them. It's just kind of silly as it feels like pfsense's bind could be somewhat easily more integrated so this can all happen in this one spot. I think the reason it's disintegrated is because the bind package really is something separate from the core pfsense elements.



  • @doktornotor:

    @docdawning:

    I'll consider extremely inexpensive alternatives, or other ideas.

    https://dns.he.net/

    This WAS looking so so promising and I've gone down the road of having my stuff mostly set up here, but then I ran into the deal-breaker: "Zone failed validation test. Wildcarding has been disabled due to abuse."

    Update: I contacted them and they confirmed they're not going to allow wildcarding. They said they'd manually rig it for me if I only had a few domains. While that would work for me, it's not a viable long-term solution for me. So I guess I'm back to getting pfsense's bind to meet my needs, hosting my own DNS server outside of pfsense or using a paid service.

