OpenWRT DDNS: Difference between revisions
The above directives add a user name / password (in encrypted form) that the BIND / NAMED DNS daemon / service uses to authenticate clients. "ddns" is the user name, and the text within, but not including, the double quotes is the password.
=== Generating a "User Name" / "Password" for the above Server Configuration ===
As noted, the DDNS scripts only seem capable of using passwords that have been encrypted with MD5 (HMAC-MD5). The DH and SHA256 methods were attempted, but did NOT work: an error in the DDNS log file indicated that the script was attempting to use an MD5-encrypted password regardless of how the "password" / "secret" had been encrypted.
Also, as noted previously, the dnssec-keygen program (opkg install bind-dnssec) provided by OpenWRT does not support generating MD5 passwords; attempting to do so produces an error. The solution, again as noted previously, is to use a different Linux distribution (CentOS or whatever is at hand) to generate an MD5-encrypted "password" / "secret".
This command generates a "password" / "secret" for the "user" named "ddns":
<syntaxhighlight lang="bash">
dnssec-keygen -a HMAC-MD5 -b 512 -n USER ddns
</syntaxhighlight>
If a value lower than 512 is used in the above command, the DDNS script will also complain that the "password isn't complex enough", but it will still function.
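Added example (not from this wiki, nor from the ddns-scripts or BIND projects): a POSIX shell script that produces a 512-bit HMAC-MD5 secret of the same form as the dnssec-keygen command above, using only /dev/urandom and base64 (assumed to be available, as they are in BusyBox on OpenWRT), checks the secret's bit length against the 512-bit threshold described above, and prints the matching named.conf key stanza for the "ddns" key.

```shell
#!/bin/sh
# Added example, not the wiki's or BIND's own code. A TSIG secret is just random
# bytes encoded as base64; "dnssec-keygen -a HMAC-MD5 -b 512" emits the same kind
# of value, so this avoids the OpenWRT dnssec-keygen build that refuses HMAC-MD5.
# Assumed available: /dev/urandom, head, base64, wc, awk (all in BusyBox).

# Print a base64 secret of the requested bit length (multiple of 8; default 512).
gen_tsig_secret() {
    bits=${1:-512}
    head -c $((bits / 8)) /dev/urandom | base64 | tr -d '\n'
}

# Return the bit length of a base64-encoded secret.
secret_bits() {
    echo "$1" | base64 -d | wc -c | awk '{print $1 * 8}'
}

# Emit the named.conf key stanza for the given key name and secret.
key_stanza() {
    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# Fail (exit 1) when the secret is below the 512-bit length the page reports
# ddns-scripts complaining about; succeed otherwise.
check_secret() {
    bits=$(secret_bits "$1")
    if [ "$bits" -lt 512 ]; then
        echo "warning: $bits-bit secret; ddns-scripts will call it not complex enough" >&2
        return 1
    fi
    return 0
}

# Usage: generate a key and print the stanza only if it passes the check.
SECRET=$(gen_tsig_secret 512)
check_secret "$SECRET" && key_stanza ddns "$SECRET"
```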
=== File Permissions for BIND / NAMED Daemon / Server ===
As it comes from OpenWRT, the bind-server package (opkg install bind-server) does not include, specify, configure, or make provisions for any directories holding additional BIND / NAMED files, such as master and slave zone storage files. Whatever directory is configured for BIND / NAMED to use for that purpose must have the proper permissions for creating "journal files", because that is where DDNS client updates are initially stored; i.e., updates are not written directly to WhatEverZoneFile.
* chown bind:bind /etc/bind (for example; the files can be located anywhere)
The bind user and group are configured when the bind-server package is installed. If the BIND / NAMED daemon / service doesn't have write permissions, the journal file cannot be created, which results in a very obscure error in one of the log files mentioned below.
===Secure Encrypted Communication Between Client and Server===
...coming soon.
</syntaxhighlight>
==Additional Subjects==
===DDNS on a Router Behind Another Router===
Some good hints came from here: https://github.com/openwrt/packages/issues/8277
==Special Thanks==
Several authors of several web pages stand out in terms of offering really good tips this article is based on. They are noted below:
*https://www.leurent.eu/wiki/FAQ:OpenWRT (the example given using dnssec-keygen will not work with the version of the tool included with OpenWRT, so use a different Linux system to generate the password)
*https://www.foell.org/justin/diy-dynamic-dns-with-openwrt-bind/ and https://github.com/sleinen/openwrt-nsupdate (nice examples, but an older article, and it seems the DDNS scripts have essentially addressed the custom DDNS script the authors describe, so don't actually follow the instructions)
*https://stackoverflow.com/questions/11153958/how-to-enable-named-bind-dns-full-logging (the first person, [https://stackoverflow.com/users/1618161/steven-carr Steven Carr], that answers the question is great, and I hate, hate, hate the idiot user ([https://stackoverflow.com/users/1439767/alexsergeyev alexsergeyev]) that replied to this great answer by questioning why it is configured such that the logging goes to separate files. Well alexsergeyev, you're too stupid to understand the answer. So shut up and let smart users like [https://stackoverflow.com/users/1618161/steven-carr Steven Carr] answer the questions, and quit bothering them since you have nothing useful to contribute.)