Difference between revisions of "OpenWRT DDNS"

527 bytes added, 12:48, 1 December 2020
m
Line 1: Line 1:
This article was written about DDNS (Dynamic DNS (Domain Naming System (''not'' Service))) on OpenWRT, but some of it could apply to DDNS using other platforms.  On the server side, BIND / NAMED is used instead of the default OpenWRT DNS Daemon / Service, DNSMASQ.  DDNS-SCRIPTS is / are the service(s) used on the client side.
This article was written about DDNS (Dynamic DNS (Domain Naming System (''not'' Service))) on OpenWRT, but some of it could apply to DDNS using other platforms.  On the server side, BIND / NAMED is used instead of the default OpenWRT DNS Daemon / Service, DNSMASQ.  DDNS-SCRIPTS is / are the service(s) used on the client side.
To help readers understand things, the terms "user name" and "password" are used in place of [[wikipedia:TSIG|TSIG]] sometimes.  Functionally, both are the same.  Anyway, the point is to avoid getting sidetracked on the TSIG subject and putting the focus on DDNS and BIND / NAMED.


==Problems==
==Problems==
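Review bot: The added sentence "Functionally, both are the same" overstates the analogy between a user name / password and TSIG. A TSIG key is a named shared secret used to compute an HMAC over each DNS message, and the secret itself is never sent to the server, unlike a password. Suggest saying that the key name plays the role of the "user name" and the shared secret the role of the "password", and that the comparison is a simplification. Also, "putting the focus" should read "to put the focus" to match "to avoid".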
Line 5: Line 7:


===Encryption===
===Encryption===
The DDNS Client scripts for updating a DNS Server via NSUPDATE expects the password to be encrypted using MD5 (HMAC-MD5).  The version of the DNSSEC-KEYGEN tool provided by OpenWRT, which is typically used for generating / encrypting a password in this form does ''not'' support MD5 (HMAC-MD5).  Regardless of the arguments pertaining to MD5 encryption, this issue presents a problem.  The workaround is easy if you've got a CentOS, Debian, Ubuntu, etc. version of Linux available, as their version of the DNSSEC-KEYGEN utility does support MD5 (HMAC-MD5) encryption.  As of 11.2020, there is very little information on this subject.  This web page notes the issue, but there is no answer: https://github.com/openwrt/packages/issues/8927
The DDNS Client scripts for updating a DNS Server via NSUPDATE expects the "password" ([[wikipedia:TSIG|TSIG]]) to be encrypted / signed using MD5 (HMAC-MD5).  The version of the DNSSEC-KEYGEN tool provided by OpenWRT, which is typically used for generating / encrypting / signing a "password" in this form does ''not'' support MD5 (HMAC-MD5).  Regardless of the arguments pertaining to MD5 encryption / signing, this issue presents a problem.  The workaround is easy if you've got a CentOS, Debian, Ubuntu, etc. version of Linux available, as their version of the DNSSEC-KEYGEN utility does support MD5 (HMAC-MD5).  As of 11.2020, there is very little information on this subject.  This web page notes the issue, but there is no answer: https://github.com/openwrt/packages/issues/8927 According to [https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch11_01.htm this] documentation, it is sort of implied that BIND / NAMED only uses MD5 (HMAC-MD5) when using [[wikipedia:TSIG|TSIG]].


===Permissions===
===Permissions===
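Review bot: The revised Encryption paragraph still says the "password" is "encrypted / signed" and that DNSSEC-KEYGEN is used for "generating / encrypting / signing" it, which mixes three different operations. HMAC-MD5 is a keyed message authentication code: the tool generates the secret, and client and server use it to sign and verify updates. Nothing is encrypted. Suggest dropping "encrypted" and "encrypting" instead of adding "signed" beside them. The new closing sentence rests on one linked book chapter and is hedged with "sort of implied", so either confirm the supported TSIG algorithms against the BIND documentation for the version in use or mark the statement as unverified. It also needs a sentence break between the issue URL and "According to".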
Line 59: Line 61:
It was found that WGET did not work reliably in situation where the router running the DDNS Client Scripts with a private WAN IP Address was behind another router with a public WAN IP Address.  So CURL was used to address the issue.  DD-WRT addresses this very issue with a radio button choice titled "Do not use external ip check" (worded poorly as negative questions are always a bit confusing), but OpenWRT offers no similar configuration via its GUI or in the configuration file (/etc/config/ddns).
It was found that WGET did not work reliably in situation where the router running the DDNS Client Scripts with a private WAN IP Address was behind another router with a public WAN IP Address.  So CURL was used to address the issue.  DD-WRT addresses this very issue with a radio button choice titled "Do not use external ip check" (worded poorly as negative questions are always a bit confusing), but OpenWRT offers no similar configuration via its GUI or in the configuration file (/etc/config/ddns).


==== Additional Configuration Example for a Router with Dual WAN Capability ====
====Additional Configuration Example for a Router with Dual WAN Capability====
The below example assumes the WAN interfaces (OpenWRT perspective, not from ''ifconfig'' perspective) are "wan" and "wwan"<syntaxhighlight lang="text">
The below example assumes the WAN interfaces (OpenWRT perspective, not from ''ifconfig'' perspective) are "wan" and "wwan"<syntaxhighlight lang="text">
config ddns 'global'
config ddns 'global'
Line 96: Line 98:
</syntaxhighlight>'''SPECIAL NOTES;'''
</syntaxhighlight>'''SPECIAL NOTES;'''


* The OpenWRT DDNS Scripts do NOT like or tolerate dashes or hyphens ( - ) in the service name (IE: ''config service 'What-Ever-Name' will not work and result in nothing showing up in the LuCI GUI)''
*The OpenWRT DDNS Scripts do NOT like or tolerate dashes or hyphens ( - ) in the service name (IE: ''config service 'What-Ever-Name' will not work and result in nothing showing up in the LuCI GUI)''
* DDNS Scripts (and maybe BIND / NAMED) do NOT like or tolerate underscores ( _ ) in the ''lookup_host'' or ''domain'' directives (IE: What_Ever_Host_Name.WhatEverDomain.WhatEverSuffix will cause an error)
*DDNS Scripts (and maybe BIND / NAMED) do NOT like or tolerate underscores ( _ ) in the ''lookup_host'' or ''domain'' directives (IE: What_Ever_Host_Name.WhatEverDomain.WhatEverSuffix will cause an error)


===Configuration for Server===
===Configuration for Server===
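Review bot: In the first SPECIAL NOTES bullet the italic markup opens before "config service" and only closes after "LuCI GUI)", so the explanation is italicised along with the example and the closing parenthesis falls inside the italics. Since these bullets are being touched anyway, close the italics directly after 'What-Ever-Name' and replace "IE:" with "e.g." in both bullets, as each introduces an example, not a restatement.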