How to configure a DNS name server with dynamic IPs

TomHsiung

TomHsiung

Hello, guys

Goal: to set up my own DNS name server. It shall response DNS queries from the WAN.

I have my own registered domain name (second level domain). After reading books for DNS, the name server shall be the authoritative server of my domain (zone). The zone (so the authoritative server) should have:

At least one NS record that point to its primary name server;
That name server must also have a valid A record (mapping IP address and name server FQDN);
The authoritative server (for the zone) must have exactly one SOA record.

The critical issue is the IP address, it is changing after some time. The DNS name server is an all-in-one server, which also serves websites, video streaming service, DHCP service, etc. The IP of the server is changing because it connects WAN via PPPoE.

Is it possible to have this name server?

Tom
 
Sorry for sounding overly critical: Why would you even bother?

Is it possible: yes.
Is it feasibe: that's the part I am not too sure about.

Why bother? See: the only reason to set up a custom DNS server is if you actually have something custom to feed to your clients. For example: in my WAN setup, powered by OpenVPN, I have an internal domain and in order to resolve the clients need to use an internal DNS server.

But if that doesn't apply to you: why bother?

Way too much hassle, especially if the clients can work out their own setups.
 
Yes. I asked my domain provider. They actually support own DNS name server. However, an static IP address is need to set up the private name server.

PS: the static IP address is used to add a A record to the parent name server, which is called a "glue" record.

For example, my if my domain is toms-therapeutics.site, and my own name server is ns1.toms-therapeutics.site, the parent name server should be the authoritative one for site. And a following resource record but be added into the database of authoritative name sever for site (which is a TLD).

ns1.toms-therapeutics.site. IN A 123.1.2.3

In summary,

PS: The last "dot" after the FQDN should be omitted in resource records?

On the authoritative name server for zone TLD site:

Code: 
...
...
...
toms-therapeutics.site. IN NS ns1.toms-therapeutics.site.
toms-therapeutics.site. IN NS ns2.toms-therapeutics.site.
...
...
...
ns1.toms-therapeutics.site. IN A 123.1.2.3
ns2.toms-therapeutics.site. IN A 123.1.2.6

On the authoritative reverse name server for in-addr.arpa.
Code: 
...
...
...
4.2.1.123.IN-ADDR.ARPA. IN PTR www.toms-therapeutics.site.
5.2.1.123.IN-ADDR.ARPA. IN PTR mail1.toms-therapeutics.site.
7.2.1.123.IN-ADDR.ARPA. IN PTR mail2.toms-therapeutics.site.
...
...
...

On my own name server for zone toms-therapeutics.site (SOA records is omitted here):

Code: 
toms-therapeutics.site. IN NS ns1.toms-therapeutics.site.
toms-therapeutics.site. IN NS ns2.toms-therapeutics.site.
ns1.toms-therapeutics.site. IN A 123.1.2.3
ns2.toms-therapeutics.site. IN A 123.1.2.6
...
...
...
www.toms-therapeutics.site. IN A 123.1.2.4
mail1.toms-therapeutics.site. IN A 123.1.2.5
mail2.toms-therapeutics.site. IN A 123.1.2.7
toms-therapeutics.site. IN MX 10 mail1.toms-therapeutics.site.
toms-therapeutics.site. IN MX 20 mail2.toms-therapeutics.site.
...
...
...
 
From RFC1591:

3. The Administration of Delegated Domains
[...]
There must be a primary and a secondary nameserver that have IP
connectivity to the Internet and can be easily checked for
operational status and database accuracy by the IR and the IANA.

In cases when there are persistent problems with the proper
operation of a domain, the delegation may be revoked, and possibly
delegated to another designated manager.
Click to expand...

Running an authorative DNS-Server on dynamic IP therefore isn't allowed because 1) you shall always have a primary and secondary NS, and 2) a dynamic IP can't be easily checked.
Many registrars even explicitly prohibit NS records pointing to dynamic IP ranges.

If all you want is to run some services from a (slow) home-internet-connection, either use a service like dyndns or build something similar, e.g. by using an API at your registrars DNS service to update the records.

I still highly advise against running any "important" or sensitive services from a home internet connection with dynamic IP. If you get a new IP handed out by DHCP, your old one is usually re-assigned within extremely short time (often within a few minutes!) and DNS records can take up to 24h to propagate. So your records will point to another - possibly malicious - persons equipment, often for several hours.
Back when I had a DSL connection that was forcibly disconnected every 24h I was running a honeypot for a short time (mainly to catch/analyze malicious SSH and SMTP connections), that very often registered a ton of HTTP requests to dynamic hostnames that pointed to "my" IP. Sometimes these were even direct POSTs to login pages/APIs e.g. for owncloud, including login credentials - of course mostly unencrypted, because "SSL is hard"...
I could have easily gathered lots and lots of dynamic hostnames and login credentials for the services that are running on those IPs. Given that dynamic IP ranges are usually handed out on relatively small, regional network segments, it is very likely these services were running somewhere in my direct neighborhood...

If you really want to access ressources at your home network, I'd highly recommend using an external VPN gateway e.g. on a cheap $2.5/month VPS with static IPs, to which your home gateway/router connects. You can then safely and reliably connect to that server and route your services at home through that connection.
As a bonus you can use that VPN server as a secure gateway when you have to use untrusted and maybe restricted networks (mobile, cafes, airports etc...)
 
sko said:
If you really want to access ressources at your home network, I'd highly recommend using an external VPN gateway e.g. on a cheap $2.5/month VPS with static IPs
Click to expand...
Thanks. I still have known little about VPN. I will take a look at it later.
 
You must log in or register to reply here.
Back
Top