A small, lightweight and extensible DynDNS server written with Ruby and Rack.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

314 lines
12 KiB

8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
8 years ago
  1. # dyndnsd.rb
  2. ![ci](https://github.com/cmur2/dyndnsd/workflows/ci/badge.svg) [![Dependencies](https://badges.depfu.com/badges/4f25da8493f7a29f652ac892fbf9227b/overview.svg)](https://depfu.com/github/cmur2/dyndnsd)
  3. A small, lightweight and extensible DynDNS server written with Ruby and Rack.
  4. ## Description
  5. dyndnsd.rb aims to implement a small [DynDNS-compliant](https://help.dyn.com/remote-access-api/) server in Ruby supporting IPv4 and IPv6 addresses. It has an integrated user and hostname database in its configuration file that is used for authentication and authorization. Besides talking the DynDNS protocol it is able to invoke a so-called *updater*, a small Ruby module that takes care of supplying the current hostname => ip mapping to a DNS server.
  6. There are currently two updaters shipped with dyndnsd.rb:
  7. - `zone_transfer_server` that uses [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) to allow any secondary nameserver(s) to fetch the zone contents after (optionally) receiving a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) request
  8. - `command_with_bind_zone` that writes out a zone file in BIND syntax onto the current system and invokes a user-supplied command afterwards that is assumed to trigger the DNS server (not necessarily BIND since its zone files are read by other DNS servers, too) to reload its zone configuration
  9. Because of the mechanisms used, dyndnsd.rb is known to work only on \*nix systems.
  10. See the [changelog](CHANGELOG.md) before upgrading. The older version 1.x of dyndnsd.rb is still available on [branch dyndnsd-1.x](https://github.com/cmur2/dyndnsd/tree/dyndnsd-1.x).
  11. ## General Usage
  12. Install the gem:
  13. gem install dyndnsd
  14. Create a configuration file in YAML format somewhere:
  15. ```yaml
  16. # listen address and port
  17. host: "0.0.0.0"
  18. port: 80
  19. # optional: drop privileges in case you want to but you may need sudo for external commands
  20. user: "nobody"
  21. group: "nogroup"
  22. # logfile is optional, logs to STDOUT otherwise
  23. logfile: "dyndnsd.log"
  24. # internal database file
  25. db: "db.json"
  26. # enable debug mode?
  27. debug: false
  28. # all hostnames are required to be cool-name.example.org
  29. domain: "example.org"
  30. # configure the updater, here we use command_with_bind_zone, params are updater-specific
  31. updater:
  32. name: "command_with_bind_zone"
  33. params:
  34. zone_file: "dyn.zone"
  35. command: "echo 'Hello'"
  36. ttl: "5m"
  37. dns: "dns.example.org."
  38. email_addr: "admin.example.org."
  39. # user database with hostnames a user is allowed to update
  40. users:
  41. # 'foo' is username, 'secret' the password
  42. foo:
  43. password: "secret"
  44. hosts:
  45. - foo.example.org
  46. - bar.example.org
  47. test:
  48. password: "ihavenohosts"
  49. ```
  50. Run dyndnsd.rb by:
  51. ```bash
  52. dyndnsd /path/to/config.yml
  53. ```
  54. ### Docker image
  55. There is an officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd) available at Dockerhub. The goal is to have a minimal secured image available (currently based on Alpine) that works well for the `zone_transfer_server` updater use case.
  56. Users can make extensions by deriving from the official Docker image or building their own.
  57. The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. The following YAML should be used as a base and extended with user's settings:
  58. ```yaml
  59. host: "0.0.0.0"
  60. port: 8080
  61. # omit the logfile: option so logging to STDOUT will happen automatically
  62. db: "/var/lib/dyndnsd/db.json"
  63. # User's settings for updater and permissions follow here!
  64. ```
  65. more ports might be needed depending on if DNS zone transfer is needed
  66. Run the Docker image exposing the DynDNS-API on host port 8080 via:
  67. ```bash
  68. docker run -d --name dyndnsd \
  69. -p 8080:8080 \
  70. -v /host/path/to/dyndnsd/config.yml:/etc/dyndnsd/config.yml \
  71. -v /host/ptherpath/to/dyndnsd/datadir:/var/lib/dyndnsd \
  72. cmur2/dyndnsd:vX.Y.Z
  73. ```
  74. *Note*: You may need to expose more than just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
  75. ## Using dyndnsd.rb with any nameserver via DNS zone transfers (AXFR)
  76. By using [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) any secondary nameserver can retrieve the DNS zone contents from dyndnsd.rb and serve them to clients.
  77. To speedup propagation after changes dyndnsd.rb can issue a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) to inform the nameserver that the DNS zone contents changed and should be fetched even before the time indicated in the SOA record is up.
  78. Currently, dyndnsd.rb does not support any authentication for incoming DNS zone transfer request, so it should be isolated from the internet on these ports.
  79. This approach has several advantages:
  80. - dyndnsd.rb can be used in *hidden primary* fashion isolated from client's DNS traffic and does not need to implement full nameserver features
  81. - any existing, production-grade, caching, geo-replicated nameserver setup can be used to pull DNS zone contents from the *hidden primary* dyndnsd.rb and serve it to clients
  82. - any nameserver(s) and dyndnsd.rb do not need to be located on the same host
  83. Example dyndnsd.rb configuration:
  84. ```yaml
  85. host: "0.0.0.0"
  86. port: 8245 # the DynDNS.com alternative HTTP port
  87. db: "/opt/dyndnsd/db.json"
  88. domain: "dyn.example.org"
  89. updater:
  90. name: "zone_transfer_server"
  91. params:
  92. # endpoint(s) to listen for incoming zone transfer (AXFR) requests, default 0.0.0.0@53
  93. server_listens:
  94. - 127.0.0.1@5300
  95. # where to send DNS NOTIFY request(s) to on zone content change
  96. send_notifies:
  97. - '127.0.0.1'
  98. # TTL for all records in the zone (in seconds)
  99. zone_ttl: 300 # 5m
  100. # zone's NS record(s) (at least one)
  101. zone_nameservers:
  102. - "dns.example.org."
  103. # info for zone's SOA record
  104. zone_email_address: "admin.example.org."
  105. # zone's additional A/AAAA records
  106. zone_additional_ips:
  107. - "127.0.0.1"
  108. users:
  109. foo:
  110. password: "secret"
  111. hosts:
  112. - foo.example.org
  113. ```
  114. ## Using dyndnsd.rb with [NSD](https://www.nlnetlabs.nl/projects/nsd/about/)
  115. NSD is a nice, open source, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into its own database) and has a simple configuration file.
  116. A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers, but one can fake it using the following dyndnsd.rb configuration:
  117. ```yaml
  118. host: "0.0.0.0"
  119. port: 8245 # the DynDNS.com alternative HTTP port
  120. db: "/opt/dyndnsd/db.json"
  121. domain: "dyn.example.org"
  122. updater:
  123. name: "command_with_bind_zone"
  124. params:
  125. # make sure to register zone file in your nsd.conf
  126. zone_file: "/etc/nsd3/dyn.example.org.zone"
  127. # fake DNS update (discards NSD stats)
  128. command: "nsdc rebuild; nsdc reload"
  129. ttl: "5m"
  130. dns: "dns.example.org."
  131. email_addr: "admin.example.org."
  132. # specify additional raw BIND-style zone content
  133. # here: an A record for dyn.example.org itself
  134. additional_zone_content: "@ IN A 1.2.3.4"
  135. users:
  136. foo:
  137. password: "secret"
  138. hosts:
  139. - foo.example.org
  140. ```
  141. Start dyndnsd.rb before NSD to make sure the zone file exists else NSD complains.
  142. ## Using dyndnsd.rb with X
  143. Please provide ideas if you are using dyndnsd.rb with other DNS servers :)
  144. ## Advanced topics
  145. ### Update URL
  146. The update URL you want to tell your clients (humans or scripts ^^) consists of the following
  147. http[s]://[USER]:[PASSWORD]@[DOMAIN]:[PORT]/nic/update?hostname=[HOSTNAMES]&myip=[MYIP]&myip6=[MYIP6]
  148. where:
  149. * the protocol depends on your (web server/proxy) settings
  150. * `USER` and `PASSWORD` are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
  151. * `DOMAIN` should match what you defined in your config.yaml as domain but may be anything else when using a web server as proxy
  152. * `PORT` depends on your (web server/proxy) settings
  153. * `HOSTNAMES` is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
  154. * `MYIP` is optional and the HTTP client's IP address will be used if missing
  155. * `MYIP6` is optional but if present also requires presence of `MYIP`
  156. ### IP address determination
  157. The following rules apply:
  158. * use any IP address provided via the `myip` parameter when present, or
  159. * use any IP address provided via the `X-Real-IP` header e.g. when used behind HTTP reverse proxy such as nginx, or
  160. * use any IP address used by the connecting HTTP client
  161. If you want to provide an additional IPv6 address as myip6 parameter, the `myip` parameter containing an IPv4 address has to be present, too! No automatism is applied then.
  162. ### SSL, multiple listen ports
  163. Use a web server as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.
  164. ### Startup
  165. There is a [Dockerfile](docs/Dockerfile) that can be used to build a Docker image for running dyndnsd.rb.
  166. The [Debian 6 init.d script](docs/debian-6-init-dyndnsd) assumes that dyndnsd.rb is installed into the system ruby (no RVM support) and the config.yaml is at /opt/dyndnsd/config.yaml. Modify to your needs.
  167. ### Monitoring
  168. For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default, the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter, butt you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file.
  169. ```yaml
  170. host: "0.0.0.0"
  171. port: 8245 # the DynDNS.com alternative HTTP port
  172. db: "/opt/dyndnsd/db.json"
  173. domain: "dyn.example.org"
  174. # configure the Graphite backend to be used instead of proctitle
  175. graphite:
  176. host: localhost # defaults for host and port of a carbon server
  177. port: 2003
  178. prefix: "my.graphite.metrics.naming.structure.dyndnsd"
  179. # OR configure the textfile reporter instead of Graphite/proctitle
  180. textfile:
  181. file: /path/to/file.prom
  182. prefix: "my.graphite.metrics.naming.structure.dyndnsd"
  183. # configure the updater, here we use command_with_bind_zone, params are updater-specific
  184. updater:
  185. name: "command_with_bind_zone"
  186. params:
  187. zone_file: "dyn.zone"
  188. command: "echo 'Hello'"
  189. ttl: "5m"
  190. dns: "dns.example.org."
  191. email_addr: "admin.example.org."
  192. # user database with hostnames a user is allowed to update
  193. users:
  194. # 'foo' is username, 'secret' the password
  195. foo:
  196. password: "secret"
  197. hosts:
  198. - foo.example.org
  199. - bar.example.org
  200. test:
  201. password: "ihavenohosts"
  202. ```
  203. ### Tracing (experimental)
  204. For tracing, dyndnsd.rb is instrumented using the [OpenTracing](http://opentracing.io/) framework and will emit span tracing data for the most important operations happening during the request/response cycle. Using a middleware for Rack allows handling incoming OpenTracing span information properly.
  205. Currently, only one OpenTracing-compatible tracer implementation named [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be configured to use with dyndnsd.rb.
  206. ```yaml
  207. host: "0.0.0.0"
  208. port: 8245 # the DynDNS.com alternative HTTP port
  209. db: "/opt/dyndnsd/db.json"
  210. domain: "dyn.example.org"
  211. # enable and configure tracing using the (currently only) tracer jaeger
  212. tracing:
  213. trust_incoming_span: false # default value, change to accept incoming OpenTracing spans as parents
  214. jaeger:
  215. host: 127.0.0.1 # defaults for host and port of local jaeger-agent
  216. port: 6831
  217. service_name: "my.dyndnsd.identifier"
  218. # configure the updater, here we use command_with_bind_zone, params are updater-specific
  219. updater:
  220. name: "command_with_bind_zone"
  221. params:
  222. zone_file: "dyn.zone"
  223. command: "echo 'Hello'"
  224. ttl: "5m"
  225. dns: "dns.example.org."
  226. email_addr: "admin.example.org."
  227. # user database with hostnames a user is allowed to update
  228. users:
  229. # 'foo' is username, 'secret' the password
  230. foo:
  231. password: "secret"
  232. hosts:
  233. - foo.example.org
  234. - bar.example.org
  235. test:
  236. password: "ihavenohosts"
  237. ```
  238. ## License
  239. dyndnsd.rb is licensed under the Apache License, Version 2.0. See LICENSE for more information.