We have a server with dedicated IP address in my company's headquarter. There're a couple of branches at other locations. We need to setup servers in each branch and allow accessing to those servers through dedicated subdomain name. But we do not have static IP for those branches, so it's not possible to bind any IP in our DNS server at headquarter.
If you have the same need as we are, here's what we did to resolve the problem.
Basically we need to setup DNS Update service at branch site to perform remote DNS update to headquarter to update IP of subdomains used by branch site periodically, so headquarter's DNS will always know the correct IP of each branch server.
For example, our main domain is infolexllc.com, and we need to setup a branch server at New York which will be called ny.infolexllc.com, here's what we do at servers at both ends (both CentOS 5.X):
At branch site(where only dynamic IP is available):1. Install NS Update:
yum install bind-utils
2. Create folder to hold related files and scripts:
mkdir /root/nsupdate
cd /root/nsupdate
3. create key files for NS update
dnssec-keygen -a HMAC-MD5 -b 512 -n USER ny.infolexllc.com
Kny.infolexllc.com.+157+47223
4. You should have two new files created under the current folder:
Kny.infolexllc.com.+157+47223.key Kny.infolexllc.com.+157+47223.private
5. create a new shell file: donsupdate.sh:
Make sure you change value of the script based-on your own environment.
6. Open the newly generated key file Kny.infolexllc.com.+157+47223.key
ny.infolexllc.com. IN KEY 0 3 157 QLwMCWdqUJ/ZOsOsdF4Dj/mYD2XwmqSrPL540JE3dwG7FXZwrJulOp16 Y0SySnfOo7+5s1mhZhUiAHxVOSoXnQ==
Remember the key string started from QlwMC.. all the way to the ending ==
On headquarter server:7. Modify named comnfiguration to allow remote DNS update from ny.infolexllc.com
Open /etc/named.conf
Find zone "infolexllc.com" {
Insert the following section in the configuration file before the zone:
key ny.infolexllc.com.{
algorithm hmac-md5;
secret "QLwMCWdqUJ/ZOsOsdF4Dj/mYD2XwmqSrPL540JE3dwG7FXZwrJulOp16 Y0SySnfOo7+5s1mhZhUiAHxVOSoXnQ==";
};
Insert the following lines at end of the infolexllc.com zone:
allow-update {
key ny.infolexllc.com. ;
};
Restart DNS server:
/etc/init.d/named restart
Now the headquarter DNS server should allow remote DNS update from ny.infolexllc.com
On branch server:8. Test DNS update script:
run
donsupdate.sh
You should see messages like below:
Detected IP address is:123.123.123.123
IP has been changed or one hour has been passed, save the flag and do update...
Creating key...
before getaddrinfo()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ny.infolexllc.com. 0 ANY A
ny.infolexllc.com. 84600 IN A 123.123.123.123
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 25321
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
ny.infolexllc.com. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 123123123123 300 16 ABCabcABCabc123+12aBcde== 25321 NOERROR 0
The status: NOERROR indicates a succeful update.
If you see any other error in status, go check /var/log/messages on head quarter server to find clue.
9. Test the new domain:
ping ny.infolexllc.com
You should see the new domain can be resolved to the dynamic IP currently assigned to branch server.
10. Once update script is working, you can create a cron job on branch server to run the script every 10 minutes. The script itself will check if IP has not been changed in the past hour, it will skip remote update.
I've done this for our branch servers several times. It works very well so far. I hope this set up can help resolving your problem. Feel free to let me know f you have any feedback or question.
Cheers!