Hooking FreeDNS to Linux network states

Introduction

In prior articles I've mentioned the FreeDNS service a number of times: I've used their commercial side for several years, and I really enjoy its attributes:

  • Reliable.
  • Fast, both the service itself and their responses.
  • Affordable (and in nearly all cases free; this includes A record updates with a TTL of 60).
  • Simple to use (updates are made with a basic HTTPS call, e.g. from curl, wget, or your favorite programming language).
  • Saving the best for last: the founder, Joshua Anderson, is really nice.

Use cases

  1. Several servers run on ephemeral IP addresses (e.g. on Google Compute Engine).
  2. Reduce ingress connections to bastion hosts by limiting them based upon these dynamic IP addresses. I've run into cases where the Netgate SG-2440 chokes when a VPN server running on TCP/443 [1] is exposed on the WAN interface and a horde of bots bangs on it.

Implementation

  1. Create a FreeDNS account at https://freedns.afraid.org/pricing/
  2. Set up a DDNS sub-domain at https://freedns.afraid.org/subdomain/
  3. Obtain that sub-domain's update hash from https://freedns.afraid.org/dynamic/ (it ends with two equal signs)
  4. Save the following script to /etc/network/if-up.d/freedns
  5. Edit the appropriate variables:
    • watchNIC - Interface to watch.
    • freeDNShash - FreeDNS hash, including the two equal signs at the end.
    • lockFile - Path to the lock file.
    • wait - Minimum time to wait before trying to update again (useful if your network connection is bouncing).
  6. Set user and group ownership: chown root: /etc/network/if-up.d/freedns
  7. Make this script executable, and only accessible by file owner: chmod 700 /etc/network/if-up.d/freedns
/etc/network/if-up.d/freedns
#!/usr/bin/env bash
: <<'!COMMENT'

Hooking FreeDNS to Linux network states
https://thad.getterman.org/2017/12/30/hooking-freedns-to-linux-network-states

Louis T. Getterman IV (@LTGIV)

!COMMENT

# Variables
watchNIC="eth0"                                      # Interface to watch
freeDNShash="ValueGoesHereIncludingDoubleEqualSigns" # FreeDNS hash, including the trailing "=="
lockFile="/run/lock/freeDNS"                         # Lock file guarding against overlapping updates
wait=300                                             # Minimum seconds between update attempts

# ifupdown exports the interface being brought up as $IFACE; only act on the watched one.
if [ "$IFACE" = "${watchNIC}" ]; then
	(
		# Exclusive, non-blocking lock on fd 9: if a previous update is still in its
		# cool-down, leave the subshell rather than send a duplicate request.
		flock --nonblock 9 || exit 1
		/usr/bin/curl --silent "https://freedns.afraid.org/dynamic/update.php?${freeDNShash}"
		# Hold the lock for the cool-down so a bouncing link cannot hammer FreeDNS.
		sleep ${wait}
	) 9>"${lockFile}"
fi

exit 0
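
To see what the lock and cool-down actually buy you, the following is an added test harness (not part of the original post and not FreeDNS's own tooling) that keeps the hook's structure but stubs out curl, shortens the wait to two seconds, and fires the hook several times in parallel as a flapping link would; send_update, simulate_bounce and updates_sent are names chosen for this example:

```shell
#!/bin/sh
# Added harness for the hook's flock/cool-down behaviour (constructed, not from the post).
workdir="$(mktemp -d)"
lockFile="${workdir}/freeDNS.lock"
updateLog="${workdir}/updates.log"   # one line per stubbed FreeDNS call
watchNIC="eth0"
waitSecs=2                           # the hook's "wait"; shortened from 300 for the demo

# Stand-in for the curl call: records the attempt instead of touching the network.
send_update() {
	printf 'update %s\n' "$(date +%s)" >> "${updateLog}"
}

# Same structure as the real hook, with IFACE passed in rather than set by ifupdown.
freedns_hook() {
	IFACE="$1"
	if [ "$IFACE" = "${watchNIC}" ]; then
		(
			flock --nonblock 9 || exit 1
			send_update
			sleep "${waitSecs}"
		) 9>"${lockFile}"
	fi
	return 0
}

# Run the hook N times in parallel for an interface (a flapping link), then wait for all.
simulate_bounce() {
	n="$1"; iface="$2"
	: > "${updateLog}"
	for i in $(seq "$n"); do
		freedns_hook "$iface" &
	done
	wait
}

# How many updates actually went out in the last simulated bounce.
updates_sent() {
	wc -l < "${updateLog}" | tr -d ' '
}

simulate_bounce 5 eth0
echo "eth0 bounced 5 times, updates sent: $(updates_sent)"   # 1: the lock collapses the burst
simulate_bounce 3 wlan0
echo "wlan0 bounced 3 times, updates sent: $(updates_sent)"  # 0: not the watched interface
```

Run it with sh on a system that has util-linux flock; the stub writes only to a temporary directory, so nothing reaches FreeDNS.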

FAQ

Q. “Why not just use ddclient?”

A. ddclient is great, but I don't want my FreeDNS credentials sitting on a bunch of servers. If a box is compromised, I want to limit what else is compromised along with it, and FreeDNS doesn't support OAuth (with their update-hash mechanism, they don't necessarily need to).

References

[1] Useful for circumventing restrictive network connections.

2017/12/30/hooking-freedns-to-linux-network-states.txt · Last modified: 2017/12/31 08:52 by Louis T. Getterman IV