Categories

Hooking FreeDNS to Linux network states

In prior articles, I’ve mentioned the FreeDNS service a number of times, how I’ve used their commercial side for several years, and I really enjoy their attributes:

• Reliable.
• Fast — for both their service, and their responses.
• Affordable (and in nearly all cases, free – this includes A record updates with a TTL of 60.)
• Simple to use (updates can be made via basic HTTPS calls, such as with curl, wget, or your favorite programming language.)
• Saving the best for last: the founder, Joshua Anderson, is really nice.

Use cases

1. Several servers that run on ephemeral IP addresses (e.g. on Google Compute Engine).
2. Reduce ingress connections to bastion hosts based upon these dynamic IP addresses. I’ve run into cases where the Netgate SG-2440 chokes when a VPN server running as TCP/443 (useful for circumventing restrictive network connections) is exposed on the WAN interface, and a horde of bots bangs on it.

Implementation

1. Create a FreeDNS account:
https://freedns.afraid.org/pricing/
2. Setup a DDNS sub-domain:
https://freedns.afraid.org/subdomain/
3. Obtain the reciprocal hash
https://freedns.afraid.org/dynamic/
(it ends with two equal signs)
4. Save this script from my snippets repository to
/etc/network/if-up.d/
5. Edit the appropriate variables:
• watchNIC — Interface to watch.
• freeDNShash — FreeDNS hash, including the two equal signs at the end.
• lockFile — Path to LockFile.
• wait — Minimum time to wait before trying to update again (useful if your network connection is bouncing).
6. Set user and group ownership:
chown root: /etc/network/if-up.d/freedns.bash
7. Make this script executable, and only accessible by file owner:
chmod 700 /etc/network/if-up.d/freedns.bash

FAQ

Q. Why not just use ddclient?

A. ddclient is great, but, I don’t want my FreeDNS credentials sitting on a bunch of servers. If a box is compromised, I want to try and reduce what’s compromised, and FreeDNS doesn’t support oAuth (with their hashing mechanism, they don’t necessarily need to.)