[clug] Running my own dynamic DNS?

Ian Munsie darkstarsword at gmail.com
Tue Feb 25 16:57:48 MST 2014

> I used to have tangram.dnsalias.net pointing to my home internet connection;
> but then dyn.com (who owns dnsalias.net) stopped offering it as a free
> service.  This made me think that I should actually get a better setup for
> accessing my home internet connection through a dynamic IP address.

Hi Paul,

I don't have any advice on setting up your own nameserver to work with
ddclient or similar, and would be interested in this answer as well.
Edit: Looks like Tony answered that :)

I also have a free account with dyn, but their free service has
certainly degraded (when I signed up you got five hostnames, now it's
only two - and far less choices of domains as well). I'm not sure if
they even still offer the free service and to keep an existing one you
now have to ping them once a month to stop them closing it.

FWIW I recently registered darkstarsword.net through namecheap and
discovered that if you use their nameservers they also offer a dynamic
DNS service that is supported by ddclient (protocol=namecheap in
/etc/ddclient.conf). If you run /usr/sbin/ddclient -help and look
through the output it tells you a bunch of other providers & protocols
that it supports. It mentions some other providers are free, but I
haven't looked into any of them.

I also have two other ways into my home machine that may be useful to you:

1. I run this script on my home machine to connect to a remote machine
and open a reverse tunnel back to itself, re-establishing the
connection every 30 seconds if it drops out (or up to ten minutes if
it dropped out but didn't notice - that's the ServerAliveInteval=). Of
course, this assumes that you have access to another server somewhere
on the Internet with unrestricted SSH access:


HOST=ian at somehost.com

if [ -z "$SSH_AGENT_PID" ]; then
        echo No ssh-agent in current env, respawning...
        exec ssh-agent /bin/sh "$0"


while true; do
        echo Connecting...
        ssh -R $RPORT:localhost:$LPORT -o ServerAliveInterval=600 $HOST
        sleep 30

Then I can do this when I want to get in:
TERMINAL 1: ssh -L 12345:localhost:12345 ian at somehost.com
TERMINAL 2: ssh -p 12345 ian at localhost

Occasionally I may have to kill the ssh instance on somehost.com from
my home server if it was unable to open the reverse tunnel on port
12345 - then 30 seconds later it will automatically reconnect and
hopefully will be able to listen on the port.

2. I can access my SSH server via a hidden service on tor. I don't
need the anonymity* that tor provides, but running a hidden service
means that tor takes care of all the routing issues for me - NAT
traversal just works and it doesn't matter what my IP happens to be at
the time. The latency isn't that great, but it works.

Add this to /etc/tor/torrc, replacing the port numbers with what you
want to use:
HiddenServiceDir /var/lib/tor/hidden_ssh/
HiddenServicePort 12345

If all goes well once you (re)start tor you will find your hidden
service hostname under /var/lib/tor/hidden_ssh/hostname

In my ~/.ssh/config I have this:

Host home-tor
        HostName HOSTNAME.onion
        User ian
        Port 12345
        ProxyCommand /bin/nc -X 5 -x localhost:9050 %h %p

Replace the hostname with whatever tor gave you, and obviously replace
the username, ssh port and tor socks port with whatever you are using.
That ProxyCommand requires openbsd netcat since it is the only flavour
of netcat that knows how to talk to a SOCKS5 proxy.

* If you did an anonymous hidden SSH service you should close the SSH
server to the normal internet and generate a new set of host keys to
make sure an adversary couldn't identify it from that. Also make sure
the SSH banner doesn't give anything away about your system, and
there's probably other things you would need to do as well.

> Does anyone know if it's possible, and sane, to run some kind of dynamic DNS
> system?  Are there standard packages out there that take a regular login
> from ones home router and update a DNS A record based on the router's public
> address?  Or is it just considered too insecure?

I assume from that question that you are behind a NAT at your router.
If you find a solution supported by ddclient, it has a whole bunch of
ways to determine your public IP address - it seems like it does
support some routers (/usr/sbin/ddclient -help|grep use=), but if
nothing else you can do something like this in /etc/ddclient.conf:

use=web, web=checkip.dyndns.com, web-skip='IP Address'

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

More information about the linux mailing list