https://github.com/fireflycons/pfsense-aws-dynamicdns

How to set up Dynamic DNS with AWS Route 53 and pfSense, and update security groups when IP changes

README

# Overview

Whilst this is a guide to configuring Dynamic DNS (DDNS) on pfSense, because that's what I use, the CloudFormation template creates an IAM user with the correct permissions to perform a DNS update generically, so it can be used with any DDNS client that supports AWS. You can even roll your own with the AWS CLI or one of the SDKs.
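As an added example of the "roll your own" route mentioned above (not code from this repository), the script below does what the pfSense Route 53 client does: it reads the current A record, and issues an UPSERT only when the WAN address has actually changed. It assumes boto3 is installed, that the access keys of the IAM user are available in the environment, and uses placeholder values for the Hosted Zone ID and hostname.

```python
"""Minimal Route 53 DDNS updater (added example; HOSTED_ZONE_ID is a placeholder)."""
import ipaddress
import urllib.request

HOSTED_ZONE_ID = "ZXXXXXXXXXXXXXX"   # placeholder: your Route 53 Hosted Zone ID
HOSTNAME = "www.mycompany.org"       # record to keep pointed at the WAN address
TTL = 300                            # seconds, as in the pfSense form


def build_change_batch(hostname, ip, ttl):
    """UPSERT creates the A record if it is missing and overwrites it otherwise."""
    ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not an IPv4 literal
    return {
        "Comment": "DDNS update",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": hostname.rstrip(".") + ".",  # Route 53 names are fully qualified
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        }],
    }


def current_record_value(record_sets, hostname):
    """Return the A record value Route 53 currently holds for hostname, or None."""
    want = hostname.rstrip(".") + "."
    for rrset in record_sets:
        if rrset["Name"] == want and rrset["Type"] == "A":
            return rrset["ResourceRecords"][0]["Value"]
    return None


def update_if_changed(client, zone_id, hostname, ip, ttl):
    """Call ChangeResourceRecordSets only when the address differs, so a periodic
    run (e.g. from cron) does not issue a change request every time."""
    resp = client.list_resource_record_sets(
        HostedZoneId=zone_id, StartRecordName=hostname, StartRecordType="A", MaxItems="1")
    if current_record_value(resp["ResourceRecordSets"], hostname) == ip:
        return False
    client.change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=build_change_batch(hostname, ip, ttl))
    return True


if __name__ == "__main__":
    import boto3  # imported lazily so the helpers above work without it
    wan_ip = urllib.request.urlopen("https://checkip.amazonaws.com").read().decode().strip()
    # Route 53 is a global service whose requests are signed for us-east-1;
    # this is the same reason the pfSense Zone ID field wants the 'us-east-1/' prefix.
    client = boto3.client("route53", region_name="us-east-1")
    print("updated" if update_if_changed(client, HOSTED_ZONE_ID, HOSTNAME, wan_ip, TTL) else "unchanged")
```

The IAM user created by the template is only allowed to change the one zone, so pointing this script at any other zone ID fails with the same `AccessDenied` error shown in the troubleshooting section.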

Also included in this repository is a [PowerShell Lambda project](DynamicIpWatcher/) which will track your dynamically updated DNS records in Route 53 and update security groups in your AWS account with detected changes.

# What is Dynamic DNS

[Dynamic DNS](https://en.wikipedia.org/wiki/Dynamic_DNS) is a service that maps a name like yourcompany.dyndns.org to your current external IP address.

If you have a static IP from your provider, you will not necessarily need DDNS, since you can just set the record directly, knowing that the underlying IP will not change.

Most of you, at least for private use, will have an external IP address that changes every so often at your service provider's whim, so after a change it would be impossible to reach your internal network at the old address.

This is where DDNS comes into play.

Each time your service provider changes your IP address, pfSense will automatically tell your DDNS provider, in this case Route 53, the new address.

Note that there is a cost associated with Route 53, albeit fairly small. You'd only want to use Route 53 if you already have an AWS account. Free providers exist, such as [No-IP](https://www.noip.com/free) or [freeDNS](http://freedns.afraid.org/).

# Setup

## Prerequisites

* You must have the domain you want to update registered with Route 53. Either register a new one, or transfer one in from another DNS provider.

## Find the Hosted Zone ID

Here you get the Zone ID of the domain that will be updated by DynDNS.

For the purpose of this guide, we will assume that the DNS domain is `mycompany.org`.

1. Log into AWS console.
2. Go to the Route 53 console, display your hosted zones and note the Hosted Zone ID of the domain you wish to update.

## Create an IAM User

Here you create an IAM user in your AWS account with permission to update DNS records.

1. Log into AWS console.
2. Go to CloudFormation console and create a new CloudFormation Stack using the template provided. It will prompt you for the name to give the new user, and for the Hosted Zone ID of the zone (which you found above) it will have permission to manage.
3. Go to the IAM console and find the user that has been created by CloudFormation.
4. Select the Security Credentials tab, and press Create Access Key.
5. Note down the Access Key ID and Secret Access Key; you will need them later.

## Configure pfSense to update Route 53

Now you set up pfSense to do the heavy lifting.

1. Log into the pfSense user interface.
2. From the `Services` menu, select `Dynamic DNS`.
3. Press the Add button to create a new Dynamic DNS service.
4. Fill out the form as follows. Only the fields listed here require values.
* `Service Type` - `Route 53`
* `Interface to monitor` - Select `WAN`, or whichever interface is connected to your service provider's modem/router.
* `Hostname` - Enter the fully qualified name of the record you wish to have updated, e.g. `www.mycompany.org`. If the record doesn't yet exist, pfSense will create an [A record](https://support.dnsimple.com/articles/a-record/) for you.
* `Username` - Enter the Access Key ID you created above.
* `Password` - Enter the Secret Access Key from above.
* `Zone ID` - There have been different reports as to what works here; one of the following should work: either just the Hosted Zone ID, or the Hosted Zone ID prefixed with `us-east-1/`. Note that it must be `us-east-1` and not any other region. The latter is working for me.
* `TTL` - Choose a [TTL value](https://en.wikipedia.org/wiki/Time_to_live#DNS_records), e.g. 300 (5 min)
* `Description` - Anything you want, or leave blank.
5. Save the configuration and the DNS update should soon happen. Your external IP should then show up green in the Cached IP column.

## Troubleshooting

If there is an issue with the DNS update, the Cached IP column will show the IP address in red, or will show `N/A`.

1. Check for typos in the `Username`, `Password` and `Zone ID` fields.
2. Examine the pfSense system log for clues. In pfSense, select `System Logs` from the `Status` menu.
3. Look for messages beginning `/services_dyndns_edit.php: error message:`.

### Error Log example 1

```xml
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region, not 'eu-west-1'.</Message>
  </Error>
  <RequestId>112208b4-2bec-11e9-b72a-d74051dabb6f</RequestId>
</ErrorResponse>
```
This indicates an issue with the Zone ID field in the configuration. Review step 4 above. If you have included a region with the zone ID, it must be `us-east-1`, irrespective of what your preferred region is for deploying resources.

### Error log example 2

Account and Zone IDs redacted.

```xml
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>User: arn:aws:iam::000000000000:user/test-ddns is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/Zxxxxxxxxxxxx</Message>
  </Error>
  <RequestId>e8048f80-2c41-11e9-8a34-7b4695c088ab</RequestId>
</ErrorResponse>
```

The zone ID you gave to CloudFormation when you created the user is not the same as the zone ID you gave to pfSense. The IAM user only has permission to update the specific zone given when you created the user.
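To make the two troubleshooting cases above mechanical, here is an added example (not part of this guide) that pulls every Route 53 `ErrorResponse` out of pfSense system log text and pairs its error code with the fix described here. The syslog prefix, request IDs and zone ID in the sample log are constructed placeholders; only the `/services_dyndns_edit.php: error message:` marker comes from the guide.

```python
"""Triage Route 53 ErrorResponse bodies found in the pfSense system log (added example)."""
import re
import xml.etree.ElementTree as ET

# Route 53 error code -> the remediation given in the troubleshooting section.
REMEDIATION = {
    "SignatureDoesNotMatch": "Zone ID field: if a region prefix is used it must be 'us-east-1/'.",
    "AccessDenied": "Zone ID given to pfSense differs from the one the IAM user was scoped to.",
}


def parse_error_response(xml_text):
    """Return code, message and request id from an ErrorResponse body.
    The XML namespace is ignored so both namespaced and bare bodies parse."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag in ("Code", "Message", "RequestId"):
            found[tag] = (el.text or "").strip()
    return {"code": found.get("Code"), "message": found.get("Message"),
            "request_id": found.get("RequestId")}


def triage_log(log_text):
    """Find every ErrorResponse in the log text and attach the guide's fix for it."""
    results = []
    for body in re.findall(r"<ErrorResponse.*?</ErrorResponse>", log_text, re.S):
        err = parse_error_response(body)
        err["fix"] = REMEDIATION.get(err["code"], "Not covered by this guide; read the message text.")
        results.append(err)
    return results


# Constructed sample log: two pfSense DDNS failures, one of each kind shown above.
SAMPLE_LOG = """\
Feb  8 10:01:02 pfSense php-fpm[12345]: /services_dyndns_edit.php: error message: <ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>SignatureDoesNotMatch</Code><Message>Credential should be scoped to a valid region, not 'eu-west-1'.</Message></Error><RequestId>00000000-0000-0000-0000-000000000001</RequestId></ErrorResponse>
Feb  8 10:05:44 pfSense php-fpm[12345]: /services_dyndns_edit.php: error message: <ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>AccessDenied</Code><Message>User: arn:aws:iam::000000000000:user/test-ddns is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/ZPLACEHOLDER</Message></Error><RequestId>00000000-0000-0000-0000-000000000002</RequestId></ErrorResponse>
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e['code']}: {e['fix']} (request {e['request_id']})")
```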