ISC dynamic DNS Workshop

1 Dynamic DNS workshop

The virtual machines have a domain name in the form

Please log in to the machines with a modern web browser under the URL with the username user and the password DNSandBIND. You can also log in with SSH and the same username and password.

The virtual machines run the cockpit tool to provide a terminal in the web browser.

Then select the terminal (last menu option on the left) and start the tutorial.

1.1 Virtual machines

Every participant has a VM number. Please replace the XXX in the instructions with your participant number from the table below:

VM-Nr. Name

1.2 Basic Installation

  • The authoritative DNS server runs BIND 9.11.20 ESV (RedHat EL 8)
  • The BIND 9 configuration file can be found in /etc/named.conf
  • The Logging configuration for authoritative DNS Server from Webinar 1/2021 has been applied
  • The log-file can be found in /var/named
  • For the sessions you need to become the user root with the sudo command, for example with sudo -s

2 Session 1 - Making a static zone dynamic

  • The DNS server has one zone configured with the name This zone has only one authoritative server.
  • Goal: turning the static zone into a dynamic zone

2.1 Making the zone dynamic

  • Inspect the zone file in /var/named/dynamic/ Create a backup copy of the file.
  • Open the BIND 9 configuration file /etc/named.conf in your favorite editor (vi, nano, emacs)
  • Find the zone configuration at the end of the file
  • Add the line allow-update { localhost; }; to the zone block to mark this zone as a dynamic zone that accepts dynamic updates
  • Check the new BIND 9 configuration with named-checkconf -z
  • Reload the new configuration in the BIND 9 server with rndc reload

2.2 Sending an update

  • Start the nsupdate tool
  • Enter the default TTL and the update line
> ttl 60
> update add IN A
> show
> send
> answer
> quit

2.3 Inspect the log-files

  • check the file /var/named/update.log for update log messages
# tail /var/named/update.log
19-May-2021 10:09:02.549 info: client @0x7f5cdc039c20 2604:a880:400:d0::18b1:b001#36896: updating zone '': adding an RR at '' A
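
An added example (not part of the workshop material) of how the update.log check above can be scripted: it lists each logged update with its client address and marks senders outside an expected list. The sample log lines, zone name, addresses and the allowlist are constructed for illustration, and the field layout is assumed to match the log line shown above.

```shell
#!/bin/sh
# Added example: audit BIND 9 update.log entries by client address.

# Constructed sample log lines (documentation addresses and names).
sample_log() {
cat <<'EOF'
19-May-2021 10:09:02.549 info: client @0x7f5cdc039c20 2001:db8::53#36896: updating zone 'zone.example/IN': adding an RR at 'www.zone.example' A 192.0.2.10
19-May-2021 10:11:40.112 info: client @0x7f5cdc03a110 127.0.0.1#41022: updating zone 'zone.example/IN': deleting rrset at 'info.zone.example' TXT
19-May-2021 10:15:07.300 info: client @0x7f5cdc03b220 198.51.100.7#50111: updating zone 'zone.example/IN': adding an RR at 'mail.zone.example' A 198.51.100.7
EOF
}

# Usage: audit_updates "ADDR ADDR ..." < update.log
# The argument is a space-separated list of client addresses that are
# expected to send updates (an assumption made for this example).
audit_updates() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    / client / && /: updating zone / {
        # Locate the "client" keyword; the token two fields later is
        # address#port (optionally followed by /key for signed updates).
        for (i = 1; i <= NF; i++) if ($i == "client") break
        addr = $(i + 2)
        sub(/#[0-9]+.*$/, "", addr)
        # Keep the zone and the change description for the report.
        action = $0
        sub(/^.*: updating zone /, "", action)
        printf "%s %s %s\n", ((addr in ok) ? "OK" : "UNEXPECTED"), addr, action
    }'
}

# Stand-alone run on the constructed sample.
sample_log | audit_updates "127.0.0.1 2001:db8::53"
```

On the workshop VM the function would read the real log, for example `audit_updates "127.0.0.1 ::1" < /var/named/update.log`.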

2.4 Query the new entry

  • Send a DNS query for the new entry
# dig a

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25939
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;      IN      A

;; ANSWER SECTION: 60    IN      A

;; Query time: 645 msec
;; WHEN: Wed May 19 10:12:58 UTC 2021
;; MSG SIZE  rcvd: 69

2.5 Inspect the updated zone file

  • BIND 9 will write the new zone content back into the zone file after around 15 minutes. Committing all changes into the zone files can be forced with rndc sync.
  • You will find the new (binary) journal file in the same directory as the zone file
  • Force the zone file to be updated with rndc sync
  • Inspect the new zone file /var/named/dynamic/ and compare with the original file (the backup copy)
  • Find the new IPv4 Address record in the zone file

3 Session 2 - Sending scripted dynamic updates

  • Create a text file dns-update.txt with the following content on the VM (replacing the XXX with your VM number)
TTL 60
add  IN TXT "This is informal"
add   IN AAAA 2001:db8::1
add  IN A
add       IN MX 10
  • execute the updates from the file
nsupdate dns-update.txt
  • Check that the new records are in the zone (by sending DNS queries to the zone or inspecting the zone file after issuing rndc sync)
  • Check the new SOA serial number; it should have been incremented

4 Session 3 - Inspecting the journal file

  • Find the journal-file for the zone in /var/named/dynamic
  • Print the content of the journal-file and try to match the content with the updates you've sent to the zone in Session 1 and Session 2
# named-journalprint /var/named/dynamic/
del       60      IN      SOA 1001 3600 1200 3542400 60
add       60      IN      SOA 1002 3600 1200 3542400 60
add 60        IN      A
del       60      IN      SOA 1002 3600 1200 3542400 60
add       60      IN      SOA 1003 3600 1200 3542400 60
add 60       IN      A
add       60      IN      MX      10
add 60       IN      TXT     "This is informal"
add 60        IN      AAAA    2001:db8::1
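
An added example (not part of the workshop material) to help match journal entries to the updates sent: it groups named-journalprint output by SOA serial transition, and goes beyond the listing above by also handling deletions like those in Session 4. The journal lines and names are constructed, and it assumes deletions appear before the new SOA within a transaction, as in an incremental zone transfer.

```shell
#!/bin/sh
# Added example: summarise named-journalprint output per SOA serial change.

# Constructed journal listing (documentation names and addresses).
sample_journal() {
cat <<'EOF'
del zone.example. 60 IN SOA ns1.zone.example. hostmaster.zone.example. 1001 3600 1200 3542400 60
add zone.example. 60 IN SOA ns1.zone.example. hostmaster.zone.example. 1002 3600 1200 3542400 60
add www.zone.example. 60 IN A 192.0.2.10
del zone.example. 60 IN SOA ns1.zone.example. hostmaster.zone.example. 1002 3600 1200 3542400 60
add zone.example. 60 IN SOA ns1.zone.example. hostmaster.zone.example. 1003 3600 1200 3542400 60
add host.zone.example. 60 IN A 192.0.2.20
add zone.example. 60 IN MX 10 mail.zone.example.
add zone.example. 60 IN TXT "This is informal"
del zone.example. 60 IN SOA ns1.zone.example. hostmaster.zone.example. 1003 3600 1200 3542400 60
del zone.example. 60 IN MX 10 mail.zone.example.
add zone.example. 60 IN SOA ns1.zone.example. hostmaster.zone.example. 1004 3600 1200 3542400 60
EOF
}

# Reads journal text on stdin and prints one line per changed record:
#   OLDSERIAL->NEWSERIAL add|del NAME TYPE RDATA
journal_changes() {
    awk '
    # Emit the buffered changes of the transaction that just ended.
    function flush(   i) {
        for (i = 1; i <= n; i++) print from "->" to " " chg[i]
        n = 0
    }
    # "del SOA" opens a transaction, "add SOA" carries the new serial.
    $5 == "SOA" && $1 == "del" { flush(); from = $8; next }
    $5 == "SOA" && $1 == "add" { to = $8; next }
    $1 == "add" || $1 == "del" {
        # Re-join the RDATA fields so quoted TXT strings stay intact.
        rdata = $6
        for (i = 7; i <= NF; i++) rdata = rdata " " $i
        chg[++n] = $1 " " $2 " " $5 " " rdata
    }
    END { flush() }'
}

# Stand-alone run on the constructed sample.
sample_journal | journal_changes
```

On the workshop VM the input would come from named-journalprint piped into `journal_changes`.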

5 Session 4 - Removing DNS entries from a dynamic zone

  • start nsupdate
  • remove the MX DNS resource record and the record for info
> update delete
> update delete MX
> send
> answer
> quit

6 Session 5 - Inspecting an incremental zone transfer

  • Get the current SOA serial number from your zone using dig
dig soa
  • Send a query for an incremental zone transfer to the authoritative server for the zone using the initial SOA serial. This will print all the changes from the initial zone version to the current version.
dig IXFR=1001
  • Inspect the output of the incremental zone transfer
  • Try other incremental zone transfers with SOA serial numbers between 1001 and the current SOA serial

6.1 FIN

  • Please "raise your hand" in the Zoom meeting to indicate that you are done with the workshop part, so that the host gets feedback and knows when to continue
  • Questions can be asked in the chat or at the end of the workshop part