Wednesday, March 13, 2013

Using DynDNS in Juniper SSG devices

The behaviour of Juniper SSG devices when configuring dynamic DNS is sometimes frustrating, and there is not much useful information on how to configure it under certain circumstances. So I’ll try to give some tips that could help you if you are about to throw in the towel.

Juniper SSG devices can update a hostname’s IP address in DynDNS, but normally the value they send is the address currently assigned to a given interface. So if you select the trust interface as the source in your DDNS entry, you will register a local IP address under your DynDNS hostname.

If you select the untrust interface as the source in your DDNS entry but the device is behind a NAT router, your DynDNS hostname will be updated with the IP address of your untrust interface, not the public IP address of your NAT router. If you continue reading you will learn how to resolve this issue.

DynDNS basics in Juniper SSG devices:

To get a working DDNS configuration, first make sure that DNS servers are configured on the Juniper device. Go to the Network/DNS menu on your firewall and check that the DNS servers are OK.

Next you should check that you can reach the members.dyndns.org server from your firewall. To do this, ping members.dyndns.org from the command line of your Juniper device.


On Juniper SSG devices you can connect to the DynDNS servers to update your IP address either in clear text, sending your username and password over HTTP (where anyone on the path can read them), or over SSL (HTTPS). If you plan to use SSL, you must install the Equifax Secure CA certificate in your Juniper SSG device.

To get this certificate go to https://members.dyndns.org, double-click the padlock and export the Equifax Secure CA certificate. (Note: if you are using IE and cannot connect to https://members.dyndns.org even with a username and password, read this: http://support.microsoft.com/kb/834489/en-us)


Next import this file in the Juniper menu Objects/Certificates.


Check that this certificate is not expired.


Now you can configure your DDNS entry. The Agent field must be left blank; the Juniper device will fill it in. In the Bind to interface field you can use any of your interfaces; I’ve used my untrust interface.


With this configuration your hostname in DynDNS will get the IP address of your untrust interface. In some cases this is what you want, but if you are behind a NAT router you must use a little trick.

Here is an extract from http://dyn.com/support/developers/api/perform-update/ that explains how to update a dyndns hostname using a web browser:

If you update your DynDNS hostname from a web browser, you can test different ipaddress values. If you use a valid ipaddress value, the hostname’s IP address is updated to it, but if you use an invalid ipaddress such as 0.0.0.0, the DynDNS servers assign your actual public IP address (the one the request came from) to your hostname.

So by using myhostname.dyndns.org&myip=0.0.0.0 as the hostname in your DDNS entry, you get the same behaviour on your Juniper SSG device: the field is sent as-is in the update request, so the invalid myip value reaches the DynDNS servers and they record your public IP address instead of the interface address.


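The trick only works because the firewall copies the hostname field into the update request's query string without encoding it, which is also the check an administrator auditing a DDNS entry should make. The Python model below is added here and is not code from the post or from Juniper; it assumes the classic DynDNS update path /nic/update, that the client appends the interface address as `myip` after the hostname field, that the server honours the first `myip` value it can parse and otherwise falls back to the request's source address, and it uses constructed addresses throughout. It also covers the empty `&myip=` variant a commenter reports for no-ip and shows that percent-encoding the field would defeat the trick.

```python
"""Model of a DynDNS-style update: a client that pastes the configured
hostname field verbatim into the query string lets "&myip=..." ride
along, and the server side then chooses which address to publish."""
from ipaddress import ip_address
from urllib.parse import parse_qs, quote, urlsplit

# Classic DynDNS update endpoint (assumed; the post only names the host).
UPDATE_ENDPOINT = "https://members.dyndns.org/nic/update"


def build_update_url(hostname_field, interface_ip, escape=False):
    """Assemble the update URL.  escape=False models a client that inserts
    the hostname field unencoded (assumed model of the SSG behaviour the
    trick relies on); escape=True percent-encodes the field, which keeps
    any '&myip=' inside it from becoming a separate parameter."""
    host = quote(hostname_field, safe="") if escape else hostname_field
    return f"{UPDATE_ENDPOINT}?hostname={host}&myip={interface_ip}"


def published_ip(url, source_ip):
    """Server-side decision modelled on the post: the first myip value is
    honoured if it parses as a real address; an empty or unspecified one
    (0.0.0.0) makes the server fall back to the request's source address."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    first = params.get("myip", [""])[0]  # assumed: first occurrence wins
    try:
        addr = ip_address(first)
    except ValueError:  # empty, or not an IP address at all
        return source_ip
    return source_ip if addr.is_unspecified else str(addr)


def hostname_field_is_clean(hostname_field):
    """Config audit: query syntax inside a hostname field means extra
    parameters are being smuggled into the update request."""
    return not any(ch in hostname_field for ch in "&=?/#")


if __name__ == "__main__":
    nat_public = "203.0.113.7"  # constructed: public address of the NAT router
    untrust_ip = "192.168.1.2"  # constructed: private address on the untrust interface
    cases = {
        "plain": build_update_url("myhostname.dyndns.org", untrust_ip),
        "trick": build_update_url("myhostname.dyndns.org&myip=0.0.0.0", untrust_ip),
        "empty myip": build_update_url("myhostname.dyndns.org&myip=", untrust_ip),
        "encoded": build_update_url("myhostname.dyndns.org&myip=0.0.0.0", untrust_ip, escape=True),
    }
    for label, url in cases.items():
        print(f"{label:10} publishes {published_ip(url, nat_public):14} {url}")
```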


Enjoy

1 comment:

  1. Excellent article which really helped. However, if you're using no-ip instead of dyndns you have to set &myip= instead of &myip=0.0.0.0 in the host name for it to work.

    If you leave the myip as 0.0.0.0 you receive a nohost error.
