Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: bpothier on June 11, 2014, 03:08:56 PM

Title: Configuring Dynamic DNS/DDNS on Juniper/NetScreen/SSG
Post by: bpothier on June 11, 2014, 03:08:56 PM
This isn't something people do often, so I figured I would add a post about it (mostly so I can Google it myself in a few years...)

To configure Dynamic DNS (DDNS) updates on your NetScreen/SSG device (may vary slightly between revisions/models):

NOTE: You might also require PING/ICMP Echo Request to be enabled on WAN interface...

By default, DDNS uses HTTPS to connect to update server. You must add the CA certificate that signed the server's certificate. For tunnelbroker, connect to https://ipv4.tunnelbroker.net/nic/update - you don't need to login so click cancel if prompted. To display the certificate click (or double-click) on the "padlock" next to "https" in the address bar.
- in Chrome, click "Connection" then "Certificate details"
- in IE, click the padlock then "View certificates" - (IE seems to have issues saving certificates to a file...)
Select the "Certification Path" tab
Double-click the entry immediately above (currently "Starfield Secure Certificate Authority - G2") the default/bottom one (e.g. tunnelbroker.net)
Select "Details" tab
Select "Copy to file"
Next / Base-64 / Browse - pick somewhere you can find it and a name you can remember, e.g. "starfield-2.cer"

Now, go to Web-UI on NS/SSG
Navigate to Objects - Certificates
Select "File: Choose File"
Find the cert you saved previously, OK
Select "Load"

Adding Certificates via CLI:
Not recommended as it requires storing the cert file on a tftp server, but read about it here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB4777

The NS/SSG can now validate the certificate when it connects to update server!

Next, gather your tunnel information.
From https://tunnelbroker.net/ find your tunnel entry
e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
copy this hostname somewhere you can find it
Click on the tunnel entry
Click on the Advanced tab
Copy your Update Key somewhere you can find it

Now, the actual DDNS part....
Option #1: Web-UI
In NS/SSG Web-UI, navigate to Network / DNS / DDNS
Take note of any existing entries as you will be prompted for an ID number that is not currently in use...
Select "New"
Enter an unused ID number (1 is fine if you have no existing entries)
Set server type to "dyndns"
Set server name to "ipv4.tunnelbroker.net"
Defaults for update intervals should be fine
Leave "Clear text" unchecked - that is why we added the cert!
Enter your account name in "Username"
Enter your "Update Key" in Password
Leave Agent blank - it will auto-populate with your OS version, unless you want to put something else here
Bind to Interface - Select your WAN/untrust interface your tunnel is on
For "Hostname", enter your tunnel name - e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
For Service, leave default of "dyndns"
Select OK!

Option #2: CLI:
get dns ddns  - take note of any existing entries as they must each have a unique ID number
set dns ddns id X server "ipv4.tunnelbroker.net" server-type dyndns
set dns ddns id X username USERNAME password UPDATEKEY
set dns ddns id X src-interface ethernet0/0 host-name username-1.tunnel.tserv3.xxx1.ipv6.he.net
set dns ddns enable


To view status:
-> get dns ddns
status: enable  usage: 1/8
id type   state server          username   interface  nextupdate   lastresp
--------------------------------------------------------------------------------
 1 dyndns     1 ipv4.tunnelbrok username   eth0/0     6d;23:24:00  nochg

To view detailed status:
-> get dns ddns id X
Id:                     1
State:                  Init
Socket:                 -1
Type:                   dyndns
Server:                 ipv4.tunnelbroker.net
Clear-text:             no
Refresh-int:            7 days 0 hours 0 minutes 0 seconds
Min-update-int:         1 hours 0 minutes 0 seconds
Next-update:            6 days 23 hours 24 minutes 0 seconds
Username:               username
Password:               **********
Agent:                  Netscreen-6.X-00000
Src-interface:          ethernet0/0
Host-name:              username-1.tunnel.tserv3.xxx1.ipv6.he.net (dyndns)
Last-response:          nochg
Last-response-ip:       0.0.0.0
Last-Updated:           before 36 minutes 8 seconds

Counters
--------------------------------------------------------------------------------
Successful updates:     3
Failed updates:         0
Server lookup failures: 5
Socket creation errors: 0
Socket connect errors:  3
Socket send errors:     0
Update retries:         0


To debug / troubleshoot:
From CLI:
Cancel debugging / clear buffer:
-> undebug all   (or press <ESC>)
-> clear dbuf

Enable DDNS debugs:
-> debug dns ddns

View dbuf:
-> get dbuf stream

Errors that show DNS is working:
ddns: server ipv4.tunnelbroker.net resolved to 64.62.200.2

Errors that show SSL issue:
DDNS: connect error
socket creation failed

Successful update:
ddns: server ipv4.tunnelbroker.net resolved to 64.62.200.2
GET /nic/update?system=dyndns&hostname=username-1.tunnel.tserv3.xxx1.ipv6.he.net&myip=XXX.XXX.XXX.XXX&wildcard=OFF&mx=mail.exchanger.ext&backmx=NO&offline=NO HTTP/1.0
Accept: text/html;*.*;
Host: ipv4.tunnelbroker.net
....
nochg XXX.XXX.XXX.XXX
....
ddns: succesfully updated DYNDNS server

The "nochg" means the updated IP matches the existing one, so "no change".
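To make the exchange above easier to study offline, here is an added example (my own code, not from the original post or from Juniper/HE): it builds the same kind of `GET /nic/update?...` request the debug buffer shows, runs it against a constructed stand-in for the update server, and classifies the reply the way the "lastresp" column does. The server-side rules (account lookup, which hostnames an account owns, what happens on a bad address) are constructed for this mock; the reply codes other than "nochg" are the DynDNS update-protocol codes and do not appear in the post. It also makes the reason for leaving "Clear text" unchecked visible: the username and Update Key travel in an HTTP Basic `Authorization` header, which is only base64, so the cert and HTTPS are what keep the key private.

```python
"""Added example, not from the original post: a model of the dyndns-type
/nic/update exchange shown in the NetScreen debug output.  The request builder
mirrors the 'GET /nic/update?...' line from the post; the server is a
constructed stand-in so the exchange runs offline.  Reply codes other than
'nochg' come from the DynDNS update protocol, not from the post."""
import base64
import ipaddress
from urllib.parse import parse_qs, urlencode, urlparse

UPDATE_SERVER = "ipv4.tunnelbroker.net"   # server name used in the post
AGENT = "Netscreen-6.X-00000"             # Agent string shown by 'get dns ddns id X'


def build_update_request(hostname, username, update_key, myip, server=UPDATE_SERVER):
    """Return the raw HTTP/1.0 request a dyndns-type client sends.

    Credentials ride in an HTTP Basic Authorization header, which is base64
    (reversible), not encryption: anyone who can read the connection recovers
    the update key.  That is why 'Clear text' stays unchecked and the CA cert is
    loaded so the router can verify the HTTPS server it talks to.
    """
    query = urlencode({
        "system": "dyndns", "hostname": hostname, "myip": myip,
        "wildcard": "OFF", "mx": "mail.exchanger.ext", "backmx": "NO", "offline": "NO",
    })
    token = base64.b64encode(f"{username}:{update_key}".encode()).decode()
    return (
        f"GET /nic/update?{query} HTTP/1.0\r\n"
        f"Host: {server}\r\n"
        f"Authorization: Basic {token}\r\n"
        f"User-Agent: {AGENT}\r\n"
        "\r\n"
    )


class MockUpdateServer:
    """Constructed stand-in for the update server: one account and its hostnames."""

    def __init__(self, username, update_key, records):
        self._creds = (username, update_key)
        self._records = dict(records)      # hostname -> currently published IPv4

    def handle(self, raw_request):
        """Process one request and return the one-line body the client sees."""
        request_line, _, header_block = raw_request.partition("\r\n")
        headers = {}
        for line in header_block.split("\r\n"):
            name, sep, value = line.partition(": ")
            if sep:
                headers[name.lower()] = value
        auth = headers.get("authorization", "")
        if not auth.startswith("Basic "):
            return "badauth"
        try:
            user, _, key = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:                 # malformed base64 or non-UTF-8 bytes
            return "badauth"
        if (user, key) != self._creds:
            return "badauth"
        params = parse_qs(urlparse(request_line.split(" ")[1]).query)
        hostname = params.get("hostname", [""])[0]
        if hostname not in self._records:
            return "nohost"                # hostname is not owned by this account
        try:
            myip = str(ipaddress.IPv4Address(params.get("myip", [""])[0]))
        except ValueError:
            return "911"                   # constructed choice: refuse an unparseable address
        if self._records[hostname] == myip:
            return f"nochg {myip}"         # the 'nochg' line seen in the post's debug output
        self._records[hostname] = myip
        return f"good {myip}"


def interpret_response(body):
    """Classify the server's reply the way the router's 'lastresp' column does."""
    code, _, rest = body.strip().partition(" ")
    if code == "good":
        return ("updated", rest)
    if code == "nochg":
        return ("no change", rest)
    return ("error", code)


def run_exchange(server, hostname, username, update_key, myip):
    """Client side: send one update and return (outcome, detail)."""
    reply = server.handle(build_update_request(hostname, username, update_key, myip))
    return interpret_response(reply)


if __name__ == "__main__":
    # Constructed sample account and tunnel hostname (documentation address range).
    host = "username-1.tunnel.tserv3.xxx1.ipv6.he.net"
    srv = MockUpdateServer("username", "UPDATEKEY", {host: "198.51.100.7"})
    print(run_exchange(srv, host, "username", "UPDATEKEY", "198.51.100.7"))   # no change
    print(run_exchange(srv, host, "username", "UPDATEKEY", "198.51.100.8"))   # updated
    print(run_exchange(srv, host, "username", "WRONGKEY", "198.51.100.8"))    # badauth
```

Running the module prints a "no change" result first, because the mock already publishes the same address the router reports, which is exactly the situation behind the "nochg" line in the debug buffer; a changed address yields "good", and a wrong Update Key yields "badauth", which is what you would expect to see in "lastresp" if the password field was pasted wrong.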

Don't forget to cancel debugging with "undebug all" or pressing "<ESC>"

Brian