December 30

Linux: Using the dynamic DNS editor: nsupdate

Invoking nsupdate

If one just types “nsupdate” one arrives in a basic command-line environment for sending “update” commands to DNS, but there are two options that you probably want to use when you invoke nsupdate.

The first option “-v” is to specify that communication with the DNS is to be done with TCP, not UDP. This is a good idea if the update requests are potentially longer than 512 bytes, which is often the case.

The second option “-k” is to specify where the key files are to be found. A securely configured DNS will not accept updates from just anyone – the update requests must be cryptographically signed with an appropriate key. There may be several keys that permit one to update a DNS. One may have created a root-readable key for manual administration of the DNS contained in the files /etc/bind/admin-updater.{key,private}. Note that it is important that the “key” file and “private” file have the same stem path, since one cannot be used without the other.

Therefore, the way to invoke nsupdate is:

nsupdate -v -k /etc/bind/admin-updater.key

To quit an nsupdate session, just hit CTRL-D or type “quit” and hit RETURN.

Deleting a record

Unconditionally deleting a DNS record (e.g. the CNAME record www.example.com) is straightforward. At the nsupdate prompt, type:

> update delete www.example.com cname
> send

When one types “send” and hits RETURN, the update request is built, signed, and sent to the appropriate DNS server. If your key was authorised to make the request, the DNS will update its database, update its journal files, increment the serial number of the SOA record, and send a change notification to any slave DNSes. The slaves will start AXFRs (or IXFRs) to collect the updates from the master DNS.

Multiple updates

To save time and reduce DNS traffic (due to excessive slave DNS AXFR/IXFR requests), multiple update requests can be sent simultaneously in one batch:

> update delete www.example.com cname
> update delete www1.example.com a
> update delete www2.example.com a
> update delete www3.example.com a
> send

There are a couple of points to keep in mind. All updates in one “send” batch must be for the same zone. For example, one cannot mix changes for example.com and 1.16.172.in-addr.arpa in the same “send”.

In addition, there seems to be an undocumented limit in nsupdate of how many updates can be in one batch, probably due to a fixed input buffer. I have found that 2000 requests at a time sometimes do not pass. I no longer attempt more than 1000 for every “send”, just to be safe.

Adding records

Here are examples of how to add A, CNAME, and PTR records. One must specify the TTL (time-to-live) of records (in seconds) when they are added.

> update add www1.example.com 86400 a 172.16.1.1
> update add www.example.com 600 cname www1.example.com.
> send

> update add 1.1.16.172.in-addr.arpa 86400 ptr www1.example.com.
> send

Note that I have taken care to use two separate “send” commands to handle the A and PTR updates of www1.example.com since the changes apply to two different zones, example.com and 1.16.172.in-addr.arpa.

Conditional updates

It is possible to program an update conditional on the presence or absence of DNS records (prerequisites), but I have never needed this for manual administration of a DNS. See “man nsupdate” and/or RFC2136 for more information on the possibilities.

Non-interactive usage

One of the most interesting ways of using nsupdate is non-interactive, by specifying a file containing a batch of commands or simply piping them in on STDIN. For example, one could use a text editor or a script to create a file “batch.txt” with the contents:

update delete www.example.com cname
update delete www1.example.com a
update delete www2.example.com a
update delete www3.example.com a
send

and then run it by doing:

nsupdate -v -k /etc/bind/admin-updater.key batch.txt

Here is another non-interactive example using pipelines. Suppose that we want to delete all of the A records in example.com starting with “www”. We could do:

( host -t a -l example.com | grep -i '^www' | 
   awk '{ print "update delete "$1" a" }' ; echo send ) | 
   nsupdate -v -k /etc/bind/admin-updater.key
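The pipeline above works for a handful of records, but the batch limit and the one-zone-per-send rule described earlier are easy to violate when a script generates the list. The following is an added example, not code from the original post: it parses constructed “host -l” style output (no DNS is queried), builds the same “update delete” commands, and inserts a “send” after every N updates so no batch exceeds the limit. It assumes all records in the input belong to one zone.

```sh
#!/bin/sh
# Added example (not from the original post): build nsupdate batches from
# "host -l" style output, keeping each "send" under a fixed size limit so no
# batch hits the undocumented limit the post describes. Assumes all records in
# the input belong to one zone (the post notes mixed zones cannot share a send).

# Constructed sample of "host -t a -l example.com" output; no DNS is queried.
sample_host_output() {
    cat <<'EOF'
www1.example.com has address 172.16.1.1
www2.example.com has address 172.16.1.2
mail.example.com has address 172.16.1.10
www3.example.com has address 172.16.1.3
EOF
}

# Turn "NAME has address ADDR" lines whose NAME starts with $1 (case
# insensitive) into "update delete NAME a" commands, as the post's pipeline does.
deletes_for_prefix() {
    grep -i "^$1" | awk '{ print "update delete " $1 " a" }'
}

# Read "update ..." lines on stdin and emit a "send" after every $1 of them
# (and after the final partial batch) so each send stays below the limit.
batch_updates() {
    awk -v max="$1" '
        /^update / { print; n++; if (n == max) { print "send"; n = 0 } }
        END        { if (n > 0) print "send" }
    '
}

# Demonstration: a batch size of 2 forces the three www records into two sends.
# With a real zone, pipe the result into: nsupdate -v -k /etc/bind/admin-updater.key
sample_host_output | deletes_for_prefix www | batch_updates 2
```

In practice one would call batch_updates 1000 to match the limit the post settled on.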

By:Rossen
November 3

Linux: Enable graphical root login on Ubuntu12.04 LTS

sudo passwd root
sudo sh -c 'echo "greeter-show-manual-login=true" >> /etc/lightdm/lightdm.conf'

Root won’t show up as a user, but “Login” will, which is how you manually log in with users not shown in the greeter.

Reboot, and then you should be able to log in as root.

By: reverendj1 and gertvdijk

September 18

Linux: How to Connect and roam wifi networks with wpasupplicant

First things first:

Before we begin, let us stop network manager or wicd so as not to have interference:

sudo service network-manager stop
sudo service wicd stop
pkill nm-applet

Or, if you’re using systemd instead of init:

sudo systemctl stop network-manager.service
sudo systemctl stop wicd.service
pkill nm-applet

Manual configuration, no encryption, WEP, and WPA

If you want to try the manual config before you delve into the whole interfaces thing, here’s how. First we will bring our interface up:

sudo ip link set wlan0 up

Now we will proceed as though there’s no encryption, with iwconfig:

sudo iwconfig wlan0 essid YOURSSID

If we want to add WEP encryption:

sudo iwconfig wlan0 key KEY

for the hex key, or for ASCII:

sudo iwconfig wlan0 key s:KEY

Make sure the connection is made:

sudo iwconfig wlan0

And run

sudo dhclient wlan0

WPA is slightly different. After bringing the interface up with ip, we will add this to /etc/wpa_supplicant/wpa_supplicant.conf:

# WPA-PSK/TKIP
update_config=1
ctrl_interface=/var/run/wpa_supplicant

network={
ssid="your-ssid"
psk="your-psk-key"
}

Run

sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

Proceed with dhclient.

Configuration with ifupdown

Let's edit the /etc/network/interfaces file and set our options to a static or roaming connection:

sudo nano /etc/network/interfaces

or if you prefer graphical:

gksudo geany /etc/network/interfaces

Obviously, replace nano and geany with your terminal or GUI editor of choice.

Static connection, WEP or WPA

WEP is the old and insecure encryption algorithm for routers and clients, though some manufacturers still supply routers with WEP set as default. WPA is basically unbreakable. If you do decide to use WEP, this is what you need to add to the file:

allow-hotplug wlan0
iface wlan0 inet dhcp
wireless-mode managed
wireless-essid YOURSSID
wireless-key YOURKEY

The stanza above makes ifupdown call iwconfig and dhclient. If you would rather have it call wpasupplicant for the WEP network:

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-key-mgmt NONE
wpa-ssid SSID
wpa-wep-key0 PSSKEY (in ASCII)
wpa-wep-tx-keyidx 0

For the first configuration, take note: when entering the key you can either use its hex value (if you look it up in your router, you’ll see the hex value) or the key in ASCII. If you use ASCII, you have to prepend “s:” to the key, like this:

wireless-key s:ASCIIKEY

A WPA network is not only more secure, but also easier to manage. The contents of /etc/network/interfaces should look thus:

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid YOURSSID
wpa-psk YOURKEY (in ASCII)

Once you have entered all the values, bring the network interface up with:

sudo ifdown wlan0 && sudo ifup wlan0

Roaming configuration, helpers:

For people who actually take their laptops with them, constantly editing a text file isn’t the best of options. Luckily, wpasupplicant is perfectly capable of roaming (connecting to a list of known networks, and if you so choose, unencrypted ones). The /e/n/i config would then look like this:

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa-roam.conf

We will create the /etc/wpa_supplicant/wpa-roam.conf file, and add some options and our networks:

update_config=1
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

# This one is for connecting to any unsecured network your machine comes into contact with; just comment it out if you don't like this:

network={
key_mgmt=NONE
}

# The actual roaming settings go here:

network={
ssid="YOUR SSID AT HOME"
psk="PASSWORD"
id_str="home"
}

network={
ssid="YOUR SSID AT WORK"
psk="PASSWORD"
id_str="work"
}

Edit: as daggoth pointed out, once you’ve started adding interfaces to wpa-roam.conf, /e/n/i also needs to be modified:

When I first tried to connect to wifi with ifupdown and wpa-roam/wpa_gui, the network connected okay, but without the config of an IP address. So I had to type in ‘dhclient wlan0’ just to make it usable. The reason that happened is that after wpa_supplicant has established an encrypted connection, it will then again call ifup, and request it to map the physical interface ‘wlan0’ onto some other logical interface, which in most cases is named ‘default’.

But if that logical interface ‘default’ isn’t defined in the /e/n/i, then when the wpa_supplicant script requests ifup to map ‘wlan0’ onto ‘default’, the ifup will just exit with an error, because the ‘default’ interface is undefined. Such that the dhcp/static config of an IP address will never occur. So to prevent that, we need to append this line to the /e/n/i:

iface default inet dhcp

And similarly, for each id_str=”some_name” entry contained within the network stanzas defined in your /etc/wpa_supplicant/wpa-roam.conf file, another logical interface needs to be declared in your /e/n/i. And these multiple logical interface declarations can each specify different kinds of dhcp/static configuration, as required. So yes, it is very flexible…

I hope that all makes sense. Clear as mud, huh? But if not, then I think this manpage entry here may help…

$ man wpa_action | sed '70,$ !d'

So, in the case of this tutorial, we’d add

iface default inet dhcp
iface work inet dhcp
iface home inet dhcp
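Because a missing logical interface fails silently (the association succeeds but no address is ever configured), it is worth checking the two files against each other before bringing the interface up. The following is an added example, not code from the original post: it lists every id_str in a wpa-roam.conf, plus the “default” name, that has no matching “iface NAME inet …” stanza in /etc/network/interfaces, and runs against constructed sample files in a temporary directory rather than the real system configuration.

```sh
#!/bin/sh
# Added example (not from the original post): check that every id_str in a
# wpa-roam.conf, plus the "default" name wpa_action falls back to, has a
# matching logical "iface NAME inet ..." stanza in /etc/network/interfaces.
# A missing stanza is the failure described above: association succeeds but
# ifup never configures an address. Prints each missing name, one per line.

missing_ifaces() {
    roam="$1"; eni="$2"
    { printf 'default\n'
      # id_str="home" -> home
      sed -n 's/^[[:space:]]*id_str="\([^"]*\)".*/\1/p' "$roam"; } |
    while read -r name; do
        grep -Eq "^[[:space:]]*iface[[:space:]]+$name[[:space:]]+inet([[:space:]]|$)" "$eni" ||
            printf '%s\n' "$name"
    done
}

# Constructed sample files in a temporary directory (not a real system's
# configuration); prints the directory path.
setup_sample() {
    d=$(mktemp -d)
    cat > "$d/wpa-roam.conf" <<'EOF'
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
network={
ssid="SSID AT HOME"
psk="PASSWORD"
id_str="home"
}
network={
ssid="SSID AT WORK"
psk="PASSWORD"
id_str="work"
}
EOF
    # Only "home" is declared, so "default" and "work" should be reported.
    cat > "$d/interfaces" <<'EOF'
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa-roam.conf
iface home inet dhcp
EOF
    printf '%s\n' "$d"
}

# Demonstration run on the sample; on a real host use
#   missing_ifaces /etc/wpa_supplicant/wpa-roam.conf /etc/network/interfaces
dir=$(setup_sample)
missing_ifaces "$dir/wpa-roam.conf" "$dir/interfaces"
```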

There are countless further examples in /usr/share/doc/wpasupplicant/examples/. Once you’ve configured wpa roaming, bring the network up:

sudo ifdown wlan0 && sudo ifup wlan0

wpasupplicant has two helpers for roaming. wpa_cli gets installed along with wpasupplicant, and wpa_gui doesn’t. wpa_gui is a Qt frontend for wpasupplicant, and is pretty easy to operate. I have yet to understand how wpa_cli works exactly, will let you know if I ever do. To install wpa_gui:

sudo apt-get install wpagui

and start it from a root shell or with gksudo.

Ceni to make your life easier

You don’t have to do all the file editing by hand. Aptosid has an excellent utility for configuring /e/n/i for you, called ceni. You can obtain it via smxi or directly from aptosid. Create a file /etc/apt/sources.list.d/aptosid.list and add this in:

deb ftp://ftp.spline.de/pub/aptosid/debian/ sid main fix.main

Then run:

sudo apt-get update && sudo apt-get install ceni

You can remove the aptosid list from sources after that. If you use ceni, it will automatically change permissions on your /e/n/i so that only root can read it; if you are doing things manually:

sudo chmod 0600 /etc/network/interfaces
sudo chmod 0600 /etc/wpa_supplicant/wpa-roam.conf

Now disable network manager or wicd:

sudo update-rc.d network-manager remove
sudo update-rc.d wicd remove

Or, for systemd

sudo systemctl disable network-manager.service
sudo systemctl disable wicd.service

And that should be it.

By: Ed
