OpnSense Dynamic DNS Updates Using Amazon Route 53

#opnsense #ddns #aws #route53

Introduction

I've been using the free tier of no-ip for my ddns service for several years. While it's worked fine the monthly manual check-in to keep my service was getting old. Since I'd recently moved my public DNS over to Route 53 I figured I'd try moving my ddns over there.

I couldn't find any documentation online so here you go.

Configuring AWS

Create an IAM User

The first thing you'll need to do is create an IAM user with rights to update your dynamic DNS record.

Logon to AWS and select the IAM service. IAM Service

Create a new user. Do not grant it access to the AWS console. New User

On the next page select Attach policies directly and then Create Policy. Attach policies directly

Click on JSON. Policy Editor

Paste the following code replacing Resource with the Hosted Zone ID of the domain your DDNS record will be in and hostname.domain.com with the FQDN of the DDNS record.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "route53:ChangeResourceRecordSets",
			"Resource": "arn:aws:route53:::hostedzone/Z11111222223333344444",
			"Condition": {
				"ForAllValues:StringEquals": {
					"route53:ChangeResourceRecordSetsNormalizedRecordNames": "hostname.domain.com"
				}
			}
		}
	]
}

On the next page give the policy a name and create the policy. Policy Details

Once that is done, go back to the create user tab in your browser. Click the refresh button under Permission Policies and then type the name of the policy you just created in the search bar. Permission Policies

Check the box next to your new policies to select it. Next search for the AmazonRoute53ReadOnlyAccess policy and check that as well.

On the next page confirm the details for the new account. You should see both policies listed. Then click Create User. Example

Create an Access Key

Under the user summary click on Create access key. User Summary

Select a use case of Other and click Next.

Enter an optional description and click Create access key.

Make note of the Access Key and Secret Access Key as you will need that information later and then click Done.

Configure OpnSense

These steps require the os-ddclient plugin to be installed. If it's not already installed you can find it in System > Firmware > Plugins.

Open Services > Dynamic DNS > Settings and then click the plus to add a new account. Add Account

Enter the following values and click Save.

Enabled: Checked Description: You can put anything here, I usually put the fqdn. Service: aws Username: IAM User Access Key Password: IAM User Secret Access Key Zone: Route 53 Host Zone ID Hostname(s): The FQDN of the DDNS record TTL: 300 (default) Check ip method: Interface [IPv4] Interface to monitor: WAN Check ip timeout: 10 (default) Force SSL: checked (default)

If everything was configured properly, within 10 minutes the DDNS record should be updated.


Questions or comments? Contact me at @SeeJayEmm@noc.social or @SeeJayEmm@lemmy.procrastinati.org