HTTP Poster for Dynamic DNS services (10.x)

Security Gateway Articles and How to's
jono
Posts: 85
Joined: 18 Apr 2008, 10:46
Location: Clavister HQ - Örnsköldsvik


Post by jono » 06 May 2008, 14:00

This How-to applies to:
  • Clavister CorePlus 9.x
  • Clavister cOS Core 10.x
HTTP Post basics

An HTTP Post string (see examples below) looks much like a URL, but it carries additional information as parameters, and the receiving web server, in this case, uses them to update your DNS entry.

An HTTP Poster is a feature for use with a dynamic DNS solution, one you sign up for or set up yourself, in which a DNS name is automatically updated with the current IP address of your equipment. The update is performed using an HTTP Post string, which contains the username and password of your account on that service and the DNS name you want to update. The IP address you actually have is rarely included in the HTTP Post itself; rather, it is extracted from the HTTP/TCP connection that carries the above information.

Of course, different services behave in different ways (some use HTTP GET, for example), but the above description matches at least the most commonly used services.

Pre-defined methods
A few pre-defined services exist. You find them under Network > Network Services > Dyn DNS (10.x) or System > Misc. Clients (9.x).

Here you have fields where you enter your credentials etc.; the HTTP Post string is generated automatically, and the re-post settings will match the requirements of that service.

Manually created HTTP Post
If you are using a service which is not pre-defined, you can create a custom HTTP Post string.

You can also control the behaviour:
Repost Delay is the number of seconds to wait before re-posting the above URL. The default value has changed over time: pre-8.50 versions: 21600 seconds; 8.50 to 8.90: 604800 seconds (7 days); 9.x and 10.x: 1200 seconds. Check with your Dyn DNS provider what they accept and at which update frequency they will consider blacklisting your account.

Repost on each reconfiguration will, as the name states, perform a new HTTP Post after every reconfiguration (e.g. deploy of configuration).

HTTP POST the values
By default, an HTTP Poster object sends an HTTP GET request to the defined URL. Some servers require an HTTP POST request and to achieve this the option HTTP Post the Values should be enabled. This is usually needed when authentication parameters are being sent in the URL.


Example URLs:
  • http://some.service.com/somecgi?param=value&param2=value2
  • http://username:password@some.service.com:8043/
  • httppost://some.service.com/somecgi?postparam=postvalue
DNS resolution
If you need to use host names rather than numerical IP addresses in your URLs, the Security Gateway needs to be able to look them up. Make sure you have at least one DNS server configured in System > DNS.

Keep alives
Many services are sensitive to repeated logon attempts over short periods of time. If you need some sort of keepalive, e.g. for broadband network logons, consider using the Link Monitor with a high "max loss" to accomplish the keepalives rather than lowering your HTTP Poster Repost Delay.

Note that the Clavister Security Gateway has a VPN keep alive scheme that removes the need for dynamic DNS services when only one side of the VPN tunnel is roaming.

Troubleshooting
To troubleshoot problems, use the "httpposter" CLI command to see what the HTTP Poster is doing, and what the web servers are returning.

Special characters
Some characters in user names and passwords may need to be encoded using "URL encoding". Please see KB #10040 for more information.

VPN / IPsec scenarios
Dynamic DNS is useful in VPN scenarios where one or both gateways involved have dynamic IP addresses, and, of course, for making public services reachable even though one does not have a fixed IP address.
Also: See the note under Keep alives above.

No-IP.com dynamic DNS service
No-IP.com is a free dynamic DNS service that allows registration under a number of domains: hopto.org, no-ip.biz, no-ip.org, redirectme.net...

Basic example:
http://MYUID:MYPWD@dynupdate.no-ip.com/nic/update?hostname=MYDNS.no-ip.org

Note:
MYUID is an e-mail address; the "@" character in it must be written as "%40".
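As an added illustration (not part of the original post or Clavister's own code), the Python below builds the two URL shapes used by the services on this page, percent-encoding credentials as the Special characters section and the No-IP note above require, and parses an HTTP Poster string back into what the gateway would send, distinguishing GET from the httppost:// POST form. The server names, paths and credentials are constructed sample values, and the default port of 80 for httppost:// is an assumption.

```python
from urllib.parse import quote, urlsplit, parse_qsl, unquote

# Constructed credentials for illustration only; not real accounts.
SAMPLE_UID = "user@example.com"      # No-IP user IDs are e-mail addresses
SAMPLE_PWD = "p@ss w0rd&1"           # contains '@', space and '&' on purpose
SAMPLE_HOST = "myhost.no-ip.org"


def enc(value):
    """Percent-encode a credential for the userinfo part or a query value.
    safe='' makes quote() escape '@', '&', '/', ':' and '=' too, so an
    e-mail address in MYUID becomes user%40example.com."""
    return quote(value, safe="")


def build_userinfo_url(uid, pwd, server, path, hostname, post=False):
    """No-IP / dyndns.org style: credentials in the userinfo part, DNS
    name as a query parameter. Without %40 a URL parser may split the
    string at the wrong '@' and treat part of the user ID as the host."""
    scheme = "httppost" if post else "http"
    return f"{scheme}://{enc(uid)}:{enc(pwd)}@{server}{path}?hostname={hostname}"


def build_query_url(uid, pwd, server, path, hostname):
    """dyns.cx style: everything travels as query parameters."""
    return (f"http://{server}{path}?username={enc(uid)}"
            f"&password={enc(pwd)}&host={hostname}")


def parse_poster_url(url):
    """Split an HTTP Poster string into what the gateway would send.
    The httppost:// scheme means the parameters go in a POST body
    rather than in a GET request line. Port 80 is assumed when absent."""
    parts = urlsplit(url)
    return {
        "method": "POST" if parts.scheme == "httppost" else "GET",
        "host": parts.hostname,
        "port": parts.port or 80,
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "path": parts.path or "/",
        "params": dict(parse_qsl(parts.query)),   # parse_qsl decodes %xx
    }


if __name__ == "__main__":
    url = build_userinfo_url(SAMPLE_UID, SAMPLE_PWD,
                             "dynupdate.no-ip.com", "/nic/update", SAMPLE_HOST)
    print(url)
    print(parse_poster_url(url))
```

Parsing the encoded URL back should yield the original e-mail address and password; if it does not, the credential was not encoded correctly for the HTTP Poster.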

dyns.cx dynamic DNS service
Dyns.cx is a free dynamic DNS service that allows registration under a number of domains: dyns.cx, dyns.net, ma.cx, metadns.cx...

Basic example:
http://www.dyns.net/postscript011.php?username=MYUID&password=MYPWD&host=MYDNS.dyns.cx

For more advanced uses, see the dyns.cx update specification. (Note that it mentions a 'hostname' argument. That will not work. Use 'host'.)

cjb.net dynamic DNS service
cjb.net is a free dynamic DNS service (and more) that allows registration under cjb.net.

Basic example:
http://www.cjb.net/cgi-bin/dynip.cgi?username=MYUID&password=MYPWD
The host name is the same as the user name; multiple registrations are possible.

dyndns.org dynamic DNS service
Dyndns.org is a free dynamic DNS service that allows registration under dozens of domains, e.g. "MYDNS.dyndns.org", "MYDNS.dnsalias.net", etc.

Basic example:
http://MYUID:MYPWD@members.dyndns.org/nic/update?hostname=MYDNS.dyndns.org

Note: dyndns.org will block clients that attempt to update too often. Updating more often than every 28 days is frowned upon by dyndns.org. 28 days equals 2419200 seconds in HTTPPoster_RepDelay. However, the HTTP Poster will re-post URLs when the configuration is re-read, which may or may not upset dyndns.org. We recommend dyns.cx and cjb.net over dyndns.org for these reasons.

Note for v8.20.00: Dyndns.org will not accept DNS updates from v8.20.00 Security Gateways, as they do not provide a "User-agent" string. This is fixed as of 8.20.01.

Other services

Clavister Security Gateway HTTP user authentication
In both examples, "1.2.3.4" should be replaced with the IP address of the Security Gateway.

Using form-based logon:
http://1.2.3.4/loginuser?Username=MYUID&Password=MYPWD

Using HTTP basic auth:
http://MYUID:MYPWD@1.2.3.4/

Telia ADSL / Cable network logon
To log on to Telia ADSL / Cable networks, two URLs are needed:
(Note: We have unconfirmed reports that the "&submitForm=Logga+in" parameter has to be removed in some cases.)
