I wanted a better home router. During the learning from home phase of the 2020 pandemic I learned I could not have advanced security features of the USG (Unifi Security Gateway) turned on and get sufficient bandwidth for 3 Kids and myself to stream and zoom. So I wanted an upgrade. I went with the Unifi Dream Machine Pro.
https://store.ui.com/collections/unifi-network-routing-switching/products/udm-pro
For reals though file this post under, I need to remember what I changed in case I have to do it again.
OpenDNS
First thing that I did on my older routers was to configure opendns as the external DNS for my networks. In order for OpenDNS so apply my content filtering settings it must know the source IP for my home. This can change because most ISP’s use DHCP to assign the IP’s. Although it seems that my ISP likes to reassign the same IP, I can’t trust that will always be true.
So first, make sure you sign up for an opendns and dns-o-matic account.
Log into the UDM UI
Click on the Settings Gear…
Click on Advanced Features -> Advanced Gateway Settings
Click Create new Dynamic DNS
For DNS-o-matic the settings look like:
Hostname: all.dnsomatic.com
Username: [Your DNS-o-matic user]
Password: [Your DNS-o-matic password]
Server: updates.dnsomatic.com/\/nic/update?hostname=%h&myip=%i
Links Below were very helpful
Very helpful link for getting the server URL. Also contains a few for some other services.
https://community.ui.com/questions/UDM-DynDNS-Google-Domains/fe9ba35d-66c3-437d-8323-debe2af55879#answer/2181146e-79b8-485c-8042-eb975c291242
DDClient
Another thing I want to do, is set a DNS A record. I could probably use some form of the settings above to inform my Google Name Service to update the record with the dynamic IP. But why be boring? Lets run the DDClient perl program in a container on my K3s cluster.
First, read the google domains documentation for dynamic records. I created a dynamic record and it generates the host record along with a username and password that can be used via the API to update the IP associated to the Domain Name.
Next, why create the container if I don’t need to?
https://hub.docker.com/r/linuxserver/ddclient/tags?page=1&ordering=last_updated
My k3s is on some Raspberry Pi’s so I choose the arm image.
Then another nice person built the deployment. Check out that blog for full detail. Without getting too distracted by kubesail and setting up k8s. I skipped to the YAML:
https://kubesail.com/template/loopDelicious/ddclient
Save this as ddclient-secret.yaml changing the info necessary for your google account.
apiVersion: v1
kind: Secret
metadata:
name: ddclient-secret
labels:
app: ddclient
stringData:
ddclient.conf: |
daemon=300
syslog=yes
protocol=dyndns2
use=web
server=domains.google.com
ssl=yes
login=<google generated login>
password=<google generated password>
your.domain.record.com
Now save this as ddclient.yaml, remember to modify the image for the type of arch your Kubernetes is running on.
apiVersion: apps/v1
kind: Deployment
metadata:
name: ddclient-deployment
labels:
app: ddclient
spec:
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
replicas: 1
selector:
matchLabels:
app: ddclient
template:
metadata:
labels:
app: ddclient
spec:
volumes:
- name: ddclient-config-file
secret:
secretName: ddclient-secret
containers:
- name: ddclient
image: linuxserver/ddclient:arm64v8-version-v3.9.1
imagePullPolicy: Always
volumeMounts:
- mountPath: /config
name: ddclient-config-file
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 50m
memory: 128Mi
This deployment will use the secret for the settings and deploy the small container to update the Google Domain record with the new IP from the host.
kubectl create ns ddclient
kubectl -n ddclient apply -f ddclient-secret.yaml
kubectl -n ddclient apply -f ddclient.yaml
Some DNS stuff I might try later
This is interesting repo that updates dns with static hostnames. Unfortunately the UDM does not have this built in. I would suggest Ubiquiti to build pi-hole into the UDM Pro to integrate with its DHCP server and also provide some abilities to block bad DNS names for ads/phishing/malware.