Configuring Cisco Routers with HTTPS

Forumgoer ryanlin2002 was kind enough to provide the following instructions for configuring Cisco devices to perform dynamic DNS updates over HTTPS.

Disclaimer: I will not be held responsible if this config messes up your router or impacts your production. It's not officially supported by Cisco. Use it at your own risk. I am not affiliated with DynDNS.com or Cisco in any way.

DynDNS.com's frontend server supports both HTTP and HTTPS. In order to take advantage of HTTPS, you have to use the DynDNS update client. However, this requires you to keep a computer on at all times, which I can't afford to do. Hence, a very talented Cisco TAC engineer and I came up with this solution.

First, you will need to install the latest root CA certificate onto your device, which can be found here.

With the updated cert, perform the following:


! Dynamic DNS client configuration (the template as posted, with comments added).
! Define the update method first; the interface then references it by name.
! When typing the "add" URL at the CLI, press Ctrl-V before the "?" so IOS does
! not treat it as a request for help. <h> and <a> are replaced at update time
! by the configured hostname and the interface address.
! NOTE: the username:password pair is part of the URL and is shown in clear
! text by "show running-config"; protect config backups accordingly.
ip ddns update method example_dyndns
 HTTP
  add https://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
 interval minimum 28 0 0 0
!
! interval values are days hours minutes seconds; 28 days keeps a free
! hostname alive, which otherwise expires after 30 days without an update.
interface <interface>
 ip ddns update hostname example.dyndns.org
 ip ddns update example_dyndns
!
! Trustpoint holding the CA that signs the members.dyndns.org server
! certificate; the router needs it to validate the HTTPS connection.
crypto pki trustpoint example
 enrollment terminal pem
 revocation-check none
!
! The CA certificate as IOS stores it in the running config (DER encoded as
! hex words). This blob decodes to serial 35DEF4CF, subject
! OU=Equifax Secure Certificate Authority, valid 1998-08-22 to 2018-08-22.
crypto pki certificate chain example
certificate ca 35DEF4CF
30820320 30820289 A0030201 02020435 DEF4CF30 0D06092A 864886F7 0D010105
0500304E 310B3009 06035504 06130255 53311030 0E060355 040A1307 45717569
66617831 2D302B06 0355040B 13244571 75696661 78205365 63757265 20436572
74696669 63617465 20417574 686F7269 7479301E 170D3938 30383232 31363431
35315A17 0D313830 38323231 36343135 315A304E 310B3009 06035504 06130255
53311030 0E060355 040A1307 45717569 66617831 2D302B06 0355040B 13244571
75696661 78205365 63757265 20436572 74696669 63617465 20417574 686F7269
74793081 9F300D06 092A8648 86F70D01 01010500 03818D00 30818902 818100C1
5DB15867 0862EEA0 9A2D1F08 6D911468 980A1EFE DA046F13 846221C3 D17CCE9F
05E0B801 F04E34EC E28A9504 64ACF16B 535F05B3 CB6780BF 42028EFE DD0109EC
E100144F FCFBF00C DD43BA5B 2BE11F80 70991557 9316F10F 976AB7C2 68231CCC
4D5930AC 511E3BAF 2BD6EE63 457BC5D9 5F50D2E3 500F3A88 E7BF14FD E0C7B902
03010001 A3820109 30820105 30700603 551D1F04 69306730 65A063A0 61A45F30
5D310B30 09060355 04061302 55533110 300E0603 55040A13 07457175 69666178
312D302B 06035504 0B132445 71756966 61782053 65637572 65204365 72746966
69636174 65204175 74686F72 69747931 0D300B06 03550403 13044352 4C31301A
0603551D 10041330 11810F32 30313830 38323231 36343135 315A300B 0603551D
0F040403 02010630 1F060355 1D230418 30168014 48E668F9 2BD2B295 D747D823
20104F33 98909FD4 301D0603 551D0E04 16041448 E668F92B D2B295D7 47D82320
104F3398 909FD430 0C060355 1D130405 30030101 FF301A06 092A8648 86F67D07
4100040D 300B1B05 56332E30 63030206 C0300D06 092A8648 86F70D01 01050500
03818100 58CE29EA FCF7DEB5 CE02B917 B585D1B9 E3E095CC 25310D00 A6926E7F
B692639E 5095D19A 6FE411DE 63856E98 EEA8FF5A C8D355B2 667157DE C021EB3D
2AA72349 01048642 7BFCEE7F A21652B5 6767D340 DB3B2658 B228773D AE147761
D6FA2A66 27A00DFA A7735CEA 70F19421 65445FFA FCEF2968 A9A28779 EF79EF4F
AC077738
quit

That's it! Now here are the results:


.Dec 16 00:10:46: DYNDNSUPD: Adding DNS mapping for example.dyndns.org <=> x.x.x.x
.Dec 16 00:10:46: HTTPDNS: Update add called for example.dyndns.org <=> x.x.x.x
.Dec 16 00:10:46: HTTPDNSUPD: Session ID = 0xB
.Dec 16 00:10:46: HTTPDNSUPD: URL = 'https://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=example.dyndns.org&myip=x.x.x.x'
.Dec 16 00:10:46: HTTPDNSUPD: Sending request
.Dec 16 00:10:48: HTTPDNSUPD: Response for update example.dyndns.org <=> x.x.x.x
.Dec 16 00:10:48: HTTPDNSUPD: DATA START
good x.x.x.x
.Dec 16 00:10:48: HTTPDNSUPD: DATA END, Status is Response data recieved, successfully
.Dec 16 00:10:48: HTTPDNSUPD: Call returned SUCCESS, update of example.dyndns.org <=> x.x.x.x succeeded
.Dec 16 00:10:48: DYNDNSUPD: Another update completed (outstanding=0, total=0)
.Dec 16 00:10:48: HTTPDNSUPD: Clearing all session 11 info
Dec-16 00:10:48 hostname=example.dyndns.org myip=x.x.x.x system=dyndns
cisco-IOS (using SSL) good x.x.x.x

I've tested this on the 12.4 Advanced IP Services and Advanced Security images. The DynDNS update client feature was first introduced in 12.3(14)T. The certificate that's associated with the configuration template above is the Equifax Secure Global eBusiness CA-1. You can obtain the Base64 certificate here.

There are two ways to manually enroll a certificate, through tftp or copy and paste. I used the "copy-and-paste" method to enroll this certificate. As follows:


! Create the trustpoint, then import the CA certificate by pasting its Base64
! text at the prompt. IOS prints the certificate's MD5 and SHA-1 fingerprints
! and asks whether to accept it; compare them with the CA's published values
! before answering yes.
crypto pki trustpoint example
 enrollment terminal pem
 revocation-check none
exit
crypto pki authenticate example
-------------------------------
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc
MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT
ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw
MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj
dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l
c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC
UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc
58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/
o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH
MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr
aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA
A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA
Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv
8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
-----END CERTIFICATE-----
quit
-------------------------------
! Generates a certificate request for the router's own identity; the CLI
! prompts for the subject details (serial number, IP address, and so on).
crypto pki enroll example

Answer the questions at the end (include the serial number/ip address, etc) to finish.
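Before a router is told to trust a CA, the blob about to be pasted should be decoded and its serial, subject, validity window and fingerprint compared with the CA's published values; "crypto pki authenticate" prints the MD5 and SHA-1 fingerprints and waits for a yes/no for exactly this reason. The following is an added example, written for this page and not taken from the forum post or from Cisco, that does that decode for the two certificates pasted above using only the Python standard library (a minimal DER walker; it does not validate signatures). Run on the page's own data it shows that the hex "certificate chain" block carries the Equifax Secure Certificate Authority (serial 35DEF4CF, not valid after 2018-08-22) while the Base64 paste is the Equifax Secure Global eBusiness CA-1 (serial 01, MD5-signed, not valid after 2020-06-21); both roots are long expired, so anyone reproducing the setup today has to import whichever CA currently issues the update server's certificate and check it the same way.

```python
"""Decode the two CA certificates pasted in this article and show the fields to compare
with the CA's published values before a router is told to trust them (stdlib only)."""
import base64
import hashlib
# Hex dump copied from the "crypto pki certificate chain" block above (IOS prints DER as hex words).
IOS_HEX_CHAIN = """
30820320 30820289 A0030201 02020435 DEF4CF30 0D06092A 864886F7 0D010105 0500304E 310B3009 06035504 06130255
53311030 0E060355 040A1307 45717569 66617831 2D302B06 0355040B 13244571 75696661 78205365 63757265 20436572
74696669 63617465 20417574 686F7269 7479301E 170D3938 30383232 31363431 35315A17 0D313830 38323231 36343135
315A304E 310B3009 06035504 06130255 53311030 0E060355 040A1307 45717569 66617831 2D302B06 0355040B 13244571
75696661 78205365 63757265 20436572 74696669 63617465 20417574 686F7269 74793081 9F300D06 092A8648 86F70D01
01010500 03818D00 30818902 818100C1 5DB15867 0862EEA0 9A2D1F08 6D911468 980A1EFE DA046F13 846221C3 D17CCE9F
05E0B801 F04E34EC E28A9504 64ACF16B 535F05B3 CB6780BF 42028EFE DD0109EC E100144F FCFBF00C DD43BA5B 2BE11F80
70991557 9316F10F 976AB7C2 68231CCC 4D5930AC 511E3BAF 2BD6EE63 457BC5D9 5F50D2E3 500F3A88 E7BF14FD E0C7B902
03010001 A3820109 30820105 30700603 551D1F04 69306730 65A063A0 61A45F30 5D310B30 09060355 04061302 55533110
300E0603 55040A13 07457175 69666178 312D302B 06035504 0B132445 71756966 61782053 65637572 65204365 72746966
69636174 65204175 74686F72 69747931 0D300B06 03550403 13044352 4C31301A 0603551D 10041330 11810F32 30313830
38323231 36343135 315A300B 0603551D 0F040403 02010630 1F060355 1D230418 30168014 48E668F9 2BD2B295 D747D823
20104F33 98909FD4 301D0603 551D0E04 16041448 E668F92B D2B295D7 47D82320 104F3398 909FD430 0C060355 1D130405
30030101 FF301A06 092A8648 86F67D07 4100040D 300B1B05 56332E30 63030206 C0300D06 092A8648 86F70D01 01050500
03818100 58CE29EA FCF7DEB5 CE02B917 B585D1B9 E3E095CC 25310D00 A6926E7F B692639E 5095D19A 6FE411DE 63856E98
EEA8FF5A C8D355B2 667157DE C021EB3D 2AA72349 01048642 7BFCEE7F A21652B5 6767D340 DB3B2658 B228773D AE147761
D6FA2A66 27A00DFA A7735CEA 70F19421 65445FFA FCEF2968 A9A28779 EF79EF4F AC077738
"""
# Base64 copied from the "crypto pki authenticate" paste above (armor lines omitted).
PEM_BODY = """
MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc
MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT
ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw
MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj
dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l
c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC
UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc
58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/
o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH
MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr
aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA
A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA
Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv
8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
"""
def read_tlv(buf, pos):
    """(tag, value, next_pos) of the DER element at pos; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):  # walk the members of a SEQUENCE / SET
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
             "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def name_to_str(name):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'C=US, O=...'."""
    parts = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{OID_NAMES.get(decode_oid(oid), decode_oid(oid))}={val.decode('latin-1')}")
    return ", ".join(parts)

def parse_certificate(der):
    """Serial, names, validity, signature algorithm and SHA-1 fingerprint of one DER certificate."""
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version, present in v3 certificates
        fields = fields[1:]
    not_before, not_after = (v.decode("ascii") for _, v in children(fields[3][1]))
    sig_oid = decode_oid(children(sig_alg)[0][1])
    return {"serial": fields[0][1].hex().upper(), "issuer": name_to_str(fields[2][1]),
            "subject": name_to_str(fields[4][1]), "not_before": not_before, "not_after": not_after,
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
            "sha1_fingerprint": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())}

def page_certificates():
    """Both certificates from the article, keyed by the config block they were pasted in."""
    return {"certificate chain (hex)": parse_certificate(bytes.fromhex("".join(IOS_HEX_CHAIN.split()))),
            "authenticate (Base64)": parse_certificate(base64.b64decode("".join(PEM_BODY.split())))}
if __name__ == "__main__":
    for where, info in page_certificates().items():
        print(where, *(f"\n  {k:20} {v}" for k, v in info.items()))
```

The SHA-1 fingerprint it prints is the value IOS shows at the "Do you accept this certificate?" prompt, so the same script can be pointed at any new CA blob before it goes into the config: change the constant, run it, and compare against the CA operator's published fingerprint rather than against whatever the prompt happens to show.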

User seekrtz also provided some helpful information about Cisco routers:

Most people use no ip domain-lookup; if you do, then you need to manually identify the IP for members.dyndns.org.

ip host members.dyndns.org 63.208.196.96

The WAN interface must allow members.dyndns.org in from the outside.

permit tcp host 63.208.196.96 eq 443 any established

The access-list entry is very much necessary. I do use CBAC (i.e. ip inspect <name>). CBAC is applied to the outgoing interface of the WAN link and allows ports to open up on the outside dynamically, so that traffic originating from the inside network can communicate. This in turn allows me to initially block everything from the outside and selectively allow only certain and potentially very defined traffic inside my network. DynDNS.com always responds using a random port number when it answers back for a successful response. If I weren't using CBAC, then the access-list would not be needed, but I would also essentially have a very insecure network that allows pretty much all traffic inside my network too.

So, using CBAC (ip inspect <name>) really means that an access-list permitting members.dyndns.org is absolutely necessary. Otherwise, it will be blocked. I cannot comment on ASA devices, as I do not have one for testing. I really have been wanting to pick up a 5505 just for playing around with one of these days.

This is the entry I use. Without it, the update always times out.

permit tcp host members.dyndns.org eq 443 any established log

Here is a log of a successful update using the ACL; without it, the update times out. I only removed the timestamp information and my username/password.


DYNDNSUPD: Adding DNS mapping for example.dnsalias.net <=> 66.227.209.224 server 63.208.196.96
HTTPDNS: Update add called for example.dnsalias.net <=> 66.227.209.224
HTTPDNSUPD: Session ID = 0x20
HTTPDNSUPD: URL = 'https://username:password@members.dyndns.org/nic/update?hostname=example.dnsalias.net&myip='
HTTPDNSUPD: Sending request
%SEC-6-IPACCESSLOGP: list firewall permitted tcp 63.208.196.96(443) -> 66.227.209.224(54529), 1 packet
HTTPDNSUPD: Response for update example.dnsalias.net <=> 66.227.209.224
HTTPDNSUPD: DATA START
nochg 66.227.209.224
HTTPDNSUPD: DATA END, Status is Response data recieved, successfully
HTTPDNSUPD: Call returned SUCCESS, update of example.dnsalias.net <=> 66.227.209.224 succeeded
DYNDNSUPD: Another update completed (outstanding=0, total=0)
HTTPDNSUPD: Clearing all session 32 info
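The exchange that the two router logs above record, as an added example written for this page and not part of either post: it expands the IOS URL template from the configuration, builds the HTTP request the router sends (the DynDNS update API takes the credentials from the URL as an HTTP Basic Authorization header), shows what an on-path observer recovers from that header if the same request goes over plain HTTP instead of HTTPS, and interprets the one-line reply ("good" in ryanlin2002's log, "nochg" in seekrtz's). The reply-code table is the one DynDNS documents for the /nic/update API; the 192.0.2.10 address, the "cisco-IOS" User-Agent default and the sample replies are constructed for the example and nothing is sent over the network.

```python
"""Model the HTTP exchange behind the router logs above, offline: expand the IOS URL
template, build the request the router sends, recover the credentials the way an
on-path observer could if it went over plain HTTP, and interpret the reply."""
import base64
from urllib.parse import urlsplit

# Reply codes documented for the DynDNS /nic/update API. "good" (ryanlin2002's log)
# and "nochg" (seekrtz's log) are the two success cases; everything else is a failure.
REPLY_CODES = {
    "good": "update applied",
    "nochg": "address unchanged (clients should not repeat this needlessly)",
    "badauth": "username or password rejected",
    "notfqdn": "hostname is not a fully qualified domain name",
    "nohost": "hostname not found under this account",
    "abuse": "hostname blocked for abusive update behaviour",
    "badagent": "user agent blocked",
    "dnserr": "server-side DNS error",
    "911": "server-side problem, retry later",
}

def expand_template(url_template, hostname, address):
    """IOS substitutes <h> with the configured hostname and <a> with the interface address."""
    return url_template.replace("<h>", hostname).replace("<a>", address)

def build_request(url, user_agent="cisco-IOS"):
    """Raw HTTP/1.1 request for an update URL carrying user:password@ inline, as the
    API expects it: the credentials move into an HTTP Basic Authorization header."""
    u = urlsplit(url)
    creds = base64.b64encode(f"{u.username}:{u.password}".encode()).decode()
    target = u.path + (f"?{u.query}" if u.query else "")
    return (f"GET {target} HTTP/1.1\r\nHost: {u.hostname}\r\n"
            f"Authorization: Basic {creds}\r\nUser-Agent: {user_agent}\r\n\r\n")

def credentials_from_request(raw_request):
    """Basic auth is base64, not encryption: over plain HTTP anyone on the path gets the
    account password back with one decode. TLS is what keeps this header private."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            return base64.b64decode(line.split(" ", 2)[2]).decode()
    return None

def parse_reply(body):
    """Interpret the one-line reply body, e.g. 'good 192.0.2.10' or 'nochg 192.0.2.10'."""
    parts = body.strip().split()
    code = parts[0] if parts else ""
    if code not in REPLY_CODES:
        raise ValueError(f"unexpected reply from update server: {body.strip()!r}")
    return {"code": code, "address": parts[1] if len(parts) > 1 else None,
            "ok": code in ("good", "nochg"), "meaning": REPLY_CODES[code]}

if __name__ == "__main__":
    # Constructed inputs: the URL template from the config above, a documentation
    # address (192.0.2.10) in place of x.x.x.x, and a reply like the one in the log.
    url = expand_template("https://username:password@members.dyndns.org/nic/update?"
                          "system=dyndns&hostname=<h>&myip=<a>", "example.dyndns.org", "192.0.2.10")
    request = build_request(url)
    print(request)
    print("recoverable by anyone on the path if sent over http://:", credentials_from_request(request))
    print(parse_reply("good 192.0.2.10"))
```

The point of credentials_from_request is the reason the whole page exists: the password is only protected by the TLS session the router sets up after validating the server certificate against the trustpoint configured above, which is also why the CA import deserves the fingerprint check rather than a blind "yes".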

Again, big thanks to ryanlin2002 and seekrtz for the information. You can find this thread and more customized router configurations on the Router Update Clients board in the DynDNS.com Community Forum.