#Cambio
Keeps a DNS record up-to-date when your external IP address changes, as is common with domestic broadband connections.
##Instructions
Assuming you have an Amazon AWS account, a domain pointed at Route53, and a hosted zone configured:
- Create a restricted IAM account (see below) that is unused by anything else, and download the credentials.
- Configure your AWS shared credentials file.
- Run `cambio -zone <hosted-zone-id> -domain <vpn.example.com.>` periodically via cron or the like.
Note: If the record doesn't exist, it will be created automatically.
##Advanced
You can configure cambio to use different AWS profiles, set different DNS time-to-live values (default 5 minutes), or create/update different record types with the following arguments:

```
-profile string
    AWS Credential profile name (default "default")
-record-type string
    Record type (default "A")
-region string
    Region (default "eu-west-1")
-ttl int
    Time-to-live value (default 300)
```
###Separate those privileges! (Restricted IAM Account)
Please only grant the bare minimum permissions to this IAM account. There's really no need to grant privileges to spin up thirty d2.8xlarge instances to something that changes a DNS record.
Anywhoo:
- Create a new IAM user with a descriptive name like `home-dns-updater` - use something you'll recognise in 6 months!
- Create an access key (on the `Security Credentials` tab), and save it for the next step.
- Add the access key to the AWS shared credentials file (defaults to ~/.aws/credentials)
- Grant restricted permissions to the IAM account:
  - Under the `Permissions` tab, click Inline Policies to expand the container, and click create a new policy
  - Select `Custom Policy`
  - Give the policy a descriptive name, like `UpdateHomeDNSRecords`
  - Paste the policy below, making sure you replace `<zone-id>` with your actual hosted zone ID

    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1452005095000",
                "Effect": "Allow",
                "Action": [
                    "route53:ChangeResourceRecordSets"
                ],
                "Resource": [
                    "arn:aws:route53:::hostedzone/<zone-id>"
                ]
            }
        ]
    }
    ```

  - Click `Apply Policy`

Alternatively, if you're on an EC2 instance, you can use an IAM role for authentication (but if you're on EC2 you probably don't need this).
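
To check that the policy actually attached to the account stays this narrow, the script below reads an IAM policy document and reports anything it allows beyond `route53:ChangeResourceRecordSets` on one hosted zone. It is an added example, not part of cambio; the function names and the sample policy are constructed, and the hosted zone ID pattern (uppercase letters and digits) is an assumption.

```python
import json
import re
import sys

ALLOWED_ACTION = "route53:changeresourcerecordsets"  # IAM matches action names case-insensitively
# Exactly one hosted zone: no wildcard, no unreplaced <zone-id> placeholder.
# Assumption: hosted zone IDs are uppercase letters and digits.
ZONE_ARN = re.compile(r"arn:aws:route53:::hostedzone/[A-Z0-9]+")

# Constructed sample: an over-broad variant of the policy above.
SAMPLE = """{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Action": ["route53:ChangeResourceRecordSets", "route53:*"],
  "Resource": "arn:aws:route53:::hostedzone/*"}}"""


def as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(document):
    """Return one finding per grant that goes beyond the policy above."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(document).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {i}: Allow with {key} grants everything not listed")
        for action in as_list(stmt.get("Action")):
            if action.lower() != ALLOWED_ACTION:
                findings.append(f"statement {i}: extra action {action}")
        for resource in as_list(stmt.get("Resource")):
            if not ZONE_ARN.fullmatch(resource):
                findings.append(f"statement {i}: resource {resource} is not a single hosted zone")
    return findings


if __name__ == "__main__":
    # Usage: python audit_policy.py [policy.json]; without a file the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = audit_policy(text)
    print("\n".join(problems) or "no grants beyond ChangeResourceRecordSets on one hosted zone")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it finds anything, so it can gate a deployment step or a periodic review job.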