Custom DynDNS providers on Sophos Firewalls

English translations

This post was translated with the help of a translation tool. Therefore, occasional errors are possible. An error-free version is available in German

This page is also available in: Deutsch (German)

In this article we will introduce you to a way of using user-defined DynDNS providers on Sophos firewalls.

Introduction

Sophos has unfortunately not yet (SFOS <= 20.0.0) created the possibility to offer user-defined DynDNS providers on Sophos firewalls. Actually very strange when you consider that most providers work with a common standard and actually only a dialog would have to be added in the web interface. But now then… You don’t have to understand everything. 🤷‍♂️

In this HowTo we present a solution on how to get additional providers into the web interface and how to use them successfully.

Attention

This HowTo inserts an additional entry in the PostgreSQL database. We have not been able to detect any problems with this in several tests. Nevertheless, it should be noted that such changes can also have undesirable side effects such as crashes or instability. Customization should also always be carried out by experienced people in the advanced shell and SQL.

Also: Always test in a demo environment first!

Prerequisites

You will need the following information for successful implementation:

  • SFOS 19.5.x to 20.0.x (earlier and later versions may need to be tested)
  • Shell access to the firewall
  • Data for the DynDNS provider
    • DynDNS address
    • FQDN of the update server
    • User name
    • Password
  • The DynDNS provider must support one of these protocols.
    Others will not work!
    • dyndns2 (yes, with “2”)
    • zoneedit1 (yes, with “1”)
    • namecheap
    • freedns
    • noip

Add provider

Execute the following command in the advanced shell. The VALUES (in the rear brackets!) are to be set as follows:

  • serviceproviderid
    The ID is best chosen somewhere above 50. The existing providers have the IDs 1-11. The gap prevents Sophos from overwriting your entry (even if this is unlikely to happen).
  • displayname
    The name of the entry in the web interface. For security reasons, please do not use umlauts or special characters. Experienced users will know that special characters are sometimes a thing with Sophos 😉
  • protocol
    Choose between the protocols: dyndns2, zoneedit1, namecheap, freedns, noip
    You have to find the right protocol for your provider yourself. dyndns2 should work in most cases.
  • serverstring
    The update server from your provider without any paths – just the FQDN! Here are some examples:
    Strato: dyndns.strato.com
    All-Inkl: dyndns.kasserver.com
JavaScript
psql -U nobody -d corporate -c "INSERT INTO tblddnsserviceprovider (serviceproviderid, displayname, protocol, serverstring) VALUES ('50', 'Strato', 'dyndns2', 'dyndns.strato.com');"
“INSERT 0 1” means successfull

After you have adapted the command to your requirements and sent it, the new provider can be configured in the web interface.

Custom DynDNS providers on Sophos Firewalls
New provider: Strato
Custom DynDNS providers on Sophos Firewalls
Provider All-Inkl was updated successfully

Did it work for you? Share your experiences with us in the comments!

Have fun testing!

Debugging

You have added everything, but it won’t work? Look in the log file “/log/ddc.log”. If necessary, turn on debugging to see more in the log file. Afterwards, please deactivate with the same command!

Deactivate/activate debugging for DynDNS Service
service ddc:debug -ds nosync

Questions

Boot and update-proof?

In my tests, the configuration was boot-proof. The configuration has also successfully survived an update from 19.5.x to 20.0.0.

Backup Consistent?

In fact, the whole thing is not backup consistent. I have noticed the following:

Configuration backup / XML:
The settings are exported, but there is no reference to the provider you created yourself. The configuration is therefore not backed up.

Complete backup:
At least the new provider is included in the complete backup and is backed up. However, the settings in the web interface are also missing here and must be entered manually.

How to undo?

If you want to undo the customization, you must first delete the configuration in the web interface. The entry can then be deleted from the database. Not the other way around!

Attention

Incorrect SQL commands could delete too much! So it’s better to double and triple check. Please only ever delete the entry you have added yourself and never any predefined ones from Sophos!

First, find the ID of the entry to be deleted in the database.

DynDNS – read serviceproviderid
psql -U nobody -d corporate  -c "select * from tblddnsserviceprovider;" -x
In this example, it is serviceproviderid=”50″ for the user-defined entry Strato.

You then use this ID to assemble the SQL command for deletion and send it.

Delete the entry with serviceproviderid=50
psql -U nobody -d corporate -c "DELETE FROM tblddnsserviceprovider where serviceproviderid='50';"

You can use the first command to read out the ID to test whether the deletion was successful. If yes -> done.


Factory reset

A factory reset undoes everything. No traces remain here.

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *


WordPress Cookie Plugin by Real Cookie Banner