Problem: Domains are handled by Azure DNS. One (or multiple) subdomains are pointing to a dynamic (public) IP and need to be updated on IP change.
Solution: An Azure Function that can be triggered by any authorized ddclient, basically DynDNS on Azure. ddclient itself is not required; any client that follows the DynDNS API spec works.
Use-Case: Ubiquiti USG / Ubiquiti UDM dynamic DNS feature.
Note: I recently migrated from my trusty old USG to a new UDM-SE and had to set the server to `yourdyndns.azurewebsites.net/\/nic/update?hostname=%h&myip=%i`. For unknown reasons the UDM always creates a custom inadyn profile without a ddns-path, regardless of the ddns provider profile you select in the UI.
- Set up your DNS Zones in Azure
- Set up your Azure Function App (v4/.NET6, consumption plan, Application Insights enabled)
- Deploy this Azure Function to your Function App resource and configure Application Settings accordingly
Create a Service Principal for the Function App (detailed walk-through: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
- Register a new application in your AAD tenant and take note of the application id (a.k.a. clientId)
  - Give it a meaningful name
  - Select "Single tenant"
  - Do not provide a Redirect URI
- Create a client secret and copy the value for later use (a.k.a. secret)
Grant the Service Principal the "DNS Zone Contributor" role (detailed walk-through: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current)
- Select "Access control (IAM)" in your DNS resource (or resource group if you have multiple DNS Zones that you want to modify)
- Click on "Add role assignment"
- Search for "DNS Zone Contributor", select it and click "Next"
- Click "Select Members" and search for your Service Principal (either by name or object id) and select it
- Click "Next" and then "Review + assign"
You can double-check that the assignment succeeded by entering your Service Principal name in the "Check access" form.
Also take note of the following values:
- tenantId - you can get this from your AAD Overview page
- subscriptionId - the GUID of your subscription, found on the overview page of any resource
- rgName - the name of the resource group that holds your DNS Zone resources
Set up your secrets.json with the following keys.

```json
{
  "AzureAD": {
    "tenantId": "",
    "clientId": "",
    "secret": "",
    "subscriptionId": ""
  },
  "Authorization": [{
    "user": "",
    "secret": ""
  }],
  "rgName": ""
}
```

Note: you can provide multiple users by adding more entries to the Authorization array.
Add the following keys to your AppSettings.

```text
AzureAD__tenantId
AzureAD__clientId
AzureAD__secret
AzureAD__subscriptionId
Authorization__0__user
Authorization__0__secret
rgName
```
Note: to add multiple users, increment the array index (e.g. Authorization__0__user to Authorization__1__user)
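As an added illustration (not the project's own C# function) of the DynDNS2 exchange the client configuration above relies on, and of how the Authorization user/secret pairs are checked, here is a Python model of the `/nic/update` handler. The `AUTHORIZATION` list and `ZONES` dictionary are constructed stand-ins for the configured users and for the Azure DNS zones; the response words (badauth, notfqdn, nohost, nochg, good, 911) are the DynDNS2 vocabulary that ddclient and inadyn understand.

```python
import base64
import hmac
import ipaddress
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the "Authorization" array (Authorization__N__user/secret in AppSettings).
AUTHORIZATION = [{"user": "usg", "secret": "example-ddns-secret"}]
# Constructed in-memory stand-in for the A records in the Azure DNS zones.
ZONES = {"example.com": {"home": "198.51.100.7"}}


def authorized(header, users=AUTHORIZATION):
    """Check an HTTP Basic Authorization header against the configured users."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        creds = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, secret = creds.partition(":")
    ok = False
    for entry in users:  # check every entry so timing does not leak which users exist
        ok |= hmac.compare_digest(entry["user"].encode(), user.encode()) & hmac.compare_digest(
            entry["secret"].encode(), secret.encode())
    return ok


def nic_update(url, auth_header, zones=ZONES):
    """Handle GET /nic/update?hostname=%h&myip=%i and return (HTTP status, DynDNS2 body)."""
    if not authorized(auth_header):
        return 401, "badauth"
    query = parse_qs(urlparse(url).query)
    hostname = query.get("hostname", [""])[0].lower().rstrip(".")
    if "." not in hostname:
        return 400, "notfqdn"
    try:
        myip = str(ipaddress.ip_address(query.get("myip", [""])[0]))
    except ValueError:
        return 400, "911"  # no DynDNS2 word for a malformed myip; 911 makes clients back off and retry
    # Only a name inside a zone the Service Principal manages may be changed; anything else is nohost.
    for zone, records in zones.items():
        if hostname.endswith("." + zone):
            name = hostname[: -len(zone) - 1]
            if name not in records:
                return 404, "nohost"
            if records[name] == myip:
                return 200, f"nochg {myip}"
            records[name] = myip  # the real function issues an Azure DNS record-set update here
            return 200, f"good {myip}"
    return 404, "nohost"
```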