Introduction
Like many home users, my broadband connection comes with a dynamically assigned public IP address. This means that my IP can change at any time, sometimes without notice, which can be a problem when I want to access services hosted at home, like a self-hosted server or VPN.
Instead of relying on a third-party Dynamic DNS (DDNS) provider, I decided to take full control and build my own secure, automated DNS updater using Azure DNS.
Why Azure DNS? I already use it to manage all my domain names. It gives me:
- Full control over DNS records
- Integration with Azure’s security and identity features
- The ability to update records programmatically using tools like PowerShell or Python
To simplify things, I use a single A record (e.g., home.example.com) that points to my current public IP. All other DNS records that need to resolve to my home IP are CNAMEs pointing to this A record. That way, I only need to update one record when my IP changes.
While updating this record manually isn’t difficult, I often wouldn’t notice the IP had changed until hours, or even a day later. That’s when I realised: I could automate this.
So I built AzureDNSSync—a lightweight Python-based tool that:
- Detects my current public IP
- Compares it with the DNS record in Azure
- Updates the record if needed
- Sends me an email notification
- Runs automatically on a schedule
This post walks you through how to set it up, including a few Azure-specific steps like creating an Enterprise Application in Entra ID, which in turn creates the App Registration that the Ubuntu server uses to authenticate to Azure and update the record.
Whilst this guide depends on running on Ubuntu, I will be working on a version for Windows soon.
Ready to dynamically update your own Azure DNS? Read on
Features at a Glance
AzureDNSSync is designed to be lightweight, secure, and easy to use. Here’s what it offers:
- Secure Authentication: Uses a Microsoft Entra ID (Azure AD) App Registration with certificate-based authentication. No password or client secret is used; the private key stays on your server with restricted file permissions.
- Public IP Detection: Automatically detects your current public IP using an external service (https://api.ipify.org).
- Smart DNS Syncing: Compares your current IP with the existing Azure DNS A record and only updates when needed.
- Email Notifications (optional): Sends you an email whenever your IP changes and the DNS record is updated.
- Scheduled Updates: Runs automatically on a schedule using cron (default: every 5 minutes).
- Interactive Setup Wizard: Guides you through the initial configuration; no need to manually edit config files.
- Clean Install: Installs into a Python virtual environment to avoid polluting your system Python.
- Logging: Keeps a rolling 7-day log of updates and errors for easy troubleshooting.
- Minimal Dependencies: Just Python 3.8+, python3-venv, and a few pip packages; no heavyweight frameworks.
Prerequisites
Before you get started with AzureDNSSync, make sure you have the following in place:
Azure Requirements
- An Azure Subscription: You'll need access to the Azure Portal, permission to manage DNS zones and App Registrations, and permission to assign roles on the resource group or zone (Owner or User Access Administrator at that scope).
- A DNS Zone Hosted in Azure DNS: This is where your domain's A record will be updated.
- Enterprise Application in Entra ID: Create a new Enterprise Application in Microsoft Entra ID. This automatically creates the App Registration (and its service principal) needed for authentication.
- App Registration with Certificate Authentication: The install script generates a certificate. You'll upload the public certificate to the App Registration.
- DNS Zone Contributor Role Assignment: Assign the App Registration the DNS Zone Contributor role on the resource group that contains your DNS zone (or, more restrictively, on the zone itself).
Local Machine Requirements
- A Linux Machine: Ubuntu or Debian-based systems are recommended. The script assumes apt is available.
- Python 3.8+: Required for running the updater script.
- python3-venv Package: Used to create an isolated Python environment.
- openssl Installed: Needed to generate the certificate and key pair.
- curl Installed: Used to download the install script.
- cron Available: For scheduling the updater to run automatically.
Azure Setup
To allow your Ubuntu server to securely update DNS records in Azure, you’ll need to configure a few things in the Azure Portal. This includes creating an Enterprise Application, uploading a certificate, and assigning the correct permissions.
Step 1: Create an Enterprise Application
- Go to Microsoft Entra ID in the Azure Portal.
- Navigate to Enterprise Applications > New Application.
- Select “Create your own application”.
- Enter a name (e.g. AzureDNSSync) and choose “Integrate any other application you don’t find in the gallery”.
- Click Create.
This step automatically creates an App Registration behind the scenes, which is what AzureDNSSync uses to authenticate.
Step 2: Upload the Certificate
The install script generates the certificate on your server and prints the public certificate block, so this step happens after installation (see Installation, Step 2 below). Only the public certificate is uploaded; the private key never leaves the server.
Step 3: Assign DNS Permissions
To allow the app to update DNS records:
- Go to the Resource Group that contains your DNS Zone.
- Click Access control (IAM).
- Click Add > Add role assignment.
- Choose the DNS Zone Contributor role.
- Assign access to the App Registration created earlier.
This gives the app permission to read and update DNS records in the zone. Note that DNS Zone Contributor covers every record set in every zone within the assignment scope, so if you want to be more restrictive, assign the role on the DNS Zone itself (Access control (IAM) on the zone) rather than on the resource group.
Once these steps are complete, your Azure environment is ready for AzureDNSSync to securely authenticate and manage DNS updates.
Installation
With your Azure environment ready, you can now install AzureDNSSync on your Linux machine. The installation process is fully automated and takes just a few minutes.
Step 1: Run the One-Line Installer
Open a terminal on your Ubuntu or Debian-based system and run:
sudo bash -c "curl -fsSL https://raw.githubusercontent.com/andrew-kemp/AzureDNSSync/main/install.sh | bash"
Because this pipes a script straight from the internet into a root shell, it is worth downloading install.sh first (curl -fsSLO with the same URL), reading it, and then running sudo bash install.sh; the result is the same.
Either way, the installer will:
- Install required system packages (python3, python3-venv, openssl)
- Create a secure installation directory at /etc/azurednssync
- Set up a Python virtual environment
- Download the latest version of the azurednssync.py script
- Generate a private key and self-signed certificate
- Combine the key and certificate into a .pem file for Azure authentication
- Display the public certificate block for you to copy into Azure
- Launch the configuration wizard
Note: You do not need to clone the GitHub repository or download any files manually—the script handles everything for you.
Step 2: Upload the Certificate to Azure
During installation, the script will display a certificate block like this:
-----BEGIN CERTIFICATE-----
MIID…<snipped>…IDAQAB
-----END CERTIFICATE-----
Copy the whole block, including the BEGIN and END lines, into a text editor and save it as AzureDNSSync.cer. Then upload the certificate:
- Go to Microsoft Entra ID > App registrations.
- Select the app created in the previous step.
- Navigate to Certificates & secrets > Certificates.
- Click Upload certificate.
Step 3: Complete the Configuration Wizard
After installation, the script will launch an interactive setup wizard. You’ll be prompted to enter:
- Azure Tenant ID, Client ID, and Subscription ID
- DNS zone name and record set name
- Email settings (if you want notifications)
- How often the script should run (in minutes)
Once complete, the script will:
- Save your configuration securely
- Set up a cron job to run the updater automatically
How It Works
Once installed and configured, AzureDNSSync quietly runs in the background, keeping your Azure DNS records in sync with your current public IP address. Here’s what happens during each scheduled run:
- Detects Your Public IP: The script uses an external service (https://api.ipify.org) to determine your current public IP address.
- Checks the DNS Record: It performs a DNS lookup on the configured A record (e.g. home.example.com) to see what IP address it currently resolves to. After a change, this answer can lag behind the zone by up to the record's TTL.
- Queries Azure DNS: Using certificate-based authentication, the script connects to Azure and reads the IP address stored in the DNS zone for the same A record.
- Compares the IPs: your current public IP, the IP the record resolves to, and the IP stored in Azure DNS. If all three match, nothing happens. If there's a mismatch, it proceeds to update the Azure DNS record.
- Updates Azure DNS: If needed, the script updates the A record in Azure DNS with your current public IP. Because every other home-facing record is a CNAME to this A record, they follow it automatically.
- Sends an Email Notification (optional): If you've configured email settings, the script sends a notification whenever the IP changes and the DNS record is updated.
- Logs the Activity: Each run is logged to /etc/azurednssync/update.log, including timestamps, IP addresses, and any errors encountered.
This process repeats automatically at the interval you specified during setup (default: every 5 minutes), ensuring your DNS records stay up to date without manual intervention.
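The run described above, as an added example in Python (not AzureDNSSync's own code). The decision logic is pure so it runs without Azure; the Azure SDK calls in azure_record_io (azure-identity's CertificateCredential and azure-mgmt-dns's DnsManagementClient) are an assumption about how such a tool talks to Azure and are imported lazily. Two things the prose leaves implicit are made explicit: the answer from the public-IP service is untrusted input and is validated before it can be written into the zone, and a resolver that still serves the old value while Azure already holds the new one is reported as "propagating" rather than triggering another write.

```python
"""Sync loop for a certificate-authenticated Azure DNS updater.

Added example, not the AzureDNSSync project's own code. The decision logic is
pure and runs without Azure; the SDK calls in azure_record_io (azure-identity
and azure-mgmt-dns) are an assumption about how such a tool talks to Azure.
"""
import ipaddress
import socket
from typing import Callable, Optional
from urllib.request import urlopen


def validate_public_ipv4(text: str) -> str:
    """Accept only a bare, globally routable IPv4 address. The value comes from
    an external HTTP service, so it is untrusted: garbage, an IPv6 literal or a
    private/CGNAT address must never be written into the zone."""
    candidate = text.strip()
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv4 address: {candidate!r}") from exc
    if not addr.is_global:
        raise ValueError(f"not a public address: {candidate}")
    return str(addr)


def fetch_public_ip(url: str = "https://api.ipify.org") -> str:
    """Ask the external service the post uses; validate before trusting it."""
    with urlopen(url, timeout=10) as resp:
        return validate_public_ipv4(resp.read(64).decode("ascii", "replace"))


def resolve_a_record(fqdn: str) -> Optional[str]:
    """What public resolvers answer now (may lag Azure by up to the TTL)."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def decide_action(public_ip: str, resolved_ip: Optional[str],
                  azure_ip: Optional[str]) -> str:
    """'update' if the zone is wrong or the record is missing; 'propagating'
    if the zone is right but resolvers still serve the old value; else 'noop'."""
    if azure_ip != public_ip:
        return "update"
    if resolved_ip != public_ip:
        return "propagating"
    return "noop"


def sync_record(fqdn: str, get_public_ip: Callable[[], str],
                resolve: Callable[[str], Optional[str]],
                read_azure: Callable[[], Optional[str]],
                write_azure: Callable[[str], None],
                notify: Callable[[str, str], None] = lambda old, new: None) -> dict:
    """One scheduled run. All I/O is injected so the flow is testable offline;
    a bad public-IP answer raises before anything is written."""
    public_ip = validate_public_ipv4(get_public_ip())
    resolved_ip = resolve(fqdn)
    azure_ip = read_azure()
    action = decide_action(public_ip, resolved_ip, azure_ip)
    if action == "update":
        write_azure(public_ip)
        notify(azure_ip or "<none>", public_ip)
    return {"action": action, "public_ip": public_ip,
            "resolved_ip": resolved_ip, "azure_ip": azure_ip}


def azure_record_io(tenant_id, client_id, subscription_id, cert_path,
                    resource_group, zone, name, ttl=300):
    """Read/write callables for one A record via the Azure SDK (assumed usage;
    imported lazily). cert_path is the PEM holding private key + certificate."""
    from azure.core.exceptions import ResourceNotFoundError
    from azure.identity import CertificateCredential
    from azure.mgmt.dns import DnsManagementClient
    from azure.mgmt.dns.models import ARecord, RecordSet

    cred = CertificateCredential(tenant_id, client_id, certificate_path=cert_path)
    client = DnsManagementClient(cred, subscription_id)

    def read() -> Optional[str]:
        try:
            rs = client.record_sets.get(resource_group, zone, name, "A")
        except ResourceNotFoundError:
            return None
        return rs.a_records[0].ipv4_address if rs.a_records else None

    def write(ip: str) -> None:
        client.record_sets.create_or_update(
            resource_group, zone, name, "A",
            RecordSet(ttl=ttl, a_records=[ARecord(ipv4_address=ip)]))

    return read, write
```

For a real run you would wire it as `read, write = azure_record_io(tenant, client, sub, "/etc/ssl/private/azurednssync.pem", "rg", "example.com", "home")` and then `sync_record("home.example.com", fetch_public_ip, resolve_a_record, read, write, notify=send_mail)`, with `send_mail` being whatever SMTP routine you use. Keeping the comparison pure means the cron run can be exercised with fake callables, which is also how the behaviour on a garbage answer from the IP service is checked.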
Troubleshooting
If something doesn’t work as expected, don’t worry—here are some common issues and how to resolve them.
The Script Doesn’t Run or Fails Silently
- Check the logs: Look in /etc/azurednssync/update.log for any error messages or output from the last run.
- Run manually for testing:
You can run the script directly to see what it’s doing:
sudo /etc/azurednssync/venv/bin/python /etc/azurednssync/azurednssync.py
ModuleNotFoundError or Missing Python Packages
- This usually means the install script didn’t complete successfully.
- Re-run the installer:
sudo bash -c "curl -fsSL https://raw.githubusercontent.com/andrew-kemp/AzureDNSSync/main/install.sh | bash"
DNS Record Isn’t Updating
- Check your Azure permissions: Make sure the App Registration has the DNS Zone Contributor role on the correct resource group (or on the zone itself, if you scoped it there).
- Verify the certificate: Ensure the certificate block was correctly copied into the App Registration in Azure.
- Check the config:
Re-run the configuration wizard to confirm all values are correct:
sudo /etc/azurednssync/venv/bin/python /etc/azurednssync/azurednssync.py
No Email Notifications
- Make sure SMTP settings were entered correctly during setup.
- Check that your SMTP provider allows sending from the configured address.
- Review the log file for any email-related errors.
Cron Job Isn't Running
- Check your crontab:
sudo crontab -l
- You should see a line that runs the script every few minutes.
- If it's missing, re-run the configuration wizard or manually add the cron job.
Security Notes
Security is a core part of AzureDNSSync’s design. Here are the key measures in place to help keep your credentials and infrastructure safe:
Certificate-Based Authentication
- AzureDNSSync authenticates with a certificate registered on a Microsoft Entra ID (Azure AD) App Registration.
- This avoids storing passwords or client secrets on disk.
- Only the public certificate is uploaded to Azure—your private key remains securely on your server.
Secure File Storage
- All sensitive files are stored in secure locations:
- Configuration and logs: /etc/azurednssync/
- Private key and certificate: /etc/ssl/private/
- File permissions are tightly restricted:
- Private key and PEM: chmod 600
- Config and SMTP credentials: chmod 600
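A pre-flight check that enforces the layout above before the key is loaded, as an added example (not the project's own code): it refuses to run if the private key, config or SMTP credential file is missing, a symlink, owned by someone else, or readable by group or other, the same way sshd rejects a world-readable key. The file paths and names are assumptions based on the locations described here.

```python
"""Pre-flight check for the secret files the updater reads at each run.

Added example, not AzureDNSSync's own code. It enforces what the post
describes (private key/PEM and config at mode 600, owned by the user the cron
job runs as) and refuses to proceed otherwise. The path names are assumptions.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumed locations, following the post's layout.
SECRET_FILES = ("/etc/ssl/private/azurednssync.pem",
                "/etc/azurednssync/config.json",
                "/etc/azurednssync/smtp_auth.key")
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


class InsecureFileError(RuntimeError):
    """A secret file is missing, not a regular file, wrongly owned or too open."""


def check_secret_file(path, expected_uid=None) -> int:
    """Return the permission bits if `path` is a regular file (not a symlink),
    owned by expected_uid (default: the effective uid) and has no group/other
    bits, i.e. 0600 or stricter. Raise InsecureFileError otherwise."""
    p = Path(path)
    try:
        st = os.lstat(p)          # lstat: a symlink to somewhere else is rejected
    except FileNotFoundError:
        raise InsecureFileError(f"{p}: missing") from None
    if not stat.S_ISREG(st.st_mode):
        raise InsecureFileError(f"{p}: not a regular file")
    uid = os.geteuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        raise InsecureFileError(f"{p}: owned by uid {st.st_uid}, expected {uid}")
    perm = stat.S_IMODE(st.st_mode)
    if perm & GROUP_OTHER:
        raise InsecureFileError(
            f"{p}: mode {perm:04o} grants group/other access; want 0600")
    return perm


def secret_files_ok(paths=SECRET_FILES, expected_uid=None) -> list:
    """Check every path; return the list of problems (empty means safe to run)."""
    problems = []
    for path in paths:
        try:
            check_secret_file(path, expected_uid)
        except InsecureFileError as exc:
            problems.append(str(exc))
    return problems


def demo() -> dict:
    """Constructed files in a temp dir (placeholder text, not real keys) showing
    two accepted and four rejected cases. Returns {name: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        for name, mode in (("ok.pem", 0o600), ("ok_ro.pem", 0o400),
                           ("group_readable.pem", 0o640), ("world.pem", 0o644)):
            f = base / name
            f.write_text("-----BEGIN PRIVATE KEY-----\nplaceholder\n"
                         "-----END PRIVATE KEY-----\n")
            f.chmod(mode)
            results[name] = secret_files_ok([f])
        link = base / "link.pem"
        link.symlink_to(base / "ok.pem")        # a symlink, even to a good file
        results["link.pem"] = secret_files_ok([link])
        results["missing.pem"] = secret_files_ok([base / "missing.pem"])
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:20} {'OK' if not problems else problems[0]}")
    real = secret_files_ok()
    raise SystemExit(0 if not real else "refusing to run:\n" + "\n".join(real))
```

Call `secret_files_ok()` at the top of the updater and exit non-zero if it returns anything; because cron mails or logs the failure, a key that was loosened by a stray chmod or a careless copy is noticed on the next run instead of being used silently.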
Minimal Privileges
- The App Registration is granted only the DNS Zone Contributor role, limiting its access to managing DNS zones and record sets. That role still covers every record in every zone within the assignment scope, so assign it on the single DNS zone rather than the resource group where you can.
- No broader permissions (like full Contributor or Owner) are required.
Email Credentials
- SMTP credentials are stored in a separate file (smtp_auth.key) with restricted access.
- You can use an API key (e.g. from SendGrid or Mailjet) instead of a traditional password for added security.
No External Dependencies Beyond What’s Needed
- The script uses only essential Python packages and avoids unnecessary third-party services or libraries.
These practices help ensure that AzureDNSSync operates securely and with minimal risk to your environment.
Conclusion
Managing dynamic IP addresses can be a hassle—especially when you rely on consistent DNS records to access services hosted at home. While third-party Dynamic DNS providers offer a solution, building your own gives you full control, better security, and the satisfaction of knowing exactly how it works.
AzureDNSSync provides a simple, secure, and automated way to keep your Azure DNS records up to date. By leveraging certificate-based authentication, scheduled updates, and optional email notifications, it ensures your DNS stays in sync with minimal effort.
Whether you’re hosting a home server, VPN, or any other service that depends on a stable DNS record, AzureDNSSync is a reliable tool that fits neatly into your existing Azure setup.
Ready to take control of your DNS updates?
Give AzureDNSSync a try and enjoy peace of mind knowing your records are always accurate.