Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Feb 2010 12:07:51 -0800
From:      Chuck Swiger <cswiger@mac.com>
To:        lists@yazzy.org
Cc:        'FreeBSD-ISP' <freebsd-isp@freebsd.org>
Subject:   Re: Registrars with free DynDNS services of my own domains.
Message-ID:  <F076E529-2546-4758-807B-DB499A972174@mac.com>
In-Reply-To: <4B84E0B0.8070904@yazzy.org>
References:  <4B82F976.8020308@yazzy.org> <4B84E0B0.8070904@yazzy.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi--

On Feb 24, 2010, at 12:17 AM, Marcin M. Jessa wrote:
> I actually figured out I can run my own services for all my domains
> on a dynamic IP without breaking any DNS related RFC.

Running an authoritative nameserver off of a dynamic IP is a terrible idea.  Even if your dynamic IP doesn't change that often, and you adjust your TTLs and expire times in the SOA accordingly....whenever the IP does move, you are blindly hoping that the former IP will not be given to a malicious or compromised machine.

Remember that random nameservers will be caching your nameserver records for up to expiry, and will continue to send queries to the old IP.  It's a trivial matter for it to continue to answer authoritatively, and redirect mail, webserver requests, etc to anywhere at all-- a localhost proxy scanning for login attempts, bank info, etc would make a wonderful man-in-the-middle attack.

You might think that with two nameservers listed, that the odds are fifty-fifty whether queries go to your primary at a static IP or the old secondary, but I've seen spamming domains which return DNS queries stuffed with as many NS and A records as will fit in a UDP packet (about 20) pointing to IPs all over the place in order to make them harder to take down.  It also means that caching nameservers and clients are less likely to send a request to a legitimate nameserver for the domain (assuming one exists), depending on how smart the clients are.

Regards,
-- 
-Chuck




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F076E529-2546-4758-807B-DB499A972174>