From: Chuck Swiger <cswiger@mac.com>
To: lists@yazzy.org
Cc: 'FreeBSD-ISP' <freebsd-isp@freebsd.org>
Date: Wed, 24 Feb 2010 12:07:51 -0800
Subject: Re: Registrars with free DynDNS services of my own domains.
In-reply-to: <4B84E0B0.8070904@yazzy.org>
References: <4B82F976.8020308@yazzy.org> <4B84E0B0.8070904@yazzy.org>

Hi--

On Feb 24, 2010, at 12:17 AM, Marcin M. Jessa wrote:
> I actually figured out I can run my own services for all my domains
> on a dynamic IP without breaking any DNS related RFC.

Running an authoritative nameserver off of a dynamic IP is a terrible idea.

Even if your dynamic IP doesn't change that often, and you adjust your TTLs and expire times in the SOA accordingly... whenever the IP does move, you are blindly hoping that the former IP will not be given to a malicious or compromised machine. Remember that random nameservers will be caching your nameserver records for up to expiry, and will continue to send queries to the old IP. It's a trivial matter for it to continue to answer authoritatively, and redirect mail, webserver requests, etc. to anywhere at all-- a localhost proxy scanning for login attempts, bank info, etc. would make a wonderful man-in-the-middle attack.

You might think that with two nameservers listed, the odds are fifty-fifty whether queries go to your primary at a static IP or the old secondary, but I've seen spamming domains which return DNS queries stuffed with as many NS and A records as will fit in a UDP packet (about 20) pointing to IPs all over the place in order to make them harder to take down. It also means that caching nameservers and clients are less likely to send a request to a legitimate nameserver for the domain (assuming one exists), depending on how smart the clients are.

Regards,
--
-Chuck
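A defender-side audit of the delegation data the mail describes, added here as an example and not part of Chuck's message or any FreeBSD tool: it models the NS and glue records a caching resolver would hold as tuples (the example.org zone, its nameserver names and addresses, and the approved static address set are all constructed) and flags a nameserver whose glue points at an address you no longer control, an NS-stuffed delegation, a response whose uncompressed size exceeds the 512-byte UDP limit, and how long stale records may stay cached.

```python
UDP_LIMIT = 512  # classic DNS-over-UDP payload limit (RFC 1035)

# Constructed sample data (not from the original mail): records as a caching
# resolver would hold them for example.org, each as (owner, type, ttl, rdata).
Record = tuple[str, str, int, str]
SAMPLE: list[Record] = [
    ("example.org.", "NS", 86400, "ns1.example.org."),
    ("example.org.", "NS", 86400, "ns2.example.org."),
    ("ns1.example.org.", "A", 86400, "192.0.2.10"),
    ("ns2.example.org.", "A", 300, "203.0.113.77"),  # old dynamic address
]
STATIC_NS_IPS = {"192.0.2.10", "192.0.2.11"}  # addresses we actually control

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name: each label plus its length byte, plus root."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(len(lbl) + 1 for lbl in labels) + 1

def rr_wire_len(owner: str, rtype: str, rdata: str) -> int:
    """Upper bound (no label compression) on one A or NS RR's wire size."""
    rdlen = 4 if rtype == "A" else wire_name_len(rdata)
    return wire_name_len(owner) + 10 + rdlen  # 10 = TYPE + CLASS + TTL + RDLENGTH

def response_size(zone: str, records: list[Record]) -> int:
    """Header (12) + question (name + QTYPE + QCLASS) + all RRs, uncompressed."""
    body = sum(rr_wire_len(o, t, d) for o, t, _, d in records)
    return 12 + wire_name_len(zone) + 4 + body
def stale_window(records: list[Record]) -> int:
    """Longest time (seconds) a resolver may keep querying an address you lost."""
    return max(ttl for _, rtype, ttl, _ in records if rtype in ("NS", "A"))

def audit_delegation(zone: str, records: list[Record], static_ips: set[str],
                     max_ns: int = 4) -> list[str]:
    """Flag delegation data showing the risks the mail describes."""
    findings: list[str] = []
    ns_names = [d for o, t, _, d in records if o == zone and t == "NS"]
    glue: dict[str, list[str]] = {}
    for owner, rtype, _, rdata in records:
        if rtype == "A":
            glue.setdefault(owner, []).append(rdata)
    if len(ns_names) > max_ns:  # the NS-stuffing pattern from the mail
        findings.append(f"{len(ns_names)} NS records for {zone} (limit {max_ns})")
    for ns in ns_names:
        if ns not in glue:
            findings.append(f"no address record for {ns}")
        for ip in glue.get(ns, []):
            if ip not in static_ips:  # NS answered from an address you no longer hold
                findings.append(f"{ns} -> {ip} is not an approved static address")
    size = response_size(zone, records)
    if size > UDP_LIMIT:
        findings.append(f"~{size} bytes uncompressed exceeds the {UDP_LIMIT}-byte UDP limit")
    return findings
```

Run the audit against your own delegation whenever a nameserver address changes; the stale window tells you how long queries may still reach the old address.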