Date: Wed, 24 Feb 2010 14:25:17 -0600
From: eculp <eculp@encontacto.net>
To: freebsd-isp@freebsd.org
Subject: Re: Registrars with free DynDNS services of my own domains.
Message-ID: <20100224142517.19682yqym2r7d7qc@econet.encontacto.net>
In-Reply-To: <F076E529-2546-4758-807B-DB499A972174@mac.com>
References: <4B82F976.8020308@yazzy.org> <4B84E0B0.8070904@yazzy.org> <F076E529-2546-4758-807B-DB499A972174@mac.com>

Quoting Chuck Swiger <cswiger@mac.com>:

> Hi--
>
> On Feb 24, 2010, at 12:17 AM, Marcin M. Jessa wrote:
>> I actually figured out I can run my own services for all my domains
>> on a dynamic IP without breaking any DNS related RFC.
>
> Running an authoritative nameserver off of a dynamic IP is a
> terrible idea. Even if your dynamic IP doesn't change that often,
> and you adjust your TTLs and expire times in the SOA
> accordingly....whenever the IP does move, you are blindly hoping
> that the former IP will not be given to a malicious or compromised
> machine.
>
> Remember that random nameservers will be caching your nameserver
> records for up to expiry, and will continue to send queries to the
> old IP. It's a trivial matter for it to continue to answer
> authoritatively, and redirect mail, webserver requests, etc to
> anywhere at all-- a localhost proxy scanning for login attempts,
> bank info, etc would make a wonderful man-in-the-middle attack.
>
> You might think that with two nameservers listed, that the odds are
> fifty-fifty whether queries go to your primary at a static IP or the
> old secondary, but I've seen spamming domains which return DNS
> queries stuffed with as many NS and A records as will fit in a UDP
> packet (about 20) pointing to IPs all over the place in order to
> make them harder to take down. It also means that caching
> nameservers and clients are less likely to send a request to a
> legitimate nameserver for the domain (assuming one exists),
> depending on how smart the clients are.

I basically agree, Chuck. Of course there are places, such as the
country where I live, where ONE STATIC IP that is listed as dynamic,
and obviously causes some email issues, costs one thousand dollars a
year. Other solutions are with E-1s and the base price is much, much
higher. There are no DSLs with static IPs. I could justify it here
and many folks use them even though they are not optimal.

ed

>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
