Date:      Wed, 24 Feb 2010 14:25:17 -0600
From:      eculp <eculp@encontacto.net>
To:        freebsd-isp@freebsd.org
Subject:   Re: Registrars with free DynDNS services of my own domains.
Message-ID:  <20100224142517.19682yqym2r7d7qc@econet.encontacto.net>
In-Reply-To: <F076E529-2546-4758-807B-DB499A972174@mac.com>
References:  <4B82F976.8020308@yazzy.org> <4B84E0B0.8070904@yazzy.org> <F076E529-2546-4758-807B-DB499A972174@mac.com>

Quoting Chuck Swiger <cswiger@mac.com>:

> Hi--
>
> On Feb 24, 2010, at 12:17 AM, Marcin M. Jessa wrote:
>> I actually figured out I can run my own services for all my domains
>> on a dynamic IP without breaking any DNS related RFC.
>
> Running an authoritative nameserver off of a dynamic IP is a
> terrible idea.  Even if your dynamic IP doesn't change that often,
> and you adjust your TTLs and expire times in the SOA
> accordingly....whenever the IP does move, you are blindly hoping
> that the former IP will not be given to a malicious or compromised
> machine.
>
> Remember that random nameservers will be caching your nameserver
> records for up to expiry, and will continue to send queries to the
> old IP.  It's a trivial matter for it to continue to answer
> authoritatively, and redirect mail, webserver requests, etc to
> anywhere at all-- a localhost proxy scanning for login attempts,
> bank info, etc would make a wonderful man-in-the-middle attack.
>
> You might think that with two nameservers listed, that the odds are
> fifty-fifty whether queries go to your primary at a static IP or the
> old secondary, but I've seen spamming domains which return DNS
> queries stuffed with as many NS and A records as will fit in a UDP
> packet (about 20) pointing to IPs all over the place in order to
> make them harder to take down.  It also means that caching
> nameservers and clients are less likely to send a request to a
> legitimate nameserver for the domain (assuming one exists),
> depending on how smart the clients are.

I basically agree, Chuck.  Of course there are places, such as the
country where I live, where ONE STATIC IP that is listed as dynamic and
obviously causes some email issues, costs one thousand dollars a year.
Other solutions are with E-1s and the base price is much, much higher.
There are no DSLs with static IPs.

I could justify it here and many folks use them even though they are
not optimal.

ed
>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
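
Added example (not part of the original thread or written by either poster): a small Python sketch that turns the caching concern quoted above into numbers a zone operator can check. It assumes resolvers honour TTLs, that `ttl` is the largest TTL on the nameserver's NS and address records, and that address changes are seen only at polling time; all names and sample values are constructed.

```python
# Added example: exposure windows after a nameserver's dynamic IP changes.
from dataclasses import dataclass

@dataclass(frozen=True)
class Window:
    old_ip: str  # former address that resolvers may still have cached
    start: int   # epoch seconds at which the change was first observed
    end: int     # start + TTL: latest moment a cached copy can survive

def exposure_windows(observations, ttl):
    """observations: time-ordered (epoch_seconds, ip) polls of the
    nameserver's address. Returns one Window per address change."""
    windows = []
    for (_, prev_ip), (seen_at, cur_ip) in zip(observations, observations[1:]):
        if cur_ip != prev_ip:
            windows.append(Window(prev_ip, seen_at, seen_at + ttl))
    return windows

def exposed_seconds(windows, period_start, period_end):
    """Seconds within the period during which at least one former
    address may still be cached (overlapping windows counted once)."""
    total, cursor = 0, period_start
    for w in sorted(windows, key=lambda w: w.start):
        start, end = max(w.start, cursor), min(w.end, period_end)
        if end > start:
            total += end - start
            cursor = end
    return total

# Constructed polling samples (documentation address ranges), not real data.
SAMPLES = [
    (0, "192.0.2.10"),
    (36_000, "192.0.2.10"),
    (72_000, "198.51.100.7"),
    (100_000, "203.0.113.45"),
    (200_000, "203.0.113.45"),
]

if __name__ == "__main__":
    for ttl in (86_400, 300):
        ws = exposure_windows(SAMPLES, ttl)
        print(f"TTL {ttl}s: {len(ws)} changes, "
              f"{exposed_seconds(ws, 0, 200_000)}s of possible stale caching")
        for w in ws:
            print(f"  {w.old_ip} may still be queried until t={w.end}")
```

A short TTL shrinks each window but never removes it, and it does nothing about who holds the former address during that window.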



