Date: Wed, 24 Feb 2010 22:16:47 +0100
From: "Marcin M. Jessa" <lists@yazzy.org>
To: Chuck Swiger <cswiger@mac.com>
Cc: 'FreeBSD-ISP' <freebsd-isp@freebsd.org>
Subject: Re: Registrars with free DynDNS services of my own domains.
Message-ID: <4B85973F.6030007@yazzy.org>
In-Reply-To: <F076E529-2546-4758-807B-DB499A972174@mac.com>
References: <4B82F976.8020308@yazzy.org> <4B84E0B0.8070904@yazzy.org> <F076E529-2546-4758-807B-DB499A972174@mac.com>
Chuck Swiger wrote:
> Hi--
>
> On Feb 24, 2010, at 12:17 AM, Marcin M. Jessa wrote:
>
>> I actually figured out I can run my own services for all my domains
>> on a dynamic IP without breaking any DNS-related RFC.
>>
>
> Running an authoritative nameserver off of a dynamic IP is a terrible idea. Even if your dynamic IP doesn't change that often, and you adjust your TTLs and expire times in the SOA accordingly, whenever the IP does move you are blindly hoping that the former IP will not be given to a malicious or compromised machine.
>
> Remember that random nameservers will be caching your nameserver records for up to expiry, and will continue to send queries to the old IP. It's a trivial matter for it to continue to answer authoritatively, and redirect mail, webserver requests, etc. to anywhere at all -- a localhost proxy scanning for login attempts, bank info, etc. would make a wonderful man-in-the-middle attack.
>
> You might think that with two nameservers listed the odds are fifty-fifty whether queries go to your primary at a static IP or the old secondary, but I've seen spamming domains which return DNS queries stuffed with as many NS and A records as will fit in a UDP packet (about 20) pointing to IPs all over the place in order to make them harder to take down. It also means that caching nameservers and clients are less likely to send a request to a legitimate nameserver for the domain (assuming one exists), depending on how smart the clients are.
>
> Regards,
>

I actually didn't think of that. The chance is actually very little that someone on my cable network would be able to do that. Or that someone on my IP block has ever heard of DNS :) But you're right, better safe than sorry.

Thanks a lot for pointing this out Chuck! :)

Marcin
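An added example that is not part of the thread: a small resolver-side audit of a zone's NS set that flags the "stuffed" delegation pattern Chuck describes (many NS records scattered over unrelated networks) and reports the longest TTL for which a resolver keeps using a nameserver address after it has been given up. The thresholds, the /16 grouping and the sample answers are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_answer(text):
    """Parse dig-style answer lines of the form 'name ttl IN type rdata'."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rdata = " ".join(parts[4:]).rstrip(".")
        records.append(Record(parts[0].rstrip("."), int(parts[1]), parts[3], rdata))
    return records


def audit_delegation(records, max_ns=6, max_networks=3):
    """Count nameservers and the distinct /16 networks their glue falls in,
    and take the longest NS/glue TTL as the floor on how long a resolver may
    still query an abandoned address (assumed thresholds, not from the thread).
    Note that an old host which still answers can refresh its own records, so
    the real exposure is bounded only by the host being taken offline."""
    ns_names = sorted({r.rdata for r in records if r.rtype == "NS"})
    glue = {r.name: r for r in records if r.rtype == "A"}
    networks = set()
    cache_floor = max((r.ttl for r in records if r.rtype == "NS"), default=0)
    for ns in ns_names:
        if ns in glue:
            addr = ipaddress.ip_address(glue[ns].rdata)
            networks.add(ipaddress.ip_network(f"{addr}/16", strict=False))
            cache_floor = max(cache_floor, glue[ns].ttl)
    return {"ns_count": len(ns_names), "networks": len(networks),
            "cache_floor_seconds": cache_floor,
            "stuffed": len(ns_names) > max_ns or len(networks) > max_networks}


# Constructed sample answers using documentation address ranges.
NORMAL_ANSWER = """
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
ns2.example.com. 3600 IN A 192.0.2.2
"""
STUFFED_ANSWER = "\n".join(f"spam.example. 300 IN NS ns{i}.spam.example." for i in range(8)) + "\n" + "\n".join(
    f"ns{i}.spam.example. 300 IN A {ip}" for i, ip in enumerate(
        ["192.0.2.1", "198.51.100.7", "203.0.113.9", "192.0.2.200",
         "198.51.100.88", "203.0.113.44", "198.51.100.200", "203.0.113.77"]))
```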
