Dynamic DNS security concerns

Home / News / Dynamic DNS security concerns

If you are using Dynamic DNS or are considering implementing it at your home or business, you should be aware of the potential security and reliability issues associated with it.

It’s not that Dynamic DNS in itself is a bad thing, but rather the underlying problem of having an IP address that keeps changing when you are trying to host Internet-facing services.

I’ve seen dynamic DNS implemented at several small business and homes to make some locally hosted server or service accessible via the Internet. The most common use case nowadays is to facilitate remote access to cameras or other home automation devices. Businesses generally know better, but I’ve seen a company operating their email server using dynamic DNS! Yes, there were problems running their email server this way and you should definitely not operate an email server on a connection that doesn’t have a statically assigned IP address.

What is Dynamic DNS?
In this context, Dynamic DNS (also referred to as DDNS) is a method of updating the public DNS (Domain Name System) records of a domain when the IP address of the host changes. In short, a DNS name such as www.yourname.com must always resolve to the IP address of the server hosting the service. If your public IP address changes, then you need a way of updating the DNS records on your DNS server.

Why use Dynamic DNS?
Most home Internet users are dynamically assigned an IP address when they connect to the Internet via their ISP (Internet Service Provider). This means that you get a different IP address every time you reconnect. Even if you have an ‘always on’ connection like cable, fibre, ADSL or wireless, a reconnect may occur for various reasons, and you almost always get a new IP address when this happens.

If you want to host a website or access a device on your network remotely, this is a problem because your IP address keeps changing. One of the ways to work around this is to use Dynamic DNS. Software running on your router or computer checks regularly to see if your IP address has changed and then automatically updates the DNS record of your choice to point to the new IP address.

This sounds like an excellent solution as you can have a DNS record like home.yourdomain.com always pointing to the current IP address of the connection, but there are unfortunately some caveats.

Disadvantages of Dynamic DNS

Delays

  1. Depending on the software and method used to detect the IP change, it can take anywhere from a few seconds to several minutes or more for the change to be detected.
  2. Once the change has been detected, the DNS record must then be updated. This process is relatively quick, taking only a second or two to complete; however, DNS caching results in a further delay. (DNS servers cache records, so they don’t have to look up the same names frequently. A Time To Live (TTL) value in seconds specifies how long another DNS server may cache the record. A value of 60 is usually used for records that need to be updated frequently.) This means that after the update has been made it can take an additional 60 seconds before the new IP address is served to clients.
  3. Some caching servers don’t respect the TTL value and may cache it for longer, resulting in an even longer time for the update to propagate.

The above creates some reliability problems.

Reliability

Until the DNS record is updated and the change has propagated, computers on the Internet will continue to use the old IP address.

In this event, there are three possible scenarios:

  1. If your previous IP address hasn’t been assigned to another customer yet, your website or service will be unavailable, and the visitor will be presented with an error.
  2. If your previous IP address gets assigned to a customer who isn’t hosting the same type of service, your website or service will also be unavailable, and the visitor will be presented with an error.
  3. However, suppose another customer is also hosting the same service type and gets assigned your previous IP address, visitors trying to access your website or service will be directed to theirs instead!

The window for the above occurring while your IP address is being updated is generally a few seconds up to a minute or two. Under normal conditions, this short period of potential downtime might not discourage some from using Dynamic DNS, but what happens if your Internet connection goes down and your IP address cannot be updated for minutes or even hours? In such cases, there is a strong possibility of visitors being unable to access the resources they need or ending up at a completely different website or service entirely.

Security concerns

One of the other problems with Dynamic DNS is that you can’t be sure whom you are communicating with based on IP address alone. Most servers and other equipment on the Internet have statically assigned addresses that can be used to identify them. When you have an IP address that can change at any time and simply be assigned to another Internet user, you can never be sure whom you are communicating with using the IP address alone as an identifier. If you don’t use additional identification methods, there is a possibility that you could provide your security credentials to a system other than intended.

If an attacker obtains the credentials you use to update your DNS records, because update process is insecure, someone other than you could replace your IP address with their own and redirect traffic to a server under their control and intercept or serve malicious content.

Monitoring

Monitoring systems with dynamic IP addresses using Dynamic DNS is not reliable. ICMP Ping is often used to determine if a host is online. You ping the host and it responds, simple enough. In the event that your Internet connection goes down (or during a periodic IP change) your monitoring system will reflect that host is down however, if you don’t get assigned a new IP address and the relevant DNS record isn’t updated, your previous IP address will probably be leased to a new client a few minutes later. Monitoring will reflect that the host is up again because most routers connected to the Internet respond to ping, except you’re actually pinging a different system altogether!

Conclusion

There are certainly ways to work around some of the issues mentioned above, but is all the added effort worth it? Web hosting is now more affordable than ever, and hosting your website with a company that provides commercial hosting will always be a more reliable option. For users that require remote access to their computers, services like Teamviewer and AnyDesk are easier to deploy and more secure.

If you need to self-host services that need to be accessible remotely, talk to your ISP about upgrading your Internet connectivity to have a static IP address. Many ISPs now even offer this to home users for just fractionally more.

This article was originally published by Hamish McArthu

Leave a Reply