Death Of Dyndns


I’m running two servers, one with a fixed IP address and the other with a dynamic address.

This is probably a very ignorant question, but what does dyndns do that I could not do myself?

18 thoughts on - Death Of Dyndns

  • Always Learning wrote:

    I would like the server with a dynamic IP address to be accessible through a fixed name.

  • Set up an authoritative DNS server on the server that has a fixed IP address to host records for the site(s) on the server that has a dynamic IP address.

    Create a local scheme (such as a script, etc.) to periodically determine the current dynamic IP address and keep the records on the DNS server correct. You’ll want to set the TTL (of the records) to a low value so caching name servers will update the information fairly often.
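
The "local scheme" described in the reply above, as an added example that is not part of the original thread: a small POSIX shell script for the dynamic-IP host that discovers its current public address, checks it against the last one it pushed, and sends a signed dynamic update (RFC 2136 via `nsupdate` with a TSIG key) to the authoritative server on the fixed IP. The zone name `my.domain` and host label `xxx` are borrowed from later in the thread; the server address 203.0.113.10, the key file path, the state file path, and the use of `dig +short myip.opendns.com @resolver1.opendns.com` for address discovery are assumptions. Replace them for your own setup.

```shell
#!/bin/sh
# Added example (not from the thread): keep one A record on your own
# authoritative server current from the dynamic-IP host.
# Assumed names/paths (override via environment):
#   zone my.domain, host xxx, server 203.0.113.10,
#   TSIG key file /etc/named/dyn.key, state file /var/lib/dyndns/last_ip
DYN_ZONE="${DYN_ZONE:-my.domain}"
DYN_HOST="${DYN_HOST:-xxx}"
DYN_SERVER="${DYN_SERVER:-203.0.113.10}"
DYN_TTL="${DYN_TTL:-300}"                    # low TTL so caches re-fetch soon
DYN_KEYFILE="${DYN_KEYFILE:-/etc/named/dyn.key}"
DYN_STATE="${DYN_STATE:-/var/lib/dyndns/last_ip}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet 0-255.
# The discovered address goes straight into the zone, so never trust
# the discovery answer without checking its shape first.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# build_update ADDR: print the nsupdate batch that replaces the A record.
# Deleting first avoids accumulating stale addresses in the RRset.
build_update() {
    printf 'server %s\nzone %s\nupdate delete %s.%s. A\nupdate add %s.%s. %s A %s\nsend\n' \
        "$DYN_SERVER" "$DYN_ZONE" \
        "$DYN_HOST" "$DYN_ZONE" \
        "$DYN_HOST" "$DYN_ZONE" "$DYN_TTL" "$1"
}

# ip_changed ADDR STATEFILE: succeed when ADDR differs from the last
# address recorded in STATEFILE (or no state exists yet).
ip_changed() {
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# current_ip: ask a public resolver what address our queries arrive from.
# DYN_CURRENT_IP overrides the lookup (useful for testing without network).
current_ip() {
    if [ -n "${DYN_CURRENT_IP:-}" ]; then
        printf '%s\n' "$DYN_CURRENT_IP"
        return 0
    fi
    dig +short myip.opendns.com @resolver1.opendns.com
}

# run_update: one pass, intended to be run from cron every few minutes.
# The state file is only rewritten after nsupdate reports success, so a
# failed update is retried on the next pass.
run_update() {
    ip=$(current_ip)
    if ! is_ipv4 "$ip"; then
        printf 'dyn-update: discovery returned non-IPv4 answer: %s\n' "$ip" >&2
        return 2
    fi
    if ip_changed "$ip" "$DYN_STATE"; then
        build_update "$ip" | nsupdate -k "$DYN_KEYFILE" || return 1
        mkdir -p "$(dirname "$DYN_STATE")"
        printf '%s\n' "$ip" > "$DYN_STATE"
        printf 'dyn-update: %s.%s now %s\n' "$DYN_HOST" "$DYN_ZONE" "$ip"
    fi
    return 0
}

# Only act when invoked as "dyn-update.sh run"; sourcing the file just
# defines the functions.
case "${1:-}" in
    run) run_update ;;
esac
```

Usage (assumptions, not from the thread): generate the key on the fixed-IP server with `tsig-keygen dyn-key > /etc/named/dyn.key`, load the same key in that server's `named.conf` with an `update-policy` that grants it only `xxx.my.domain. A`, copy the key file to the dynamic host with mode 0600, and add a cron entry such as `*/15 * * * * /usr/local/bin/dyn-update.sh run` (the same 15-minute interval the thread's questioner already polls at). Restricting the key to one name and one record type keeps a compromised dynamic host from rewriting the rest of the zone.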

  • KevinO wrote:

    But would this “home” DNS server provide records accessible to others?
    If in fact it is straightforward surely it must be set out explicitly somewhere?

    Incidentally, I do already check every 15 minutes if the IP address of the dynamic-address server has changed – it changes every few days – and if it has the remote server sends me email.

  • Timothy Murphy writes:

    Be aware that the actual “owner” of the dynamic IP address is still authoritative for reverse lookups. This means that some uses of a system with a dynamic IP address are problematic (e.g., mail server) since the reverse lookup fails. Other uses (sshd) in theory work but folks have to continually update their SSH saved keys for that system whenever the IP address changes.

    Cheers, Dave

  • Not necessarily fail. E.g., I do my own dynamic DNS so that “xxx.my.domain” has an A record to my home. But if I do an rDNS for that IP then it returns a verizon.net record. However this is not a problem as long as a forward lookup for that name returns an A record which matches.

    Anyone who does “xxx.my.domain -> A -> IP -> rDNS -> verizon” and thinks that is broken is doing DNS wrong wrong wrong.

    You either do
    xxx.my.domain -> A -> IP
    OR
    IP -> rDNS -> verizon -> A -> IP
    (note: dynamic DNS doesn’t even show up here).

    You never do
    xxx.my.domain -> A -> IP -> rDNS -> verizon, because that’s a misunderstanding of how DNS works and what the rDNS lookup is meant to validate.

    Where it can fail is if the owner of the IP doesn’t have rDNS or the rDNS doesn’t match a further A lookup. That’s irrelevant to the dynamic DNS record, though.

    What does confuse some people is a second misunderstanding of DNS; e.g., “I have xxx.my.domain” but mail is being rejected from it. That’s, again, because the dynamic DNS isn’t in the question; it’s a pure IP->rDNS->A->IP check and you don’t own the IP.

    ssh client should manage that for you automatically. It’ll know you’re connecting to “xxx.my.domain” and the host key will match and it should automatically add a new record to known_hosts for the IP address. (Or you can configure ssh_config to not care).

  • Yes. But, you have to set the name server entry with your domain registration. Requests for a lookup will first go to your domain registrar to find out what name server to query. (I presume you have been using dyndns for this…)

  • Timothy Murphy wrote:

    Be aware of DNS DDoS amplification attacks *[0]* if you are running this DNS at home as it can quickly deplete your bandwidth (if your ISP gives you quotas per month). I use the following *[1]* to help stop these queries. However, since I’m dropping these when they hit my router, I’m still losing bandwidth but not at a terribly fast pace!

    Although the ISP can definitely stop such queries from getting to you, it is not in their best interests and hence do nothing about it! I’ve been hit by this type of DDoS and the only option the ISP offered was to change my static IP address; being that I run a mail server, I declined and now just cope with the wasted DROP queries – ~11GB per month. The DDoS has been happening for the last 2 months and doesn’t seem to be letting up! Maybe it is time to consider an IP address change!!!

    Cheers, ak.

    *[0]* – https://www.watchguard.com/infocenter/editorial/41649.asp
    *[1]* – http://www.perdichizzi.net/?p)4
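
The amplification problem above is worth handling on the name server itself, not only at the router. The following `named.conf` fragments are an added example, not from the thread or from reference [1]: they make the fixed-IP server authoritative-only (an open recursive resolver is what reflection attacks abuse), enable BIND's Response Rate Limiting so a spoofed victim address cannot be made to receive a flood of identical answers, and show the TSIG key and per-record update policy that the dynamic-IP host's update script would use. The zone `my.domain` and host `xxx` come from the thread; the key name `dyn-key`, the file paths, and the numeric limits are assumptions to tune for your traffic. RRL is built into BIND 9.10 and later; older builds need it compiled in.

```conf
// Added example (not from the thread): named.conf for the fixed-IP server.
// Zone name, key name, paths and limits are assumptions.

// 1. Authoritative only. Answer for your own zones from anyone, but
//    never recurse on behalf of the Internet: a recursive resolver that
//    is open to the world is the classic amplification reflector.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-recursion { none; };
    allow-transfer { none; };        // add your secondary's address if you have one
    minimal-responses yes;           // smaller answers, less amplification
    // minimal-any yes;              // BIND 9.11+: one RRset for ANY over UDP

    // Response Rate Limiting: identical answers to one /24 beyond the
    // limit are dropped, or every second one ("slip 2") is answered with
    // a truncated reply so a real client retries over TCP while a spoofed
    // victim gets almost nothing. Start with log-only yes to see what it
    // would hit before enforcing.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;
        nxdomains-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        log-only no;
    };
};

// 2. TSIG key shared with the dynamic-IP host. Generate it with
//    "tsig-keygen dyn-key"; the secret below is a placeholder, not a key.
key "dyn-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

// 3. The zone holding the dynamic record. update-policy grants the key
//    the right to change exactly one name and one record type, so a
//    compromised dynamic host cannot rewrite anything else in the zone.
zone "my.domain" {
    type master;
    file "dynamic/my.domain.db";
    update-policy {
        grant dyn-key name xxx.my.domain. A;
    };
};
```

Once a zone accepts dynamic updates, named owns its file and journal: do not hand-edit `my.domain.db` without `rndc freeze my.domain` first and `rndc thaw my.domain` afterwards, or the journal and the file will disagree. Keep the SOA minimum and the A record's TTL low (the update script above uses 300 seconds) so caches notice an address change within minutes.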

  • How is it not in their best interests? They still have to waste their bandwidth and routing to route the packets across their network. If it’s a particularly persistent attack I imagine they’d rather block them at their border.

    …well, unless they get to charge you by the MB/GB. Last I heard that was more common outside the US. In that case I suppose they might prefer to get money from you rather than block the nuisance packets.
    (Even in this case I imagine they’d prefer to block a very large-scale DDoS, but those are probably rare against a typical home server.)

    –keith

  • Yup, I’m in Australia and here they have a quota that counts up for both downloads and uploads. We are actually getting DDoS’d at the office and the only solution they offered was to change our static IP; a no go since we host our own email! Once the quota is gone, we are throttled down to 256kbps for both upload and download unless we pay for extra data blocks @ ~AU$15 per 20GB block.

    Cheers, ak.

  • Stephen Harris writes:
    Interesting. I had to have my ISP add a C record to their DNS for my fixed IP address before most of my e-mails were accepted. I recently also had to add an SPF (sender policy framework) record on my DNS to get my e-mails accepted by gmail. You could try to manage the SPF record the same way you do other dynamic IP address records but there was a couple of days’ lag before gmail accepted it when I put it in place.

    Absolutely correct but then you lose the IP checking for a man in the middle attack. This wouldn’t be that bad on a fixed IP address but would seem to be a lot riskier on a dynamic IP address.

    Cheers, Dave

  • Right. Here you’re not running into a dynamic DNS issue (xxx.my.domain isn’t involved) but into other policy questions (e.g., RBLs that block dynamic IPs; SPF policies). Pretty much sending email from a dynamic IP is going to be problematic at best. (Even worse when ISPs like Verizon and Comcast block outgoing port 25).

    For outgoing email you either have to go through your ISP’s relay or run your own relay (I have a linode for this, and have my home machines send via my linode, to take dynamic IPs out of the equation).

  • Quoting Timothy Murphy:

    In principle, nothing. But you aren’t their use case. Wikipedia’s page on Dyn says, “Dyn was conceived as an open source, community-led student project backed by Jeremy Hitchcock, Tom Daly, Tim Wilde and Chris Reinhardt while pursuing undergraduate studies at Worcester Polytechnic Institute.[2] In the beginning, Dyn enabled students to access lab computers and print documents remotely. The project quickly outgrew its original purpose and soon gravitated towards domain name system (DNS) services. The first iteration was a free dynamic DNS service known as DynDNS, which allowed users to register a subdomain that points to a computer with regularly changing IP addresses, such as those served by many consumer-level Internet service providers. An update client installed on the user’s computer, or built into a networked device, such as a router or webcam, keeps the hostname up to date with its current IP address.

    “This free service eventually became costly for the founders to support. Looking to gauge interest, the project was set to be shut down unless users were able to reach a $25,000 fundraising goal. They ended up raising over $40,000.” There’s more.

    So with sufficient free time and education and resources anyone could do what Dyn did. They commodified it and made it easy for non-specialists, that’s all.

    Dave