Reliability and security concerns when using dynamic DNS

If you are using dynamic DNS or are considering implementing it at your home or business, you should take note of the potential security and reliability issues associated with it. I’ve seen dynamic DNS implemented at several small businesses and homes that use it because they host a website or another service in-house that needs to be reachable from the Internet.

First off, what is Dynamic DNS?
In this context, Dynamic DNS (also referred to as DDNS or DynDNS) is a method of updating the public DNS records of a domain when the IP address of a host changes. In short, a DNS name such as www.yourname.com must always resolve to the IP address of the computer hosting it.

Why use Dynamic DNS?
Most Internet users are dynamically assigned an IP address when they connect to the Internet via their Internet Service Provider (ISP). This means that every time you reconnect, you get a different IP address. Even if you have an ‘always on’ connection like cable, ADSL or wireless, a reconnect may occur for various reasons and you almost always get a new IP address when this happens. This becomes a problem if you want to host a website, email server or other service because your IP address keeps changing! Every time your IP changes you need to update your DNS records to reflect the new IP address, and doing this manually simply isn’t practical. Dynamic DNS aims to solve this problem. Software running on your router or computer checks to see if your IP address has changed, and then automatically (dynamically) updates a DNS record to point to the new IP address. This sounds like an excellent solution but there are unfortunately some caveats.

Disadvantages of Dynamic DNS

Delays

  1. Depending on the software and method being used to “detect” that the IP address has changed, it can take anywhere from a few seconds to a minute or more for the change to be detected.
  2. Once the change has been detected, the DNS record must then be updated. This process is quick, taking only a second or two to complete; however, DNS caching adds a further delay. DNS servers cache records so they don’t have to look up the same names frequently. A Time To Live (TTL) value in seconds specifies how long another DNS server may cache the record for, and a value of 60 is usually used for records that are updated frequently. This means that after the update has been made it can take up to an additional 60 seconds before the new IP address is served to clients.
  3. In some cases, although exceptionally rare, caching servers don’t respect the TTL value and cache the record for longer, resulting in an even longer time for the update to propagate.

Reliability

Until the DNS record is updated and the change has propagated, computers on the Internet will continue to use the old IP address.
There are three possible scenarios:

  1. If your previous IP address hasn’t been assigned to another customer yet, your website or service will simply be unavailable.
  2. If your old IP address is assigned to a customer who isn’t hosting the same type of service, your website or service will be unavailable.
  3. If another customer using the same ISP is also hosting the same type of service, like a web server, on their computer and they get assigned your previous IP address, customers trying to visit your website will be directed to theirs instead!

The window for the above actually happening while your IP address is being updated is generally a few seconds up to a minute or two. This short period of potential downtime might not discourage some users, but what happens if your Internet connection goes down and your IP address doesn’t get updated for a while? Well, points 2 and 3 become a strong possibility. Having visitors directed to another website instead of your own would certainly damage your reputation.

Security concerns

One of the major problems with Dynamic DNS is that you really aren’t sure who you are communicating with. Most servers on the Internet have statically assigned (permanent) IP addresses that can be used to identify them. When you have an IP address that can change at any time and then be assigned to another user, you can never be sure that you are communicating with the correct system. You then have to concede that there is a possibility that you could provide your access credentials to a system other than the one you intended. If an attacker obtains the credentials you use to update your DNS records, or the update process is insecure, they can replace your IP address with their own and redirect traffic to a server under their control.

Monitoring

Finally, monitoring systems with dynamic IP addresses using dynamic DNS is not reliable. For example, ICMP ping is often used to determine whether a host is online: you ping the host and it responds. A few hours later there is a power outage, the Internet connection goes down, and the IP address is leased to a new client a few minutes later. You see that the host has gone down but then appears to have come back online because it is responding again. Wrong. You’re now pinging a different system.
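One way to turn the identity problem described under Security concerns and Monitoring into a usable check, as an added example that is not from the original post: instead of pinging, connect over TLS and compare the server certificate's SHA-256 fingerprint with the one pinned for your own server, so a different system answering on a reused address is reported as such rather than as "back online". It assumes the hosted service speaks TLS on port 443; the hostname and the certificate bytes below are constructed stand-ins.

```python
"""Identity-aware availability check for a host reached via a dynamic DNS name."""
import hashlib
import socket
import ssl
from enum import Enum
from typing import Callable, Optional


class HostState(Enum):
    UP = "reachable and identity matches"
    DOWN = "not reachable"
    WRONG_HOST = "reachable, but a different system answered"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, the value 'openssl x509 -fingerprint -sha256' prints."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Optional[bytes]:
    """Resolve the dynamic DNS name, open a TLS session and return the peer's DER certificate.
    CA and hostname verification are switched off on purpose: identity is decided by the
    pinned fingerprint in classify(), not by the CA. Returns None when unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def classify(observed_cert: Optional[bytes], expected_fingerprint: str) -> HostState:
    """A ping reports 'online' for both UP and WRONG_HOST; only the pin tells them apart."""
    if observed_cert is None:
        return HostState.DOWN
    if cert_fingerprint(observed_cert) == expected_fingerprint:
        return HostState.UP
    return HostState.WRONG_HOST


def check_host(hostname: str, expected_fingerprint: str,
               fetch: Callable[[str], Optional[bytes]] = fetch_leaf_cert) -> HostState:
    return classify(fetch(hostname), expected_fingerprint)


# Constructed stand-ins for DER certificates (not real certificates) so the check runs offline.
OUR_CERT = b"constructed-der-for-our-server"
NEIGHBOUR_CERT = b"constructed-der-for-whoever-got-our-old-ip"
PINNED = cert_fingerprint(OUR_CERT)
```

Against a live host call `check_host("your.dyndns.name", PINNED)` and page on `WRONG_HOST` as well as on `DOWN`, since the former is the case a ping-based monitor silently gets wrong.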

Conclusion
Dynamic DNS allows users that have Internet connections with dynamically assigned IP addresses to host websites, email servers and webcams, and even to connect remotely to their computers at home or work. Unfortunately it is underpinned by some serious reliability and security concerns. Additional layers of security need to be implemented if Dynamic DNS must be used. Hosting your website with a company that provides commercial hosting services is always a better option. If you do need to host services onsite that must be accessible remotely, talk to your ISP about upgrading your Internet connectivity so that you receive one or more static IP addresses for this. If this isn’t available, consider a VPN service that can route you a static IP.
