I'm running two servers, one with a fixed IP address and the other with a dynamic address.
This is probably a very ignorant question, but what does dyndns do that I could not do myself?
On Sat, 2014-04-12 at 15:38 +0200, Timothy Murphy wrote:
I'm running two servers, one with a fixed IP address and the other with a dynamic address.
This is probably a very ignorant question, but what does dyndns do that I could not do myself?
But what would you like to do, but cannot do, at this present time?
Always Learning wrote:
I'm running two servers, one with a fixed IP address and the other with a dynamic address.
This is probably a very ignorant question, but what does dyndns do that I could not do myself?
But what would you like to do, but cannot do, at this present time?
I would like the server with a dynamic IP address to be accessible through a fixed name.
On 04/12/2014 01:19 PM, Timothy Murphy wrote:
I would like the server with a dynamic IP address to be accessible through a fixed name.
Set up an authoritative DNS server on the server that has a fixed IP address to host records for the site(s) on the server that has a dynamic IP address.
Create a local scheme (such as a script, etc.) to periodically determine the current dynamic IP address and keep the records on the DNS server correct. You'll want to set the TTL (of the records) to a low value so caching name servers will update the information fairly often.
KevinO wrote:
I would like the server with a dynamic IP address to be accessible through a fixed name.
Set up an authoritative DNS server on the server that has a fixed IP address to host records for the site(s) on the server that has a dynamic IP address.
Create a local scheme (such as a script, etc.) to periodically determine the current dynamic IP address and keep the records on the DNS server correct. You'll want to set the TTL (of the records) to a low value so caching name servers will update the information fairly often.
But would this "home" DNS server provide records accessible to others? If in fact it is straightforward surely it must be set out explicitly somewhere?
Incidentally, I do already check every 15 minutes if the IP address of the dynamic-address server has changed - it changes every few days - and if it has, the remote server sends me email.
Timothy Murphy <gayleard@...> writes:
KevinO wrote:
I would like the server with a dynamic IP address to be accessible through a fixed name.
Set up an authoritative DNS server on the server that has a fixed IP address to host records for the site(s) on the server that has a dynamic IP address.
Create a local scheme (such as a script, etc.) to periodically determine the current dynamic IP address and keep the records on the DNS server correct. You'll want to set the TTL (of the records) to a low value so caching name servers will update the information fairly often.
But would this "home" DNS server provide records accessible to others? If in fact it is straightforward surely it must be set out explicitly somewhere?
Incidentally, I do already check every 15 minutes if the IP address of the dynamic-address server has changed - it changes every few days - and if it has, the remote server sends me email.
Be aware that the actual "owner" of the dynamic IP address is still authoritative for reverse lookups. This means that some uses of a system with a dynamic IP address are problematic (e.g., mail server) since the reverse lookup fails. Other uses (sshd) in theory work but folks have to continually update their ssh saved keys for that system whenever the IP address changes.
Cheers, Dave
On Sun, Apr 13, 2014 at 02:06:42PM +0000, David G. Miller wrote:
Be aware that the actual "owner" of the dynamic IP address is still authoritative for reverse lookups. This means that some uses of a system with a dynamic IP address are problematic (e.g., mail server) since the reverse lookup fails. Other uses (sshd) in theory work but folks have to
Not necessarily fail. eg I do my own dynamic DNS so that "xxx.my.domain" has an A record to my home. But if I do an rDNS for that IP then it returns a verizon.net record. However this is not a problem as long as a forward lookup for that name returns an A record which matches.
Anyone who does "xxx.my.domain -> A -> IP -> rDNS -> verizon" and thinks that is broken is doing DNS wrong wrong wrong.
You either do xxx.my.domain -> A -> IP OR IP -> rDNS -> verizon -> A -> IP (note: dynamic DNS doesn't even show up here).
You never do xxx.my.domain -> A -> IP -> rDNS -> verizon. because that's a misunderstanding of how DNS works and what the rDNS lookup is meant to validate.
Where it can fail is if the owner of the IP doesn't have rDNS or the rDNS doesn't match a further A lookup. That's irrelevant to the dynamic DNS record, though.
What does confuse some people is a second misunderstanding of DNS; eg "I have xxx.my.domain" but mail is being rejected from it. That's, again, because the dynamic DNS isn't in the question; it's a pure IP->rDNS->A->IP check and you don't own the IP.
continually update their ssh saved keys for that system whenever the IP address changes.
ssh client should manage that for you automatically. It'll know you're connecting to "xxx.my.domain" and the host key will match and it should automatically add a new record to known_hosts for the IP address. (Or you can configure ssh_config to not care).
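The chain Stephen describes (IP -> PTR -> A -> must contain the same IP), written out as an added shell example; it is not code from any post in this thread. It assumes `dig` from the BIND utilities is installed. The hostname you connected with (xxx.my.domain) never enters the check, which is why a dynamic DNS record is irrelevant to it.

```shell
#!/bin/sh
# Forward-confirmed reverse DNS (FCrDNS) check: IP -> PTR -> A -> IP.
# Added example; assumes `dig` (BIND utilities) is installed.

# Reverse lookup: print the PTR name(s) for an IPv4 address, without the
# trailing dot dig prints.
ptr_names() {
    dig +short -x "$1" 2>/dev/null | sed 's/\.$//'
}

# Forward lookup: print the A record(s) for a name.
a_records() {
    dig +short "$1" A 2>/dev/null
}

# Returns 0 and prints the confirming name if some PTR name for $1
# resolves back to $1; otherwise explains on stderr and returns 1.
fcrdns_check() {
    ip=$1
    names=$(ptr_names "$ip")
    if [ -z "$names" ]; then
        echo "no PTR record for $ip" >&2
        return 1
    fi
    for name in $names; do
        for addr in $(a_records "$name"); do
            if [ "$addr" = "$ip" ]; then
                echo "$name"
                return 0
            fi
        done
    done
    echo "PTR name(s) for $ip do not resolve back to $ip: $names" >&2
    return 1
}

# Usage: sh fcrdns.sh 203.0.113.7   (address is a constructed example)
if [ $# -gt 0 ]; then
    fcrdns_check "$1"
fi
```

Note that a failure here is about the PTR your ISP publishes for the address and what that PTR name resolves to; nothing you put in your own zone changes the outcome, which is exactly the point about mail from a dynamic address.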
Stephen Harris <lists@...> writes:
On Sun, Apr 13, 2014 at 02:06:42PM +0000, David G. Miller wrote:
Be aware that the actual "owner" of the dynamic IP address is still authoritative for reverse lookups. This means that some uses of a system with a dynamic IP address are problematic (e.g., mail server) since the reverse lookup fails. Other uses (sshd) in theory work but folks have to
Not necessarily fail. eg I do my own dynamic DNS so that "xxx.my.domain" has an A record to my home. But if I do an rDNS for that IP then it returns a verizon.net record. However this is not a problem as long as a forward lookup for that name returns an A record which matches.
<SNIP> Interesting. I had to have my ISP add a C record to their DNS for my fixed IP address before most of my e-mails were accepted. I recently also had to add an SPF (sender policy framework) record on my DNS to get my e-mails accepted by gmail. You could try to manage the SPF record the same way you do other dynamic IP address records but there was a couple of days' lag before gmail accepted it when I put it in place.
ssh client should manage that for you automatically. It'll know you're connecting to "xxx.my.domain" and the host key will match and it should automatically add a new record to known_hosts for the IP address. (Or you can configure ssh_config to not care).
Absolutely correct but then you lose the IP checking for a man in the middle attack. This wouldn't be that bad on a fixed IP address but would seem to be a lot riskier on a dynamic IP address.
Cheers, Dave
On Mon, Apr 14, 2014 at 01:42:07PM +0000, David G. Miller wrote:
Interesting. I had to have my ISP add a C record to their DNS for my fixed IP address before most of my e-mails were accepted. I recently also had to add an SPF (sender policy framework) record on my DNS to get my e-mails accepted by gmail. You could try to manage the SPF record the same way you do other dynamic IP address records but there was a couple of days' lag before gmail accepted it when I put it in place.
Right. Here you're not running into a dynamic DNS issue (xxx.my.domain isn't involved) but into other policy questions (eg RBLs that block dynamic IPs; SPF policies). Pretty much sending email from a dynamic IP is going to be problematic at best. (Even worse when ISPs like Verizon and Comcast block outgoing port 25).
For outgoing email you either have to go through your ISP's relay or run your own relay (I have a linode for this, and have my home machines send via my linode, to take dynamic IPs out of the equation).
On 04/13/2014 03:16 AM, Timothy Murphy wrote:
But would this "home" DNS server provide records accessible to others? If in fact it is straightforward surely it must be set out explicitly somewhere?
Yes. But, you have to set the name server entry with your domain registration. Requests for a lookup will first go to your domain registrar to find out what name server to query. (I presume you have been using dyndns for this...)
Timothy Murphy wrote:
But would this "home" DNS server provide records accessible to others?
Be aware of DNS DDoS Amplification attack *[0]* if you are running this DNS at home as it can quickly deplete your bandwidth (if your ISP gives you quotas per month). I use the following *[1]* to help stop these queries. However, since I'm dropping these when they hit my router, I'm still losing bandwidth but not at a terribly fast pace!
Although the ISP can definitely stop such queries from getting to you, it is not in their best interests and hence they do nothing about it! I've been hit by this type of DDoS and the only option the ISP offered was to change my static IP address; being that I run a mail server, I declined and now just cope with the wasted DROP queries - ~11GB per month. The DDoS has been happening for the last 2 months and doesn't seem to be letting up! Maybe it is time to consider an IP address change!!!
Cheers, ak.
*[0]* - https://www.watchguard.com/infocenter/editorial/41649.asp
*[1]* - http://www.perdichizzi.net/?p=294
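A check for the reflector problem Anthony describes, added here as an example; it is not from his post or from the linked articles. What makes a home DNS server usable for amplification is chiefly open recursion, so the question to ask from outside is whether the server offers recursion to strangers. The example assumes `dig` is installed; the two sample replies are constructed to show what an open resolver and a locked-down authoritative server answer.

```shell
#!/bin/sh
# Is my DNS server an open recursive resolver? Added example; assumes `dig`.
# An authoritative-only server for your own zones should answer REFUSED,
# without the "ra" (recursion available) flag, for names outside them.

# Read a full `dig` reply on stdin and print "open" if the server offered
# recursion ("ra" in the flags header), "closed" otherwise.
classify_dig_reply() {
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    for f in $flags; do
        if [ "$f" = "ra" ]; then
            echo open
            return 0
        fi
    done
    echo closed
}

# Read a full `dig` reply on stdin and print its status (NOERROR, REFUSED, ...).
reply_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Live check against SERVER, asking for a name you are not authoritative for.
check_open_resolver() {
    dig @"$1" example.com A +tries=1 +time=3 2>/dev/null | classify_dig_reply
}

# Constructed sample of what dig prints for an open resolver (abridged).
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample of a locked-down authoritative server's reply.
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh open-resolver-check.sh 203.0.113.1   (constructed address)
if [ $# -gt 0 ]; then
    check_open_resolver "$1"
fi
```

Check both outputs: a properly restricted server gives REFUSED and "closed" together. For BIND the relevant knob is `recursion no;` in the options block of named.conf (PowerDNS Authoritative does not recurse at all). Dropping the packets at the router, as in [1], still costs the inbound bandwidth; not offering recursion removes the reason anyone would aim reflected traffic through the server in the first place.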
On 2014-04-14, Anthony K akcentos@anroet.com wrote:
Be aware of DNS DDoS Amplification attack *[0]* if you are running this DNS at home as it can quickly deplete your bandwidth (if your ISP gives you quotas per month). I use the following *[1]* to help stop these queries. However, since I'm dropping these when they hit my router, I'm still losing bandwidth but not at a terribly fast pace!
Although the ISP can definitely stop such queries from getting to you, it is not in their best interests and hence they do nothing about it!
How is it not in their best interests? They still have to waste their bandwidth and routing to route the packets across their network. If it's a particularly persistent attack I imagine they'd rather block them at their border.
...well, unless they get to charge you by the MB/GB. Last I heard that was more common outside the US. In that case I suppose they might prefer to get money from you rather than block the nuisance packets. (Even in this case I imagine they'd prefer to block a very large-scale DDoS, but those are probably rare against a typical home server.)
--keith
On 14/04/14 14:18, Keith Keller wrote:
...well, unless they get to charge you by the MB/GB. Last I heard that was more common outside the US.
Yup, I'm in Australia and here they have a quota that counts up for both downloads and uploads. We are actually getting DDoS'd at the office and the only solution they offered was to change our static IP; a no go since we host our own email! Once the quota is gone, we are throttled down to 256kbps for both upload and download unless we pay for extra data blocks @ ~AU$15 per 20GB block.
Cheers, ak.
On 2014-04-12, Timothy Murphy gayleard@eircom.net wrote:
I would like the server with a dynamic IP address to be accessible through a fixed name.
There are probably dozens of ddns providers out there. Here's a list I found in about one minute:
http://www.dmoz.org/Computers/Internet/Protocols/DNS/Service_Providers/Dynam...
--keith
Keith Keller wrote:
I would like the server with a dynamic IP address to be accessible through a fixed name.
Here's a list I found in about one minute:
http://www.dmoz.org/Computers/Internet/Protocols/DNS/Service_Providers/Dynam...
Thank you, that is a useful list. However, that is not what I was asking - I was asking if it is feasible to set up one's own "dyndns".
On 04/13/2014 12:08 PM, Timothy Murphy wrote:
Thank you, that is a useful list. However, that is not what I was asking - I was asking if it is feasible to set up one's own "dyndns".
I haven't tried that yet, but there are many howtos on the net, for example: http://andrwe.org/linux/own-ddns
- Chris
Quoting Timothy Murphy gayleard@eircom.net:
I'm running two servers, one with a fixed IP address and the other with a dynamic address.
This is probably a very ignorant question, but what does dyndns do that I could not do myself?
In principle, nothing. But you aren't their use case. Wikipedia's page on Dyn says, "Dyn was conceived as an open source, community-led student project backed by Jeremy Hitchcock, Tom Daly, Tim Wilde and Chris Reinhardt while pursuing undergraduate studies at Worcester Polytechnic Institute.[2] In the beginning, Dyn enabled students to access lab computers and print documents remotely. The project quickly outgrew its original purpose and soon gravitated towards domain name system (DNS) services. The first iteration was a free dynamic DNS service known as DynDNS, which allowed users to register a subdomain that points to a computer with regularly changing IP addresses, such as those served by many consumer-level Internet service providers. An update client installed on the user's computer, or built into a networked device, such as a router or webcam, keeps the hostname up to date with its current IP address.
"This free service eventually became costly for the founders to support. Looking to gauge interest, the project was set to be shut down unless users were able to reach a $25,000 fundraising goal. They ended up raising over $40,000." There's more.
So with sufficient free time and education and resources anyone could do what dyn did. They commodified it and made it easy for non-specialists, that's all.
Dave
-- Timothy Murphy e-mail: gayleard /at/ eircom.net School of Mathematics, Trinity College, Dublin 2, Ireland
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sat, Apr 12, 2014 at 03:38:32PM +0200, Timothy Murphy wrote:
I'm running two servers, one with a fixed IP address and the other with a dynamic address.
This is probably a very ignorant question, but what does dyndns do that I could not do myself?
As a replacement http://www.duckdns.org/ seems the easiest to setup/use. Maybe check if you can do the same yourself?
best regards,
Florian La Roche
If you are interested in DIY you could just run your own DNS server (refer to [0]) on your server (the one with the static IP address) and implement dyndns with your own domain.
[0] http://doc.powerdns.com/html/rfc2136-howto.html#rfc2136-howto-powerdns
Regards, Armin Fisslthaler
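A concrete version of the procedure KevinO gives earlier in the thread (find the current address, push it to your own authoritative server with a low TTL), using the RFC 2136 dynamic update that Armin's PowerDNS link describes. This is an added example, not code from the thread or from PowerDNS. It assumes the BIND utilities `dig` and `nsupdate`, a TSIG key file already authorised on the server, and placeholder names (home.example.net, ns1.example.net, example.net); address discovery uses the OpenDNS "myip.opendns.com" lookup, also an assumption.

```shell
#!/bin/sh
# Keep an A record on your own authoritative server (the fixed-IP box)
# pointed at the dynamic-IP box via RFC 2136 dynamic update (nsupdate + TSIG).
# Run from cron on the dynamic-IP host, e.g. every 15 minutes.
# Added example; all names, paths and the discovery service are assumptions.

NAME=home.example.net          # record to keep current
ZONE=example.net               # zone it lives in
SERVER=ns1.example.net         # your own authoritative server
TTL=300                        # low TTL so caching resolvers refresh quickly
KEYFILE=/etc/ddns/Khome.key    # TSIG key authorised for this one name only
STATE=/var/tmp/ddns-last-ip    # last address we pushed

# Accept only a well-formed dotted quad with octets 0..255, so a broken or
# tampered discovery answer can never be written into the zone.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Discover the current public address (assumption: OpenDNS answers
# myip.opendns.com with the querier's own address).
current_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null | head -n 1
}

# Build the nsupdate batch: delete any old A record and add the new one in
# one transaction, so the name is never left without an address.
build_update() {
    name=$1; ttl=$2; ip=$3; server=$4; zone=$5
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$server" "$zone" "$name" "$name" "$ttl" "$ip"
}

# Push only when the address actually changed.
main() {
    ip=$(current_ip)
    if ! valid_ipv4 "$ip"; then
        echo "could not determine a valid public IP" >&2
        return 1
    fi
    last=$(cat "$STATE" 2>/dev/null || true)
    if [ "$ip" = "$last" ]; then
        return 0
    fi
    if build_update "$NAME" "$TTL" "$ip" "$SERVER" "$ZONE" | nsupdate -k "$KEYFILE"; then
        echo "$ip" > "$STATE"
        echo "updated $NAME -> $ip"
    else
        echo "nsupdate failed" >&2
        return 1
    fi
}

# Usage from cron: sh ddns-update.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

On the server side, scope the key so it can change only that one name (BIND's `update-policy`, or PowerDNS's per-domain `TSIG-ALLOW-DNSUPDATE` metadata) and keep the key file readable only by the cron user; then a leaked key or a bad discovery answer can at worst point home.example.net somewhere wrong, never rewrite the rest of the zone.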