Registrars with free DynDNS services of my own domains.

Chuck Swiger cswiger at
Wed Feb 24 20:08:06 UTC 2010


On Feb 24, 2010, at 12:17 AM, Marcin M. Jessa wrote:
> I actually figured out I can run my own services for all my domains
> on a dynamic IP without breaking any DNS related RFC.

Running an authoritative nameserver off of a dynamic IP is a terrible idea.  Even if your dynamic IP doesn't change that often, and you adjust your TTLs and expire times in the SOA accordingly....whenever the IP does move, you are blindly hoping that the former IP will not be given to a malicious or compromised machine.

Remember that random nameservers will be caching your nameserver records for up to expiry, and will continue to send queries to the old IP.  It's a trivial matter for it to continue to answer authoritatively, and redirect mail, webserver requests, etc to anywhere at all-- a localhost proxy scanning for login attempts, bank info, etc would make a wonderful man-in-the-middle attack.

You might think that with two nameservers listed, that the odds are fifty-fifty whether queries go to your primary at a static IP or the old secondary, but I've seen spamming domains which return DNS queries stuffed with as many NS and A records as will fit in a UDP packet (about 20) pointing to IPs all over the place in order to make them harder to take down.  It also means that caching nameservers and clients are less likely to send a request to a legitimate nameserver for the domain (assuming one exists), depending on how smart the clients are.


More information about the freebsd-isp mailing list