DDNS Dynamic DNS

DDNS (Dynamic DNS) is used to track, by name, a changing IP address at, for example, your home or office equipment.
It could be used to reach equipment at home while you are away, etc.
office.mysite.com is easier to remember than 206.171.54.21

Security implications are detailed elsewhere.

You might try any number of services like https://www.noip.com/free to do this for you, but I always prefer to roll my own. Plus, it's hard to find reliable free ones any more.

My particular solution uses the domains.google Google Domains registrar (currently $12 a year) to do so.
They give you FULL control over all of your DNS entries, are, naturally, very reliable, and do not bug you with confusing up-sells.

You could move your domain name registration to their service
(very useful in itself!) or, well,
just register some name for this purpose alone : )

Most ISPs (Internet Service Providers) issue you a single "public IP address": a number drawn from a huge pool of unique addresses assigned to things connected to the Internet.

Your router performs magic (network address translation) so that multiple private addresses and machines show up 'behind' this one address. But we are concerned with the public-facing WAN (Wide Area Network) side, the single IP address, not the LAN (Local Area Network) things going on behind it.

The ISP does not guarantee that you will keep the same IP address over any period of time.
You could pay (usually a lot of) money to get a fixed IP address, but there is no need.

This is like returning to your favorite campsite regularly and finding you have a different spot assigned to you, or not, each time. You may even be moved while staying there.

Somehow there needs to be a way for this changing numeric address to be published under an easily identifiable fixed name, so friends and outsiders can find you.
It's easy to assign a fixed name to a fixed address for a server like
www.artoflogic.com, but when the IP address changes randomly...?

It's pretty easy to find out what your "public IP address" is, and even who gave it to you, with sites like this one:
https://whatismyipaddress.com. You could then note it down in hopes it does not change, but we need an automated way.

So that's the first step: some scripted way to catch the current IP address. The second step is to "publish" it to DNS in some way.

I'll mention just one very reliable solution I have found, using domains.google.

You will then need to follow the steps here to create a DDNS entry:
https://support.google.com/domains/answer/6147083

Registered name example: site.com; dynamic DNS entry: home.site.com. You will end up with a very ugly username and password (which, for security, you cannot pick yourself!)

The instructions above list potential "DDNS clients", but here's where it gets interesting: I found several listed there simply did not work, because the plain HTTP many of them use is deprecated in favor of the HTTPS used to discover your IP address.
DD-WRT.COM (more later) has a DDNS config setting that does not work for this very reason.

What if you have a Linux box? There's a Perl script called ddclient, but as of writing it did NOT seem to like configurations for Google.

Try this (on one line). It requires "curl" to "get" the current IP address using the given ugly username/password pair from above,
separated by a colon, as generated by the Google Dynamic DNS configuration above. You could adjust or remove the final
| /usr/bin/logger -s -t ddns
whose only purpose is to log the update to something like /var/log/messages.
This is the system crontab format with a user column ("root"), so it belongs in /etc/crontab or a file under /etc/cron.d; a per-user crontab omits that column.

0,15,30,45 * * * * root /usr/bin/curl -4 --user-agent curl -s --get "https://Given-Ugly-Username:Given-Ugly-Password@domains.google.com/nic/update?hostname=home.site.com" | /usr/bin/logger -s -t ddns

Troubleshooting!
Note: if you visit the URL given above in a web browser you will see that the page wants a proper, working username/password pair
in order to
1) locate the IP address the request came from
2) update the Google Dynamic DNS address within Google
for home.site.com to the address found in 1)
All of which must exist and be valid : )
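The cron one-liner above and the two-step check that the troubleshooting note describes, written out as a small POSIX sh script. This is an added example, not the blog's own cron line: it discovers the WAN address, skips the API call when nothing changed, keeps the generated credentials in a root-only curl config file instead of the URL, and stops retrying when Google's reply says the configuration itself is wrong. The file paths, the echo service (api.ipify.org) and the User-Agent string are assumptions; the reply words (good, nochg, badauth, nohost, notfqdn, badagent, abuse, conflict, 911) and the myip parameter are those the Google Domains DDNS API documents.

```shell
#!/bin/sh
# Added example, not the post's own code. Two-step DDNS updater for the
# Google Domains API, meant to be run from cron with --run.
# Hypothetical defaults, override via the environment:
#   CURL_CONF  curl config file, mode 0600, containing the generated pair:
#                user = "Given-Ugly-Username:Given-Ugly-Password"
#   DDNS_HOST  the dynamic DNS name created in the Google Domains console
#   STATE      file holding the last address successfully published
DDNS_HOST="${DDNS_HOST:-home.site.com}"
CURL_CONF="${CURL_CONF:-/etc/ddns/curl.conf}"
STATE="${STATE:-/var/lib/ddns/last-ip}"
API="https://domains.google.com/nic/update"
UA="ddns-sh/1.0"   # the API answers "badagent" to requests with no User-Agent

# Step 1: learn the current public (WAN) address. api.ipify.org is one of
# several plain-text echo services (assumption); any that returns the bare
# address works.
current_ip() {
    curl -4 -sS --max-time 15 https://api.ipify.org
}

# Accept only a dotted quad, so a captive-portal or error page returned by
# the echo service is never pushed into DNS.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Step 3: interpret the reply the way the API documents it.
# Exit 0 = fine, 1 = do not retry until a human fixes the configuration,
# 2 = transient, try again on the next cron run.
classify_response() {
    case "$1" in
        good*)      echo "updated";             return 0 ;;
        nochg*)     echo "unchanged";           return 0 ;;
        badauth)    echo "bad-credentials";     return 1 ;;
        nohost)     echo "host-not-registered"; return 1 ;;
        notfqdn)    echo "not-a-fqdn";          return 1 ;;
        badagent)   echo "user-agent-rejected"; return 1 ;;
        abuse)      echo "blocked-for-abuse";   return 1 ;;
        conflict*)  echo "record-conflict";     return 1 ;;
        911)        echo "server-error";        return 2 ;;
        *)          echo "unexpected-reply";    return 2 ;;
    esac
}

# Step 2 (+3): publish only when the address differs from the last one we
# pushed, so the 15-minute cadence does not become 96 identical calls a day.
ddns_update() {
    if [ -e "$STATE.halt" ]; then
        logger -t ddns "halted: $(cat "$STATE.halt"); remove $STATE.halt once fixed"
        return 1
    fi
    ip=$(current_ip) || { logger -t ddns "public IP lookup failed"; return 2; }
    is_ipv4 "$ip" || { logger -t ddns "IP lookup returned garbage: $ip"; return 2; }
    last=$(cat "$STATE" 2>/dev/null)
    if [ "$ip" = "$last" ]; then
        return 0
    fi
    # Credentials come from the curl config file (-K), not the command line
    # or the URL, so they do not appear in ps output or shell history.
    reply=$(curl -4 -sS --max-time 30 -K "$CURL_CONF" --user-agent "$UA" \
                 "$API?hostname=$DDNS_HOST&myip=$ip")
    status=$(classify_response "$reply"); rc=$?
    logger -t ddns "$DDNS_HOST -> $ip: $reply ($status)"
    case $rc in
        0) mkdir -p "$(dirname "$STATE")" && printf '%s\n' "$ip" > "$STATE" ;;
        1) printf '%s\n' "$status" > "$STATE.halt" ;;   # stop hammering a broken config
    esac
    return $rc
}

# System crontab entry (user column included), assumed install path:
#   0,15,30,45 * * * * root /usr/local/sbin/ddns-update.sh --run
if [ "${1:-}" = "--run" ]; then
    ddns_update
fi
```

The halt file is the part worth copying even if you keep the one-liner: the DynDNS-style protocol Google follows expects a client that receives badauth or abuse to stop, and a cron job that keeps sending a bad password every 15 minutes is exactly what gets an account blocked.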

Therefore, when done, "outside on the Internet and elsewhere" your home or office's current IP address (updated in this case every 15 minutes by the cron job that triggers the script)
can be known by name.

If you do nothing else, this in no way changes your security. Hackers typically scan address blocks, not names,
so simply getting a name assigned achieves nothing for them.

Now, when you configure your router to permit "holes" in your firewall (think inbound VPN) etc., that situation changes completely.

Note the script DOES NOT need to run inside your router (although it naturally would if you use, for example, Linux firmware in your router like http://dd-wrt.com); it can run on any machine "behind" your firewall, as it reaches "out" onto the Internet. Nothing reaches "in".

Notes:
– Every 15 minutes for the cron update should be fine. Any more often than that may annoy Google to the extent that they stop listening.
– Google typically spots when there is no change in address from the previous check and does not touch the DNS entry (no need).
95% of queries are like this.
– My home office IP address has remained fixed for months, even after router reboots, but is NOT guaranteed to be so by my ISP : )

To make a home/office PC reachable by name from OUTSIDE on the Internet you will need to use your router's "Port Forwarding" feature. This is where the security implications come in.
For starters, avoid using "DMZ", which means EVERYTHING reaching the router on all ports goes to a particular machine.
Forward ONE thing at a time. Be VERY clear about the security implications of what you will do next, and also consider that it may not be necessary to remotely reach your home/office PC at all if you use something like http://www.teamviewer.com, which achieves its functionality by the remote and host machines both logging in "forwards" through a proxy server managed by TeamViewer.

A great, easy way to do the port forwarding correctly is listed here:
https://portforward.com

Personally, I use a SINGLE ssh port, normally port 22 but moved to a non-well-known port number higher than 1024,
like 2468, through which all my access is "tunneled" to machines inside my network.
This is what you might call a single point of failure for everything.

You can google some of the wording above to make more sense of it; the subject of a whole other article in itself!

Best of luck!
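What that single-port setup looks like in practice, as an added example that is not from the post: the laptop's ssh client config points at the DDNS name (so the current WAN address is resolved on every connection) and the forwarded port, and reaches the rest of the LAN through that one hop with ProxyJump; the sshd side on the machine behind the forwarded port is locked down to keys only. Host aliases, the LAN address, the user name and the key file are hypothetical; Port 2468 and home.site.com are the post's own values.

```text
# ~/.ssh/config on the travelling laptop (added example; aliases, user,
# key file and LAN address are hypothetical)

# The one hole in the firewall: router forwards 2468 -> port 22 on this box
Host home
    HostName home.site.com
    Port 2468
    User me
    IdentityFile ~/.ssh/home_ed25519
    IdentitiesOnly yes

# Everything else on the LAN is reached through that single hop
Host nas
    HostName 192.168.1.20
    User me
    ProxyJump home

# /etc/ssh/sshd_config on the machine behind the forwarded port:
# the exposed service accepts keys only, for one named account
# PasswordAuthentication no
# PubkeyAuthentication yes
# PermitRootLogin no
# AllowUsers me
```

Because the client config names the DDNS host rather than an address, nothing on the laptop needs changing when the ISP hands out a new one; and because the only thing the outside can talk to is sshd with password logins disabled, an address-block scan that finds port 2468 open gets nothing but a key challenge.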
