Dynamic DNS

Dynamic DNS (DDNS) is a technique for updating dynamic domain entries in the Domain Name System. Its purpose is that a computer, after changing its IP address, automatically and quickly updates the corresponding domain entry. The computer thus remains reachable under the same domain name, even if its current IP address is unknown to the user.

Two different mechanisms are in widespread use, which originate from different applications:

  • Update over HTTP or HTTPS, popularized by providers such as DynDNS
  • Update using a protocol modeled on the DNS message format, specified in RFC 2136 and used by the program nsupdate

DDNS via HTTP

A typical use case for dynamic DNS over HTTP or HTTPS is the host of a home user who accesses the Internet through a dynamic IP address assigned by the ISP. If the user wishes to run a game server on that computer or reach it via remote desktop from outside, they would have to know the constantly changing IP address. With dynamic DNS, the user can instead register a domain name with a DDNS service provider and automatically point that name at whatever IP address is current.

Operation

To update a DDNS entry in the operator's name server, either a client software installed on the computer or a corresponding function of the home router can be used. Once the client detects a change of the IP address, it transmits the new address to the provider via an HTTP or HTTPS interface. Authentication is done with a username and password. Implementing a client is not very complicated, since the network protocol is simple and many software libraries for HTTP/HTTPS connections are available.

Constantly changing entries were not originally foreseen in the Domain Name System. To save network resources, DNS entries are cached. The lifetime of an entry (Time to Live, TTL) is set by the name server. With dynamic DNS, a TTL of about one minute is usually used, so that caching still gives a short-term benefit without an obsolete entry pointing to an incorrect IP address for a longer period.

Limitations

When a computer is shut down or disconnected from the network, its IP address remains assigned to the domain name. If the IP address is offline, connection attempts end in a timeout error only after a delay of several seconds. If the IP address has meanwhile been assigned to another customer of the ISP, that customer could attempt to abuse the identity of the previous DDNS user. As one solution approach, some DDNS providers let a client temporarily delete the domain name at shutdown. Another approach is the use of heartbeats to recognize when a computer is offline and then remove the domain name automatically.

Dynamic DNS is not a full replacement for a static IP address. Open network connections hang when the Internet connection drops or the IP address changes, and collapse after a timeout. Within the Time to Live of the DDNS entry, the old IP address may still be cached, so that no new connection can be established in the meantime.

Due to immature DDNS client software, it can happen that the DDNS entry is not updated for a long time. This occurs, for example, when the client attempts to update the DDNS entry only once when dialing in, but does not retry after a temporary error. The reverse case can also be problematic: a client updates more frequently than necessary, which violates the terms of use of some DDNS providers and may result in the suspension of the account. This occurs, for example, in home routers that do not store the assigned IP address and therefore send an update on every reboot, for example after a power cut. If the ISP reassigns the same IP address after the restart, such a DDNS update is unnecessary. It can therefore sometimes take a long time until this problem becomes visible. The router could prevent this by first performing a DNS query for the domain name to be updated dynamically, and determining in this way the last IP address used.
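The client behaviour described in the Operation and Limitations sections, as an added example that is not code from the article or from any DDNS provider: the client learns the last published address from DNS at startup, sends an update only when the address really changed, retries with backoff after a temporary error, and stops after a permanent error such as rejected credentials. The provider's reply vocabulary ('good', 'nochg', 'badauth') and the three injected I/O functions (resolve, public_ip, send_update, which in a real client would wrap a DNS lookup and an HTTPS request carrying the Basic-auth header) are assumptions.

```python
# Added example (not from the article): decision logic of a DDNS-over-HTTPS client.
# Network I/O (DNS lookup, public-IP detection, the HTTPS update call) is injected so it runs offline.
import base64


class TemporaryError(Exception):
    """Transient failure (network down, provider 5xx): the update must be retried later."""


def basic_auth_header(username, password):
    """HTTP Basic credentials as HTTP DDNS interfaces commonly expect them (send only over HTTPS)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


class DdnsClient:
    def __init__(self, hostname, resolve, public_ip, send_update, max_backoff=8):
        self.hostname = hostname
        self.resolve, self.public_ip, self.send_update = resolve, public_ip, send_update
        # Learn the last published address from DNS instead of assuming it is unknown, so a
        # reboot that gets the same ISP address does not trigger a needless update.
        self.published_ip = resolve(hostname)
        self.wait = 0                  # polls to skip before the next attempt
        self.backoff = 1               # doubles after each temporary failure, up to max_backoff
        self.max_backoff = max_backoff
        self.disabled = False          # set after a permanent error such as rejected credentials
        self.update_attempts = 0

    def poll(self):
        """One timer tick; returns the action taken so the caller can log it."""
        if self.disabled:
            return "disabled"
        current = self.public_ip()
        if current == self.published_ip:
            return "nochange"          # nothing to do, and no request reaches the provider
        if self.wait > 0:              # still backing off after a temporary failure
            self.wait -= 1
            return "deferred"
        self.update_attempts += 1
        try:
            result = self.send_update(self.hostname, current)  # assumed reply: 'good', 'nochg' or an error code
        except TemporaryError:
            self.wait = self.backoff   # retry later rather than giving up after one failed attempt
            self.backoff = min(self.backoff * 2, self.max_backoff)
            return "retry-later"
        if result in ("good", "nochg"):
            self.published_ip, self.backoff = current, 1
            return "updated"
        self.disabled = True           # e.g. 'badauth': permanent, so stop hammering the provider
        return "disabled"
```

Call poll() from a timer (once per TTL, for instance); the string it returns is what a client should log so that a stuck entry or a suspended account becomes visible.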

DDNS via RFC 2136

RFC 2136 specifies a method for dynamic DNS that is known as DNS Update. A typical application of DNS Update is a DHCP server that registers a client's name with the name server on the local network when it assigns the client an IP address. DNS Update uses a UDP-based network protocol that is similar to the DNS message format. The idea was to extend existing DNS software with the update functionality with little effort.

A name server that receives a dynamic update request first stores it before it modifies the entries in the zone file. This avoids, on the one hand, an inconsistency if the server crashes, and on the other hand allows updates to be collected first, which improves throughput. In the BIND name server, a journal file is kept for each zone file, which serves a function similar to that of a journaling file system. The collection phase can take several minutes, so dynamic updates are not immediately propagated to existing slave name servers that hold a copy of the zone file. DNS Update is only intended for changing the data set on the master name server. To propagate changes to slave name servers, the usual zone transfer mechanisms are used.

In the original network protocol of DNS Update, no authentication was provided. If a name server leaves the update function open to all computers on the Internet, this presents a security risk. A protective measure is access control based on IP addresses, but this can be circumvented by IP spoofing. Therefore, this protection mechanism is only an option for trusted private networks, where a firewall shields the name server from untrusted network traffic. Better protection is provided by the cryptographic mechanisms TSIG and SIG(0). TSIG (RFC 2845) uses a symmetric cryptosystem, in which a secret key must be known to both the DNS client and the name server. SIG(0) (RFC 2931) uses an asymmetric cryptosystem, in which only the DNS client holds the private key.

The program nsupdate, which is part of the BIND package, allows client-side updates of DNS records. It also offers authentication via TSIG or SIG(0). Microsoft uses GSS-TSIG, a TSIG variant that uses Kerberos.
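The DNS Update message and the TSIG protection described above, as an added example that is not code from the article, from BIND or from nsupdate: stand-alone Python that builds an RFC 2136 UPDATE adding one A record, signs it with a TSIG record using HMAC-SHA256 (the hmac-sha256 algorithm of RFC 4635, rather than the HMAC-MD5 of the original RFC 2845), and performs the server-side check. Zone, host, key name and secret in the test are constructed values; the verifier assumes the TSIG record is the last record of the message, as the protocol requires, and uses no name compression.

```python
# Added example (not from the article or BIND): an RFC 2136 UPDATE message that adds an A record,
# signed with a TSIG record (HMAC-SHA256 per RFC 4635), plus the server-side verification.
import hashlib
import hmac
import struct

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_update(zone, host, ipv4, ttl=60, msg_id=0x1234):
    """Unsigned UPDATE (opcode 5): zone section plus one 'add A record' in the update section."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZOCOUNT=1 PRCOUNT=0 UPCOUNT=1 ADCOUNT=0
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)   # TYPE SOA, CLASS IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return header + zone_section + encode_name(host) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # A, IN

ALG = encode_name("hmac-sha256")

def tsig_variables(key_name, time_signed, fudge):
    """Fields RFC 2845 section 3.4 folds into the MAC: key name, CLASS ANY, TTL 0, algorithm,
    time signed (48 bit), fudge, error 0 and other-len 0 (no other data)."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0) + ALG
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))

def tsig_sign(message, key_name, secret, time_signed, fudge=300):
    """Client side: append a TSIG RR; the MAC covers the unsigned message and the TSIG variables."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = (ALG + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))        # original ID, error 0, other-len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata  # TYPE TSIG, CLASS ANY, TTL 0
    adcount = struct.unpack("!H", message[10:12])[0] + 1      # the TSIG RR lives in the additional section
    return message[:10] + struct.pack("!H", adcount) + message[12:] + rr

def tsig_verify(signed, key_name, secret, now):
    """Server side: split off the trailing TSIG RR, recompute the MAC, check the time window."""
    rr_len = len(encode_name(key_name)) + 10 + len(ALG) + 6 + 4 + 32 + 6  # 32 = SHA-256 MAC length
    message, rdata = signed[:-rr_len], signed[-rr_len + len(encode_name(key_name)) + 10:]
    time_signed = int.from_bytes(rdata[len(ALG):len(ALG) + 6], "big")
    fudge = struct.unpack("!H", rdata[len(ALG) + 6:len(ALG) + 8])[0]
    mac = rdata[len(ALG) + 10:len(ALG) + 42]
    adcount = struct.unpack("!H", message[10:12])[0] - 1      # restore the ADCOUNT the client signed over
    unsigned = message[:10] + struct.pack("!H", adcount) + message[12:]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge
```

Because the MAC covers the whole message, changing a single byte of the address being registered, using a wrong key, or replaying the message outside the fudge window all fail verification, which is why a TSIG-protected server can reject forged updates even when the source IP is spoofed.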
