Basic security question about ddns

Hi mates.

First of all, sorry for my English :person_facepalming:

I used to use DuckDNS before having my Flint router.

I LOVE this router and I would like to use its applications.

I’ve noticed that it has a glddns and I wonder if this ddns is more secure than a free ddns (like duckdns) or not.

Are all ddns equal in terms of security?

On the other hand.

DuckDNS gives you a token which is very useful with Let’s Encrypt to avoid opening port 80 to get the certificate.

Is it possible to get it with glddns?

Thanks in advance

No, not all are created equal… far from it. If ddns security is your goal, there’s only one real game ‘in town’ … fortunately they’re also a non-USA non-profit:

root@flint:~# cat /etc/config/ddns

config ddns 'global'
        option ddns_dateformat '%F %R'
        option ddns_loglines '250'
        option ddns_rundir '/var/run/ddns'
        option ddns_logdir '/var/log/ddns'
        option use_curl '1'

config service 'desec_ipv4'
        option interface 'wan'
        option service_name 'desec.io'
        option lookup_host '$myDomainHere.dedyn.io'
        option domain '$myDomainHere.dedyn.io'
        option username '$myUserNameHere.dedyn.io'
        option password '$myPasswordHere'
        option ip_source 'web'
        option use_https '1'
        option ip_url 'https://checkipv4.dedyn.io/'
        option enabled '1'

https://desec.io/

1 Like
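An added example, not part of the original post and not code from ddns-scripts or deSEC: a shell function that audits the enabled service sections of a config like the template above for settings that weaken the update channel. The `weak_example` section and its `ip_url` are constructed; it relies on ddns-scripts behaviour where `use_https` defaults to off and `cacert 'IGNORE'` disables certificate verification.

```shell
#!/bin/sh
# Added example: audit an OpenWrt ddns-scripts config (e.g. /etc/config/ddns).
# Prints one line per finding; exit status is 1 if anything was found.
audit_ddns() {
    awk -v q="'" '
    # strip one leading and one trailing quote character
    function unq(s) { sub("^[\"" q "]", "", s); sub("[\"" q "]$", "", s); return s }
    function report(msg) { print name ": " msg; return 1 }
    function check() {
        if (name == "" || opt["enabled"] != "1") return
        if (opt["use_https"] != "1")
            bad += report("use_https is not 1: credentials are sent over plain HTTP")
        if (opt["cacert"] == "IGNORE")
            bad += report("cacert is IGNORE: TLS certificate verification is disabled")
        if (opt["ip_source"] == "web" && opt["ip_url"] !~ /^https:\/\//)
            bad += report("ip_url is not https: the detected address can be altered in transit")
    }
    $1 == "config" { check(); split("", opt); name = ($2 == "service") ? unq($3) : ""; next }
    $1 == "option" && name != "" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # keep values with spaces
        sub(/[ \t]+$/, "", val)
        opt[unq($2)] = unq(val)
    }
    END { check(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample: one section following the template, one deliberately weak.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config ddns 'global'
        option ddns_dateformat '%F %R'

config service 'desec_ipv4'
        option enabled '1'
        option use_https '1'
        option ip_source 'web'
        option ip_url 'https://checkipv4.dedyn.io/'

config service 'weak_example'
        option enabled '1'
        option ip_source 'web'
        option ip_url 'http://checkip.example/'
        option cacert 'IGNORE'
EOF
audit_ddns "$SAMPLE" || echo "review the findings above"
```

On the router itself, run `audit_ddns /etc/config/ddns` after editing the file and before `service ddns start`.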

Thanks!

I will try ASAP :slight_smile:

The hardest part is signing up. Don’t forget to opkg update; opkg install luci-app-ddns ddns-scripts ddns-scripts-services curl ca-bundle ca-certificates nano before using the above template.

1 Like

Thanks

I thought that I could modify the ddns file which contains the glddns information and replace it with your info, in order to replace the default glddns with desec.

Is it not possible?

Not quite. This method of ddns is more in line w/ unmodified OpenWrt using LuCI (GL GUI → System → Advanced Settings, same password as the GL GUI). You may have problems adapting GL’s customisations. It’s either/or… or in this case given desec.io.

nano is a very straightforward text editor you can use. vi is overkill for such ‘one off’ tasks.

1 Like

DDNS is as secure as any other Dynamic DNS service. Security is simply no question because it’s just pointing to some IP address.

So it’s fine to use it.
There are DDNS services where you have to authorize before changing the linked address. But this isn’t a question of security - more of trust.

1 Like

I have to vehemently disagree with you. Not all ddns providers support DNSSEC, DANE &/or Let’s Encrypt.

Thanks!

And is it possible to get the token like with DuckDNS?

deSEC supports Let’s Encrypt.

1 Like

LE is not part of DDNS.

DNSSEC would be a matter, but we are talking about dynamic DNS for a consumer device. So this isn’t a real thing, is it?

1 Like

I might be wrong but LE announced that they only support HTTP check instead of DNS check? I am pretty sure that DNS only is deprecated.

1 Like

No but deSEC supports LE on their ddns service.

What’s your point? OP seeks ddns security. This is just that.

It absolutely is. I use it for my WG endpoint.

deSEC advertises it near ‘front & center’ on their main page. I have no need for LE myself but they’re “designed with security in mind”. Here’s their Discourse on it:

1 Like

Feel free to correct me but it’s not a „real“ support. They have plugins for certbot, which is great, but this is nothing about DDNS itself.

Without certbot on the Gl.inet it won’t work.
https://desec.readthedocs.io/en/latest/integrations/lets-encrypt.html

so it’s not just more secure by default.

1 Like

LE is an optional service deSEC supports for ddns hostnames. It is auxiliary but not mandatory.

1 Like

Yeah, I got this. But LE needs certbot to work - and since certbot is just the utility, you can use LE with all DDNS services.

So it’s more convenient - but that’s all.
If you only use the DDNS service without certbot … nothing is more secure then.

1 Like

I think you’re really overlooking what DNSSEC does & how it renders MITM like TunnelCrack moot.

1 Like

Thanks both of you :grinning:

I’m googling while you talk to understand everything but I’m learning a lot, THANKS :grinning:

I think I have it all clear and I have to balance “life time” vs “use desec in flint to learn things” :grinning:

Just one question remains.

Do you know if it’s possible to get the glddns token (like in DuckDNS) in order to ask for the Let’s Encrypt certificate without opening port 80?

Thanks in advance

1 Like

Heh, this really is just a case of “easier done than said.”

Sign up for deSEC, SSH into your Flint. Install those required opkg packages. Use nano to copy the template & substitute your ddns account details accordingly (nano /etc/config/ddns). Then service ddns enable; service ddns start … & you’re done.

You can do this all from LuCI using

  • LuCI → System → Software → [ search for ea. $packageName ] → Install → (Repeat).
  • LuCI → Services → Dynamic DNS → [ Add new service ]
    • Name: desec_ipv4
    • IP Address: IPv4
    • Provider: desec.io
      • etc., etc., etc.

… but it really is much faster to just copy that above template & update it to your new ddns. It’s all ‘set it & forget it.’

1 Like

I can’t help you there. I don’t use either of those two services. deSEC or GTFO. :wink:

1 Like