Dynamic DNS

from Wikipedia, the free encyclopedia

Dynamic DNS, DDNS or DynDNS is a technique for dynamically updating domain entries in the Domain Name System (DNS). Its purpose is to let a computer (e.g. a PC or a router) automatically and promptly change the DNS entry associated with it after its IP address changes. The computer can then always be reached under the same host name, even if its current IP address is not known to the user.

There are two common mechanisms, arising from different use cases. On the one hand, the update can take place via HTTP or HTTPS; this is popular with providers such as DynDNS. On the other hand, the update can be carried out using a message protocol based on DNS itself. This protocol is specified in RFC 2136 and RFC 3007 and is used, for example, by the nsupdate program, which is part of the widespread open source DNS software package BIND.

DDNS over HTTP

A typical use case for dynamic DNS via HTTP or HTTPS is the computer of a home user who accesses the Internet via a dynamic IP address assigned by the Internet service provider. If, for example, the user wants to operate a game server or reach the computer from outside via remote desktop, he would otherwise have to know the constantly changing IP address. With dynamic DNS he can instead register a domain name with a DDNS provider and have the current IP address assigned to that name automatically. The key point is that the computer or router, which is given a new IP address every few hours (e.g. by the Internet service provider), regularly and independently reports to the DDNS provider and announces its current IP address. The DDNS provider thus becomes a reference point where the currently valid IP address can always be looked up.

Functionality

To update a DDNS entry on the operator's name server, either client software can be installed on the computer or a corresponding function of the home router can be used. As soon as the client detects a changed IP address, it transmits it to the provider via an HTTP or HTTPS interface. Authentication takes place via user name and password. Implementing a client is not very complex, because the network protocol is simple and many software libraries are available for HTTP/HTTPS connections.

Constantly changing entries were not originally envisaged in the Domain Name System. To save network resources, DNS entries are cached; the lifetime of an entry (its time to live) is specified by the name server. With dynamic DNS, a time to live of one minute is usually used, so as to benefit from caching in the short term without obsolete entries pointing to an incorrect IP address for a longer period.

Restrictions

If a computer is shut down or disconnected from the network, its IP address remains assigned to the domain name. If that IP address is offline, connection attempts only fail with a timeout error after a delay of several seconds. If the IP address has been assigned to another ISP customer in the meantime, that customer could try to misuse the identity of the previous DDNS user. As a remedy, with some DDNS providers the client can temporarily delete the domain name during shutdown. Another approach is the use of heartbeats to recognize when a computer is offline and then automatically remove the domain name.

Dynamic DNS is not a full replacement for a static IP address. Open network connections hang when the computer is disconnected from the Internet or its IP address changes, and break down after a timeout. The old IP address can remain cached for the duration of the DDNS entry's time to live, so that no new connection can be established in the meantime.

Immature DDNS client software can leave the DDNS entry out of date for a long time. This happens, for example, if the client tries to update the DDNS entry only once when dialing in and does not try again after a temporary error. The reverse case can also be problematic: if a client updates more often than actually necessary, this violates the terms of use of some DDNS providers, which can lead to the user account being blocked. This occurs, for example, with home routers that do not store the assigned IP address and therefore send an update each time they are restarted, for instance after being disconnected from the power supply. If the ISP assigns the same IP address again after the restart, the DDNS update that is sent is unnecessary. Because this depends on the ISP's address assignment, it can take a long time for the problem to appear. The router could prevent it by first performing a DNS query for the dynamic domain name to be updated and thus determining the IP address last registered.
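The following client ties together the HTTP-based functionality described above and the two client-side failure modes from this section (giving up after one transient error, and sending needless updates after a restart). It is an added example, not code from the Wikipedia article or from any DDNS provider. It assumes a dyndns2-style provider interface (an HTTPS GET with `hostname` and `myip` parameters and HTTP Basic authentication, answered by a single line such as `good <ip>`, `nochg <ip>` or `badauth`); `UPDATE_URL`, the host names and addresses are placeholders, and the resolver and sender are injected so the decision logic can run offline.

```python
"""DDNS-over-HTTP update client with a look-before-you-update check and bounded retries.

Added example: not code from the Wikipedia article or from any DDNS provider.
Assumes a dyndns2-style interface (GET /nic/update?hostname=...&myip=... with
HTTP Basic authentication, one-line reply such as "good <ip>", "nochg <ip>",
"badauth"). UPDATE_URL is a placeholder, not a real endpoint. The resolver and
the HTTP sender are passed in, so update_if_needed() runs without a network.
"""
import base64
import socket
import time
import urllib.parse
import urllib.request

UPDATE_URL = "https://ddns.example.invalid/nic/update"  # placeholder provider endpoint


def dyndns2_sender(user, password):
    """Return a function that performs one real HTTPS update request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(hostname, ip):
        query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
        req = urllib.request.Request(f"{UPDATE_URL}?{query}")
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("User-Agent", "example-ddns-client/0.1")  # providers commonly require one
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("ascii", "replace").strip()
    return send


def public_dns_lookup(hostname):
    """Ask the system resolver what the name currently points to (None if unknown)."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def update_if_needed(hostname, current_ip, resolver, sender, attempts=3, delay=0.0):
    """Decide whether an update is needed and send it with bounded retries.

    Returns (action, reply): "skipped" when DNS already holds current_ip (the
    pre-check that avoids needless updates after a reboot), "updated" when the
    provider accepted the change, "failed" otherwise.
    """
    if resolver(hostname) == current_ip:
        return ("skipped", None)
    last_error = None
    for attempt in range(attempts):
        if attempt and delay:
            time.sleep(delay)  # back off between retries instead of hammering the provider
        try:
            reply = sender(hostname, current_ip)
        except OSError as exc:  # network-level failure: retry (an immature client gives up here)
            last_error = exc
            continue
        code = reply.split()[0] if reply else ""
        if code in ("good", "nochg"):
            return ("updated", reply)
        # badauth, nohost, abuse, ...: permanent errors; repeating them gets accounts blocked
        return ("failed", reply)
    return ("failed", f"gave up after {attempts} attempts: {last_error}")


if __name__ == "__main__":
    # Constructed offline demo: DNS still holds the old address, the first request times out.
    calls = []

    def flaky_sender(hostname, ip):
        calls.append(ip)
        if len(calls) == 1:
            raise OSError("connection timed out")
        return f"good {ip}"

    print(update_if_needed("host.example.invalid", "203.0.113.8",
                           lambda h: "203.0.113.7", flaky_sender))
```

A real deployment would pass `public_dns_lookup` and `dyndns2_sender(user, password)` into `update_if_needed()`; the pre-check costs one DNS query per run and removes the "same address, new update" pattern that violates provider terms, while the bounded retry loop covers the one-shot-and-forget failure.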

DDNS over RFC 2136

1. The client requests an IP address from the DHCP server.
2. The DHCP server assigns an IP address to the client.
3. The IP address and the host name are transferred from the DHCP server to the DNS for registration.

RFC 2136 specifies a method for dynamic DNS known as DNS UPDATE. A typical application of DNS UPDATE is a DHCP server that registers a client's name with the name server in the local network after assigning it an IP address. DNS UPDATE uses UDP or TCP and the normal DNS message format, but with different content, which is announced in the message header.

A name server that receives a dynamic update request first stores it before modifying the entries in the zone file. This avoids inconsistencies if the server crashes and also allows updates to be collected first, which improves throughput. With the BIND name server, a journal file is created for each zone file, serving a purpose similar to a journaling file system. The collection phase can take several minutes, so dynamic updates are not immediately passed on to any slave name servers that keep a copy of the zone file. DNS UPDATE is only used to change the data on the master name server; to propagate changes to slave name servers, the usual zone transfer mechanisms should be used.

RFC 2137 and its revised version RFC 3007 add authentication through signatures to DNS UPDATE. One can choose between a symmetric cryptosystem, TSIG, in which both sides hold the same secret key, and an asymmetric cryptosystem, SIG(0) according to RFC 2931, in which the DNS server holds only the public key and only the DNS client holds the private key. Without reliable authentication, name servers with an update function are a security risk, especially on the Internet.

The program nsupdate, which is part of the BIND package, allows client-side updates of DNS entries, with optional authentication via TSIG or SIG(0). Microsoft uses GSS-TSIG, a variant of TSIG that uses Kerberos.
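To make the preceding paragraphs concrete, the following added example (not code from the Wikipedia article, from BIND or from nsupdate) builds the wire format of an RFC 2136 UPDATE message, signs it with a TSIG record as the client would, and verifies the signature as the server would. It shows what "the normal DNS message format with different content announced in the header" means in practice, and why TSIG is a symmetric scheme: both `tsig_sign()` and `tsig_verify()` need the same key. The zone, host name, key name and key bytes are constructed sample values, and the algorithm is HMAC-SHA256 as defined for TSIG.

```python
"""RFC 2136 UPDATE message with a TSIG (RFC 2845) transaction signature.

Added example: not code from the Wikipedia article, BIND or nsupdate. It builds
the UPDATE wire format (DNS header with opcode 5, zone in the question section,
changes in the update section), appends a TSIG RR in the additional section
signed with HMAC-SHA256, and verifies it server-side. Zone, host, key name and
key are constructed sample values.
"""
import hashlib
import hmac
import struct
import time

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHM = "hmac-sha256."


def encode_name(name):
    """Dotted name -> uncompressed wire format (length-prefixed labels, root byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the name that starts at off."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + n


def build_update(msg_id, zone, host, ip, ttl=60):
    """Unsigned UPDATE that replaces the A RRset of host with one address."""
    # RFC 2136 reinterprets the count fields: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "delete an RRset": CLASS ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)
    delete_rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    add_rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_rr + add_rr


def tsig_variables(key_name_wire, alg_wire, t_hi, t_lo, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC but not part of the message body (RFC 2845 3.4.2)."""
    # .lower() on wire names is safe: label length bytes are <= 63, below any ASCII letter
    return (key_name_wire.lower() + struct.pack("!HI", CLASS_ANY, 0) + alg_wire.lower()
            + struct.pack("!HIHHH", t_hi, t_lo, fudge, error, len(other)) + other)


def tsig_sign(message, key_name, key, time_signed=None, fudge=300):
    """Client side: append a TSIG RR (ARCOUNT + 1) and return the signed message."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    t_hi, t_lo = time_signed >> 32, time_signed & 0xFFFFFFFF  # 48-bit time split 16/32
    name_wire, alg_wire = encode_name(key_name), encode_name(ALGORITHM)
    mac = hmac.new(key, message + tsig_variables(name_wire, alg_wire, t_hi, t_lo, fudge),
                   hashlib.sha256).digest()
    rdata = (alg_wire + struct.pack("!HIHH", t_hi, t_lo, fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    tsig_rr = name_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, key, now=None):
    """Server side: find the trailing TSIG RR, recompute the MAC, check the time window."""
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):  # every RR except the last one, which must be TSIG
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    name_end = skip_name(signed, off)
    if struct.unpack("!H", signed[name_end:name_end + 2])[0] != TYPE_TSIG:
        return False
    alg_start = name_end + 10
    alg_end = skip_name(signed, alg_start)
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    tail = alg_end + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[tail:tail + 6])
    other = signed[tail + 6:tail + 6 + other_len]
    # the MAC covers the message as sent without TSIG: ARCOUNT decremented, RR removed
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:off]
    variables = tsig_variables(signed[off:name_end], signed[alg_start:alg_end],
                               t_hi, t_lo, fudge, error, other)
    expected = hmac.new(key, unsigned + variables, hashlib.sha256).digest()
    if orig_id != msg_id or not hmac.compare_digest(expected, mac):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - ((t_hi << 32) | t_lo)) <= fudge  # replay window


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed sample key; real keys are generated randomly
    msg = build_update(0x1234, "example.org.", "host.example.org.", "203.0.113.7")
    signed = tsig_sign(msg, "ddns-key.", key)
    print(len(msg), "unsigned bytes,", len(signed), "signed, verifies:", tsig_verify(signed, key))
```

The verifier rejects a message with a wrong key, a message whose update section was altered after signing, and a signature outside the `fudge` window around the server's clock, which is the replay protection TSIG relies on. A server that accepts updates without such a check is the "security risk" the text refers to: anyone who can reach it could rewrite zone data.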

References

  1. Dynamic Updates in the Domain Name System (DNS UPDATE). Internet Engineering Task Force, April 3, 1997. Retrieved September 25, 2014: "The Header Section specifies that this message is an UPDATE, […]. An update transaction may be carried in a UDP datagram, if the request fits, or in a TCP connection […]. UPDATE uses the same fields, and the same section formats, but the naming and use of these sections differs […]"

Web links