1

The DNS resolving process ultimately relies on root servers located in the USA for most extensions (.com and .org root servers for example). Even if the IP addresses of these servers are cached by local DNS resolvers in my country, relying on domain name and root servers is sort of a single point of failure, and bring well known weaknesses (DNS hack, DNS poisonning etc...).

Let's say I have strong confidence in the ISP that allocated an IP address to my house/workplace, or even that I own this IP address, I know I'll always be reachable at this IP address, and I have registered for a SSL certificate for this domain.

Considering this (that you can trust IP address and certificate), is it more safe to rely solely on IP address (over SSL) to host a web service, and therefore do not register for any domain name?

Anders
  • 64,406
  • 24
  • 178
  • 215
Lamouette
  • 29
  • 1
  • *"DNS resolving process relies for most extensions, ultimately on root servers located in the USA"* - are you sure? See [Root Servers in the World](https://www.google.com/maps/d/viewer?mid=1LcHEpzl-7RzziWzDa4h3BxJcbEo&ie=UTF8&hl=en&msa=0&om=1&t=m&ll=24.846565000000112%2C22.5&spn=123.841285%2C225&z=2&source=embed). Also [Wikipedia: DNS root zone: Redundancy and diversity](https://en.wikipedia.org/wiki/DNS_root_zone#Redundancy_and_diversity). – Steffen Ullrich Dec 18 '18 at 12:44
  • Nothing stopping you from doing both IP and Domain name – CaffeineAddiction Dec 18 '18 at 13:08
  • 1
    Strongly related: [Why doesn't DNS spoofing work against HTTPS sites?](https://security.stackexchange.com/questions/94331/why-doesnt-dns-spoofing-work-against-https-sites). This covers the spoofing aspect (i.e. duplicate in this area) but it does not cover the reliability aspect. But if you personally need reliability you can also add the explicit mapping between hostname and IP address into `/etc/hosts` (or similar on Windows). – Steffen Ullrich Dec 18 '18 at 15:26
  • I'm pretty sure you can't get a SSL certificate for an IP address. – user Dec 18 '18 at 16:10
  • 1
    @aCVn: [you can get a cert for a _public_ address, but it's harder](https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name) OP: the rightmost label of a FQDN is the top-level domain (TLD); it is not an 'extension'. – dave_thompson_085 Dec 19 '18 at 05:51
  • The .com root server is located in the USA, there might be mirrors servers to lighten the request load, but the source root server is in the USA – Lamouette Dec 19 '18 at 16:17
  • "root servers is sort of a single point of failure," If you speak really about the root (`.`) there are almost 1000 logical instances of this service thanks to anycasting so it is a little far from a " single" point of failure. Why part of the system may fail sometimes for errors or attacks, the whole remains working. "and bring well known weaknesses (DNS hack, DNS poisonning etc...)." 1) What is DNS hack? and 2) DNS poisoning refers to recursive nameservers, not authoritative ones – Patrick Mevzek Jan 01 '19 at 07:07

2 Answers2

2

DNS can be a point of attack, yes. DNS exists because remembering something like 198.51.100.36 is significantly harder to remember than Lamouette.com. If you want to give it a go, more power to ya but I'd caution that if it's a public web presence you're after, your visitors will not appreciate having to use your IP address over your domain name.

And if you cut your SSL cert with the IP address but you publicize your domain name for use, your users will get ugly messages from modern browsers claiming that the details of the SSL certificate (based on IP) do no match the value your visitors are using: Lamouette.com.

So while it technically is more secure, it's functionally unusuable for an internet presence. More power to ya though if you decide to try and buck the system.

user
  • 7,670
  • 2
  • 30
  • 54
thepip3r
  • 633
  • 3
  • 8
  • 1
    Never mind IPv4. Try something like 2001:db8:c94c:dad6:7e8d:31db:8b17:7c2b on for size. – user Dec 19 '18 at 07:37
  • Yes thanks for your answer, I was thinking of some professionnal web services / api (not visible to the user), not necessarly public site like sony.com for normal users. – Lamouette Dec 19 '18 at 16:16
0

which is why https://1.1.1.1 exist (just a proof of concept that SSL certs also work on IP addresses)

Viktova
  • 236
  • 1
  • 8