6

I'm using a VPN mainly as a way of limiting access to my servers as it has a static IP address.

Is it bad practice to use a domain name to access my VPN? That is, is it fine to use vpn.example.com, or should I access it using the IP address?

asked by samdunne, edited by cpast

1 Answer

5

If your IP is completely static, you could obviously use the IP address safely and reliably. But you're fine using the CNAME, as long as you trust the entity hosting your DNS zone file.

If they're not trustworthy, or if they're sloppy, it's conceivable that some third party could substitute their own DNS records for yours and redirect vpn.example.com to their own "bad guy" server instead of your legitimate one.

It's always possible that you could get DNS-hijacking malware on your computer, or malware that fills your local hosts file with bogus entries. But if that happens, it's just as likely the malware is recording your keystrokes and mailing them home, so you're compromised anyway in that situation.

Having said all of the above, however...

Are you connecting to your VPN from a lot of potentially suspicious places (open hotspots on the rough side of town, hotels, Internet cafes, etc.)? If so, there's always a chance that those systems have been compromised and are pointing at poisoned DNS servers.

At least two mitigating factors jump to mind, though.

The first is that depending on the VPN technology you're using, you should get a warning if the server you reach isn't the one you intended to reach. OpenVPN uses asymmetric encryption and your client VPN keys won't work with a rogue server unless that server has somehow been loaded with your server's private key (in which case you're already completely compromised). Microsoft's SSTP VPN (another HTTPS VPN) is protected with an SSL/TLS cert and should bark at you if the cert on the server isn't correct, and so on.

The second thing is that even if the DNS at some public WiFi hotspot has been poisoned, the owner of the poisoned DNS server would need to be specifically targeting your vpn server's CNAME in order to redirect you to a poisoned VPN server or relay. Unless you're a high-value target of some kind, that seems fairly unlikely.

EDIT: There are also anti-malware packages and other services that always redirect your machine to their own DNS servers.

Craig Tullis
  • Cloudflare is the DNS provider I'm using. I'm also using OpenVPN as my VPN server. It's also SSL and will bark at me if the cert looks suspicious. So I seem to be safe enough? – samdunne Jan 04 '15 at 23:09
  • I think you're safe enough. I think CloudFlare is as trustworthy as anybody. We're actually using CloudFlare for our business DNS management right now, in order to get their CDN functions and have had no issues in the two years or so that we've been using them. – Craig Tullis Jan 05 '15 at 05:25
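Added example, not part of the question, the answer or the comments above: an OpenVPN 2.4+ client profile showing the directives that make "reach the server by DNS name" fail closed in the way the answer describes, so that a poisoned resolver pointing vpn.example.com at a rogue host ends in a failed handshake rather than a connection. The hostname comes from the question; the file names (ca.crt, client.crt, client.key, tc.key), the port and the certificate common name are assumptions.

```conf
# Added example (not the original poster's or answerer's configuration).
# Hardened OpenVPN client profile for connecting by hostname.
client
dev tun
proto udp

# Connecting by name is fine: the directives further down bind the session
# to the server's identity, not to whatever address the name resolves to.
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Pin the private CA that issued the server certificate (assumed file names).
# A rogue endpoint reached through hijacked DNS cannot present a chain to
# this CA unless the CA's private key itself has been stolen.
ca ca.crt
cert client.crt
key client.key

# Require the server certificate to carry the "TLS Web Server Authentication"
# extended key usage. Without this line, any *client* certificate issued by
# the same CA could be presented to you as if it were the server.
remote-cert-tls server

# Check the certificate's common name against the expected value (assumed to
# be vpn.example.com). This, not the DNS lookup, is what "barks" when the
# host you reached is not the one you meant to reach.
verify-x509-name vpn.example.com name

# Static key that authenticates and encrypts the TLS control channel.
# Packets from a host that does not hold this key are discarded before the
# TLS handshake starts, so an impostor never gets to the certificate stage.
tls-crypt tc.key

# Refuse protocol and cipher downgrades.
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

verb 3
```

With this profile the DNS provider only has to be trusted for availability: if the name is redirected, the client logs a certificate or tls-crypt failure and never brings the tunnel up. Dropping `remote-cert-tls server` or `verify-x509-name` weakens that, because the chain check alone only proves the peer holds some certificate from your CA.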