I tried searching online but I was just flooded with a bunch of irrelevant results. The thing I'm looking to achieve is basically a password-protected dynamic DNS server.

For example, let's say I own a domain example.com, I'd like to create a subdomain mypc.example.com (not just only one though) that is only resolved for those phones (Android/iOS) and PCs (Windows, Linux) that have a specific key, those machines who do not have that key mustn't be able to resolve the IP. Basically a private replacement to dynamic DNS services.

Another example, just to clarify further: take the same domain, I'd like to have my Android phone always publish its IP under the name phone.example.com.

I thought about creating cron jobs that message my server to update certain A-records, but anyone knowing the subdomain could then spy on me :P. Solution to that would be random subdomains, but those would be impossible to remember when I really need them. And a private local DNS server could also allow this at home, but nowhere else.

Could anyone suggest how I could build such a service for myself?

(Even nicer would be if the queries were encrypted so that the replies couldn't be intercepted/tampered with)

Avamander
  • What's the point of this? It sounds like a lot of work for nothing. – Michael Hampton Apr 02 '18 at 16:13
  • For the core parts, if you control the end devices, configure them with a specific IP for their DNS resolver and use views or equivalent. (but your question is basically too broad). For the part in parentheses, have a look at DNSSEC. Or if you are bold, at DNS over TLS or over HTTPS. – Patrick Mevzek Apr 02 '18 at 16:20
  • @PatrickMevzek `For the part in parentheses, have a look at DNSSEC.` Um, what exactly about it? And Android doesn't support DNSSEC? `Or if you are bold, at DNS over TLS or over HTTPS.` But how would authentication work with that? – Avamander Apr 02 '18 at 16:51
  • @MichaelHampton So that I don't have to manually grep from my server's logs the IPs of my devices when I want to connect to them and so that the entire world won't know the IPs. – Avamander Apr 02 '18 at 16:52
  • DNSSEC provides integrity against tampering on replies. Mostly relevant only if you have a validating resolver on the node doing the queries. DNS over TLS is RFC7858, DNS over HTTPS is still being drafted. But based on your other comment, I think you are going the wrong route. Trying to obfuscate the names/IPs is useless. Your question will need to be more specific as it seems you are trying to resolve multiple problems at once (like a private DNS, and also about names updates, and also integrity of exchanges, etc.) – Patrick Mevzek Apr 02 '18 at 17:25
  • On a local network you just set up a local DNS resolver configured for your needs to resolve all local names as you wish and you use private IP blocks to number your devices on the network. This solves all your problems. But if you are speaking about non local networks or networks spanning outside and through the Internet, you will need to put your requirements in a far clearer format. Have a look at VPNs to start with, including typical "road warrior" configurations. – Patrick Mevzek Apr 02 '18 at 17:28
  • `On a local network you just set up a local DNS resolver configured for your needs to resolve all local names as you wish and you use private IP blocks to number your devices on the network. This solves all your problems.` On a local network :(. But on a public network I really don't want to publish the IP addresses of everything I have. – Avamander Apr 02 '18 at 18:37
  • Your IP addresses are already public, so that doesn't really matter. Attackers try every IP address on the Internet in an automated manner regardless of whether you list it in the DNS or not. If you ran a private network, not accessible to the Internet, then you could certainly have a private DNS on it. – Michael Hampton Apr 02 '18 at 18:43
  • `Your IP addresses are already public, so that doesn't really matter.` There's a difference between an IP address and a "named" IP address though. One isn't tied to me, other can always be used to determine it's my IP address. – Avamander Apr 02 '18 at 18:52
  • That's true enough, but if targeted attacks are actually a significant part of your threat model, then security by obscurity is not going to be sufficient, and likely not very useful either. – Michael Hampton Apr 02 '18 at 21:20
  • `then security by obscurity is not going to be sufficient, and likely not very useful either.` I'd say this is more about privacy than security. If I didn't care about privacy at all I'd use OVH's own API to update a few subdomains. – Avamander Apr 02 '18 at 21:44
  • If the downvoters could be so kind and let me know what's wrong with my question that'd be really nice. – Avamander Jul 11 '18 at 20:41
  • RE: downvotes, people can be a little trigger happy around here, but I think it boils down to value perception of the problem you're trying to solve and a reluctance to stand down from it. Security professionals have long since moved on from this being a realistically sustainable security model. – Andrew B Aug 14 '18 at 00:21
  • @AndrewB Thanks for answering. The downvotes are now somewhat understandable. – Avamander Aug 14 '18 at 02:24

3 Answers

> For example, let's say I own a domain example.com, I'd like to create a subdomain mypc.example.com (not just only one though) that is only resolved for those phones (Android/iOS) and PCs (Windows, Linux) that have a specific key, those machines who do not have that key mustn't be able to resolve the IP. Basically a private replacement to dynamic DNS services.

Emphasis is mine. With this sentence, your question has diverged from being about DNS. You are looking for something similar to DNS that is not DNS.

The security mechanisms within DNS are focused in the following areas:

  • Authenticating changes in authoritative data, and preventing spoofed IPs from generating spurious messages between backend systems. (dynamic updates and zone transfers)
  • Authenticating the authoritative responses seen by recursive servers to prevent DNS poisoning attacks. (DNSSEC)
  • Securing the communications between stub resolvers and recursive servers to improve privacy of the end user, and prevent tampering along that path. (DNS over HTTPS, DNSCrypt, etc.)
  • Reducing the amount of network resources that can be consumed by spoofed DNS queries. (DNS Cookies)

It should be noted that privacy of individual records is not included among these initiatives. DNS over HTTPS and DNSCrypt do intend to provide a measure of privacy, but only to the stub resolvers whose traffic might be snooped on the wire. Securing individual records is not an objective being pursued to the best of my knowledge.

If I had to make an assumption, the reason individual record privacy is not anyone's priority is because it goes completely against the grain of the current design model. It is not perceived to have much value for the level of effort required to implement. (or more bluntly, it's inherently understood to be a bad fit for the original design) The client's credential would have to be passed through recursive systems to authoritative systems, and for privacy to be maintained the transport would have to be secure between all participants. It imposes many requirements on all involved parties for little perceived payoff.

In short, DNS is similar to the solution that you are looking for but it was not built with the model that you have in mind. Michael's comment is correct: your security models must assume that someone is going to learn the IP address at some point, through automated scans or social engineering. The focus on security must be on what happens when someone sends traffic to your IP address.

Andrew B
  • Thank you for your answer, so you're suggesting not to worry about publishing IPs? – Avamander Apr 02 '18 at 21:51
  • @Avamander Correct: [Are DNS records private information?](https://serverfault.com/questions/579393/are-dns-records-private-information) – Andrew B Apr 02 '18 at 23:20
  • You're wrong in this case though. If I started publicly publishing all the IPs of all the devices I have, then that can be a privacy issue. – Avamander Aug 11 '18 at 23:39
  • Semantics, and a hint of straw man rebuttal. You're correct in the sense that unnecessary information disclosure should be avoided, which is why it's a best practice for authoritative servers to not enable unsecured zone transfers by default. The straw man is that no one said to publish all of your IPs so that they can be readily obtained in one place. The fallacy is that you can't achieve *zero* IP address disclosure with DNS over insecure transport, and that in the modern InfoSec world you have to focus on what happens when they learn your IP regardless of the obfuscation efforts. – Andrew B Aug 13 '18 at 23:54
  • This isn't to say that your solution is a bad one. It does exactly what you want it to. Most security experts would consider it to be over-engineering though, because it solves a problem that they would consider "juice not worth the squeeze". – Andrew B Aug 14 '18 at 00:10
  • `The straw man is that no one said to publish all of your IPs so that they can be readily obtained in one place.` - When using a regular DNS server it's goal is to give out IPs if you just know the domain name, isn't it? `Most security experts would consider it to be over-engineering though, because it solves a problem that they would consider "juice not worth the squeeze"` - Fair enough, thanks for explaining that. – Avamander Aug 14 '18 at 02:27
So, nothing really exists that does this as one product. You could maybe cobble together a few things to do something similar, but not likely with things like iOS/Android as you're limited to what you can change (without jailbreaking/rooting etc).

If you want to protect the query from prying eyes between client and server, you can use things like DNSCrypt or DNS over TLS, but this doesn't address the concern that anyone can still query your domain.

DNSSEC only allows you to validate that the record is in fact what is expected, but to my knowledge doesn't provide an authentication mechanism. Its goal is to sign DNS responses to indicate that the query hasn't been modified by some other entity after it was requested.


The problem with what you want to accomplish is that this isn't how DNS works. At a fundamental level, DNS is a form of a distributed service. When you configure a DNS server on your device (phone, tablet, PC, whatever) it will send all DNS queries to this box and expect a response. If this box knows what the value is, it will return it; if it doesn't, then it has to go to the next box in its configuration and ask that box for the value. This process repeats until a response is found.

If you wanted to limit who can query your box, your best bet is firewall rules to control who can send a request to the system in the first place. This obviously isn't something that will work for mobile and dynamic clients.

What you're asking for would likely have to be a customized solution, or an extension to something like DNS over TLS where authentication can be added. Maybe something like a client certificate with a DNS over TLS connection could be used to prove the client is what you're expecting and then, if that's correct, provide the DNS response. I don't think this is available with DNS over TLS now, but it seems feasible to add in.


What is your real goal here? When people ask such extremely specific questions like this one, it's because they have a goal in mind and think they've found a path to address it... often they're looking in the wrong direction for the answer.

UPDATE:

> ssh'ing into my laptop based on just on a domain name would be nice

So we've already gone through why this isn't going to work with just DNS. If you really want authenticated DNS, you'll have to build a custom solution as I'm not aware of anything that does this today.

In terms of accomplishing what you want (connecting to your machine despite dynamic IPs), I would look into services like TeamViewer where there is a remote server which is set up to accept a persistent connection from your client machine. This would allow you to connect to the service, then the service would be able to set up a 'tunnel' to the remote client. Another such service is LogMeIn.

These tools set up a persistent connection from the client to the service provider's servers. This means that you can set up connections through most NATs/firewalls since most networks don't block outbound traffic. From here, it doesn't matter if your laptop were at home or at the local coffee shop, you'd still be able to get to it.

Andrew
  • `The problem with what you want to accomplish is that this isn't how DNS works.` What could work this way then? Because I'm not aware of any private name resolving systems :P `What is your real goal here?` In addition to the two examples in the question itself, ssh'ing into my laptop based on just on a domain name would be nice (again, so that rest of the world won't know where it is). – Avamander Apr 02 '18 at 17:59
  • A hosts file is very private. The idea that you're going to publicly publish what's essentially private data just isn't how DNS resolution works. – Jim B Apr 02 '18 at 18:05
  • @JimB This wouldn't be dynamic. He would have to know the IP of the host in the first place. OP wants to be able to find a host when its IP is dynamic in nature. – Andrew Apr 02 '18 at 18:12
  • not if the machine pushes the hosts file to onedrive then the client pulls it down. DNS is not the answer at all here. – Jim B Apr 02 '18 at 18:28
  • `not if the machine pushes the hosts file to onedrive then the client pulls it down.` Syncing hosts file could work for Windows, Android and Linux, but wouldn't work when there's an iOS phone in the mix. – Avamander Apr 02 '18 at 18:35
  • So basically as it can't be done with DNS by itself, I could sync hosts file between a server (+webGUI that allows a bit cumbersome lookup) and a local DNS resolver. I guess it somewhat satisfies my requirements. – Avamander Apr 02 '18 at 18:41
  • I believe that a hosts file sync is just not efficient and prone to error, where as something that is meant for remote access is a better tool for the job. – Andrew Apr 02 '18 at 18:50
  • There isn't anything else sufficiently cross-platform though? I guess if I only had Windows/Linux PCs, but I don't. It's also proprietary... – Avamander Apr 02 '18 at 18:54
Just for the record, as there was no better solution I'm using a simple Flask/Python web app to update IP addresses in a database, and based on that I'm generating a hosts file that I sync between my devices and my local DNS resolver. This avoided the problem of publishing where I am online.

Unfortunately the iOS device can only resolve those names using a local DNS server but that's fairly okay.

Avamander
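The update-and-render core of the approach Avamander describes, written as an added example rather than the asker's own Flask app. It assumes a per-device shared key, an HMAC-SHA256 over the update fields with a timestamp (so a captured update cannot be replayed later to point a name at a stale address), and a strictly increasing timestamp per name; the device names, keys and addresses are constructed values. The HTTP framing is left out so the logic runs offline; Flask (or any other framework) would just decode the request body and call `apply_update`.

```python
"""Authenticated dynamic-DNS updater that renders a hosts file.

Constructed example (not the asker's code): each device holds its own key and
signs (name, ip, timestamp) with HMAC-SHA256; the server validates the update,
keeps a small record store and renders it as a hosts(5) file for syncing to a
local resolver.
"""
import hashlib
import hmac
import ipaddress
import re
import time

# Per-device secrets (constructed values). In practice load them from a config
# file with restrictive permissions, never from source control.
DEVICE_KEYS = {
    "mypc.example.com": b"mypc-secret-key-constructed",
    "phone.example.com": b"phone-secret-key-constructed",
}
MAX_SKEW_SECONDS = 300  # updates older or newer than this are rejected
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

records = {}  # hostname -> (ip, timestamp of last accepted update)


def sign(key: bytes, name: str, ip: str, ts: int) -> str:
    """HMAC-SHA256 over the update fields; the device computes the same value."""
    msg = f"{name}|{ip}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def apply_update(name: str, ip: str, ts: int, mac: str, now=None) -> bool:
    """Validate one update and store it. Returns True on success, False otherwise.

    Every failure path returns False without revealing which check failed, so an
    unauthenticated caller learns nothing about which names exist.
    """
    now = int(time.time()) if now is None else now
    if not HOSTNAME_RE.match(name):
        return False
    key = DEVICE_KEYS.get(name)
    if key is None:
        return False  # unknown device: no key, no update
    try:
        ipaddress.ip_address(ip)  # accepts IPv4 or IPv6, rejects garbage
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: outside the accepted window
    if name in records and ts <= records[name][1]:
        return False  # timestamp must strictly increase: blocks replay in-window
    if not hmac.compare_digest(sign(key, name, ip, ts), mac):
        return False  # wrong key: constant-time compare
    records[name] = (ip, ts)
    return True


def device_update(name: str, ip: str, ts: int) -> dict:
    """What a device would send: the fields plus the MAC under its own key."""
    return {"name": name, "ip": ip, "ts": ts, "mac": sign(DEVICE_KEYS[name], name, ip, ts)}


def render_hosts() -> str:
    """Render the current records as a hosts(5) file, one line per name."""
    lines = ["# generated by the dynamic-DNS updater; do not edit by hand"]
    for name in sorted(records):
        ip, _ = records[name]
        lines.append(f"{ip}\t{name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    now = int(time.time())
    upd = device_update("mypc.example.com", "203.0.113.7", now)
    print("accepted:", apply_update(**upd))
    print(render_hosts(), end="")
```

The rendered file is what gets synced to the devices and to the local resolver; the transport that carries both the updates and the generated file must itself be authenticated and encrypted (HTTPS with the same per-device secrets, or an SSH/VPN channel), since serving the hosts file unauthenticated would publish exactly the addresses the scheme is meant to keep private.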