Telstra ADSL

Drake Diedrich dld at coyote.com.au
Tue Aug 6 01:20:14 EST 2002


On Mon, Aug 05, 2002 at 02:42:59PM +1000, Howard Lowndes wrote:
> >
> > I've been using dyndns and the ddclient software for a couple of months
> > now.  To authenticate you put your dyndns username and password straight
> > into the /etc/ddclient.conf file.  ddclient is a perl script.
> 
> I hope that doesn't get sent over the net in clear, or even in encrypted
> form - very insecure.
> 

   It is very insecure, but the purpose of DNS is widespread publication and
convenience, not security.  The password merely heightens the robustness
against the simplest denial of service attack.  Bind can be configured
without any passwords.  If you're running DNS from a permanent dialup link
there are lots of easy ways for someone to deny you service, but there are
always baseball bats.  Relying on DNS for security purposes is asking to be
burned.  SSL certificates do that; the DNS records merely let you find the
appropriate machine wherever it has found itself.  Ideally the
certificates would be used to sign any updates to the DNS.  I think there
are draft documents covering signed updates, but no code that I'm aware of.
   In practice you should sign (and encrypt if needed) any traffic from a
dynamic DNS machine (ssh with host key checking, SSL authenticated SMTP, an
apache SSL certificate, VPN tunnels, ...), which you ought to do for any
remote IP addresses; with dynamic addresses, though, there is no weak DNS
authentication to fall back on.
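As an added illustration of the point above (this is example code, not part of the mailing-list post or of ddclient), the following Python checks a presented SSH host key against an OpenSSH-style known_hosts file. The hostnames, IP address and key blobs are constructed sample data; the key blobs are random bytes rather than real SSH keys. It shows why identity comes from the stored key and not from the name: if a dynamic DNS name suddenly resolves to a machine presenting a different key, the lookup still succeeds but the key check refuses the connection, which is exactly the "ssh with host key checking" fallback the post recommends.

```python
# Added example (not from the mailing-list post): an OpenSSH known_hosts check
# showing that host-key verification, not DNS, establishes a peer's identity.
import base64
import hashlib
import hmac


def hash_host_entry(hostname: str, salt: bytes) -> str:
    """Build the hashed host field OpenSSH writes with HashKnownHosts: |1|salt|HMAC-SHA1."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) names hostname."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
            expected = base64.b64decode(parts[3])
        except ValueError:
            return False
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    raw = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def check_host_key(known_hosts: str, hostname: str, keytype: str, key_b64: str) -> str:
    """Return 'ok', 'mismatch' (host known, different key) or 'unknown' (no entry)."""
    seen = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, stored = fields[0], fields[1], fields[2]
        if ktype != keytype or not host_matches(hosts, hostname):
            continue
        seen = True
        if hmac.compare_digest(stored.encode(), key_b64.encode()):
            return "ok"
    return "mismatch" if seen else "unknown"


# Constructed sample data: the key blobs are fixed bytes, not real SSH keys.
HOME_KEY = base64.b64encode(b"\x01" * 32).decode()
OTHER_KEY = base64.b64encode(b"\x02" * 32).decode()
SALT = b"\x03" * 20
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "home.dyndns.example,203.0.113.10 ssh-ed25519 " + HOME_KEY,
    hash_host_entry("office.example", SALT) + " ssh-ed25519 " + OTHER_KEY,
])


def decide(hostname: str, keytype: str, key_b64: str, known_hosts: str = KNOWN_HOSTS) -> str:
    """Policy: a known host presenting a different key is refused, whatever DNS resolved to."""
    verdict = check_host_key(known_hosts, hostname, keytype, key_b64)
    if verdict == "mismatch":
        return "REFUSE: host key changed (%s)" % fingerprint(key_b64)
    if verdict == "unknown":
        return "PROMPT: first contact, verify %s out of band" % fingerprint(key_b64)
    return "CONNECT"


if __name__ == "__main__":
    print(decide("home.dyndns.example", "ssh-ed25519", HOME_KEY))   # CONNECT
    print(decide("home.dyndns.example", "ssh-ed25519", OTHER_KEY))  # REFUSE: ...
    print(decide("office.example", "ssh-ed25519", OTHER_KEY))       # CONNECT (hashed entry)
    print(decide("new.example", "ssh-ed25519", HOME_KEY))           # PROMPT: ...
```

The "unknown" case is the first-contact problem: with a dynamic address there is no DNS-level assurance to lean on, so the fingerprint has to be confirmed out of band (the same reasoning applies to an SSL certificate's issuer chain).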
