Linux-Fu: Your Own Dynamic DNS

It is a problem as old as the Internet. You want to access your computer remotely, but it is behind a router that randomly gets different IP addresses. Or maybe it is your laptop and it winds up in different locations with, again, different IP addresses. There are many ways to solve this problem and some of them are better than others.

A lot of routers can report their IP address to a dynamic DNS server. That used to be great, but now it seems like many of them hound you to upgrade or constantly renew so you can see their ads. Some of them disappear, too. If your router vendor supplies one, that might be a good choice, until you change routers, of course. OpenWRT supports many such services and there are many lists of common services.

However, if you have a single public accessible computer, for example a Web server or even a cloud instance, and you are running your own DNS server, you really don’t need one of those services. I’m going to show you how I do it with an accessible Linux server running Bind. This is a common setup, but if you have a different system you might have to adapt a bit.

There are many ways to set up dynamic DNS if you are willing to have a great deal of structure on both sides. Most of these depend on setting up a secret key to allow for DNS updates and some sort of script that calls nsupdate or having the DHCP server do it. The problem is, I have a lot of client computers and many are set up differently. I wanted a system where the only thing needed on the client side was ssh. All the infrastructure remains on the DNS server.

Continue reading “Linux-Fu: Your Own Dynamic DNS”

Hackaday Links: March 1, 2020

Talk about buried treasure: archeologists in Germany have – literally – unearthed a pristine Soviet spy radio, buried for decades outside of Cologne. While searching for artifacts from a Roman empire settlement, the archeologists found a pit containing the Soviet R-394KM transceiver, built in 1987 and apparently buried shortly thereafter without ever being used. It was found close to a path in the woods and not far from several sites of interest to Cold War-era spies. Curiously, the controls on the radio are labeled not in Cyrillic characters, but in the Latin alphabet, suggesting the radio was to be used by a native German speaker. The area in which it was found is destined to be an open-cast lignite mine, which makes us think that other Cold War artifacts may have fallen victim to the gore-covered blades of Bagger 288.

Good news for Betelgeuse fans, bad news for aficionados of cataclysmic cosmic explosions: it looks like the red giant in Orion isn’t going to explode anytime soon. Betelgeuse has been dimming steadily and rapidly since October of 2019; as a variable star such behavior is expected, but the magnitude of its decline was seen by some astronomers as a sign that the star was reaching the point in its evolution where it would go supernova. Alas, Betelgeuse started to brighten again right on schedule, suggesting that the star is not quite ready to give up the ghost. We’d have loved to witness a star so bright it rivals the full moon, but given the times we live in, perhaps it’s best not to have such a harbinger of doom appear.

If you plan to be in the Seattle area as the winter turns to spring, you might want to check out the Vintage Computer Fair Pacific Northwest. We visited back during the show’s first year and had a good time, and the Living Computers: Museum + Labs, where the event is held, is not to be missed. The Museum of Flight is supposed to be excellent as well, and not far away.

Mozilla announced this week that Firefox would turn on DNS over HTTPS (DoH) by default in the United States. DoH encrypts the DNS requests that are needed to translate a domain name to an IP address, which normally travel in clear text and are therefore easily observed. Easily readable DNS transactions are also key to content blockers, which has raised the hackles of regulators and legislators over the plan, who are singing the usual “think of the children” song. That DoH would make user data collection and ad-tracking harder probably has nothing to do with their protests.

And finally, sad news from California as daredevil and amateur rocketeer “Mad” Mike Hughes has been killed in a crash of his homemade rocket. The steam-powered rocket was to be a follow-up to an earlier, mostly successful flight to about 1,900 feet (580 m), and supposed to reach about 5,000 feet (1.5 km) at apogee. But in an eerily similar repeat of the mishap that nearly killed Evel Knievel during his Snake River Canyon jump in 1974, Mike’s parachute deployed almost as soon as his rocket left the launch rails. The chute introduced considerable drag before being torn off the rocket by the exhaust plume. The rocket continued in a ballistic arc to a considerable altitude, but without a chute Mike’s fate was sealed. Search for the video at your own peril, as it’s pretty disturbing. We never appreciated Mike’s self-professed Flat Earth views, but we did like his style. We suppose, though, that such an ending was more likely than not.

DNS-over-HTTPS Is The Wrong Partial Solution

Openness has been one of the defining characteristics of the Internet for as long as it has existed, with much of the traffic today still passed without any form of encryption. Most requests for HTML pages and associated content are in plain text, and the responses are returned in the same way, even though HTTPS has been around since 1994.

But sometimes there’s a need for security and/or privacy. While the encryption of internet traffic has become more widespread for online banking, shopping, the privacy-preserving aspect of many internet protocols hasn’t kept pace. In particular, when you look up a website’s IP address by hostname, the DNS request is almost always transmitted in plain text, allowing all the computers and ISPs along the way to determine what website you were browsing, even if you use HTTPS once the connection is made.

The idea of also encrypting DNS requests isn’t exactly new, with the first attempts starting in the early 2000s, in the form of DNSCrypt, DNS over TLS (DoT), and others. Mozilla, Google, and a few other large internet companies are pushing a new method to encrypt DNS requests: DNS over HTTPS (DoH).

DoH not only encrypts the DNS request, but it also serves it to a “normal” web server rather than a DNS server, making the DNS request traffic essentially indistinguishable from normal HTTPS. This is a double-edged sword. While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms to monitor DNS spoofing and it moves the responsibility for a critical networking function from the operating system into an application. It also doesn’t do anything to hide the IP address of the website that you just looked up — you still go to visit it, after all.

And in comparison to DoT, DoH centralizes information about your browsing in a few companies: at the moment Cloudflare, who says they will throw your data away within 24 hours, and Google, who seems intent on retaining and monetizing every detail about everything you’ve ever thought about doing.

DNS and privacy are important topics, so we’re going to dig into the details here. Continue reading “DNS-over-HTTPS Is The Wrong Partial Solution”

This Week In Security: Is RSA Finally Broken? The Push For Cloud Accounts, Encrypted DNS, And More Mobile Mayhem

Ever wondered what “cyberwar” looks like? Apparently it’s a lot of guessing security questions and changing passwords. It’s an interesting read on its own, but there are some interesting clues if you read between the lines. A General in the know mentioned that Isis:

clicked on something or they did something that then allowed us to gain control and then start to move.

This sounds very similar to stories we’ve covered in the past, where 0-days are used to compromise groups or individuals. Perhaps the NSA supplied such an exploit, and it was sent in a phishing attack. Through various means, the U.S. team quietly compromised systems and collected credentials.

The article mentions something else interesting. Apparently the targets of this digital sting had also been compromising machines around the world, and using those machines to manage their efforts. The decision was made by the U.S. team to also compromise those machines, in order to lock out the Isis team. This might be the most controversial element of the story. Security researchers have wanted permission to do this for years. How should the third parties view these incursions?

The third element that I found particularly interesting was the phase 2 attack. Rather than outright delete, ban, and break Isis devices and accounts, the U.S. team installed persistent malware that emulated innocuous glitches. The internet connection is extremely laggy on certain days, certain websites simply don’t connect, and other problems. These are the sort of gremlins that networking pros spend all day trying to troubleshoot. The idea that it’s intentional gives me one more thing to worry about. Continue reading “This Week In Security: Is RSA Finally Broken? The Push For Cloud Accounts, Encrypted DNS, And More Mobile Mayhem”

Control Your Web Browser Like It’s 1969

Imagine for a moment that you’ve been tasked with developing a device for interfacing with a global network of interconnected devices. Would you purposely design a spring-loaded dial that can do nothing but switch a single set of contacts on and off from 1 to 10 times? What kind of crazy world would we have to live in where something like that was the pinnacle of technology?

Obviously, such a world once existed, and now that we’ve rolled the calendar ahead a half-century or so, both our networks and our interfaces have gotten more complex, if arguably better. But [Jan Derogee] thinks a step backward is on order, and so he built this rotary phone web browser. The idea is simple: pick up the handset and dial the IP address of the server you want to connect to. DNS? Bah, who needs it?

Of course there is the teensy issue that most websites can’t be directly accessed via IP address anymore, but fear not – [Jan] has an incredibly obfuscated solution to that. It relies on the fact that many numbers sound like common phrases when sounded out in Chinese, so there end up being a lot of websites that have number-based URLs. He provides an example using the number 517, which sounds a bit like “I want to eat,” to access the Chinese website of McDonald’s. How the number seven sounding like both “eat” and “wife” is resolved is left as an exercise to the reader.

And here we thought [Jan]’s rotary number pad was of questionable value. Still, we appreciate this build, and putting old phones back into service in any capacity is always appreciated.

Continue reading “Control Your Web Browser Like It’s 1969”

You Might Not Be Able To Read This

Early today, some party unleashed a massive DDoS attack against Dyn, a major DNS host. This led to a number of websites being completely inaccessible. DNS is the backbone of the Internet. It is the phone book that turns URLs into IP addresses. Without it, the Internet still works, but you won’t be able to find anything.

Over the past few months, security professionals have suggested — in as responsible terms as possible — that something big could happen. In early September [Bruce Schneier] wrote, Someone Is Learning How To Take Down The Internet. The implication of this very general warning is that someone — possibly a state actor, but don’t be too sure about that — was figuring out how to attack one of the core services of the web. The easiest way to effectively ‘turn off the Internet’ for everyone is a Distributed Denial of Service attack against root servers, DNS servers, or some other service that plays a key role in the web.

Dyn is responding well to the attack this morning, and the Internet is safe from attack for the time being. As for who is responsible for the attack, what the goal is, and if this will happen again, no one knows. An attack on this scale is most certainly someone with a very large pocketbook or a state actor (Russia, China, the US, UK, Germany, Israel, or the like) but that’s not a given. It’s also not given the DDoS attacks have stopped. You might not be able to read this, but if you can, it might be a good idea to find a shortwave radio.

DNS Tunneling: Getting The Data Out Over Other Peoples’ WiFi

[KC Budd] wanted to make a car-tracking GPS unit, and he wanted it to be able to phone home. Adding in a GSM phone with a data plan would be too easy (and more expensive), so he opted for the hacker’s way: tunneling the data over DNS queries every time the device found an open WiFi hotspot. The result is a device that sends very little data, and sends it sporadically, but gets the messages out.

This system isn’t going to be reliable — you’re at the mercy of the open WiFi spots that are in the area. This certainly falls into an ethical grey zone, but there’s very little harm done. He’s sending a 16-byte payload, plus the DNS call overhead. It’s not like he’s downloading animated GIFs of cats playing keyboards or something. We’d be stoked to provide this service to even hundreds of devices per hour, for instance.

If you’re new here, the idea of tunneling data over DNS requests is as old as the hills, or older, and we’ve even covered this hack before in different clothes. But what [KC] adds to the mix is a one-stop code shop on his GitHub and a GPS application.

Why don’t we see this being applied more in your projects? Or are you all tunneling data over DNS and just won’t admit it in public? You can post anonymously in the comments!