
Dynamic DNS (DDNS) and a Little More

What is DNS?

DNS is a look-up service that happens automatically and behind the scenes. For the most part, it’s built into the internet. It converts the name you enter at the top of the browser to a numerical IP address, and that IP address is what gets you where you want to go. It’s basically like the index at the back of a book.

The entire DNS process is reasonably complicated, but you can happily live a full and complete life without knowing or caring anything about it, even if you have an advanced home network. The only exception would be if you install Windows Server 2012, in which case you will have to know something about maintaining your own network DNS server.

When you start a web site, you pick out a name and are given an IP address. That IP address is yours and only yours. It takes the format of w.x.y.z, and there is a numbering convention that controls what the value of w, x, y, and z can be. When someone wants to visit your site, they enter the name you picked out and DNS converts it to the w.x.y.z you were assigned. DNS makes life easy.

Everyone on the internet has an IP address

If you’re reading this on the internet right now, then you have an IP address. That’s how this page knew where to go on the way back to you from the WordPress servers. Assuming you’re at home, your ISP (Comcast, AT&T, others) assigned one to your account so you can get on the internet. The difference is that your ISP changes your IP address whenever it chooses. Your ISP isn’t being mean. It’s just making efficient use of its resources. In theory you could have a different IP address each day of the week. Their servers keep track of how to route your pages around. Normally, you couldn’t care less. It just works.

At home right now, three people are on the internet. Explain this.

Your ISP gave your account one IP address. Your home router uses a multiplexing technique called NAT (network address translation) to keep everyone separate. It takes the ISP-provided IP address and can potentially subdivide it into as many as 256 local IP addresses. One is used by the network. One is used for a special purpose. The remaining 254 are potentially available for user connections. The router keeps them all separate. NAT also provides protective firewall properties.

Going off on a tangent a little

Routers use the same IP addresses in virtually every household. There are three ranges of IP addresses that are considered non-routable, or not allowed on the internet outside your house. Most home networks use the 192.168.0.0 range, and most commonly 192.168.1.x. Many home routers use the specific address 192.168.1.1, but your 192.168.1.1 has nothing to do with your next door neighbor’s 192.168.1.1. Your network can’t talk to the next door neighbor’s network unless you know their ISP-provided IP address AND they have left a door open for you. This is nice to know.

You might have seen that weird number 255.255.255.0, called a subnet mask. It helps the router calculate the full range of IP addresses you are using. If your router address is 192.168.1.1 and your subnet mask is 255.255.255.0 … as most home routers are … the subnet mask tells the router that it only has to keep track of the IP address range 192.168.1.0 through 192.168.1.255, which accounts for the 256 local IP addresses mentioned above. Mostly, this is something you don’t care about.
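The two paragraphs above can be checked with Python's standard `ipaddress` module. The block below is an added example, not code from the original post; it lists the three non-routable ranges the post mentions, then takes a router address and subnet mask straight off a router's configuration page and works out the range the router has to keep track of, including the network address, the "special purpose" broadcast address, and the 254 usable addresses in between. The router address and mask in the usage call are the post's own 192.168.1.1 / 255.255.255.0.

```python
import ipaddress

# The three non-routable ranges the post refers to (RFC 1918 private space).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(address: str) -> bool:
    """True if the address can only exist inside a home/office network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


def describe_lan(router_ip: str, subnet_mask: str) -> dict:
    """Work out the address range a router manages, given its own address
    and the subnet mask shown on its configuration page."""
    # ipaddress accepts the dotted mask form directly for IPv4.
    iface = ipaddress.ip_interface(f"{router_ip}/{subnet_mask}")
    net = iface.network
    hosts = list(net.hosts())  # every address a device could be given
    return {
        "network": str(net),                 # e.g. 192.168.1.0/24
        "network_address": str(net.network_address),   # "used by the network"
        "broadcast_address": str(net.broadcast_address),  # the "special purpose" one
        "total_addresses": net.num_addresses,  # 256 for a /24
        "usable_addresses": len(hosts),        # 254 for a /24
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "private": net.is_private,
    }


if __name__ == "__main__":
    info = describe_lan("192.168.1.1", "255.255.255.0")
    for key, value in info.items():
        print(f"{key:>18}: {value}")
    print("192.168.1.1 private:", is_private("192.168.1.1"))
    print("8.8.8.8 private:", is_private("8.8.8.8"))
```

Feeding it a different mask (255.255.0.0, say) shows why the mask matters: the same router address then implies 65,536 addresses rather than 256, which is a far larger space for the router to track and for a mistyped forwarding rule to land in.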

Your device’s network adapter has a unique ID number associated with it called the MAC address. In theory, all MAC addresses on all devices throughout the world are unique. In practice, that’s probably not true, but true enough to apply the concept. Your router associates your local IP address with the MAC address of your network adapter. It builds a little cross reference table inside to keep everyone organized. Copies of this cross reference table are also kept in each device to make it easier for network devices to communicate locally. Mostly, this is something you don’t care about.

If you have a busy home internet, you need a good router. Not the cheapest one you can find from someone you think you heard has a good reputation. It takes quality and performance to keep a busy network running reliably. Amazon, TigerDirect, BestBuy, Newegg, and others all offer a wide selection of routers, but, more importantly, provide user reviews and ratings. Get used to reading reviews and specs. With routers, it’s a good idea to follow the crowd and get what they say they like best. The good ones in high demand aren’t discounted much and they’re usually a little costly. User reviews are better than technical reviews. Some routers that test great have mediocre reputations. This is something to remember.

So what’s DDNS?

DDNS is a technique that keeps on top of the IP address your ISP assigned to you. Periodically, and fairly often, a program runs to find out what your ISP-provided internet IP address is at this moment. Then a private company somewhere on the internet is contacted and associates your current IP address with an internet name you provided to them. The internet name is a composite of a name you chose and their actual domain name. When someone on the internet enters that name in a browser, they’re talking to you.

For example, Asus offers a free DDNS service for buyers of some of the products they sell. I own an Asus router and use their DDNS service. Within the router, I turned the DDNS feature on and entered a name. Asus agreed the name was unique and established the link within a couple of seconds. The router relays my current IP address to Asus DNS servers several times a day. I now have an accessible internet presence at ________.asuscomm.com.

Behind the scenes, the internet DNS service sees the ‘asuscomm.com’ part of the name and routes the search to the Asus DNS servers. Asus finishes the job and matches ________.asuscomm.com to whatever my ISP has decided my IP address should be at that moment. From this, the internet knows where to find me.

Netgear provides a similar service to purchasers of their routers.

There’s no list of computer vendors who offer DDNS services. You just have to look on the vendor site for a product you own or are thinking of buying. Several private companies provide DDNS services. No-ip.com offers both free and paid services. Dyndns.com offers a low cost DDNS service. There are other DDNS vendors. Just ask Google.

When you use an outside DDNS vendor, you will probably have to run a program daily so they can track your IP address. Many routers and some Network Attached Storage devices (NAS drives) have built-in links to commonly used DDNS companies. The DDNS page on your router will have a drop-down box with all the names. Pick one and sign up with them.

Is there a catch?

Maybe. Your ISP might not like you using their wires for inbound access to you. Comcast says ‘no problem’ and others probably feel the same, but some are said to frown on you having DDNS capability. They hinder you by closing down some types of inbound access.

All internet traffic travels on ports. Think of a port as a channel number, like CBS is on channel 2 in Chicago. All common web page traffic occurs on port 80. All SSL normally occurs on port 443. Other traffic uses other ports. Some types of traffic use standard ports. Remote desktop commonly uses port 3389. There are over 65,000 possible ports, and the first 1,024 are, by general agreement, assigned to specific tasks.

Some ISPs block certain ports. Your DDNS service might provide a port forwarding feature to let you shift traffic from the blocked port to one left open. Asus won’t do this for me.

Port Forwarding

There’s another problem you have to get past. Routers don’t like to let unexpected traffic into your home network. Routers can tell when inbound traffic is in response to a request you made, such as normal web traffic to and from your browser. Depending on your router, for inbound traffic that was not initiated by an outbound request, you will most likely have to open certain ports on the router and direct that traffic to a certain computer. This is called port forwarding.

For example, assume your main server uses local IP address 192.168.1.55. Assume you want to set up a VPN that uses SSL and you want your main server to be the endpoint. You will have to go to a screen in your router and enter some numbers into a screen form. It will ask you what port to listen for, what local IP address to forward the inbound traffic to, what port to send it out on, and if it is TCP or UDP.

In this example you would forward port 443 in to port 443 out and send all new inbound traffic on port 443 to 192.168.1.55 using TCP.

Router manufacturers may use different terminology to describe the port forwarding feature in their product. Each manufacturer makes their port forwarding screen look a little different from the others, but all contain the same basic elements.

TCP and UDP are transmission methods. Most internet traffic uses TCP since it contains a lot of features to make it reliable. UDP is not reliable by design, but is really fast and perfect for some types of communication. Generally, when you’re told to perform port forwarding, you’ll be told if it’s TCP or UDP. Port forwarding is something to keep in the back of your mind.
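The Port Forwarding section describes three decisions a home router makes about an inbound packet: is it the reply to something a local device sent (let it through), does a forwarding rule match its protocol and port (send it to the listed computer), or neither (drop it). The block below models exactly that as an added example; it is not any router vendor's code and the `Packet`, `ForwardRule` and `HomeRouter` names are invented for the illustration. The usage call sets up the post's own example rule, TCP port 443 forwarded to 192.168.1.55, and the remote addresses are constructed documentation addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "TCP" or "UDP"


@dataclass(frozen=True)
class ForwardRule:
    """One line on the router's port forwarding screen."""
    proto: str
    external_port: int   # port to listen for on the internet side
    internal_ip: str     # local computer to hand the traffic to
    internal_port: int   # port to send it out on


class HomeRouter:
    def __init__(self, wan_ip: str, rules=()):
        self.wan_ip = wan_ip
        self.rules = {(r.proto, r.external_port): r for r in rules}
        # Stateful inspection: remember every connection a LAN device started.
        self.sessions = set()   # (proto, remote_ip, remote_port, wan_port)
        self.nat_table = {}     # (proto, wan_port) -> (lan_ip, lan_port)
        self._next_wan_port = 40000

    def add_rule(self, rule: ForwardRule):
        self.rules[(rule.proto, rule.external_port)] = rule

    def remove_rule(self, proto: str, external_port: int):
        """'Close the port when you're done with it.'"""
        self.rules.pop((proto, external_port), None)

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN device opens a connection; rewrite the source to the WAN address
        and remember the flow so the reply can be let back in."""
        wan_port = self._next_wan_port
        self._next_wan_port += 1
        self.nat_table[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        self.sessions.add((pkt.proto, pkt.dst_ip, pkt.dst_port, wan_port))
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Return the packet as delivered inside the LAN, or None if dropped."""
        # 1. Reply to a connection we initiated: NAT knows where it goes.
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.sessions:
            lan_ip, lan_port = self.nat_table[(pkt.proto, pkt.dst_port)]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        # 2. Unsolicited, but a forwarding rule covers this protocol and port.
        rule = self.rules.get((pkt.proto, pkt.dst_port))
        if rule is not None:
            return Packet(pkt.src_ip, pkt.src_port, rule.internal_ip, rule.internal_port, pkt.proto)
        # 3. Unsolicited and no rule: this is the traffic NAT/SPI keeps out.
        return None


if __name__ == "__main__":
    router = HomeRouter("203.0.113.10", [ForwardRule("TCP", 443, "192.168.1.55", 443)])
    print(router.inbound(Packet("198.51.100.9", 50000, "203.0.113.10", 443, "TCP")))   # reaches 192.168.1.55:443
    print(router.inbound(Packet("198.51.100.9", 50001, "203.0.113.10", 3389, "TCP")))  # None: no rule
    print(router.inbound(Packet("198.51.100.9", 50002, "203.0.113.10", 443, "UDP")))   # None: rule is TCP only
```

Note that the UDP probe on port 443 is dropped even though 443 is "open": a forwarding rule is a protocol-and-port pair, which is why the router's form asks for TCP or UDP. Calling `remove_rule("TCP", 443)` puts the router back to dropping everything unsolicited, which is the state the conclusion of the post asks you to return to when you are finished.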

Do I always need DDNS to communicate remotely?

No. Some companies, such as TeamViewer and LogMeIn and others, provide secure remote desktop capabilities by maintaining a link behind the scenes. You just install their software and set up a client-server link. You don’t need DDNS. You don’t need to make SSL certificates or root certificates. They use proprietary methods to initiate and maintain the link without you needing to do anything special except configure their software, which is usually pretty easy. Both TeamViewer and LogMeIn offer free software for small scale private home use. Some even allow your tablet to run the desktop of your Windows PC from across the country.

Most router and NAS vendors offer cloud services that provide remote access to storage on the device you purchased from them. You just sign up and follow their instructions. You just need a secure password and an internet connection.

Other companies that offer remote services probably provide the same ease of use.

Microsoft offers Remote Desktop, which provides a service similar to TeamViewer and LogMeIn. You will need DDNS and will probably have to open and forward port 3389 to connect if you’re not on the local network. You need nothing special to remote desktop to a PC on the local network.

In Conclusion

Finally, when you leave a port open, anything might crawl in. As soon as you open an inbound port, or run software that opens ports for you, or turn on DDNS, or remove all NAT protection by turning your server into a DMZ, or forward a port, you introduce risk into your life. Don’t open or turn on anything you’re not using. Just like you turn off the light when you leave a room, close ports when you’re done with them. Think of ignoring port security like leaving your front door unlocked and open when you’re on vacation. Supplement your capable router and your knowledge and common sense with a good software firewall and good internet security software. There is no way to eliminate risk; you can only reduce it.

My home network is scanned from all over the world, 100s of times a day. Nonstop. So is yours. I see their daily attempts in my various router logs. I have no idea what they want, but I personally assume they are up to no good. Some claim to be ‘security researchers’. I have no idea what that means. To best protect yourself, keep as few ports open towards the internet as possible. Protect the ones that are not intended for public access with encryption certificates, passwords, and user ids known only to you. If someone Googles your IP address, the search results might point directly to a door a device of yours created on your home network. Google is amazing in how well it finds places to go on the internet. (This also implies someone with no bad intent can accidentally attempt entry to an exposed device if Google finds it and it’s not protected properly.) SPI and NAT can’t protect you if a port is left open. You need to take the initiative from there. Keep all firmware updated as directed by the people you got it from.
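The router logs mentioned above are more useful once summarized: which sources keep coming back, which ports they try, and, most importantly, which packets were actually accepted and on what port. The block below is an added example, not the author's logs or any vendor's tool. The sample lines are constructed, imitating the netfilter-style drop/accept lines many consumer routers write (your router's exact format will differ, so adjust `LINE_RE` to match it), and the source addresses are documentation addresses. The `forwarded_ports` argument is the list of rules you know you set up; an ACCEPT on anything else is the first thing to look into.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the author's router). The field layout
# imitates netfilter-style lines; real routers vary in wording and order.
SAMPLE_LOG = """\
Mar  3 02:14:07 router kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=3389
Mar  3 02:14:09 router kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=22
Mar  3 02:14:11 router kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=23
Mar  3 02:14:13 router kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51237 DPT=445
Mar  3 05:40:02 router kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=60001 DPT=3389
Mar  3 05:40:05 router kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=60002 DPT=3389
Mar  3 05:41:30 router kernel: ACCEPT IN=eth0 SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=60003 DPT=443
Mar  3 09:12:44 router kernel: DROP IN=eth0 SRC=203.0.113.200 DST=203.0.113.10 PROTO=UDP SPT=4444 DPT=5060
"""

# Assumed field layout; change this pattern to match your own router's lines.
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=\S+ SRC=(?P<src>[\d.]+) DST=\S+ "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_events(log_text: str) -> list:
    """Turn matching log lines into small dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"action": m["action"], "src": m["src"],
                           "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def summarize(log_text: str, forwarded_ports, noisy_threshold: int = 3) -> dict:
    """forwarded_ports: set of (proto, port) pairs you deliberately opened."""
    events = parse_events(log_text)
    by_source = Counter(e["src"] for e in events)
    by_port = Counter(e["dpt"] for e in events)
    reached_lan = [e for e in events if e["action"] == "ACCEPT"]
    # Accepted traffic on a port you do not remember forwarding deserves a look:
    # it may be a rule you forgot to remove, or a device that opened a door itself.
    unexpected = [e for e in reached_lan if (e["proto"], e["dpt"]) not in forwarded_ports]
    noisy = sorted(src for src, n in by_source.items() if n >= noisy_threshold)
    return {
        "events": len(events),
        "by_source": by_source,
        "by_port": by_port,
        "reached_lan": reached_lan,
        "unexpected_accepts": unexpected,
        "noisy_sources": noisy,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, forwarded_ports={("TCP", 443)})
    print("inbound events:", report["events"])
    print("busiest sources:", report["by_source"].most_common(2))
    print("most-tried ports:", report["by_port"].most_common(3))
    print("accepted into LAN:", report["reached_lan"])
    print("accepted on ports you did not forward:", report["unexpected_accepts"])
    print("repeat visitors:", report["noisy_sources"])
```

Run against a day of real log lines, the "most-tried ports" list is usually dominated by remote desktop, SSH and file sharing ports whether or not you have them open, which is the post's point: the scanning happens regardless, and the only number you control is the size of the `unexpected_accepts` list.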

“Every solution introduces new problems you never thought of before.”


4 Comments on “Dynamic DNS (DDNS) and a Little More”

  1. John says:

    Good article thanks. In your conclusion you recommend closing ports when not in use. Does this need to involve going into the router and removing the forwarding you set up?

    • Carl Rinker says:

      Thank you. Yes, I was referring to only the ports you manually opened and no longer need open. You would close them by returning to the router screens where they were opened and either making them inactive or by deleting the line, depending on how your router works. You would, of course, need to examine your intended usage. If you planned on setting up a home web server that might be accessed by you at any time, then you would probably leave ports 80 and 443 open at all times, plus any other ports your applications needed open.

  2. Shane says:

    Fantastic article. As a part time IT guy/full time engineer filling a need for a very small company with no background in the industry, contributors like you are tremendously helpful when trying to get just enough background knowledge to read the enormous documents on MSDN and the like. I deeply appreciate this kind of article!

    • Carl Rinker says:

      Thank you. You have fresh eyes and are in the same place as many others, including me many years ago. My background was accounting although I had been interested in PCs for years. At that time, for me, the System/36 and AS/400 were the next level. This was long ago.

      Feel free to comment about things you feel should be covered but are not or not well. Maybe I can write something about it or improve on an existing page.
