Sonic Domains Names and Dynamic DNS

by gtwrek » Fri Jan 13, 2017 4:56 pm
Perhaps not directly a Sonic question, but I'm thinking some of the bright folks here may be able to help.

I'm a current Sonic Fusion X2 customer - considering "upgrading" to FTTN X2. Not thrilled with the forced modem rental nor using ATT's network. I'd want to set up a semi-permanent OpenVPN connection to SONIC VPN - but think I can swing this on my Linux router.

But one of the sticking points that I'm having trouble figuring out how-to-solve is the darned lack of Static IPs available. Sonic currently gives me one - which is all I need.

Sometime in the past I was stuck for a short period of time with a Dynamic IP from Sonic. It was a frustrating experience. I don't know if it was my basic sysadmin capabilities or just the lack of maturity for the various Dyn DNS software at the time, but it never worked well. There was always a 50/50 chance that when my IP address actually changed (not often mind you), the dynamic update wouldn't take. And of course I'd find this out when not at home, trying to connect remotely to my home server. I can remember trying to walk my wife through the DYNDNS debug over the phone. Not pleasant.

Sonic now owns my domain name registration - I'd want whatever dynamic DNS to still work with my domain. I don't know if this helps or hurts. From a high level it should help - Sonic knows my Dynamic IP (as they're assigning it - or at least getting the info from ATT). Sonic manages my domain, along with the DNS records. Should be possible to connect these right?

Not that I think it matters, but all I'm opening up is an SSHD port. Everything I need to do I can do through an SSH tunnel.

Is what I'm thinking to do possible? As I said my sysadmin (and networking) skills are intermediate at best - I'm quite comfortable with a bash command line and reading man pages or howtos, and figuring this out. I just don't do these tasks often enough to keep them firmly in memory. It's something I need to do every few years to set up my network how I like it, then I promptly forget everything.

Thanks,

Mark
by drew.phillips » Fri Jan 13, 2017 6:59 pm
Hi Mark,

If we host your site's DNS as well, then it's totally doable. We have a cool Dynamic DNS API available to Sonic customers that would allow you to push IP updates to your site's DNS address. The full documentation is available here. Full curl examples are supplied for each method.

Once you get an API key, all you'd really need to do is set up a cron job to hit the /dyndns/host endpoint to update your A records. Adjust the frequency depending on your needs. A simple update script would just be a curl one-liner to make that request. Since you mentioned that you're just trying to open an SSH tunnel, you can push an A record update to a subdomain like home.yourdomain.com so you could then ssh to home.yourdomain.com when needed.

And not to take you down a slippery slope, but another potential option would be to install Tor on your home server, and set up a Hidden Service that maps to the SSH port on your server. I do this and know several other security minded folks who do the same.

The advantage of the hidden service method is that 1) you don't need to worry about firewalls and port forwards because Tor establishes circuits to other relays on the network and the incoming traffic uses these circuits and 2) you don't need to worry about the IP address changing, because Tor will handle that, and your hidden service address stays constant (unless you opt to change it), and 3) you don't need to expose your SSH server to the public internet. Someone can't connect to your service without first knowing its address, and you can also further secure the hidden service with an extra username/password combination within Tor.

The downside is, you need Tor on whatever computer you'll want to SSH from, but it's easy to install, especially on Linux. You'd connect like proxychains ssh user@hiddenserviceaddress.onion -p PORT#. Proxychains is a program that intercepts all network communications for the program it executes and routes them through a proxy (by default Tor's SOCKS proxy).

There's definitely a bit of a learning curve to the Tor method, but it's secure and has some advantages.

Hope that helps, let me know if you have specific questions on my suggestions or need some help getting either method set up.
Drew Phillips
Programmer / System Operations, Sonic.net
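
Added example, not part of the original post and not Sonic's API code: guard logic a cron job could run around the update request, so that a private or malformed address is never pushed and an update that did not take shows up in the log. WAN_IF, DDNS_HOST, CACHE_FILE and PUSH_CMD are hypothetical names; PUSH_CMD stands for a script wrapping the documented curl request, which is not reproduced here.

```shell
#!/bin/sh
# Added example: guard logic around a cron-driven dynamic DNS push.
# Assumptions: WAN_IF, DDNS_HOST, CACHE_FILE and PUSH_CMD are hypothetical;
# PUSH_CMD wraps the provider's documented curl request (not shown).

# Succeed only for a well-formed IPv4 address outside the RFC 1918, CGNAT,
# loopback, link-local and 224+ ranges (e.g. a router behind a NATing modem fails).
is_public_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case "$a" in 0|10|127) return 1 ;; esac
    [ "$a" -ge 224 ] && return 1
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1
    return 0
}

# $1 = WAN address, $2 = last address pushed, $3 = address DNS returns now.
plan_update() {
    is_public_ipv4 "$1" || { echo invalid; return 0; }
    [ "$1" = "$3" ] && { echo ok; return 0; }
    # Already pushed but DNS disagrees: the update did not take (or is still cached).
    [ "$1" = "$2" ] && { echo stale-dns; return 0; }
    echo push
}

main() {
    host=${DDNS_HOST:-home.example.com}
    wan=$(ip -4 -o addr show dev "${WAN_IF:-eth0}" scope global | awk '{print $4; exit}' | cut -d/ -f1)
    last=$(cat "${CACHE_FILE:=/var/tmp/ddns.last}" 2>/dev/null)
    dns=$(dig +short "$host" A | tail -n 1)
    action=$(plan_update "$wan" "$last" "$dns")
    case "$action" in
        push|stale-dns) "${PUSH_CMD:?set to your update script}" "$host" "$wan" \
            && printf '%s\n' "$wan" > "$CACHE_FILE" || action="$action-failed" ;;
    esac
    logger -t ddns "$host: $action (wan=$wan last=$last dns=$dns)"
    case "$action" in ok|push) return 0 ;; *) return 1 ;; esac
}
if [ "${1:-}" = run ]; then main; fi
```

Run it from cron with the argument `run`; any log line other than `ok` or `push` is worth an alert before you are away from home.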
by gtwrek » Sat Jan 14, 2017 4:06 pm
Drew,

Thanks for the details - that's exactly what I needed. Sounds like everything's solvable, and within my abilities.

The Tor stuff and hidden servers is interesting to know, but probably not something I'll be setting up initially. My sysadmin skills are average - my sysadmin skills while keeping this secure in mind, are probably less-than average... I probably know just enough to get myself in trouble.

For now, I just rely on tcp_wrappers, with hosts.deny, and hosts.allow to basically only whitelist a few servers. It's not as flexible, but probably secure enough. Well it WAS until some $@%^&@ person upstream decided tcp_wrappers was too kludge for SSH, and removed that support. I took a sys update, not realizing that support was removed. My servers were wide open for weeks (Did have root login disabled, and strong passwords). But I was pissed none-the-less. I need to brush up on my iptables knowledge a bit more...

Thanks again,

Mark
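
Added example, not part of the original posts: a check for the failure described in the last post (an sshd build that no longer consults hosts.allow), plus a converter that turns the `sshd` entries of a hosts.allow file into iptables commands for review. It only handles literal IPv4 addresses, networks and trailing-dot prefixes; hostnames and keywords such as ALL are reported as skipped. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): check whether sshd still honours hosts.allow,
# and turn its sshd entries into iptables rules for review.

# Succeed only if the sshd binary is linked against libwrap (TCP wrappers).
sshd_uses_libwrap() {
    bin=${1:-$(command -v sshd)} || return 2
    ldd "$bin" 2>/dev/null | grep -q libwrap
}

# Read hosts.allow text on stdin; print iptables commands for port $1 (default 22).
# Commands are printed, not executed, so they can be reviewed first.
allow_to_iptables() {
    port=${1:-22}
    while IFS= read -r line; do
        line=${line%%#*}                                   # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        case ",$daemons," in *,sshd,*) ;; *) continue ;; esac
        clients=${line#*:}; clients=${clients%%:*}         # drop optional command field
        printf '%s\n' "$clients" | tr ', \t' '\n\n\n' | while IFS= read -r c; do
            case "$c" in
                '') continue ;;
                *[!0-9./]*) echo "# skipped, not a literal IPv4 address or network: $c"; continue ;;
                *.) n=$(( $(printf '%s' "$c" | tr -cd . | wc -c) ))  # "192.0.2." style prefix
                    case "$n" in 1) c="${c}0.0.0/8" ;; 2) c="${c}0.0/16" ;; 3) c="${c}0/24" ;; *) continue ;; esac ;;
            esac
            echo "iptables -A INPUT -p tcp --dport $port -s $c -j ACCEPT"
        done
    done
    # Everything not whitelisted above is dropped.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

if [ "${1:-}" = run ]; then
    sshd_uses_libwrap || echo "sshd is not linked against libwrap: hosts.allow is ignored" >&2
    allow_to_iptables 22 < /etc/hosts.allow
fi
```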