Help with creating own DDNS

cgi2099

Cadet
Joined
Jul 3, 2019
Messages
4
I am in the planning/research part of making my home FreeNAS/Nextcloud NAS.

Reading through the forums and doing Google searches, to be able to access my Nextcloud remotely and from our phones I need a static IP through my ISP or through a DDNS service.

My question: Is there a way to set up/host my own DDNS in FreeNAS so I don't have to use a DDNS online service? Or is this not a good idea, and is there possibly a better alternative? A static IP through my ISP isn't an option due to the ridiculous monthly pricing :/

Here is my parts list for my NAS: NAS Build
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Is there a way to set up/host my own DDNS in FreeNas so I don't have to use a DDNS online service?
No, not really. But why would you want to?
 

cgi2099

Cadet
Joined
Jul 3, 2019
Messages
4
No, not really. But why would you want to?

I am trying to avoid any dependency on a service I don't have any control over and also to avoid another potential way for my data to be accessed or vulnerable.

I am very new to all of this, so if this is not the best way to do this could you provide me with the best method?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I am trying to avoid any dependency on a service I don't have any control over
That's simply not going to be practical*. Any usable DNS is going to be provided externally, so you're going to have a third-party dependency no matter what.

and also to avoid another potential way for my data to be accessed or vulnerable.
How do you think that using a third-party DDNS service would increase this risk in any way?

could you provide me with the best method?
There really isn't any "the best method"--there are several possibilities, each with its own pros and cons, but all of them are going to call for using some form of dynamic DNS service. Once that's set up, the most secure option would be to set up a VPN server (I prefer to run this on the router, but there are guides here for installing that in a jail if you need to). Then, when you need to connect to your Nextcloud installation with your phone, connect it to your VPN first. Pro: nothing touches your network without first being authenticated, and all traffic is encrypted. Con: More complicated both to set up and to use.

A second option would be to set up SSL on your Nextcloud installation (which is done automatically if you use my script), then forward ports 80 and 443 to that installation. Pro: Simpler both to set up and use. Con: Nextcloud itself is exposed to the world, and any vulnerabilities there (if any) can be exploited.

* Possible, sure. You could write your own dynamic DNS server, run it in a jail, and point NS records for the domain toward that jail. But I don't think that's a practical option.
 

cgi2099

Cadet
Joined
Jul 3, 2019
Messages
4
That's simply not going to be practical*. Any usable DNS is going to be provided externally, so you're going to have a third-party dependency no matter what.


How do you think that using a third-party DDNS service would increase this risk in any way?
-To be honest I just assumed since a third party was handling the DDNS it would be less secure than if I could do it myself, but I have zero knowledge on all this.

There really isn't any "the best method"--there are several possibilities, each with its own pros and cons, but all of them are going to call for using some form of dynamic DNS service. Once that's set up, the most secure option would be to set up a VPN server (I prefer to run this on the router, but there are guides here for installing that in a jail if you need to). Then, when you need to connect to your Nextcloud installation with your phone, connect it to your VPN first. Pro: nothing touches your network without first being authenticated, and all traffic is encrypted. Con: More complicated both to set up and to use.
-This would be my preferred method but I don't think I can go this route due to a couple of people connecting to the Nextcloud without any knowledge other than using the apps on their phones.

A second option would be to set up SSL on your Nextcloud installation (which is done automatically if you use my script), then forward ports 80 and 443 to that installation. Pro: Simpler both to set up and use. Con: Nextcloud itself is exposed to the world, and any vulnerabilities there (if any) can be exploited.
-I looked at your "Scripted installation of Nextcloud 16 in iocage jail" and this is pretty awesome and the route I am going with I think (thank you for putting this together for people like me BTW, very much appreciated). When you say exposed to the world do you mean if they get past our passwords, or could the data be accessed in a different way?

* Possible, sure. You could write your own dynamic DNS server, run it in a jail, and point NS records for the domain toward that jail. But I don't think that's a practical option.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
When you say exposed to the world do you mean if they get past our passwords, or could the data be accessed in a different way?
Certainly password compromise is a risk, but there's also the possibility that an attacker could exploit a vulnerability in Nextcloud, PHP, Caddy, or other relevant software. I don't know of any significant vulnerabilities in any of these, but it's a greater attack surface than the VPN solution.
 

cgi2099

Cadet
Joined
Jul 3, 2019
Messages
4
Certainly password compromise is a risk, but there's also the possibility that an attacker could exploit a vulnerability in Nextcloud, PHP, Caddy, or other relevant software. I don't know of any significant vulnerabilities in any of these, but it's a greater attack surface than the VPN solution.

Thank you for your help on all this, you are awesome!!!

Could you point me in the direction for troubleshooting FreeNas installation?

I tried to install last night but when I loaded the install media on a flash drive and booted to it, I kept getting a "Missing boot loader" message. I remade the install media with Rufus and Win32 multiple times. I thought maybe it was hardware related so I tried a different machine and got the same message.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
No, not really. But why would you want to?

Well, the better answer is "well, yes, of course you could, unfortunately everyone else has drunk the kool-aid and everybody uses these crappy not-actually-DDNS-just-appropriated-the-term-for-their-own-use crap services."

Actual Dynamic DNS, as outlined in RFC2136 and followups, allows a client device with knowledge of a TSIG key to publish a DNS record. This can be used on a local network (for example by DHCP/dhclient as an exit hook) to update DNS to reflect dynamically allocated IPs on the local net. It can also be used over the Internet to update a remote nameserver. This works swimmingly well and is how you would want to do this in a professional setting.

The problem is that you do need to have a fixed-IP DNS server somewhere out there. This *could* be a service provider, but the last I checked, I couldn't find any of them that supported this. They all seem to want you to log into a web server that then interfaces with their DNS backend.

I am trying to avoid any dependency on a service I don't have any control over and also to avoid another potential way for my data to be accessed or vulnerable.

Exactly.

How do you think that using a third-party DDNS service would increase this risk in any way?

Easy peasy.

The reasons you would want to self-manage this are similar to the reasons you want to run other services yourself ... big services, especially ones that are free, are a target for hostile actors, and if a bad guy can subvert the underpinnings, you become vulnerable.

For example, if I can social-engineer a "DDNS" service provider into allowing me access to the DDNS account, maybe by claiming I lost access to the email address, I can then take over where "danb35.crappydns.com" points to. What good is that? Well let's say that I know you've been talking up Bitcoin on the Bitcoin forums and have mentioned how you store your Bitcoin on your safe and highly secure FreeNAS box with encrypted disks and all that. So I point your DNS elsewhere, to a box at a datacenter where I set up a proxy for ":*" and analyze your traffic. I find that you put ssh on :5522 and are running web stuff with a LetsEncrypt certificate on :5543. A transparent proxy through to your original IP address leaves you none the wiser that I'm intercepting the traffic. Now, because I'm a smart intruder and I'm specifically targeting you, I next obtain a LetsEncrypt certificate for "danb35.crappydns.com" because I can do that as the new "owner" of your DNS label. Then I stick an SSL-peeking proxy into the data path that legitimately appears to be "danb35.crappydns.com". And I wait. Because you're unlikely to ever notice. Maybe I know a way to compromise NextCloud. Or maybe I just wait for you to log in to your NAS administration portal, which I've conveniently intercepted into a fake authentication portal. I can probably tease you into doing that by breaking something that you expect to work from remote. I have a pretty good chance of being able to find a way to tease a password out of you, without your realizing that there's an interception in the middle. And the instant you are "dumb enough" to log on with admin credentials, I'm going to be trying that via SSH, and then I'll be in your NAS.

This is how targeted attacks work. Are they common? Not really. But they happen.

I'm not dead set against outsourcing stuff. I run email for a lot of people, for free. Mail's a difficult problem for end users to solve. I've been running email since the '80s. It's a classic thing that is most practical when outsourced. But there's a LOT of fake phish out there, the "your email account is over quota" or the "your account needs to be verified" stuff. Occasionally I'll get a call from a user about these. The conversation is usually quite short, along the lines of "Why would I send you an email asking you to verify yourself? I have your phone number. You have mine." That's a level of service you can't get from Google or Yahoo, who operate at a massive scale with people they don't even know at all.

The less you find yourself married to a service provider, especially a free service provider, the less open you are to certain types of attacks.
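The RFC 2136 mechanism described above (a client that knows a TSIG key publishing an A record on a nameserver), as an added example that is not code from this thread or from FreeNAS: it builds the UPDATE message on the wire, signs it with HMAC-SHA256 TSIG per RFC 8945, and shows the check a receiving nameserver performs (MAC over the unsigned message plus the TSIG variables, and the time-signed/fudge window that limits replay). The zone `home.example.`, host `nas.home.example.`, key name `ddns-key.`, and the key bytes are all constructed for the demo; a real key is generated with `tsig-keygen` and the server's `update-policy` decides which names the key may change.

```python
import hashlib
import hmac
import socket
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
HMAC_SHA256 = "hmac-sha256."  # TSIG algorithm name (RFC 8945)

def encode_name(name):
    # Uncompressed, lower-cased wire form: "nas.home.example." -> \x03nas\x04home\x07example\x00
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, pos):
    # TSIG key name and algorithm name MUST NOT be compressed, so pointers are an error here.
    labels = []
    while True:
        length = buf[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not permitted in TSIG fields")
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", pos
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length

def skip_name(buf, pos):
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:  # other RRs may use compression; we only step over them
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, host, ipv4, ttl=60, msg_id=0x1234):
    # RFC 2136 UPDATE: zone section, then "delete every A at host" followed by "add host A ipv4".
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_old = rr(host, TYPE_A, CLASS_ANY, 0, b"")
    add_new = rr(host, TYPE_A, CLASS_IN, ttl, socket.inet_aton(ipv4))
    return header + zone_section + delete_old + add_new

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    # The "TSIG variables" appended to the message when computing the MAC (RFC 8945 section 4.3.3).
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign_update(message, key_name, secret, time_signed, fudge=300):
    # Client side: MAC over the unsigned message + TSIG variables, then append the TSIG RR and bump ARCOUNT.
    mac = hmac.new(secret, message + tsig_variables(key_name, HMAC_SHA256, time_signed, fudge),
                   hashlib.sha256).digest()
    original_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(HMAC_SHA256) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)

def verify_tsig(signed, secret, now):
    # Server side: find the trailing TSIG RR, recompute the MAC, and enforce the time window.
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    if ad == 0:
        return False
    pos = 12
    for _ in range(zo):
        pos = skip_name(signed, pos) + 4
    for _ in range(pr + up + ad - 1):
        pos = skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = decode_name(signed, pos)
    rtype, rclass, ttl, _rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    algorithm, pos = decode_name(signed, pos + 10)
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or ttl != 0 or algorithm != HMAC_SHA256:
        return False
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_size]
    pos += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    # Rebuild exactly what the client signed: original ID, original ARCOUNT, everything before the TSIG RR.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, algorithm, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge

if __name__ == "__main__":
    secret = bytes(range(32))  # constructed demo key; a real one comes from tsig-keygen and lives in named.conf
    msg = build_update("home.example.", "nas.home.example.", "203.0.113.7")
    signed = sign_update(msg, "ddns-key.", secret, int(time.time()))
    print(len(signed), "bytes; verifies:", verify_tsig(signed, secret, int(time.time())))
```

The bytes produced by `sign_update` are what `nsupdate -k` sends over UDP/TCP port 53; the receiving server does the same walk as `verify_tsig` before it lets the zone change, which is why a stolen key, not a hijacked web login, is the only thing that can move the record.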
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I next obtain a LetsEncrypt certificate for "danb35.crappydns.com" because I can do that as the new "owner" of your DNS label.
...at which point Certificate Transparency ensures that I'm going to know something's up.
I'm going to be trying that via SSH, and then I'll be in your NAS.
...assuming I allow password logins via SSH.

Arguing against "run your own DNS" for a home user is the RFC's requirement, or at least strong encouragement, to have multiple, geographically-diverse hosts. Possible? Sure, just rent VPS space somewhere else. Practical? Kind of doubt it for this use case.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Could you point me in the direction for troubleshooting FreeNas installation?
The "installation and upgrades" subforum would probably be the best place for a thread, detailing your hardware, what you've tried so far, and what exactly you're seeing. In terms of imaging applications for Windows, I've heard of issues with both the ones you mention; Etcher seems to do a good job for most.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
...at which point Certificate Transparency ensures that I'm going to know something's up.

Unlikely for the average user.

...assuming I allow password logins via SSH.

Likely for the average user. But also totally irrelevant, as you *will* allow password logins via SSH, because I will log in to your web console and make it so, if it isn't already. See, that's the suckage in this sort of attack.

Arguing against "run your own DNS" for a home user is the RFC's requirement, or at least strong encouragement, to have multiple, geographically-diverse hosts. Possible? Sure, just rent VPS space somewhere else. Practical? Kind of doubt it for this use case.

That was relevant in the '80s, less relevant in the '90s, and often pretty much ignored after that point. This coincides nicely with when such requirements stopped being enforced upstream -- basically when registrars started caring more about dollars than technical correctness.
 