Dynamic DNS

[jethro () DQC ORG (Jethro Tull)]

The following is taken directly from  RFC2136.
(http://www.isi.edu/in-notes/rfc2136.txt)

--
8.1. In the absence of [RFC2137] or equivalent technology, the
   protocol described by this document makes it possible for anyone who
   can reach an authoritative name server to alter the contents of any
   zones on that server.  This is a serious increase in vulnerability
   from the current technology.  Therefore it is very strongly
   recommended that the protocols described in this document not be used
   without [RFC2137] or other equivalently strong security measures,
   e.g. IPsec.

   8.2. A denial of service attack can be launched by flooding an update
   forwarder with TCP sessions containing updates that the primary
   master server will ultimately refuse due to permission problems.
   This arises due to the requirement that an update forwarder receiving
   a request via TCP use a synchronous TCP session for its forwarding
   operation.  The connection management mechanisms of [RFC1035 4.2.2]
   are sufficient to prevent large scale damage from such an attack, but
   not to prevent some queries from going unanswered during the attack.

--
All Dynamic DNS services that I know of are vulnerable .
I am not going to include code, but it is a trivial task to spoof a packet
(UDP or TCP) with RR data in the
format this RFC specifies.  In other words, anyone can manipulate RR
records by sending bogus data
because the only authentication is IP.

That is all I have to say about that.

jethro

"If I had of only known, I would have been a locksmith" - Albert Einstein