Access home network without dynamic DNS or static IP?

Maybe I’m missing something, but is there any reason an OpenWRT package couldn’t do the above?

Although someone could just use a free dynamic DNS service, the above seems like it would be more secure... in that the router would remain a moving target as well as comparatively less "visible".

Sorry, but this sounds like a misconception.
Roundabout schemes just lower your fault tolerance and offer no security benefits.
You should always act on the premise that the traffic over the internet is traceable.
There's no valid reason to discard DDNS as a well-tested and time-proven solution.

6 Likes

Hello, this has been implemented a long time ago and works fine, with the advantage of no TTL, thus reducing downtime.

Get a VPS, create a limited Linux user, create a script on your OpenWrt device to check for your IP change and upload a file containing the IP to your VPS (sshpass scp).
Have a script to ping devices on the various remote sites and execute reacquisition using scp, compare for an IP change, update the new IP in config files and send some mail for information on whether there is any IP change or not and whether the link is down or not.

This tweaking can go much further: with some file presets on each device you can also regenerate key pairs anytime you want with a predefined file uploaded on the VPS and have all the OpenWrt devices reacquire the pubkey to reinitiate connection to the various sites.
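The check-and-upload script from the post above, written out as an added example (not code from the thread or from OpenWrt). It assumes a hypothetical VPS `vps.example.net` with a limited user `ipdrop` that may only write `/home/ipdrop/ip.txt`, uses key-based ssh authentication with `BatchMode` instead of `sshpass`, and reads the current address from a file (`WAN_IP_SOURCE`) so the logic runs offline; on the router that function would query the WAN interface or an external IP-echo service instead. The one thing the example adds to the description is input validation: because the remote side copies this value straight into config files, only a well-formed dotted quad is ever cached or uploaded.

```shell
#!/bin/sh
# Added example, not from the thread. All host names, users and paths below
# are hypothetical and overridable through the environment.
VPS_USER="${VPS_USER:-ipdrop}"
VPS_HOST="${VPS_HOST:-vps.example.net}"
VPS_PATH="${VPS_PATH:-/home/ipdrop/ip.txt}"
CACHE="${CACHE:-/tmp/wan_ip.cache}"

# is_ipv4 ADDR: 0 only for a dotted quad of four octets 0-255 without
# leading zeros; anything else (including shell metacharacters) is rejected.
is_ipv4() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac          # no leading zeros (octal ambiguity)
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# current_wan_ip: where the public address comes from. Reading a file keeps
# the example offline (constructed input); on OpenWrt replace this with a
# query of the WAN interface or an external IP-echo service.
current_wan_ip() {
    cat "${WAN_IP_SOURCE:-/tmp/wan_ip.current}" 2>/dev/null
}

# ip_changed NEW_IP: compare with the cache. Returns 0 and updates the cache
# when the address changed, 1 when unchanged, 2 when the input is malformed.
ip_changed() {
    new="$1"
    is_ipv4 "$new" || { echo "refusing malformed address: '$new'" >&2; return 2; }
    old=""
    [ -r "$CACHE" ] && old=$(cat "$CACHE")
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$CACHE"
    return 0
}

# publish_ip: push the cached address to the VPS. BatchMode makes scp fail
# instead of prompting, so a missing key never hangs the cron job.
publish_ip() {
    scp -q -o BatchMode=yes "$CACHE" "$VPS_USER@$VPS_HOST:$VPS_PATH"
}

main() {
    ip=$(current_wan_ip) || exit 1
    if ip_changed "$ip"; then
        publish_ip && logger -t wanip "published new address $ip"
    fi
}

# Invoke as `sh wanip.sh run` from cron; sourcing the file only defines functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The remote-site script is the mirror image: fetch `ip.txt` with the same kind of restricted key, run it through the same `is_ipv4` check, and only then rewrite the peer address in the tunnel config and reload.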

Wasn’t suggesting for DDNS to be discarded, just that for this particular use case it may not be entirely necessary to actively give a third party (one that most wouldn’t otherwise use) constant updates on the IP address of one's home router (whilst indicating that said router is probably port forwarding?). This would seem to increase the likelihood that one's router is targeted in the first place.

The whole IPv4 address space is being scanned continuously, there is no advantage in not using DDNS.

5 Likes

A DDNS service ties those IP addresses to a particular e-mail address and router, whilst indicating probable port forwarding. Though some of the same could be said of Google or Dropbox, to many people those are essential and would be used either way... Also not sure many free DDNS services have comparable robustness.

I'm not sure it does any of those things. It ties a domain name to an IP address, but (to a third party) it doesn't disclose any email or router details. Nor does it indicate port forwarding and, even if it did, it doesn't indicate what ports might be forwarded.

Anything with a public IP address is going to get scanned just by virtue of being connected to the internet. Having a domain name pointed at the IP address doesn't make this any more likely.

I'm not entirely sure what you mean by robustness here. Are you talking security? Uptime? Something else?

Anyway, I'm pretty sure the most popular DDNS services are on par with the likes of google and dropbox for security and uptime. I've certainly had no concerns while using cloudflare for my DDNS.

4 Likes

I’m not suggesting they would necessarily do that on purpose, just that Murphy's law may apply if the data is there/collected.

Many people use a DDNS service in combination with port forwarding, so would assume concentration would be higher among DDNS users.

In regards to robustness, with respect to most free DDNS services probably yes, all of the above security/uptime... for instance I think it was Google’s Project Zero that helped discover Cloudbleed, Heartbleed, Meltdown and Spectre etc.

Wasn’t aware of Cloudflare’s free DDNS service, will have to look into it.

Concentration would be higher than what? Users with static DNS? Users with no DNS? Also, I don't think people trying to find exploitable devices are trawling through DDNS records to find suitable targets. They'll just scan the address space and see what they find. The DNS record is irrelevant.

4 Likes

Concentration versus trying to find addresses in the address space to exploit, but you may be right. Either way, I generally prefer not making/managing another account and needing to trust another service, not really knowing how it may be exploited (even if that only means my email leaks or something)... particularly if there were an alternative.

Doable, but not necessarily more secure.
Following all the discussion, both ways of linking the remote devices have their advantages and disadvantages.

Disad. Private VOIP communication downtime is an issue with DDNS compared to your illustration, where it can be reduced.
Adv. DDNS services are cheaply to freely available.

The list is long; to cut it short, just evaluate your needs, plan and do accordingly.

With WireGuard you don't need to have port forwarding.

2 Likes

Cloud providers are not as reliable as you may think.

3 Likes

Fewer services, smaller attack surface (e.g. Google account vs Google account + DDNS account).

Seems like reason enough.

Fair point but would also be true of the “package” illustrated.

Fair point but seems like there would be a lot of reliable places to put a chunk of encrypted text.

Positives vs DDNS

  • No outages because someone decided to stage a malware campaign via your DDNS service.
  • Potential benefits for people who use services like VOIP.
  • Fewer accounts to manage and to target.

I have done something similar with Pastebin, Dropbox and Google Drive. They all give you a dynamic link and you will need a static URL resolver. Maybe you can use DDNS but obfuscate the octet.

  • Potential to route IP checks & updates through Tor.

@someeeguy, welcome to the community!

You can make a Tor service.

(there's a similar thread like this somewhere) - Tor acting like DynDNS replacement

1 Like

You overestimate illusory benefits and underestimate possible issues.
Nobody prevents you from using more than one DDNS service at the same time.
Meanwhile, cloud providers can change the API, restrict external access or block the account.

1 Like

It is in any case a lot of fun to build something like this.

May be worth ALSO playing with DDNS. I have quite enjoyed https://www.duckdns.org/why.jsp. Super simple to use, with just a single line in a regular cron job.

1 Like