How dangerous can a dynamic DNS provider be?

I have a small computer at home which I want to use as a home server with YunoHost. Since the machine is at home it will have a dynamic IP, so I need to set up dynamic DNS for it. As far as I understand the YunoHost documentation I need to sign up with a DDNS provider, then point my existing domain to the IP of the provider’s servers, then set up my server to periodically inform the DDNS provider about its current IP.

This got me thinking: could the DDNS provider lie to the public? Let’s say I’m at my laptop and I execute ssh johndoe@mydomain.com. My laptop connects to the internet and needs to look up the IP behind mydomain.com. The name resolves to the IP of the DDNS provider. However, the provider, instead of just forwarding the request to my server, intercepts it and then forwards it. Basically a man-in-the-middle attack. When my server confirms the credentials and reports back, the attacker will know that whatever I just entered is my valid credentials and will thus have access to the server.

Is this a realistic attack scenario or am I mistaken about how DDNS works? If it’s the former, would it be possible to host my own DDNS server? I already have a VPS with YunoHost running at a stable IP, so I could use that as the VPS provider for my home server. If I were to use one of the automatic domains provided by YunoHost (e.g. nohost.me) would I still need to set up a DDNS provider or would that get taken care of automatically?

It’s a realistic scenario.

However, YunoHost relies on HTTPS (where the remote side needs to know the private key for the certificate advertised for the domain) and SSH (where you assert the identity of the remote side the first time you connect, and whenever that changes you get notified).

No user credentials are transmitted plaintext over the wire at any point.

So, even if an evil DDNS (one can argue you should use reputable providers, but that’s beside the point) redirects your traffic to a malicious third party, you should get immediately warned that the party is forging requests or at least differs from the last time you’ve contacted them.

I think you read this doc page. It’s not exhaustive…

You have several solutions to deal with dynamic IP.

(intermediate) External Dynamic DNS provider

Note that the dynamic DNS provider doesn’t receive the packets sent to your server.

The tutorial just explains that you should use the NS servers of the Dynamic DNS provider in order to delegate DNS zone management.

domain.tld. NS IP_DYNAMIC_DNS_PROVIDER_1
domain.tld. NS IP_DYNAMIC_DNS_PROVIDER_2

So the Dynamic DNS provider manages your DNS zone, and reassigns your new IP to the A and AAAA DNS records.

domain.tld. A YOUR_DYNAMIC_IPv4
domain.tld. AAAA YOUR_DYNAMIC_IPv6

(easy) Use Yunohost services as Dynamic DNS provider (nohost.me)

If you have a dynamic IP, you can also use a nohost.me domain.

If you want to use your own domain.tld, you can configure a CNAME or DNAME record on a subdomain of your domain.tld. However, this tip only works for a subdomain and not for the top domain (it is not possible to configure a CNAME on the top domain; it’s a DNS limitation).

ynh.domain.tld. CNAME domain.nohost.me.

(intermediate) Use dynamic DNS client provided by your registrar

Some registrars provide a dynamic DNS client.
Example: Setting up a dynamic DNS with OVH – Sylvain Durand

(expert) Use DNS registrar API with yunohost builtin feature

Some registrars can be bound to yunohost, and yunohost can update the IP directly through the API. You just need to add a cron job manually to run it automatically.

(easy) Use a VPN with stable public IP

You can buy a VPN to get a public IP on your server: VPN providers | Yunohost

(expert) Use a VPN to access your server privately (and everywhere)

Some people just need to be able to access their server from their own equipment and don’t need to expose the server on the Big Internet.

If you can install what you want on the client device, you can look around at ZeroTier, maybe HeadScale… @tituspijean might have written a tutorial on this topic somewhere.


I understand that. In my attack scenario the DNS provider advertises (if that’s the right word) his own server IP to receive the packet, then repackages them again to send them to my server.

The best analogy I can come up with is a malicious drop-shipping service. Let’s say I set up a drop-shipping service where you place an order on my service, then I forward that order and your address to the actual seller. In that case I never receive your package, I just get you into contact with the seller. However, I could instead place an order with the seller for your item, but specify my own home address. Then I receive your package, open it up, do something evil, repackage the item and send it out to your home address.

My understanding is that HTTPS ensures end-to-end encryption between the sender and the recipient. However, in my attack scenario the recipient gets swapped out because the DNS provider is lying about what the IP behind example.com actually is. It would be like a fake phone book that replaced the phone number of Bob with the one of Alice. It does not matter that the communication is encrypted if I end up dialing Alice’s number instead. All that happens is that no other 3rd party can spy on the call.

Yes, it can happen. You need to trust the registrar or the DDNS provider.

However, regarding SSH, it only works if it’s the first time you connect to your server AND if you don’t check the fingerprint (displayed on the screen of your home server).

If you have already connected OR if you check the fingerprint, the SSH connection should be secure.

However, with HTTPS, it’s another story, because it could be possible to regenerate an X.509 certificate to decrypt the traffic in the middle…

Note: it could be solved by the use of DNSSEC, but I don’t know if a DDNS provider offers this feature (and browsers don’t check it by default, but I think X.509 CAs do).
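As an added example (not from the original thread), here is a small Python check for the fingerprint step described above: it computes the OpenSSH-style SHA256 fingerprint of a host key line as printed by ssh-keyscan or stored in known_hosts, and compares it with the fingerprint you noted from the server's own console (e.g. the output of ssh-keygen -lf on the host key). The host key below is constructed filler, not a real server key; mydomain.com is a placeholder hostname.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(pubkey_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    blob = base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_key_line(line: str):
    """Parse one 'host keytype base64key' line (ssh-keyscan output / known_hosts)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a host key line: %r" % line)
    host, keytype, key_b64 = fields[0], fields[1], fields[2]
    return host, keytype, key_b64


def host_key_matches(keyscan_line: str, expected_fingerprint: str) -> bool:
    """True only if the key on the wire has the fingerprint read off the server console.

    A mismatch on first contact means you are not talking to the server you think you
    are (for example because the name resolved to a hijacked address), so abort.
    """
    _, _, key_b64 = parse_host_key_line(keyscan_line)
    return ssh_fingerprint(key_b64) == expected_fingerprint


def build_sample_key_line(host: str, seed: bytes = b"constructed") -> str:
    """Constructed ssh-ed25519 host key line in OpenSSH wire format (NOT a real key).

    Wire format: uint32 len + "ssh-ed25519", uint32 32 + 32 bytes of key material.
    The 32 bytes here are just a hash of `seed` used as filler.
    """
    keytype = b"ssh-ed25519"
    material = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(material)) + material
    return "%s %s %s" % (host, keytype.decode(), base64.b64encode(blob).decode())


if __name__ == "__main__":
    line = build_sample_key_line("mydomain.com")      # what ssh-keyscan would print
    console_fp = ssh_fingerprint(line.split()[2])     # what you wrote down at the server
    print(line)
    print(console_fp, "match:", host_key_matches(line, console_fp))
```

In practice you would feed the real `ssh-keyscan -t ed25519 mydomain.com` line and the fingerprint shown by `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the home server; on a match, append the line to ~/.ssh/known_hosts so later changes are flagged by ssh itself.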

Nice question — short answer: yes, a malicious or compromised DDNS/registrar can be dangerous, but there are multiple practical, effective mitigations you can use so that the risk is small for normal use.

Thank you all for the responses. I have decided to go with a YunoHost domain since I have to trust YunoHost anyway. If they want to do something evil they can compromise the server directly instead of jumping through hoops. Maybe I’ll be able to find a way to host my own dynamic DNS provider on a VPS later down the road.
