DNS-o-Matic (and OpenDNS) update-only key/password

Comments

6 comments

  • rotblitz

    This is a good idea.  I have voted for it.

    What you can do for the time being:

    You open a second DNS-O-Matic account with different credentials.  These can then be used only for this account and the related updates, and not also for e.g. your other OpenDNS account.  However, you cannot update OpenDNS through this account, but you can update any other services you may have defined, without allowing access to any of these services.

  • mboissonneault (Edited)

    Good idea! It lowers the risk, but it's still a risk. Since I use one account to update multiple networks under my control, one bad update trashes it for multiple networks. I will create one DNS-o-Matic account per network to prevent that.

    I don't mind having a single OpenDNS account, but with an update key. DNS-o-Matic uses the account username and password in its update string; no mitigation is possible, my password is still broadcast over the Internet and I don't like that!

    OR: forcing 2FA for account management?

    Edit: Mitigation not possible, DNS-o-Matic uses the account username and password in its update string.

  • rotblitz

    "DNS-o-Matic uses the account username and password in its update string"

    Interesting. How did you find out?  You had to "sniff" between DNS-O-Matic and one of your DDNS services...

  • mboissonneault

    It's in the API: https://www.dnsomatic.com/wiki/api

    As cited in the documentation: https://username:password@updates.dnsomatic.com/nic/update?hostname=yourhostname&myip=ipaddress&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG

    Technically, it's not in the update string itself, but since the HTTP request is authenticated with the account info, I fear a replay attack. It's transmitted unencrypted (HTTP) but I'm not certain if some kind of challenge-response is used over plain HTTP.

    As far as I know, it's always been said NOT to send your password over unencrypted links like HTTP. I assume that my account info is then sent in the clear, which is VERY BAD.
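To make the point in the comment above concrete, here is an added example (not code from the thread, from OpenDNS or from DNS-O-Matic) that renders the HTTP request an ordinary client builds for an update URL of the shape quoted from the API docs, without sending anything. The account name, password, hostname and IP address are made-up values; the header layout is standard HTTP Basic authentication, which is what a `user:password@host` URL turns into. The example shows that the credentials are only base64-encoded, so a capture of a plain-HTTP request yields the password, and that nothing in the header is bound to a single request, which is why a captured request could be replayed; it also shows the check a client should make before sending credentials at all.

```python
"""Added example: what a DNS-O-Matic style update URL with embedded
credentials puts on the wire. All values below are constructed for the
example; nothing is transmitted."""
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample, same shape as the update URL quoted from the API docs.
UPDATE_URL = ("https://dnsomatic-user:s3cret-Passw0rd@updates.dnsomatic.com/nic/update"
              "?hostname=home.example.net&myip=203.0.113.7"
              "&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG")


def build_request(url: str, require_tls: bool = True) -> bytes:
    """Render the HTTP/1.1 request a client sends for `url`.

    Credentials in the userinfo part of the URL become an
    `Authorization: Basic <base64(user:password)>` header. Base64 is an
    encoding, not encryption: whoever sees the request sees the password.
    With require_tls=True the function refuses to build a request that would
    carry the credentials over plain HTTP.
    """
    parts = urlsplit(url)
    if require_tls and parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over {parts.scheme}")
    if not parts.username or parts.password is None:
        raise ValueError("update URL carries no credentials")
    token = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    lines = [
        f"GET {target} HTTP/1.1",
        f"Host: {parts.hostname}",
        f"Authorization: Basic {token}",
        "User-Agent: example-updater/0.1",  # hypothetical client name
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def credentials_from_capture(raw_request: bytes) -> tuple[str, str]:
    """What an observer of a plaintext (HTTP) request can recover.

    A Basic header carries no nonce or timestamp, so the same header can
    also be replayed verbatim to issue further updates.
    """
    for line in raw_request.decode().split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            decoded = base64.b64decode(line.split(" ", 2)[2]).decode()
            user, _, password = decoded.partition(":")
            return user, password
    raise ValueError("no Basic credentials in request")


def update_fields(url: str) -> dict[str, str]:
    """The update parameters themselves: with a stolen credential these
    (hostname and myip above all) are what an attacker gets to change."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    wire = build_request(UPDATE_URL)
    print(wire.decode())
    print("recovered from capture:", credentials_from_capture(wire))
    print("update fields:", update_fields(UPDATE_URL))
    try:
        build_request(UPDATE_URL.replace("https://", "http://", 1))
    except ValueError as exc:
        print("blocked:", exc)
```

Over HTTPS the header is inside the TLS session, so the capture step fails; the point the thread makes still stands, because the device holding the URL still holds the full account password rather than an update-only key.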


  • rotblitz

    The API is for traffic between you and DNS-O-Matic which can be HTTPS.  I thought you meant the traffic between DNS-O-Matic and your DDNS services.

  • mboissonneault

    Even as HTTPS, it means putting my account info in every device requesting an update. With routers getting hacked, credentials can get stolen... Loss of account, denial of service it becomes... The weakest link is the account info in the update link to DNS-o-Matic.

    Once the update request has been received by DNS-o-Matic, the updates to every other service can be over HTTPS. Update keys are preferred of course, but if over HTTPS, the link is safe and no info leaks in the update process.

    • If one provider does not support HTTPS but uses update keys, it's ok.
    • If one provider does not support HTTPS nor update keys, push them to do so. (Bad for them only)
    • If DNS-o-Matic does not support update keys, and the connection over HTTPS is impossible (router), ALL providers suffer. (BAD for ALL providers)

    Of course, HTTPS must be used if available, HTTP should be deprecated :-p

