DDNS Via VPS For Home Servers

Let’s simplify and rewrite the DDNS setup guide from scratch, focusing on clear steps to set up DDNS with SSH key-based security.

---

Setting Up DDNS with a VPS and Home Server

Prerequisites

1. Home Server: A server at home with a changing IP.
2. VPS: A remote server with a static IP, used to manage DNS.
3. Domain Name: A registered domain name that you can configure DNS records for.
4. DDNS Client: A tool like ddclient installed on your home server.

Overview

Dynamic DNS (DDNS) allows you to associate your changing home IP address with a static domain name. We’ll set up a secure connection between your home server and your VPS to update DNS records automatically.

Step 1: Set Up SSH Key Authentication

To securely connect from your home server to your VPS, you’ll use SSH key-based authentication.

1.1 Generate SSH Keys on the Home Server

1. Open the terminal on your home server and run:

   ssh-keygen -t rsa -b 4096 -C "[email protected]"

2. Press Enter to use the default location (~/.ssh/id_rsa) and set a passphrase (optional).

1.2 Copy SSH Key to the VPS

1. Use the following command to transfer your public key to the VPS:

   ssh-copy-id user@your-vps-ip

   • Replace user with your VPS username and your-vps-ip with the static IP of your VPS.
2. You’ll be prompted for the VPS password once. After this, SSH key-based authentication will be set up.

1.3 Test SSH Key Authentication

To verify SSH key access, try connecting to the VPS:

ssh user@your-vps-ip

You should connect without being prompted for a password.

Step 2: Set Up Bind9 DNS on the VPS

The VPS will manage DNS updates for your domain.

2.1 Install Bind9 on the VPS

1. Log in to the VPS and install Bind9:

   sudo apt update
   sudo apt install bind9

2.2 Configure DNS Zone

1. Edit the DNS configuration file:

   sudo nano /etc/bind/named.conf.local

2. Add a zone configuration for your domain:

   zone "yourdomain.com" {
       type master;
       file "/etc/bind/zones/db.yourdomain.com";
   };
   

2.3 Create DNS Zone File

1. Create a directory for DNS zones if it doesn’t exist:

   sudo mkdir -p /etc/bind/zones

2. Create the zone file:

   sudo nano /etc/bind/zones/db.yourdomain.com

3. Add the following DNS configuration:

   $TTL 86400
   @   IN  SOA ns1.yourdomain.com. admin.yourdomain.com. (
           2023101001 ; Serial
           3600       ; Refresh
           1800       ; Retry
           1209600    ; Expire
           86400 )    ; Minimum TTL
       
   @       IN  NS  ns1.yourdomain.com.
   ns1     IN  A   <your-vps-static-ip>
   home    IN  A   <dynamic-ip-placeholder>
   

2.4 Restart Bind9

Restart the DNS service:

sudo systemctl restart bind9

Step 3: Install DDNS Client on the Home Server

3.1 Install ddclient

1. On the home server, install ddclient:

   sudo apt update
   sudo apt install ddclient

3.2 Configure ddclient

1. Edit the configuration file:

   sudo nano /etc/ddclient.conf

2. Add the following configuration:

   protocol=dyndns2
   use=web, web=checkip.dyndns.org, web-skip='IP Address'
   server=your-vps-ip
   login=user
   password=none
   yourdomain.com
   

3.3 Test and Enable ddclient

1. Test the configuration:

   sudo ddclient -daemon=0 -debug -verbose -noquiet

2. If it works, enable and start ddclient:

   sudo systemctl enable ddclient
   sudo systemctl start ddclient

Step 4: Create a Secure DDNS Update Script

Create a script to update the DNS record securely over SSH.

4.1 Create the Update Script

1. On the home server, create a script:

   nano /home/user/update-ddns.sh

2. Add the following content:

   #!/bin/bash
    
   # Fetch the current IP address
   IP=$(curl -s http://checkip.amazonaws.com)
    
   # Update the DNS record securely over SSH
   ssh user@your-vps-ip "nsupdate << EOF
   server localhost
   zone yourdomain.com
   update delete home.yourdomain.com A
   update add home.yourdomain.com 300 A $IP
   send
   EOF"

3. Save and make the script executable:

   chmod +x /home/user/update-ddns.sh

4.2 Set Up a Cron Job

1. Open the crontab editor:

   crontab -e

2. Add the following line to update the IP every 5 minutes:

   */5 * * * * /home/user/update-ddns.sh

Step 5: Verify DDNS Functionality

1. Check DNS Update: Use dig or nslookup to verify the DNS record:

   dig home.yourdomain.com

2. Test Access: Try accessing the home server via home.yourdomain.com to confirm it resolves to the current IP.

---

This setup ensures your home server remains accessible with a dynamically updated DNS record and secure communication using SSH. Let me know if you need any further help!

Here’s a complete, well-organized Markdown note summarizing everything we’ve discussed in this chat:

---

Setting Up DDNS, Port Forwarding, and Security for Home Server Access

Table of Contents

1. Overview
2. Self-Hosted DDNS Setup with Cloudflare
3. Port Forwarding on Home Router
4. Allowing ICMP (Ping) Traffic with UFW
5. Security Risks of Open Ports
6. Corporate Security Practices

Overview

You wanted to securely access your home server, which has a dynamic IPv6 address, from the internet. We set up a self-hosted Dynamic DNS (DDNS) using Cloudflare and configured port forwarding on your home router. We also addressed security risks related to opening ports and examined how large corporations tackle these challenges.

Self-Hosted DDNS Setup with Cloudflare

Prerequisites

• Cloudflare Account: API access required.
• API Token: Create a scoped token with Zone: DNS: Edit permissions or use the Global API Key.
• Home Server: Linux-based, with a changing IPv6 address.

1. Create Cloudflare API Token

• Log into Cloudflare Dashboard > My Profile > API Tokens > Create Token.
• Use the Edit Zone DNS template and assign permissions to the specific zone.
• Copy the API token.

2. Set Up DDNS Updater Script on Home Server

• Install curl on your home server:

  sudo apt update
  sudo apt install curl

• Create and edit a script to update the DNS record:

  nano ~/ddns-update-cloudflare.sh

• Example script:

  #!/bin/bash
   
  DOMAIN="example.com"
  SUBDOMAIN="home"
  ZONE_ID="your_zone_id"
  AUTH_EMAIL="[email protected]"
  GLOBAL_API_KEY="your_global_api_key"
   
  # Get current IPv6
  IPV6=$(curl -6 -s https://ifconfig.co)
   
  # Check if the DNS record exists
  RECORD_RESPONSE=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=AAAA&name=$SUBDOMAIN.$DOMAIN" \
    -H "X-Auth-Email: $AUTH_EMAIL" \
    -H "X-Auth-Key: $GLOBAL_API_KEY" \
    -H "Content-Type: application/json")
   
  RECORD_ID=$(echo $RECORD_RESPONSE | jq -r '.result[0].id')
   
  if [[ $RECORD_ID != "null" ]]; then
    # Delete the existing record if it exists
    curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
      -H "X-Auth-Email: $AUTH_EMAIL" \
      -H "X-Auth-Key: $GLOBAL_API_KEY" \
      -H "Content-Type: application/json"
  fi
   
  # Create a new DNS record
  curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
    -H "X-Auth-Email: $AUTH_EMAIL" \
    -H "X-Auth-Key: $GLOBAL_API_KEY" \
    -H "Content-Type: application/json" \
    --data "{\"type\":\"AAAA\",\"name\":\"$SUBDOMAIN.$DOMAIN\",\"content\":\"$IPV6\",\"ttl\":120,\"proxied\":false}"

• Make the script executable:

  chmod +x ~/ddns-update-cloudflare.sh

3. Add Cron Job for Periodic Updates

• Edit crontab:

  crontab -e

• Add the following line to update the DNS record every 5 minutes:

  */5 * * * * /bin/bash ~/ddns-update-cloudflare.sh > /dev/null 2>&1

Port Forwarding on Home Router

Required Ports to Forward

External Port	Internal Port	Protocol	Description
22	22	TCP	SSH Access
137	137	UDP	Samba NetBIOS
138	138	UDP	Samba NetBIOS
139	139	TCP	Samba SMB/CIFS
445	445	TCP	Samba SMB/CIFS

• Configure port forwarding based on your router’s settings. Forward the above ports from your public IP to the internal IP of your home server.

Identify WAN Interface for NAT

• Common WAN interfaces: DHCP, PPPoE, Static IP, LTE (e.g., eth0, ppp0, lte0).
• Use the active WAN interface for setting up NAT and port forwarding.

Allowing ICMP (Ping) Traffic with UFW

Edit UFW Before Rules

1. Open the UFW before rules file:

   sudo nano /etc/ufw/before.rules

2. Add the following lines:

   # Allow ICMP (ping)
   -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
   -A ufw-before-output -p icmp --icmp-type echo-reply -j ACCEPT

3. Reload UFW:

   sudo ufw reload

Security Risks of Open Ports

Main Risks

1. Unauthorized Access
   • Mitigation: Use SSH keys, MFA, and IP restrictions.
2. Exploitation of Vulnerabilities
   • Mitigation: Regular updates and vulnerability management.
3. DDoS Attacks
   • Mitigation: Rate limiting, firewall rules, and DDoS protection.
4. Data Interception
   • Mitigation: Encrypt traffic with TLS/SSL and use VPNs.
5. Reconnaissance (Port Scanning)
   • Mitigation: Implement IDS/IPS and honeypots.
6. Malware Deployment
   • Mitigation: Use endpoint security solutions and restrict file permissions.

Corporate Security Practices

Key Measures Used by Corporations

1. Next-Generation Firewalls (NGFWs) and IDPS
2. Zero Trust Architecture (ZTA) and Micro-Segmentation
3. VPNs and SSL/TLS Tunnels for Secure Access
4. Network Access Control (NAC) and Endpoint Security
5. Regular Penetration Testing and Red Teaming
6. Security Information and Event Management (SIEM)
7. Cloud-Based Security Solutions (e.g., WAF, DDoS Protection)
8. Deception Technology (Honeypots and Deceptive Ports)

Summary

This note captures all the steps and strategies we discussed, from setting up DDNS and port forwarding to managing security risks and implementing corporate-level security practices. By following these measures, you can securely access your home server from the internet while minimizing exposure.

---

Feel free to copy, save, or modify this Markdown note as needed! Let me know if anything needs to be added or adjusted.