Dynamic DNS: Bridging The Gap Between Dynamic & Static IP Address Environments

IP Addresses and the Domain Name System (DNS) are two core elements of Internet infrastructure that have been working together for a long time – the DNS typically being referred to as the “telephone book of the Internet” – to map human readable domain names to IP addresses.

As core building blocks, these technologies can be leveraged together to create interesting solutions to common networking problems. A recent trend is to use commodity Internet access purchased from local Internet Service Providers (ISPs), plus a Virtual Private Network (VPN), to create a secure channel for information to flow between enterprise locations.

This technique is used by many enterprises to create a cost-friendly alternative to traditional and expensive frame relay, ATM, point-to-point T-1 or MPLS services.

The Problems

Dyn - DNS VPN - Tom Daly

IP address allocation planning and utilization is a common area of concern within enterprises choosing to deploy a VPN on top of commodity Internet access, such as Digital Subscriber Line (DSL), cable modem, or fiber-to-the-premises services.

Nearly all ISPs today default to providing subscribers with dynamically assigned WAN IP addresses, with fewer ISPs offering static WAN IP addresses as an option.

In some cases, when static WAN IP addresses are available, there is a charge associated with their utilization (recent market rates command up to $14.95 per month for a single static WAN IP address).

ISPs must constantly evolve their network architecture and related capacity, and this drives them to assign dynamic IP addresses to their subscribers.

Additionally, the current exhaustion of IPv4 space requires ISPs to be far more conservative in their IP subnetting plans than they have in the past.

This leads to more renumbering and reallocation events than ever before, which also contributes to the desire to deploy a dynamically addressed environment. This is typically accomplished by running Dynamic Host Configuration Protocol (DHCP) in the ISP environment.

For enterprises deploying a secure VPN on top of commodity Internet connections, DHCP-assigned WAN IP addresses can create a unique challenge for IT administrators.

First, it is nearly impossible to deploy a VPN hub using DHCP-assigned addresses, because remote VPN devices need to know where to connect to establish their secure tunnels. This is typically addressed by deploying static WAN IP addresses at the VPN hub location, usually the enterprise headquarters or the enterprise data center.

Second, when VPN connections fail in a DHCP-assigned environment, administrators are typically left without a mechanism to remotely troubleshoot, diagnose, and rectify the connection problem, leading to expensive on-site service calls.

The Solution

Dyn’s DynECT Managed DNS is uniquely positioned to assist enterprises in bridging the gap between dynamic and static IP address environments by tying in domain names and the DNS to the environment. For the VPN hub, Dyn’s support for Dynamic DNS, a protocol extension to the DNS, allows for the remote updating and re-mapping of DNS hostnames as dynamic IP addresses change, nearly in real time.

This capability creates an abstraction layer between the WAN IP address assigned to a device and the fully qualified domain name (FQDN) of the device itself.

Dyn - VPN Gateway

Rather than establishing VPN connections via IP address, connections are made to device FQDNs, enabling the network to reconfigure itself via DHCP as needed while maintaining a stable mapping via DNS to the hardware device.

For the remote VPN device, Dynamic DNS also assists in the remote administration and troubleshooting of that device. By assigning FQDNs to remote devices, administrators can simply connect to an FQDN to access that device, knowing that any change to the WAN IP address of the device will be reflected in the DNS in nearly real time.

To support Dynamic DNS, devices simply need to support the industry standard DynDNS update protocol, developed and supported by Dyn since 1998. This HTTP-based update protocol provides a simple way to inform our network of globally deployed DNS servers of an IP address change.

Secure account provisioning for each remote device ensures that no weaknesses are exposed in managing the network. Devices may be provided individual credentials, or shared credentials may be installed across multiple devices for ease of deployment. Upon detecting a WAN IP address change, devices use the Dynamic DNS update protocol to quickly inform Dyn’s DNS servers of the change, causing the related FQDN to be updated.
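As an added illustration of the update flow just described (example code written for this page, not Dyn's client): a minimal dyndns2-style updater that sends an HTTPS update only when the WAN address actually changes, and stops after a fatal reply such as bad credentials. The endpoint host, the /nic/update path, the hostname/myip parameters, the one-word reply codes and the credentials are assumptions based on the widely implemented dyndns2 protocol, not details taken from this page.

```python
import base64
import urllib.parse
import urllib.request

UPDATE_HOST = "members.example-dyndns.invalid"   # placeholder, not Dyn's real endpoint
# One-word reply codes as commonly documented for dyndns2-style services (assumed).
RETRYABLE = {"911"}                                       # transient server error
FATAL = {"badauth", "notfqdn", "nohost", "abuse", "badagent", "dnserr"}

def build_update_request(hostname, new_ip, username, password):
    """Build the HTTPS GET carrying the new address; TLS keeps the Basic
    credentials from travelling in clear text."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": new_ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{UPDATE_HOST}/nic/update?{query}",
        headers={"Authorization": f"Basic {token}",
                 # update services usually reject clients with no identifying UA
                 "User-Agent": "example-vpn-gateway/1.0 netops@example.invalid"})

def parse_update_reply(body):
    """Map the one-line reply to (status, ip_or_None)."""
    parts = body.strip().split()
    if not parts:
        return ("error", None)
    if parts[0] in ("good", "nochg"):
        return (parts[0], parts[1] if len(parts) > 1 else None)
    if parts[0] in FATAL:
        return ("fatal:" + parts[0], None)
    return ("retry", None) if parts[0] in RETRYABLE else ("error", None)

class Updater:
    """Sends an update only when the WAN address changed: identical repeated
    updates are rate-limited or flagged as abuse by the service."""
    def __init__(self, hostname, username, password, send):
        self.hostname, self.username, self.password = hostname, username, password
        self.send = send          # callable(Request) -> reply body; injectable for tests
        self.last_ip, self.disabled = None, False

    def observe(self, current_ip):
        if self.disabled or current_ip == self.last_ip:
            return "skipped"
        req = build_update_request(self.hostname, current_ip, self.username, self.password)
        status, ip = parse_update_reply(self.send(req))
        if status in ("good", "nochg"):
            self.last_ip = ip or current_ip
        elif status.startswith("fatal"):
            self.disabled = True  # stop until an operator fixes credentials/hostname
        return status
```

In production `send` would be `lambda req: urllib.request.urlopen(req).read().decode()`; per-device credentials, as the text allows, keep a leaked credential from re-mapping every other site's hostname.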

From a security perspective, customers can rest assured that the same level of security is delivered by the VPN solution, and that by using Dynamic DNS, no additional threat vectors are exposed for customers. A minimal trade-off is that upon a WAN IP address change, a remote VPN gateway may become disconnected and may need to wait up to 60 seconds before reconnecting to the VPN network.

Competitive Comparison: Static IP Addresses vs. Dynamic DNS

|  | Static WAN IP Address | DHCP WAN IP w/Dynamic DNS |
| --- | --- | --- |
| Deployment mode | Limited support; varies by ISP | Universally supported regardless of ISP |
| Network visibility | Limited to IP address inventory | Fully qualified domain names assigned to each remote device |
| Remote troubleshooting and administration | Requires knowledge of per-site addressing; inventory / documentation | Simple to remember, up-to-date hostnames assigned to each device |
| Cost | Variable; cost per static IP address per location | Fixed; cost of DynECT Managed DNS services |


How do I modify my hosts file?

Modifying your hosts file will allow you to override the DNS for a domain, on that particular machine. This can be used to test your site without the test link, prior to going live with SSL, verify an alias site works prior to DNS changes, or for other DNS related reasons. This causes your local machine only to look directly at the IP specified.

Your hosts file will need two entries added, each containing the IP address you want the site to resolve to followed by the hostname. Adding the two lines below, for example, will point www.domain.com and domain.com to our current PHP5-ITK (“Refreshed” PHP5) cluster:

64.49.219.194 www.domain.com
64.49.219.194 domain.com

Below is how to locate and edit the hosts file on several OS platforms. Once the proper domain information is added you will save the file and your system will begin resolving to the specified IP. Once testing is finished these entries should be removed.

Windows 8, Windows 7 and Windows Vista

Windows 8, Windows 7 and Windows Vista use User Account Control (UAC), so Notepad must be run as Administrator.

For Windows 8

  1. Press the Windows key.
  2. Type Notepad in the search field.
  3. In the search results, right-click Notepad and select Run as administrator.
  4. In Notepad, open the following file:
    c:\Windows\System32\Drivers\etc\hosts
  5. Make the necessary changes to the hosts file.
  6. Click File -> Save to save your changes.

For Windows 7 and Windows Vista

  1. Click Start -> All Programs -> Accessories.
  2. Right click Notepad and select Run as administrator.
  3. Click Continue on the “Windows needs your permission” UAC window.
  4. When Notepad opens Click File -> Open.
  5. In the filename field type:
    C:\Windows\System32\Drivers\etc\hosts
  6. Click Open.
  7. Make the necessary changes to the hosts file.
  8. Click File -> Save to save your changes.

Windows NT/2000/XP

  1. Click Start -> All Programs -> Accessories -> Notepad.
  2. Click File -> Open.
  3. In the filename field type:
    C:\Windows\System32\Drivers\etc\hosts
  4. Click Open.
  5. Make the necessary changes to the hosts file.
  6. Click File -> Save to save your changes.

Linux

1. Open a terminal window.

2. Open the hosts file in a text editor (you can substitute any text editor):

sudo nano /etc/hosts

3. Enter your password.

4. Make the necessary changes to the hosts file.

5. Press control-X (hold control and hit X), then answer y when asked if you want to save your changes.

Mac OS X 10.0 – 10.1.5

1. Open /Applications/Utilities/NetInfo Manager.

2. To allow editing the NetInfo database, click the padlock in the lower left corner of the window.

3. Enter your password and click OK.

4. In the second column of the browser view, select the node named machines. You will see entries for -DHCP-, broadcasthost, and localhost in the third column.

5. Select the localhost item in the third column.

6. Choose Duplicate from the Edit menu (the quickest way to create a new entry is to duplicate an existing one). A confirmation alert appears.

7. Click Duplicate. A new entry called localhost copy appears, and its properties are shown below the browser view.

8. Double-click the value of the ip_address property and enter the IP address of the other computer.

9. Double-click the value of the name property and enter the hostname you want for the other computer.

10. Click the serves property and choose Delete from the Edit menu.

11. Choose Save from the File menu. A confirmation alert appears.

12. Click Update this copy.

13. Repeat steps 6 through 12 for each additional host entry you wish to add.

14. Choose Quit from the NetInfo Manager menu. You do not need to restart the computer.

Mac OS X 10.6 – 10.1.8

1. Open Applications > Utilities > Terminal.

2. Open the hosts file by typing the following in the Terminal window:

sudo nano /private/etc/hosts

Type your user password when prompted.

3. Edit the hosts file. The hosts file contains some comments (lines starting with the # symbol), as well as some default hostname mappings (e.g. 127.0.0.1 – localhost). Append your new mappings underneath the default mappings.

4. Save the hosts file by pressing Control+x and answering y.

5. Make your changes take effect by flushing the DNS cache with the following command:

dscacheutil -flushcache

6. New mappings should now take effect.
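To make the hosts-file procedure above reproducible and reversible, here is an added example (not part of the original how-to) that parses the hosts format the way a resolver does, appends tagged override lines like the two shown earlier, and strips exactly those lines again once testing is finished. The marker comment, the sample file contents and the `hosts_path` helper are assumptions of this example.

```python
import platform

MARKER = "# added-for-testing"   # tag so cleanup removes only our lines, never system entries

def hosts_path():
    """Location of the hosts file on the platforms the how-to covers."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\Drivers\etc\hosts"
    return "/etc/hosts"          # /private/etc/hosts on macOS is the same file

def parse_hosts(text):
    """Return [(ip, [hostnames])] for active lines; comments and blanks are dropped."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if body:
            entries.append((body[0], body[1:]))
    return entries

def resolve(text, hostname):
    """Mimic the resolver: the first matching entry wins."""
    for ip, names in parse_hosts(text):
        if hostname in names:
            return ip
    return None

def add_overrides(text, ip, hostnames):
    """Append one tagged override per hostname, replacing any earlier tagged
    override for the same name so re-running does not duplicate lines."""
    kept = [l for l in text.splitlines()
            if not (l.endswith(MARKER) and set(l.split()) & set(hostnames))]
    return "\n".join(kept + [f"{ip} {h} {MARKER}" for h in hostnames]) + "\n"

def remove_overrides(text):
    """Strip every tagged line: the cleanup the how-to asks for once testing ends."""
    return "\n".join(l for l in text.splitlines() if not l.endswith(MARKER)) + "\n"

# Constructed sample hosts file, not copied from any real machine.
SAMPLE = "127.0.0.1 localhost\n255.255.255.255 broadcasthost\n::1 localhost\n"

if __name__ == "__main__":
    print("target file on this platform:", hosts_path())
    text = add_overrides(SAMPLE, "64.49.219.194", ["www.domain.com", "domain.com"])
    print(resolve(text, "www.domain.com"))                     # 64.49.219.194
    print(resolve(remove_overrides(text), "www.domain.com"))   # None
```

Writing the result back to `hosts_path()` needs the same administrator or root rights the manual steps require; the demo deliberately works on the constructed sample only.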

Configuring Dyn and Untangle for Remote Access

After completing the setup of an Untangle firewall for your network, one of the first things you will probably want to configure is remote access.

To configure remote access of your Untangle firewall, follow these steps below:

1) Enable HTTPS administration.

2) You will have to spend approximately $25/year (as of 2014) on the “Remote Access” option at Dyn in order to associate a hostname with a Dynamic IP address.

3) Create a hostname to correspond to your Untangle firewall.

4) Install Dyn Updater on a PC on your network. This will keep the Dynamic IP Address of your ISP router in sync with the hostname you created in Step #3.

5) On your ISP router, enable Port Forwarding or access from the internet to HTTPS (port 443).