DNS "network"

I figured out about Dynamic DNS Service Providers and this works for me. (but)
Basically I want to buy a domain name and put it on my machine and be visible on the net.

So if I install BIND on my home machine how do I get it to "mingle" with other dns servers?
Does BIND advertise by broadcast/multicast?
How do I get some other dns server to point to my machine?

(And of course join the "network" of online dns-es)

Many thanks.

When you register with a registrar, in you settings you can tell it what name server to use. You would simply point it to your BIND servers. So if you purchase vlad777.com. You would tell your domain registrar to look at your public IP address of your BIND server to figure out who vlad777 is. On your server you would setup your own host names, however you cannot host other names beyond the one you purchased. You need to be accredited by ICANN for that.

This will walk you through the whole process.

Logically registrars have their own DNS servers (that I can point). Dough , just didn't click.
I found this: godaddy-dyndns-for-the-poor

What kind of bandwidth do you have on your home network? What's your download and upload speeds?

10Mb / 1Mb
I will just use it to experiment and learn, so it doesnt matter.

If you're just learning, you may want to make your site only available on your LAN, or even just a localhost site. You're probably going to have security vulnerabilities, and if you make your site publicly available on the internet, you'll probably get owned, putting other machines on your network at risk.

Anything important is off the LAN anyway because I am already paranoid.
If I only enable http and port 80 in my firewall, is that a big risk?

First of all, I think it's socially responsible to mention that I'm not an expert. I'm not an expert in networking, in web development, or in cyber security. I'm a college student majoring in cyber security, and my only personal experience developing websites is developing a local host site with and without SSL for a class project, the goals of which were to show the difference in the network traffic between SSL and non SSL.

That being said, the point is that at first, you'll probably just get up a simple html page saying "hello world". There's not a whole lot an attacker could do with that, as the attack surface is very small. Think of attack surface as like a house ... if you build a house and only have one door, there's a very small attack surface. IE, only one way for an attacker to get in. But once you start adding more doors, more windows, the attack surface increases, especially if you're new to building houses, doors, and windows.

When your site gets more complex, and it inevitably will as you progress through learning, your attack surface is going to increase. As you're just learning, you're almost 100% guaranteed to not implement best security practices, so your site is going to be vulnerable.

If your site is public facing on the internet, there is probably a 100% chance that your site will get owned by a hacker. There are literally billions of people that use the internet, and there is a very non significant percentage of those users that are malicious hackers that do things like scan entire network ranges for vulnerabilities, search shodan for insecure internet facing devices, and try to exploit them when found.

If an attacker can connect to your site on your LAN, he can intercept the traffic in a proxy like burp suite, and manipulate the traffic. If he can own your site and get root access, he can pivot and try to compromise more devices on your network. You say nothing important is done on your LAN, but you're posting from a computer or mobile device on your LAN, are you not? Do you want the chances of your posting device getting owned increased? Your LAN is your LOCAL area network. It is your home, or business network. It needs to be secure. Hosting a public facing DDNS website from your LAN while you're learning web development is not how you keep your LAN secure.

The best way to learn is to do so in a safe manner, and just willy-nilly creating a web site and putting it up on the internet as you're learning, jeopardizing your LAN and all the devices on it, is not a safe way to learn. You should strongly consider using virtual machines, create a site accessible only on your LAN, not accessible at all via the external internet, and learn to develop secure websites before publishing one on the internet.

And when that time comes, linode.com has some very reasonable web hosting plans. They are very highly regarded, and when the time comes for me, I will be choosing them as a web host, fwiw.

Finally, all of that being said, when the time comes that you feel confident in your web development abilities, and you are ready to have your own internet facing web site, your network bandwidth is entirely insufficient for hosting a website, outside of receiving like maybe a few hundred visitors a month. You have absolutely zero capabilities for scalability with such a network connection. And such asymmetrical network connections (download and upload speeds are not the same, upload typically much slower) are completely standard for consumer grade internet plans. Your ISP probably even "outlaws" hosting a website with your connection in your terms of agreement. And the short of the story is just that your internet connection just cannot support a website with the potential to grow. This is one of linode's strengths - scalability. You can start small and grow. You have zero room to grow on your home network.

But all that being said, yes, DDNS (Dynamnic Domain Name Service) is what you would need if you did want to host a website from your home connection, because you almost certainly have a dynamic IP address that changes reguarly, rather than a static IP address that never changes. DDNS keeps your current external, ISP provided IP address current, so it is technically possible for users entering "yoursite.com" to have DNS resolve your domain name to your IP address. But as said, it's entirely unpractical because of your internet speeds.

I already did a hello world. Good point about my ISP allowing it, i'll have to look it up in my contract.
I don't expect scaling for a stupid site like this: mysite
What about my traffic can get a hacker a root access?

(If my ddns provider is updated every 5 minutes ,does that make it difficult for a hacker to put something
between the client and my public IP?)

You should look up nmap, metasploit, burp suite, and SQLmap.

If you develop a web app that is insecure, a hacker could compromise your server that way. If you use a database and it's vulnerable to SQL injection, a hacker could compromise your server. If you're running outdated, vulnerable services on your server, a hacker could potentially exploit those vulnerabilities and inject malicious code, compromising your server. There are lots of ways, and if your server is compromised and root access is gained, they can pivot from your server, which means to launch attacks on other machines on you LAN from the compromised server. If they do that and succeed, well now they've owned your desktop, your laptop, your mobile device, etc.

Burp suite is what would be used to intercept and manipulate data going to your server. A hacker runs burp on their client, connects to your server and analyzes the data returned by your server in burp. They can then make another http request to your server, intercept the traffic in burp before it gets to your server, manipulate it, and then send forth malicious data. I don't think DDNS would have much impact on this, as the DNS would just resolve to your new dynamic IP address.

Edit, you also want to have good security practices regarding email, because I just clicked your link and now I know your email address. So do any malicious hackers reading this. Aside from knowing how to use email in a safe manner, by which I mean use strong passwords, two factor authentication if possible, don't click random links or open random attachments, etc., you should also use a different email address for administration of things like web hosting, domain registration, etc. and contact email. Obviously you'll want an email address people can contact you at, but if you use that same email address for administration of your various accounts, if your email account gets owned, so did your web admin accounts. You should use a dedicated email account for web admin stuff, use it solely for web admin stuff, and keep it completely private.

I had that email for years and only once I got a confirmation email to link another email to mine which was malicious.
I didn't click of course. I will look into the programs you suggested but I'm not into internet security.
(Edit : Not to forget about BackTrack, actually this could get interesting.)

So burp is between my front end on hackers machine, and http on hackers machine, OK thanks.

How about this pivoting? I can't even get windows network between Linux and my windows machines.
What services or daemons would allow remote installation of software?

(Again I can purge and reinstall whole LAN if I have to.)

Just don't use Go Daddy or any of those super cheap sites. Someone can easily setup an attack and inject malware to your site through their own or another users. Zombie by proxy type attack is I think how it goes.

Good general advice in this thread so far. Im a network technician, so maybe I can throw you a few pointers.

  1. Get a Network+ book and read it. the cert is insanely easy compared to ccna work and it covers all the basics. You dont need the cert but a good N+ book is a solid foundation in the bare minimum knowledge required to troubleshoot and understand basic issues.

  2. Host on the cloud. (AWS or etc.). Its actually easirr and safer. If you want to play with real hardware, build a media server or firewall. unless your a business its against your SLA. And insecure.

  3. Host on linux. Way easier and stable. Sudo apt-get apache2 ... start apache ... done!

1 Like

This too, Linux is far easier

OK so I used nmap -v -A my.public.ip.addr
I used off lan computer connected through mobile internet (for nmap).
As expected when I run my hello world with node.js i see port 80 and that is OK.

But why is port 1720 open even if I turn all my computers off?

Check the port forwarding/firewall rules on your router and pc. Log on to your routers administration page and verify all the settings. To check what processes are running on local machines, In windows, use netstat -n or TCPView

lsof -Pni :1720
Would be the command in Linux to check what process is using port 1720