Improving dynamic DNS security
You can improve the security of dynamic DNS updates.
CAUTION:
Although Firewalls support dynamic DNS updates, the protocol itself poses a security risk because there is no access control. If you must use dynamic DNS updates, do so only after careful research, planning, and testing.
There are actions you can take to improve the security of dynamic DNS updates:
- Always place the DNS servers behind the Firewall for protection from IP address spoofing.
- Use BIND or an equivalent DNS server that allows you to define which hosts are allowed to send dynamic updates.
- Consider using static DNS entries instead, as DDNS is not necessarily needed with inbound load balancing. In that case, the DNS entries are not removed automatically from the DNS server if an ISP fails, but you can sometimes solve these problems by other means. For example, some web browsers can automatically try other IP addresses if one address does not respond.
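The second item in the list, restricting which hosts may send dynamic updates, looks like this in BIND's `named.conf`. This is an added example, not configuration from the product documentation; the zone name, zone file path, ACL name, and the sender address `192.0.2.10` are placeholders.

```conf
// named.conf fragment (constructed example; all names and addresses are placeholders)

// Hosts allowed to send dynamic updates. Here: the single address
// the Firewall uses as the source of its DDNS updates (assumed).
acl "ddns-senders" {
    192.0.2.10;
};

// Weak setting, shown commented out for comparison:
// any host that can reach the server may rewrite records in the zone.
//
// zone "example.com" {
//     type master;
//     file "dynamic/example.com.zone";
//     allow-update { any; };
// };

// Restricted setting: only addresses in the ACL may update the zone.
// Updates from any other source are refused.
zone "example.com" {
    type master;
    file "dynamic/example.com.zone";
    allow-update { "ddns-senders"; };
};
```

Because this ACL matches on source IP address only, it depends on the first item in the list: the DNS server must sit behind the Firewall so that packets spoofing the allowed address do not reach it. Run `named-checkconf` on the file to check the syntax before reloading the server.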