How safe is dynamic DNS?

RouterOS General
1

I was just wondering if my widespread use of dynamic dns is a security issue.

For example, I use dydns.org for all my sites.

That is, I might have sites such as (names changed to protect):

site1.dyndns.org
site2.dyndns.org
site3.dyndns.org
site4.dyndns.org
site5.dyndns.org

A hacker might say 'I’ll run an attack on all domain names for all permutations with replacement of 5 characters (A-Z and 0-9) followed by dyndns.org

There would be 60,466,176 permutations with replacements of set of 5 characters out of 36.

With the thinking that it might be more fruitful to do that that run an attack on an entire class A known to be used by a particular ISP’s clients?

I understand a class A is ~16MM – about 1/4 of the above example.

Or, a much smarter algorythm that limits the attemps to subdomains with existing words or letters commonly next to each other (which is a big reason we use dyndns: Because “site1” is a heck of a lot easier to remember than “a1m8q”).

BTW, if the subdomain name has only 3 characters (abc.dyndns.org), for example, the number of permutation with replacement drops to 46,656 – so that might be a good reason to not use short subdomains.

Just wondering.

2

What is hosted/serviced on these IP addresses?

3

I was thinking in a general, generic way about the security.

I don’t host anything like a publicly available web site.

I do run internal devices that get access from outside the location, usually/mostly via VPN or RDP.

Home Assistant servers, Blue Iris Servers, plenty of telnet/SSH, RDP, and plenty more.

4

The less information the better.
AFAIK, most vulnerabilities are found through port scans. A DDNS name will not have impact on that.
Try to limit the number of port forwards as much as possible, that will have impact.

5

So use any DNS to manage your DNS names and configure

site1.yourdnsdomain.safer as CNAME to site1.dyndns.org

If sth goes wrong you manualy reset site1.yourdnsdomain.safer to any IP you wish.
In parallel you should monitor/log the external address of your site1 to be able to set DNS manualy.

6

Thanks for the insights guys.

I do have a bunch of domain names sitting doing nothing, so maybe I’ll make CNAMES.