With the Dynamic Host Configuration Protocol (DHCP), devices are dynamically assigned IP addresses as they disconnect from and reconnect to the network. This can be problematic for applications that are bound to a static IP address rather than to the device's hostname.
The Domain Name System (DNS) maps hostnames to IP addresses. Dynamic DNS (DDNS) services automatically update their records as IP addresses change, so that clients requesting the record for a hostname always receive the current IP address.
DDNS services need a means of learning about changes to a device's IP address. Often, this is accomplished using an agent installed on a router or another device on the organization's network. This agent periodically communicates with the DDNS provider and reports IP address changes that affect its DNS records.
DNS and DDNS are both designed to implement lookups from hostnames to IP addresses. From a DNS client perspective, the two services are largely identical.
The primary difference between DDNS and DNS is the frequency at which the DNS server’s records are updated. With DNS, records are updated manually by the owner of the DNS record if its infrastructure changes, which is relatively infrequent. With DDNS, record updates happen more frequently and are automated to ensure that DNS clients have access to the latest information.
The defining feature of DDNS is the automatic updates to DNS records as the IP addresses of an organization’s systems change. This can be implemented in a couple of different ways. The two main types of DDNS include:
DDNS’s automated management and updates to DNS records can provide numerous benefits to an organization. These include:
The ability to update mappings from hostname to IP address can benefit cybercriminals as well as organizations. Many companies use blocklists that look for connections to known malicious IP addresses to identify malware installed on their systems.
With DDNS, malware authors can more easily evade these blocklists since malware can be designed to make requests to hostnames rather than IP addresses. If these hostnames are configured with DDNS, attackers can more easily change IP addresses to avoid IP-based blocklists.
Also, if an organization uses DDNS, an attacker may be able to take advantage of this fact in phishing attacks. If the attacker can take control of the DDNS update mechanism, they can redirect users to an attacker-controlled site masquerading as the organization’s website.
DNS security solutions must provide protection against threats to DDNS systems. This includes identifying malicious DNS entries and securing the DNS protocol and channel.
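As an added illustration of the evasion described above and of the kind of DNS monitoring it calls for (example code written for this page, not a Check Point tool), the script below runs two checks over a few constructed resolver log lines: a plain IP blocklist match, and a churn check that flags a hostname whose answer IP keeps changing while the name stays constant. The hostnames, addresses and blocklist entry are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log (not from the original page).
# Format per line: "<ISO timestamp> <client IP> <queried hostname> <answer IP>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 updates.example-vendor.com 203.0.113.10
2024-03-01T10:05:00 10.0.0.7 updates.example-vendor.com 203.0.113.10
2024-03-01T10:00:30 10.0.0.5 c2node.ddns-placeholder.net 198.51.100.21
2024-03-01T10:20:00 10.0.0.5 c2node.ddns-placeholder.net 198.51.100.77
2024-03-01T10:40:00 10.0.0.5 c2node.ddns-placeholder.net 192.0.2.130
2024-03-01T11:00:00 10.0.0.5 c2node.ddns-placeholder.net 192.0.2.9
"""

# Constructed blocklist: only the first address the hostname resolved to was ever listed.
IP_BLOCKLIST = {"198.51.100.21"}


def parse_log(text):
    """Yield (timestamp, client, hostname, answer_ip) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ip = line.split()
        yield datetime.fromisoformat(ts), client, host, ip


def blocklist_hits(text):
    """Static IP matching: returns only the lookups whose answer is on the blocklist."""
    return [(host, ip) for _, _, host, ip in parse_log(text) if ip in IP_BLOCKLIST]


def flag_churning_hosts(text, window=timedelta(hours=1), min_distinct_ips=3):
    """Flag hostnames that resolved to at least `min_distinct_ips` different
    addresses inside any sliding time window. A DDNS-backed hostname rotated to
    dodge IP blocklists shows this churn even though the name never changes."""
    events = defaultdict(list)
    for ts, _, host, ip in parse_log(text):
        events[host].append((ts, ip))
    flagged = {}
    for host, recs in events.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            ips = {ip for ts, ip in recs[i:] if ts - start <= window}
            if len(ips) >= min_distinct_ips:
                flagged[host] = sorted(ips)
                break
    return flagged
```

Run against the sample, the blocklist catches one of the four lookups for the churning hostname, while the churn check flags the hostname itself, which is what a name-based detection needs.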
Monitoring and securing DNS infrastructure is an essential part of an enterprise network security strategy. For example, threat intelligence that identifies malicious domains is a rich source of Indicators of Compromise (IoC) for any organization’s security operations center (SOC). Check Point Infinity SOC is a threat hunting tool that can search for malicious domain names used by threat actors and campaigns that use DDNS in attempts to evade IP-based detection.
In addition, the Check Point Quantum Spark family and its cloud-based Security Management Portal also support DDNS. Quantum Spark small business firewalls can be configured to use DDNS to assign a name to the SMB gateway. This fixed name ensures the firewall remains reachable from the Internet even as its external IP address changes.