Domain Names and DDNS
Category : SecureOffice
Published by xoops on 29-Nov-2020 17:10

Table of Contents

1      Choose a Domain Name

2      Email Server Considerations

2.1                Ability to Manage Domain MX Records

2.2                Maximum Email Security

2.3                Email Blacklisting

2.4                Send Email Services

2.5                Receive Email Services

3      Free LetsEncrypt SSL Certificates

3.1                Public Suffix List

3.2                Wildcard Certificate Compatibility

4      Select Dynamic Domain Name Service

List of Tables

Table 1:       Free SMTP SmartHosts

Table 2:       Email Reception Services

Table 3:       DDNS Providers

1      Choose a Domain Name

In this document the terms Dynamic DNS (DDNS) and DNS (Domain Name System) are used interchangeably, since a DDNS service is just a DNS service which additionally lets a client update the IP address in its records whenever that address changes. The service may be free or paid, depending on provider and plan.

If you are not hosting internet services, or a domain name and Dynamic DNS provider are already active, this step can be omitted.

A domain name is a human readable text string that DNS resolves to the numeric IP address(es) identifying a particular host on the internet.

It is assumed your SecureOffice installation will provide publicly accessible services such as websites, email, file sharing, telephony, IoT, etc. for the internet. If this is not the case, SecureOffice is being used as a (free) high performance router / gateway, and choosing a domain name and the following DNS provider selection can be omitted.

An active domain name is required to access the premium package repository for any packages not provided by basic OpenWrt / SecureOffice, such as ZoneMinder (IP camera security system), Home-Assistant (home automation), docker containers, virtual machine hosting (VMware), Xorg, NxServer and custom scripts such as RAID, easy VPN creation, etc.

There are two options for domain names:

  • A free domain name, a subdomain of a Dynamic Domain Name Service (DDNS) provider. For example "you.dynu.com". Your domain name will be of the form "yoursite_name" dot "provider_name" dot "(com, org, etc.)". It is recommended that users initially choose a free domain name until SecureOffice configuration is nearly complete (except for Securing Your Site section) and then decide whether or not a paid domain name is required.
  • A paid (yearly cost) domain name. For example "you.com". Your domain name will be of the form "yoursite_name" dot "(com, org, etc.)". Most, if not all paid DNS providers offer a domain name registration service. If you have a static IP address from your ISP (Internet Service Provider), they may already provide domain name and DNS services as part of your internet plan.
  • Various free and paid DDNS services are reviewed here. It may be useful to internet search "DDNS providers review".
  • Securely hosting internet services (encrypted) requires SSL certificates for your site, discussed here.

Whether you choose a free or paid domain name, DNS service providers allow you to set up, manage and renew your domain registration.

Before the next step, the following choices should have been made:

  • Free or paid domain name.
  • The unique portion of the domain name, for example "my_really_cool_domain" (note that a registrar will only accept letters, digits and hyphens in a registered name, so the underscores in this example would have to become hyphens).
  • Domain suffix: ".com", ".org", etc.

2      Email Server Considerations

If you do not intend to have a local email server for your domain, the requirements of this section can be omitted.

2.1                Ability to Manage Domain MX Records

MX (Mail eXchange) records identify the mail servers that accept email for a domain. When a message is sent to you@yourdomain, the sending server looks up the MX records of yourdomain to learn the host name(s), and the preference order, of the servers that will receive it.

DNS services usually provide the ability to manage your domain's MX records. The requirement is the ability to point the MX record at whichever host actually receives mail for your domain, whether that is your own server or a third-party reception service. Ensure the chosen DNS provider allows you to manage your MX records.

2.2                Maximum Email Security

Mailgun has an excellent overview of email ports, protocols and security considerations. Mailtrap has an excellent overview of SMTP security.

The most secure client (Outlook, Thunderbird, etc.) email configuration is to use SSL / TLS encryption for all client traffic to and from the email servers. SMTP (Simple Mail Transfer Protocol) submission uses port 587 (STARTTLS, the current standard) or port 465 (implicit TLS; once deprecated, now recommended again by RFC 8314). For email reception, POP3 (Post Office Protocol, version 3) uses port 995 and IMAP (Internet Message Access Protocol) uses port 993, both with implicit TLS.

SMTP port 25 is used for SMTP relaying, the transfer of email between email servers.

Unfortunately, for spam control reasons, most ISPs block outgoing SMTP port 25, preventing mail servers from sending email directly. Many ISPs provide an alternate port or a proxy for email transmission. If an alternate port is not available from your ISP and they cannot or will not open the required ports, the alternatives are to change ISP or to use a third-party email transmission service with unblocked ports.

For email servers it is good practice to confirm that encryption is used for sent and received emails. MxToolbox provides a free online tool for this. To test a server, enter the email server <domain_name>:<port> for the sending (or proxy) and receiving servers. If the test results contain "OK - Supports TLS" for both servers, then both servers offer STARTTLS and mail between them is normally encrypted. Two caveats apply. First, STARTTLS on port 25 is opportunistic: a sending server that does not insist on TLS will fall back to cleartext if an attacker on the path strips the STARTTLS capability from the EHLO reply, unless the receiving domain publishes a policy (MTA-STS or DANE) and the sender honours it. Second, this is hop-by-hop encryption, not end to end: every intermediate server sees the message in the clear, and any compromised server in the chain allows third parties to read your emails or perform MITM attacks. For complete email security, some form of end to end encryption is required, where only the sender and recipients can read the contents.
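The two checks described in sections 2.1 and 2.2, worked as an added example (not code from the SecureOffice page or project): ordering a domain's MX hosts the way a sending server does, and testing whether an SMTP server offers STARTTLS, which is the capability MxToolbox's "Supports TLS" result reports. The MX set and EHLO replies embedded below are constructed for the example; check_starttls() opens a real connection only when you call it with a host name.

```python
"""Added example, not code from the SecureOffice page or project: order the MX
hosts for a domain as a sending server would, and check whether an SMTP server
offers STARTTLS (the capability MxToolbox's "Supports TLS" result reports).
The MX set and EHLO replies below are constructed for this example;
check_starttls() makes a real connection only when you call it."""
import smtplib
import ssl
import sys
from typing import Dict, List, Tuple

# Constructed sample data (not real hosts).
SAMPLE_MX = [(20, "mx2.example.net."), (10, "mx1.example.net."), (10, "mx1b.example.net.")]
SAMPLE_EHLO_TLS = "250-mail.example.net Hello client\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME\n"
SAMPLE_EHLO_PLAIN = "250-mail.example.net Hello client\n250 8BITMIME\n"


def order_mx(records: List[Tuple[int, str]]) -> List[str]:
    """Lowest preference value first (RFC 5321 s5.1). Hosts sharing a value are
    equal candidates; a real MTA picks among them at random, here input order is kept."""
    return [host.rstrip(".").lower() for _, host in sorted(records, key=lambda r: r[0])]


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Turn a multi-line EHLO reply ("250-STARTTLS", "250 SIZE 35882577") into
    {KEYWORD: parameters}. Returns {} when EHLO was not accepted (no 250 code)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not all(ln.startswith("250") for ln in lines):
        return {}
    caps: Dict[str, str] = {}
    for line in lines[1:]:                 # line 0 is "250-<hostname> <greeting>"
        parts = line[4:].strip().split(None, 1)
        if parts:
            caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return caps


def supports_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Live check: connect, EHLO, upgrade with STARTTLS if offered and report the
    negotiated TLS version. Certificate verification is on (ssl.create_default_context),
    so a server whose certificate does not match its name is reported as an error:
    that mismatch is exactly what an on-path attacker relies on when senders do not verify.
    For port 465 (implicit TLS) use smtplib.SMTP_SSL instead of this STARTTLS flow."""
    result: Dict[str, object] = {"host": host, "port": port, "starttls": False,
                                 "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as srv:
            srv.ehlo()
            if srv.has_extn("starttls"):
                srv.starttls(context=ssl.create_default_context())
                srv.ehlo()                 # capability list may change after TLS
                result["starttls"] = True
                result["tls_version"] = srv.sock.version()
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print("MX delivery order:", order_mx(SAMPLE_MX))
    print("offers STARTTLS:", supports_starttls(SAMPLE_EHLO_TLS), supports_starttls(SAMPLE_EHLO_PLAIN))
    if len(sys.argv) > 1:                  # python3 smtp_tls_check.py mx.yourdomain 25
        print(check_starttls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run it with your MX host name (and optionally a port) as arguments to test a live server; without arguments it only exercises the constructed samples. A result with "starttls": False on port 25 is the case the MxToolbox test flags, and an "error" mentioning certificate verification is worth investigating even when the server does offer STARTTLS.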

Some ISPs block incoming SMTP port 25. Many will unblock this port at customer request. If incoming port 25 is blocked and cannot be unblocked, the alternatives are to change ISP or to use a third-party email service which receives your domain's emails on port 25 and forwards them on an alternate port, which the SecureOffice firewall then forwards to your email server.

In preparation for running an email server, the best (most secure) scenario is to ensure that your ISP does not block incoming port 25 and either does not block outgoing port 25 or provides an alternate port for email transmission.

An additional email security consideration is whether your ISP or email provider intercepts or stores incoming / outgoing emails and logs. They may lie about this, and ISPs in many jurisdictions are legally compelled to keep copies of your emails should snoops with guns become interested. To work around this, find an ISP or email provider with a no logs, no storage policy, or consider end to end email encryption.

If your ISP does not meet the above requirements, third-party email send and / or receive services are required, negating some of the security benefits of direct server-to-server email delivery.

2.3                Email Blacklisting

Spam (junk email) is a serious problem, clogging user inboxes, wasting mail server resources and, in general, reducing the quality of email service. To deal with spam, email servers consult blacklists (DNS-based blocklists, DNSBLs) of IP addresses, and in some lists domains, known to send spam. If your IP address or domain gets on a blacklist, many mail servers will reject your emails and many email clients will classify your emails as spam.

It is possible to get on a blacklist through no fault of your own: your ISP's or DNS provider's entire address range or domain has been blacklisted due to spamming by other customers, or malware on your network is sending spam. If you have a dynamic IP address, you may end up blacklisted because a previous holder of the same IP address sent spam.

If your emails are not being delivered, after confirming that it is not a configuration problem, there are tools available to check whether your domain or IP address has been blacklisted. Blacklist status can be checked using MX Toolbox.

If you end up on a blacklist, it must be determined why, the problem corrected, and a request made for removal from whichever blacklist you are on.

The Composite Blocking List (CBL) is one widely consulted blacklist of IP addresses observed sending spam or showing signs of malware infection. Their website contains information regarding how to fix the problems that got you blacklisted and how to be removed from the blacklist. Use the MX Toolbox link above to determine which blacklist(s) you are on and follow the removal procedures for each blacklist.
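What a blacklist check actually does, as an added example (not code from the SecureOffice page or from MX Toolbox): a DNSBL lookup per RFC 5782 reverses the address, appends the list's DNS zone, and queries for an A record. The addresses and answers embedded below are constructed; the list zone "zen.spamhaus.org" is a real list name used only to build a query string, and lookup() touches the network only when you call it.

```python
"""Added example, not code from the SecureOffice page: how a blacklist (DNSBL)
lookup works (RFC 5782), which is what MX Toolbox does for each list it checks.
The address is reversed, the list's zone is appended, and an A record lookup is
made; an answer inside 127.0.0.0/8 means "listed", NXDOMAIN means "not listed".
The addresses and answers below are constructed; lookup() uses the network only
when called."""
import ipaddress
import socket
from typing import Dict, Optional


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IPv4: octets reversed. IPv6: all 32 nibbles of the expanded address reversed."""
    addr = ipaddress.ip_address(ip)                  # ValueError on junk input
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone.strip(".")])


def interpret(answer: Optional[str]) -> Dict[str, object]:
    """The last octet of a 127.0.0.x answer encodes *why* you are listed, but the
    meaning is defined by each list (read its documentation before acting).
    Some lists (Spamhaus, for one) answer 127.255.255.x when they refuse the
    query, e.g. because it came via a public resolver; that is not a clean result."""
    if answer is None:
        return {"listed": False, "code": None, "note": "not listed (NXDOMAIN)"}
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return {"listed": None, "code": answer, "note": "query refused by the list; result unknown"}
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return {"listed": True, "code": answer, "note": "listed; see the list's code table"}
    return {"listed": None, "code": answer,
            "note": "unexpected answer; resolver may be rewriting NXDOMAIN"}


def lookup(ip: str, zone: str) -> Dict[str, object]:
    """Live query through the system resolver. Only EAI_NONAME (NXDOMAIN) is
    'not listed'; a timeout or SERVFAIL is reported as unknown, not as clean."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer: Optional[str] = socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno != socket.EAI_NONAME:
            return {"query": name, "listed": None, "code": None, "note": f"lookup failed: {exc}"}
        answer = None
    return {"query": name, **interpret(answer)}


if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.45", "zen.spamhaus.org"))   # constructed test address
    for a in (None, "127.0.0.2", "127.255.255.254"):
        print(a, interpret(a))
```

The distinction between "not listed" and "unknown" matters in practice: a script that treats every lookup failure as clean will happily report a blacklisted server as fine whenever the resolver times out or the list refuses queries from your resolver.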

2.4                Send Email Services

SMTP SmartHosts are intermediate email servers which accept emails from authenticated senders and forward them to recipients. Sending through a SmartHost requires authentication, and it is the SmartHost's reputation, rather than that of your own IP address, which recipient email servers judge, reducing spam rejection. If your ISP provides an alternate port for email transmission, the server behind it is an SMTP SmartHost.

SMTP SmartHosts are used for the following purposes:

  • By ISP's to spam filter sent emails, to control spam and avoid getting on blacklists which results in emails being rejected by mail servers.
  • Provide an alternate port for email transmission; to work around ISP's which block port 25 outgoing.
  • To have a third party to deal with email blacklisting, keeping your domain / IP address off blacklists and managing removal from blacklists.
  • Offload bulk email transmission from your local email server.

If your ISP blocks port 25 outgoing and does not provide an alternate port for email transmission, you will have to choose and use a SMTP SmartHost.

Below are several free SMTP SmartHost service providers. None have been tested with SecureOffice. Users will have to research and choose one that meets their requirements.

Provider    | Free | Submission Ports                | Notes
Socket Labs | Yes  | 25, 2525, 587, and 465 (SSL)    | Free plan is limited to 2000 emails / month. No credit card required.
Postmark    | Yes  | 25, 2525, or 587, TLS all ports | Free for first 25000 emails.
Easy SMTP   | Yes  | 25, 587, or 465 (SMTPS)         | Free for first 10,000 emails / month.
MailGun     | Yes  | 25, 587, 2525 or 465 (SMTPS)    | Free for first 10,000 emails / month. Also provides free domain email reception service.

Table 1: Free SMTP SmartHosts

Some DNS service providers also provide SMTP SmartHost services.

2.5                Receive Email Services

Third-party email services may be required for the following reasons:

  • The receive port (25) required for email is blocked by your ISP. Choose a service which provides port redirection to a port not blocked by your ISP.
  • You want a third-party spam / virus filtering service for emails.
  • You do not want to miss emails when your server is down. Most email senders retry for at least several days if delivery is unsuccessful, meaning a server can be down for several days before emails are lost. Store and forward services (with longer give-up time-outs) hold emails until your server is back up.

Below are several options for mostly free email reception services. Search the internet for more.

Provider   | Free   | Features                                                                                            | Port Redirection                   | Notes
MxGuardDog | Can be | Anti spam, anti virus, daily report of blocked spam. Recipients can be removed from the spam list.   | Yes, choose any email receive port | Tested. Free if a link is included on your website. Buy credits until your site is up.
MailGun    | Yes    | Anti spam, smart routing                                                                            | Not verified                       | Free for first 10,000 emails / month.
dynu.com   | No     | Anti spam, anti virus                                                                               | Yes, choose any email receive port |

Table 2: Email Reception Services

Some DNS service providers also provide Email Reception services.

3      Free LetsEncrypt SSL Certificates

3.1                Public Suffix List

If you plan on using free SSL certificates from LetsEncrypt with a subdomain of a DDNS provider, a problem to watch out for is the error "Too Many Certificates Issued".

LetsEncrypt limits the number of certificates issued per registered domain (50 per rolling seven-day window at the time of writing), where the registered domain is the public suffix plus one label. If your DNS provider's domain (for example dynu.com) is not on the "Public Suffix List", then "you.dynu.com" counts as just another name under the registered domain "dynu.com", and you share that limit with every other customer of the provider. Hitting the limit is therefore an indication that you are using a subdomain of a DNS provider who is not on the "Public Suffix List", meaning that an alternate method of acquiring SSL certificates or a LetsEncrypt compatible DNS provider must be chosen. While you are at it, send a support request to the DNS provider requesting they get on the "Public Suffix List".

The SecureOffice team uses a subdomain of dynu.com (which is not on the "Public Suffix List") and luci-app-nginx-certificates for testing SecureOffice. In practice, because the limit is a rolling window rather than a fixed quota, other customers' older issuances age out, and if you keep trying (luci-app-nginx-certificates automatically retries periodically) your certificates will eventually be issued. Renewals of an existing certificate (the same set of names) are exempt from this particular limit, though they have their own, smaller, duplicate certificate limit.

The point is that DDNS provider LetsEncrypt compatibility may be a trial-and-error thing and it may take a day or so for certificates to be issued.

Further information regarding SSL certificates, LetsEncrypt, luci-app-nginx-certificates (automatic certificate renewal) is available here.
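The registered-domain and rolling-window reasoning above, worked as an added example (not code from the SecureOffice page, LetsEncrypt or the Public Suffix List project). The PSL rules and the issuance history embedded below are constructed for the example, not the real PSL or real issuance data; the 50 certificate limit is LetsEncrypt's published "Certificates per Registered Domain" limit at the time of writing.

```python
"""Added example, not code from the SecureOffice page: why a subdomain of a DDNS
provider that is missing from the Public Suffix List (PSL) runs into
LetsEncrypt's "too many certificates already issued" error. LetsEncrypt counts
certificates per registered domain (public suffix + one label) over a rolling
seven-day window, 50 at the time of writing; the PSL defines the public suffix.
The PSL rules and issuance history below are constructed for the example, not
the real PSL or real issuance data."""
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

CERTS_PER_REGISTERED_DOMAIN = 50
WINDOW = timedelta(days=7)


def public_suffix(hostname: str, rules: Iterable[str]) -> str:
    """PSL matching in brief: a rule matches when its labels equal the trailing
    labels of the hostname ('*' matches any one label). An exception rule ('!')
    wins over everything and names a suffix one label shorter than itself;
    otherwise the longest matching rule wins; with no match, the TLD is the suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    best: Optional[Tuple[bool, int, List[str]]] = None    # (is_exception, n_labels, rule)
    for rule in rules:
        exc = rule.startswith("!")
        rl = rule.lstrip("!").lower().split(".")
        if len(rl) > len(labels):
            continue
        if all(r == "*" or r == h for r, h in zip(rl, labels[-len(rl):])):
            cand = (exc, len(rl), rl)
            if best is None or cand[:2] > best[:2]:
                best = cand
    if best is None:
        return labels[-1]
    exc, n, _ = best
    return ".".join(labels[-(n - 1):] if exc else labels[-n:])


def registered_domain(hostname: str, rules: Iterable[str]) -> Optional[str]:
    """Public suffix plus one label; None if the hostname is itself a public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = len(public_suffix(hostname, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])


def can_issue(hostname: str, rules: Iterable[str],
              history: List[Tuple[datetime, str]], now: datetime) -> dict:
    """history holds (issued_at, hostname) for every certificate LetsEncrypt issued,
    yours and other customers' alike; the limit does not care whose account it was.
    Renewals (an identical name set) are exempt from this limit and are not modelled."""
    rules = list(rules)
    rd = registered_domain(hostname, rules)
    recent = sum(1 for issued_at, name in history
                 if registered_domain(name, rules) == rd and now - issued_at < WINDOW)
    return {"registered_domain": rd, "recent": recent,
            "allowed": recent < CERTS_PER_REGISTERED_DOMAIN}


# Constructed scenario: 60 other dynu.com customers each got a certificate in
# the last five days; one more customer got one eight days ago (outside the window).
NOW = datetime(2020, 11, 29, 17, 10)
HISTORY = [(NOW - timedelta(hours=2 * i), f"user{i}.dynu.com") for i in range(60)]
HISTORY.append((NOW - timedelta(days=8), "olduser.dynu.com"))
RULES_DYNU_NOT_ON_PSL = ["com", "org"]
RULES_DYNU_ON_PSL = ["com", "org", "dynu.com"]       # hypothetical listing

if __name__ == "__main__":
    for label, rules in (("dynu.com not on PSL", RULES_DYNU_NOT_ON_PSL),
                         ("dynu.com on PSL", RULES_DYNU_ON_PSL)):
        print(label, can_issue("you.dynu.com", rules, HISTORY, NOW))
```

With the provider absent from the PSL, "you.dynu.com" resolves to the registered domain "dynu.com" and the 60 recent issuances by other customers exhaust the limit; with the provider listed, the registered domain is "you.dynu.com" itself, nobody else's certificates count, and the same request is allowed. The eight-day-old entry illustrates the rolling window: it is never counted, which is why retrying later eventually succeeds.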

3.2                Wildcard Certificate Compatibility

LetsEncrypt wildcard certificates (for example "*.you.dynu.com"), which are required for subdomain addressing, can only be obtained through the DNS-01 challenge: the ACME client must publish a TXT record at "_acme-challenge.<domain>" which your DNS provider serves, so automated issuance and renewal require a DNS provider with an update API that your ACME client supports. Subdomain addressing is strongly recommended because it reduces SSL certificate and Nginx configuration management, allowing easy expansion of site services without impacting SSL certificates. When choosing a DDNS provider, ensure that it is LetsEncrypt DNS-01 challenge compatible. Do an internet search for "Letsencrypt DNS-01 Challenge DNS providers" to select a DNS provider, or use dynu.com (free and paid DNS, verified and used by the SecureOffice team).
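What the DNS-01 challenge actually asks the DNS provider to publish, as an added example (not code from the SecureOffice page, LetsEncrypt or any ACME client). The record name and value are computed exactly as RFC 8555 section 8.4 specifies; the token and account key embedded below are placeholders taken from RFC examples, not a real ACME exchange.

```python
"""Added example, not code from the SecureOffice page, LetsEncrypt or any ACME
client: what the DNS-01 challenge asks your DNS provider to publish (RFC 8555
section 8.4), which is why the provider must expose an API the ACME client can
drive at every renewal. The token and account key below are placeholders; in a
real exchange the ACME server supplies the token and the thumbprint is derived
from your own account key (RFC 7638)."""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the JSON containing only the key's required members,
    keys in lexicographic order, no whitespace. Optional members (alg, kid, use)
    are deliberately excluded, so they do not change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url_sha256(canonical.encode("ascii"))


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' thumbprint, the same string HTTP-01 serves; DNS-01 publishes its hash."""
    return f"{token}.{thumbprint}"


def dns01_txt_record(identifier: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """Return (owner name, TXT value) to publish. A wildcard identifier
    '*.you.dynu.com' is validated at the same owner name as 'you.dynu.com', so a
    certificate covering both needs two TXT records at one name, one per
    challenge; a provider that allows only one TXT record per name cannot do it."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = f"_acme-challenge.{base.rstrip('.')}"
    value = b64url_sha256(key_authorization(token, thumbprint).encode("ascii"))
    return name, value


# Placeholders: EC key from RFC 7517 appendix A.1, token from RFC 8555 examples.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
               "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
               "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    thumb = jwk_thumbprint(EXAMPLE_JWK)
    for ident in ("you.dynu.com", "*.you.dynu.com"):
        name, value = dns01_txt_record(ident, EXAMPLE_TOKEN, thumb)
        print(f'{ident}: publish {name}. IN TXT "{value}"')
```

Because the token changes on every order, the TXT value changes at every renewal, which is why a DDNS provider is only "DNS-01 compatible" for automated renewal if the ACME client can create and delete that record through the provider's API rather than through a web form.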

4      Select Dynamic Domain Name Service

For users who already have a DNS provider chosen and configured, assuming the provider meets the following selection criteria, this step can be omitted.

For the purpose of quickly getting up and running, it is suggested that a DDNS service provider meeting your requirements be selected from the following list, which is far from exhaustive. It is also suggested to use a free subdomain (you.ddnsprovider) for testing your services. Then, once SecureOffice and your internet services are verified, a unique (paid) domain name and various DDNS service providers can, if desired, be tested and qualified until a final choice is made.

The ability to manage MX records lets you direct email for your domain to whichever host receives it: your own server, or a third-party reception or store and forward service. This is a crucial DDNS feature if you intend to host your own email server.

The ability to relay / proxy email on another port, where DNS providers offer it at all, is an extra-cost feature, or else requires a third-party store and forward service provider.

DDNS Provider  | Free Subdomains                             | Email Store & Forward | Manage MX Records                                         | Notes
dynu.com       | Yes                                         | Yes, $                | Yes. Proxy port 25 requires store and forward service, $. | Tested. Recommended. Reasonable cost for unique domain registration.
no-ip.com      | Yes                                         | Yes, $                | Yes, paid feature                                         |
namecheap.com  | No, requires registered, unique domain name | Yes, $                | Yes. Proxy port 25 requires store and forward service, $. |
DuckDNS        | Yes                                         | No                    | No                                                        | Automatic MX records pointing to your domain. No mail port or mail domain redirection.
Google Domains | No                                          | Yes, $                | Yes. Proxy port 25 requires store and forward service, $. |
cloudns.net    | Yes                                         | Yes, $                | Yes. Proxy port 25 requires store and forward service, $. |

Table 3: DDNS Providers

The OpenWrt DDNS Wiki provides further information which may aid in final selection of DDNS provider and name registrar for your final domain name choice.
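The client side of the "dynamic" part of DDNS, as an added example (not code from the SecureOffice page or from OpenWrt's ddns-scripts): most providers in Table 3 accept the "dyndns2"-style update request, an HTTPS GET of <endpoint>?hostname=<fqdn>&myip=<ip> with HTTP Basic authentication, and answer with a one-word status code. The endpoint URL below is a placeholder (substitute the one your provider documents); the reply codes are the standard dyndns2 set, and send_update() touches the network only when called.

```python
"""Added example, not SecureOffice or ddns-scripts code: the update half of a
"dyndns2"-style DDNS client, the HTTP API most DDNS providers (and OpenWrt's
ddns-scripts) speak: GET <endpoint>?hostname=<fqdn>&myip=<ip> with HTTP Basic
authentication over HTTPS. ENDPOINT is a placeholder; use your provider's
documented URL. The reply strings are the standard dyndns2 codes;
send_update() touches the network only when called."""
import base64
import urllib.parse
import urllib.request
from typing import Dict, Optional

ENDPOINT = "https://ddns.example.net/nic/update"   # placeholder, not a real service

# Standard dyndns2 reply codes: (meaning, may the client retry soon?).
# Repeating after badauth/abuse/nohost gets accounts locked, so a client must stop.
REPLY_CODES = {
    "good":    ("update accepted", False),
    "nochg":   ("address unchanged; stop sending identical updates", False),
    "badauth": ("bad username/password", False),
    "nohost":  ("hostname not in this account", False),
    "notfqdn": ("hostname is not a fully qualified name", False),
    "abuse":   ("hostname blocked for abusive updates", False),
    "dnserr":  ("provider-side DNS error", True),
    "911":     ("provider outage; wait before retrying", True),
}


def build_update_url(endpoint: str, hostname: str, ip: Optional[str] = None) -> str:
    """Credentials go in the Authorization header, never in the URL, so they do
    not end up in proxy and web server logs."""
    params = {"hostname": hostname}
    if ip:
        params["myip"] = ip        # omitted: provider uses the connecting address
    return f"{endpoint}?{urllib.parse.urlencode(params)}"


def parse_update_response(body: str) -> Dict[str, object]:
    parts = body.strip().split()
    code = parts[0] if parts else ""
    meaning, retry = REPLY_CODES.get(code, ("unknown reply", False))
    return {"code": code, "ok": code in ("good", "nochg"),
            "ip": parts[1] if code in ("good", "nochg") and len(parts) > 1 else None,
            "retry": retry, "meaning": meaning}


def should_update(last_ip: Optional[str], current_ip: str, force: bool = False) -> bool:
    """Only send when the address changed (or on an explicit periodic refresh);
    hammering the endpoint with 'nochg' updates is what earns an 'abuse' block."""
    return force or last_ip != current_ip


def send_update(endpoint: str, hostname: str, user: str, password: str,
                ip: Optional[str] = None, timeout: float = 15.0) -> Dict[str, object]:
    """Live update. Refuses plain HTTP: the Basic credential is your DNS account."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    url = build_update_url(endpoint, hostname, ip)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "User-Agent": "secureoffice-ddns-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_update_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(build_update_url(ENDPOINT, "you.example.net", "203.0.113.7"))   # constructed values
    for reply in ("good 203.0.113.7", "nochg 203.0.113.7", "badauth", "911"):
        print(reply, "->", parse_update_response(reply))
```

The two protections worth copying into any home-grown updater are the ones ddns-scripts also implements: send an update only when the public address actually changed, and stop retrying on badauth, nohost or abuse, since those replies do not clear themselves and repeated attempts are what get a hostname blocked.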

It is expected (hint: requested) that users will add to this DDNS provider list by posting their successes in the forum.

For DDNS providers that do not support or allow altering MX records, it is requested that users submit support requests to those providers asking for these features.

It is quite possible that some DDNS providers will ignore these support requests for business reasons (they want to charge for email redirection) and will not be added to the above list.