Dynamic DNS (DDNS) is a service that maps a fixed domain name to a dynamic IP address. DDNS lets you control a router or webcam, or access a home game server or remote computer, among other things.
Some DDNS providers offer the service for free; others charge a fee. Often, the provider owns a set of second-level domains (for example, hopto.com or ddns.net) under which users can register any unclaimed third-level or lower domain (for example, yourcompanyname.hopto.com). Some services allow you to use your own second-level domain (for example, yourcompanyname.com) instead of one of the DDNS provider’s domains.
The purpose of Dynamic DNS
Devices online are identified by their IP addresses. When a user tries to open a website, such as encyclopedia.kaspersky.com, the client (for example, a browser) first queries the Domain Name System (DNS), which finds the IP address of the site’s server and returns it to the client so that the latter can connect to the server at this address.
Since the list of devices online is constantly changing (some users disconnect, others connect), internet service providers mainly use dynamic addressing. As a result, connected devices may change their IP address from time to time.
The DNS stores a huge number of mappings of domain names to IP addresses, spread over multiple servers worldwide. When the IP address of a server changes, its DNS record must be updated and the change must propagate through caching resolvers, which can take quite a while.
DDNS makes it possible to assign a dynamic IP address to a specific domain name. This lets you connect to a website, camera, game server, or router remotely, despite the periodic change of IP. And the owner of the domain name doesn’t need to manually update the DNS records each time the address changes.
DDNS in malicious campaigns
APT groups can use DDNS to hide the IP addresses of their C2 servers or malware-spreading landing pages. Their goal is to make it harder to detect and block malicious resources based on IP address. To evade blocking by domain as well, cybercriminals can generate random subdomains under the same DDNS domain, since the domain of a DDNS service (for example, No-IP, DynDNS, or Duck DNS) is often considered clean by security systems, as are subdomains on which no malicious activity has yet been spotted.
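One defensive consequence of the above: a resolver log can be checked for clients that look up many different subdomains under the same DDNS provider domain, which is the pattern such rotation leaves behind. The following is an added example, not code from the original article; the DDNS suffix list, the allowlist, the log format and the sample log lines are all constructed for illustration.

```python
from collections import defaultdict

# DDNS provider parent domains. hopto.com and ddns.net appear in the text above;
# duckdns.org and no-ip.org are assumed additions for illustration.
DDNS_SUFFIXES = {"hopto.com", "ddns.net", "duckdns.org", "no-ip.org"}

# Names the organisation legitimately uses under a DDNS provider (assumed list).
ALLOWLIST = {"yourcompanyname.hopto.com"}

def ddns_parent(qname):
    """Return the DDNS parent domain a queried name falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # start at 1: the parent itself is not a subdomain
        parent = ".".join(labels[i:])
        if parent in DDNS_SUFFIXES:
            return parent
    return None

def parse_line(line):
    """Parse one constructed log line: '<timestamp> <client_ip> <qname> <qtype>'."""
    _ts, client, qname, _qtype = line.split()
    return client, qname.lower().rstrip(".")

def analyze(lines, min_distinct=3):
    """Group DDNS lookups per client and parent domain; return the clients that
    resolved at least `min_distinct` different non-allowlisted names under one parent."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        client, qname = parse_line(line)
        parent = ddns_parent(qname)
        if parent is None or qname in ALLOWLIST:
            continue
        seen[client][parent].add(qname)
    return {client: {parent: sorted(names) for parent, names in per_parent.items()
                     if len(names) >= min_distinct}
            for client, per_parent in seen.items()
            if any(len(names) >= min_distinct for names in per_parent.values())}

# Constructed sample log: one client cycling through random-looking hopto.com names,
# another using only the allowlisted corporate name and an ordinary domain.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 q8f3k1.hopto.com A
2024-05-01T10:00:09 10.0.0.5 zt72mq.hopto.com A
2024-05-01T10:00:17 10.0.0.5 w0ab9d.hopto.com. A
2024-05-01T10:00:20 10.0.0.5 www.example.com A
2024-05-01T10:01:02 10.0.0.9 yourcompanyname.hopto.com A
2024-05-01T10:01:05 10.0.0.9 encyclopedia.kaspersky.com A
""".splitlines()

if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        for parent, names in hits.items():
            print(f"ALERT {client}: {len(names)} names under {parent}: {', '.join(names)}")
```

The threshold and allowlist are the tuning knobs: a single DDNS lookup is normal for a home user's camera, while a client resolving a stream of short random labels under one provider domain is worth a closer look.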
In addition, a DDNS user account can be hacked, just like any other account. Having gained access to a DDNS account, the attackers can redirect visitors of the legitimate domain to a malicious server.