First post here.
I am preparing myself to install Nextcloud on OpenMediaVault, probably with docker.
From a security standpoint which is better:
- Static public IP address provided for free by my internet provider monzoon or
- using a free Dynamic DNS provider such as duckdns or desec
I skimmed through the search but didn’t find a topic that deals with this question. If I missed one, then accept my apologies and kindly link it.
Since I got no answers, I post my own findings for the record.
A similar question was discussed on Stack Exchange. My takeaway is that it doesn’t matter.
[Is it bad to have cameras using a static IP address?](https://security.stackexchange.com/questions/79642/is-it-bad-to-have-cameras-using-a-static-ip-address)
Usually yes, but there’s something to consider: If you have a dynamic IP address, you’ll probably use some dynamic DNS service to forward your domain (e.g. example.org → some-dyndns.org → your server with a dynamic IP). This is one more step compared to a static IP (example.org → your static IP), and you have to trust a third party (the dynamic DNS provider, unless you host it yourself, which is possible too).
Also, if you use CNAME/DNAME to forward your domain to the dyndns address, the dyndns provider could misuse this (e.g. hosting its own site on your domain).
Complexity is a very good point. If the DNS entries are cached for a more or less long time, under certain circumstances, an attacker could perhaps issue an SSL certificate for your domain, when he gets the IP address you had before.
For the rest, I don’t know if static or dynamic ranges are scanned more often, but this is security by obscurity.
There is one more point: if you have a dynamic IP, most ISPs tend to auto-disconnect and reconnect on a daily basis. This means that when this happens you get a new IP and the routing has to switch. However, if you frequently transfer bigger files, such a disconnect may occur during a transfer and you may need to start again.
Caching itself shouldn’t be a problem, since you can set the typical DNS values (Expire, Refresh, Retry and TTL) to a reasonably short time, and depending on your router you can force a disconnect at a convenient time (I force mine to reconnect at 4am in the morning).