Running Ghost and NGINX on Docker running on a Raspberry Pi
Okay, so firstly - I'd like to say... I really like iwantmyname.com - they are a VERY simple registrar with no ads, no BS - everything is very simple to navigate on their site. I hate using GoDaddy because it takes forever to click through their terrible interface to try and work with my domains - many other registrars are like that too - I use iwantmyname.com because I feel like it's designed well for people like us.
That being said - the way iwantmyname.com handles Dynamic DNS is simply irresponsible.
I'll go ahead with this tutorial on how to use their Dynamic DNS protocol and see if you can spot why it's stupid. I'll comment on this more later.
Dynamic DNS with iwantmyname.com
As per the documentation, this is their simple interface:
curl -u "[username]:[password]" \
  "https://iwantmyname.com/basicauth/ddns?hostname=[hostname1]&myip=[IP]"
If you leave off the myip parameter - it just uses your public IP address (easier).
curl -u "[username]:[password]" \
  "https://iwantmyname.com/basicauth/ddns?hostname=[hostname1]"
So, literally - this is what I use for uberbuilder.com:
curl -u "allyourdomains:are-belong-to-us" \
  "https://iwantmyname.com/basicauth/ddns?hostname=www.uberbuilder.com,uberbuilder.com"
Do you see it?
When you use this - you're not using a username/password that you've registered for DDNS updates for this one single domain - that's your ACTUAL master account username:password. If you type this in and actually execute it, this command gets stored in your bash history. Worse, there pretty much is no way to securely store your credentials on a Raspberry Pi. Pretty much, if your Raspberry Pi gets compromised - then all your domains are belong to us - Game over.
I've contacted their support regarding this security issue asking them to please create a more secure way to use DDNS. This was their response:
thank you for getting in touch.
Sorry for being the bearer of bad news, but we don't provide additional layers of security for our API at the moment. It's been set up as a basic and quick way of managing your domains. Currently, we're working on other projects that need to be finished before the API can be polished.
Nevertheless, you definitely have got a point when it comes to establishing an API key or other options to secure the domain management. I've just forwarded your feedback to our developers so it can be added to the discussion. Thanks for sharing your thoughts!
If there are any other questions, we'll be happy to answer them.
Support Person [Name protected]
If you use iwantmyname.com - please email firstname.lastname@example.org and demand that they give this issue some priority. Especially if you're going to set up your Raspberry Pi like this.
If they don't fix this soon I will unfortunately be forced to move my domains to a different registrar.
iwantmyname.com - please fix this sooner rather than later.
I feel dirty inside.
One way to try and make this shitty situation iwantmyname.com puts us all in a little better is to blackbox a Raspberry Pi Zero W: no SSH access, firewalled off from the entire world, and only allowed to reach out to iwantmyname.com. Its one task is to run the logic that updates your DNS records if your public IP ever changes. I'll check with my Security buddies and ask them what they think about this.
What do you think about this? Add your thoughts in the comments section below.
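The bash-history exposure and the "only update when the IP changes" box described above, sketched as an added example (not code from the original post or from iwantmyname.com). It keeps the password out of shell history and process listings by reading it from a netrc file, but that file still holds the master account credentials. The file paths, the state file, and the idea that the caller passes in the current IP are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Paths are assumptions.
set -u
# Assumed credentials file, one line in netrc format:
#   machine iwantmyname.com login <username> password <password>
NETRC="${DDNS_NETRC:-/etc/ddns/netrc}"
STATE="${DDNS_STATE:-/var/lib/ddns/last_ip}"   # assumed: last IP sent
ENDPOINT="https://iwantmyname.com/basicauth/ddns"

# True only for a regular file (not a symlink) with no group/other permissions.
creds_file_ok() {
  case "$(ls -ld -- "$1" 2>/dev/null)" in
    -???------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the update URL: comma-separated hostnames, optional myip.
ddns_url() {
  local url="${ENDPOINT}?hostname=$1"
  if [ -n "${2:-}" ]; then url="${url}&myip=$2"; fi
  printf '%s\n' "$url"
}

# True when IP ($2) differs from the one recorded in the state file ($1).
ip_changed() {
  [ ! -f "$1" ] || [ "$(cat "$1")" != "$2" ]
}

# usage: ddns_update HOSTNAMES [IP]
# Without IP the service uses the caller's public address and the
# unchanged-IP check is skipped. Returns 2 if the credentials file is unsafe.
ddns_update() {
  if ! creds_file_ok "$NETRC"; then
    echo "refusing: $NETRC must not be accessible by group or others" >&2
    return 2
  fi
  if [ -n "${2:-}" ] && ! ip_changed "$STATE" "$2"; then return 0; fi
  # --netrc-file keeps the password out of argv (ps) and shell history.
  curl --silent --show-error --fail --netrc-file "$NETRC" \
    "$(ddns_url "$@")" || return 1
  if [ -n "${2:-}" ]; then printf '%s\n' "$2" > "$STATE"; fi
}

# Run only when given arguments, e.g. from cron:
#   ddns-update.sh www.uberbuilder.com,uberbuilder.com
if [ "$#" -gt 0 ]; then ddns_update "$@"; fi
```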