To directly access a device from the internet, the target device historically needed a network address (known as an "IP" address) which was both public and static:
- A "public" address is one that is on a publicly accessible network reachable from all other devices on the internet;
- A "static" address is one that remains fixed for any given device and does not change over time.
In practice, most Internet Service Providers (ISPs) issue IP addresses which are neither public nor static, which means workarounds are frequently needed to enable remote access to devices:
- Dynamic DNS services track devices that do not have a static IP
- Port forwarding delivers traffic from public networks into otherwise private networks
This document covers only dynamic DNS; see our separate commentary on port forwarding.
When your device connects to the internet and obtains a IP address, the assigned address might look like "184.108.40.206". You may choose to bookmark this so you can type it into your client and remotely access your device with this address.
The next time your device connects to the internet, the assigned IP might change rendering your original bookmark invalid. While annoying, this wouldn't be a huge problem if you still had physical access to the device. You're in trouble, though, if the device is now deployed somewhere beyond your physical reach.
All dynamic DNS services seek to workaround this problem using DNS to give you a working link to your device:
- The dynamic DNS service provider will give your device a name (for example mydevice123.dynamicdnsprovider.com) which maps to the IP address of your device
- The client you've installed on your device will keep the service up to date with the device's most current IP address
Though the dynamic DNS services themselves may be secured appropriately, there is major flaw inherent to this system: these services alone cannot make any guarantee that the device you are attempting to connect to is actually your own.
Here is an example flow:
- Your device is online, connected to the internet with IP address 220.127.116.11
- The client on your device registers it's current IP address with the dynamic DNS service
- You can now access your device via mydevice123.dynamicdnsprovider.com which just points to 18.104.22.168
- Your device goes offline for some reason (eg lost power)
- Another device (for example a third party camera system) connects to your ISP and is issued your original IP address.
- mydevice123.dynamicdnsprovider.com still points to 22.214.171.124 because your device hasn't come back online yet.
- When you go to mydevice123.dynamicdnsprovider.com you now see the third party device instead of your own. You won't get an error that says your device is offline.
If you happened to login at the URL you think is your device but instead reach a nefarious device, you may just find your password gets snatched. Even where such services expire your URL if it hasn't been updated in a while, there remains a window of time where you are potentially exposed.
While dynamic DNS is a well established solution for remotely accessing devices which are not assigned static (fixed) addresses, it remains a workaround and has significant limitations on its use.
With Dataplicity, your device is either connected to the system or it is not. Whichever is the case, your Remote Shell console, and web URL in the case of Wormhole, is unique to your device.
Updated about a year ago