WebHooks and Dynamic DNS

Hi all,

I’ve created a web app using Flask to trigger Python code to automate splitting of my biweekly paycheck into 4 different pots based on percentages of the amount. I have this triggered using a webhook, but in testing I’ve just been using my public IP. However, since I’m running this from my home I don’t have a static IP, and therefore I’m wondering about using a dynamic DNS to cope with the IP changing. Is this safe to do? And if so, does anyone have suggestions of good services to accomplish this?

Work uses https://dyn.com/remote-access/. They used to have a free product but they may have withdrawn it, but I believe they are the leader in the space.

Quite a few web-related companies offer a free or cheap service if you’re a customer, for example 1&1 hosting and some router companies such as Draytek and even Synology cameras, so have a look.

If you’re concerned about security then you can run the app on a locked down device or VM.

Thanks for the ‘Dyn’ link but, as you say is a possibility, they have withdrawn the free product. I’ll have a look through the other companies you suggested, but I am more concerned about the security as opposed to finding a company capable of providing dynamic DNS; I’m sure I can manage that.

Are there any security concerns to be had with dynamic DNS even? I just figured because essentially you’re routing your webhook transaction data through a company’s DNS server, it has a chance to be intercepted, which wouldn’t be good considering it has your transaction data attached?

Also not sure what you mean about using a locked down device? I’m planning on running mine on my Raspberry Pi.

Thanks for your help!

As I understand it, you run a local host in your home which checks your current IP every X minutes. When it detects a change of IP, it sends a message to the DDNS company to update the DNS record of xxxxx.ddnscompany.com to direct to your new IP.

The only security issue is if the DDNS company gets hacked and they manually change the IP to their own server (a threat for any site), or MitM attacks. To mitigate this, often you can install a certificate for the site and enforce HTTPS on your web app.

By locked down device, I mean network security such as putting it on its own VLAN etc., and only allowing the DDNS host the permissions it needs.
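The update cycle described in the post above, as an added example that is not part of the original thread: one polling step that validates the reported address and only contacts the DDNS provider when it has changed. `DdnsUpdater`, `parse_public_ip`, `lookup_ip` and `push_update` are hypothetical names, no real provider API is used, and the sample replies are constructed.

```python
import ipaddress


def parse_public_ip(reply: str) -> str:
    """Accept the lookup reply only if it is a single, publicly routable IP."""
    ip = ipaddress.ip_address(reply.strip())  # raises ValueError on junk
    if not ip.is_global:
        raise ValueError(f"{ip} is not a publicly routable address")
    return str(ip)


class DdnsUpdater:
    """One polling step of a dynamic DNS client.

    lookup_ip and push_update are hypothetical callables supplied by the
    caller: the first returns the text reply of a "what is my IP" service,
    the second sends (hostname, ip) to the DDNS provider and returns True
    when the provider accepted the change. Both are assumed to use HTTPS.
    """

    def __init__(self, hostname, lookup_ip, push_update):
        self.hostname = hostname
        self.lookup_ip = lookup_ip
        self.push_update = push_update
        self.last_ip = None  # last address the provider confirmed

    def check_once(self) -> str:
        try:
            current = parse_public_ip(self.lookup_ip())
        except ValueError:
            return "rejected"   # bad reply: leave the DNS record alone
        if current == self.last_ip:
            return "unchanged"  # nothing to send
        if self.push_update(self.hostname, current):
            self.last_ip = current
            return "updated"
        return "failed"         # provider refused: retry on the next poll


def demo():
    # Constructed replies, as if polled every X minutes.
    replies = iter(["8.8.8.8\n", "8.8.8.8\n", "192.168.1.10",
                    "<html>error</html>", "1.1.1.1"])
    sent = []
    updater = DdnsUpdater("xxxxx.ddnscompany.com", lambda: next(replies),
                          lambda host, ip: sent.append((host, ip)) or True)
    return [updater.check_once() for _ in range(5)], sent


if __name__ == "__main__":
    print(demo())
```

Rejecting private or malformed replies keeps a broken or tampered lookup response from repointing the hostname.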

Yea, I think that’s how it works too. I guess my question was more a misunderstanding of how DNS works, thinking that the HTTP request was sent to the DNS server and then forwarded on once the public IP had been obtained. Rather than how it actually works returning the public IP to the user who then makes the HTTP request directly to the public IP.

So yes, looks like you just need to worry about the concerns you raised, which are standard for any web application or server. Which should be mostly mitigated by using the HTTPS protocol which looks fairly easy to be added into Flask!

I wasn’t really aware of VLAN but after a bit of research not sure I’ll be able to use it. Firstly, I don’t think my bog-standard internet router has the functionality. Secondly, considering it seems device specific rather than program specific and my Raspberry Pi is also hosting my Plex media server which needs access to the local network, not sure it’s applicable? Might be worth getting another Raspberry Pi for security?

Thanks again for your help!

Yeah, it’s unlikely your ISP router supports VLANs.

If I’m correct that the API can’t move money out of the account then I wouldn’t be too worried about it at the end of the day, especially if it’s just your own account. It’s just an extra step of security to segment the machine from the rest of the network.

Putting it on a VLAN would stop Plex working anyway as it’s device specific. (It is possible to get Plex working across VLANs but you generally need specific makes of routers.)

You’re right about the API, you can’t move money out of your account, only between pots and your main account. You are able to get your transaction data and you have identifiers for information like account ID but not sure if that’s just for the API? But yea, maybe I’m just being overcautious! Also meaning VLAN might be excessive for my use case and require a bit of investment first, but thanks for making me aware of it! And actually thanks for all your help in general, I very much appreciate it! :grin:
