Studio lightThreatSTOP has compiled a list of Dynamic DNS (DynDNS) services and providers. The list itself can is useful for both black lists as well as white lists.

DynDNS services allow a domain name to point to 'moving' resources on the Internet. That is, resources that change their public IP address at varying intervals.

These services have both legitimate and illicit purposes. Threat actors can use them to help mask their physical location. While legitimate services may have an unsteady address scheme.

As a legitimate example, a small business may use an IP address that changes at random intervals due to DHCP. This is in contrast to a major corporation, which can use a fixed IP address and will not need to update their DNS record.

In either case legitimate, or not, a method to update the DNS data with fresh IP data must be available. To do this, DynDNS services act as an authoritative host for the client. On an authenticated connection the service notes the IP address of the client. It then updates its DNS record and pushes it to the Internet. As the updated DNS record propagates the shifted service becomes available.

To use ThreatSTOP list, associate it with either a block list, or allow list in your custom policy. This will either black list known DynDNS providers which will block them. Or whitelist them and allow communications.

Enabling the DynDNS target in your user policy will provide control of communications to Dynamic DNS services to your ThreatSTOP Services. If you do not have a ThreatSTOP account Sign up to try a demo.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Defense policies are available on the ThreatSTOP Documentation Hub. Or contact our Support team.