FreePBX DDNS - privacy and security

I noticed today that FreePBX has a DDNS entry in the System Admin functions. Visiting it for the first time, I discovered that our FreePBX host's public IP was registered on an external server and that dig could be used to expose that IP address through pbxact.com. I am not at all comfortable with this situation, but I have no data to act on.

I have some questions:

  1. What is the purpose of this setup?

  2. Is it turned on by default or did we enable it in some fashion?

  3. What are the implications of turning it off?

  4. How does one turn it off?

I believe this happens when you register your deployment. You will notice the DDNS address has your deployment number in it.

The purpose is, if you do not have a static IP address, you can use that DDNS for external phones and remote access if required.

Turning off? I am not sure you can do that; I have not seen a way to do so.

I don’t see how running dig against simply pbxact.com reveals YOUR IP address.

Andrews-MacBook-Pro:~ andrew$ dig pbxact.com

; <<>> DiG 9.8.3-P1 <<>> pbxact.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64224
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pbxact.com.			IN	A

;; ANSWER SECTION:
pbxact.com.		3554	IN	A	199.102.239.49

;; Query time: 19 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Feb 20 19:54:52 2015
;; MSG SIZE  rcvd: 44

Everything that @deanot26508 has said is correct. So if you’d like us to disable this feature or let you disable it then I encourage you to open a feature request. There’s nothing sneaky we are trying to do (and quite simply it’s really for everything that @deanot26508 listed).

> I don’t see how running dig against simply pbxact.com reveals YOUR IP address.

I do not recall writing that it did.

However, one can get the IP information by doing a DNS query using the deployment registration number together with the domain deployments.pbxact.com. As the deployment number appears to be an eight-digit number, an exhaustive search of the DNS space using a slow botnet at only 30 lookups per second would take what, 35 days or so? And that would provide the IP address of every Asterisk deployment registered with you. While this setup might not be a critical security failure, I do not think that it will win any awards either.

I am not suggesting malevolence here. I am just observing that the circumstance exists and stating that I believe it may be leaking more information than I feel comfortable with.

It's a DDNS feature that most SMBs were asking for. You can go into the module and define a fake IP address which will report to us instead of the real IP address it detects.

Thanks. I will cogitate on this for a bit.