Advisory on security impacts related to the use of TLS in proprietary vendor Dynamic DNS (DDNS) services.
The use of Dynamic DNS (DDNS[1]) services embedded in appliances, such as those provided by vendors like Fortinet or QNAP, carries cybersecurity implications. It increases the discoverability of customer devices by attackers.
Securing Internet communications is crucial for maintaining the confidentiality and integrity of information in transit. This is typically achieved through a combination of Public Key Infrastructure (using X.509[2] certificates) and encrypted, authenticated connections (TLS[3] and its precursor, SSL[4]).
Certificate Transparency (CT)[5] is a mechanism designed to ensure transparency in the issuance of certificates, with the main aim of spotting rogue Certification Authorities (CAs) and the issuance of fraudulent certificates[6]. The Certificate Transparency Log is a public and immutable record of all issued certificates.
Although the Certificate Transparency Log is designed to improve security and transparency, its public nature leads to known Information Disclosure risks. Attackers abuse the Certificate Transparency Log to identify subdomains (FQDNs) in order to map a target’s attack surface and, consequently, exploit vulnerabilities[7].
Dynamic Domain Name System (also known as Dynamic DNS or DDNS) is a technology that allows users to link a Fully Qualified Domain Name (FQDN) with an IP address that may change over time.
This system consists of two main components: a DDNS client installed on the device that needs to be accessible and a DDNS server managed by a service provider.
Although this type of technology is not recommended for use in SMB (Small and Medium Business) or Enterprise environments (spoiler: it often is), it is highly popular in SOHO (Small Office/Home Office) settings. In fact, an increasing number of vendors are now integrating this service into their appliances to meet this demand.
The combined use of these two technologies – requesting a certificate for an FQDN associated with a DDNS domain owned by a specific vendor – can lead to widespread exploitation of vulnerabilities.
For instance, suppose firewall manufacturer ACME Inc. offers its DDNS service under the domain “acme-firewall.com”.
If a vulnerability were discovered in this firewall, a malicious user could abuse the Certificate Transparency Log to identify vulnerable targets by querying all subdomains of “acme-firewall.com”. This would allow them to compromise thousands of exposed devices at scale.
Fortinet has introduced the “FortiGuard DDNS” service in its FortiGate firewall products. While this service facilitates the setup of VPN systems in the absence of a static IP, it inadvertently encourages the exposure of the appliance’s administrative interface to the Internet.
This DDNS service uses three Fortinet-owned domains: fortiddns.com, fortidyndns.com, and float-zone.com. It also integrates an ACME client for automatic certificate generation via Let’s Encrypt[8].
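
To find out which of your own appliances are affected, the following added example (not part of the original advisory) audits an inventory of certificate names for FQDNs under the three Fortinet DDNS zones listed above. The function names and the sample inventory are illustrative, and it assumes the listed names come from publicly trusted certificates, which are recorded in Certificate Transparency Logs.

```python
# Added example; function names and the inventory are illustrative.
# Vendor DDNS zones named in the advisory (FortiGuard DDNS).
VENDOR_DDNS_ZONES = ("fortiddns.com", "fortidyndns.com", "float-zone.com")


def normalize(name):
    """Lower-case a DNS name, drop a trailing root dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def vendor_zone(name, zones=VENDOR_DDNS_ZONES):
    """Return the vendor DDNS zone that contains `name`, or None.

    Matching is done on whole DNS labels, so "notfortiddns.com" or
    "fortiddns.com.example.org" do not count as members of "fortiddns.com".
    """
    labels = normalize(name).split(".")
    for zone in zones:
        zone_labels = zone.split(".")
        # A device name must have at least one label in front of the zone.
        if len(labels) > len(zone_labels) and labels[-len(zone_labels):] == zone_labels:
            return zone
    return None


def audit(inventory):
    """Map device id -> sorted list of (name, zone) pairs that CT will expose."""
    findings = {}
    for device, names in inventory.items():
        hits = sorted({(normalize(n), vendor_zone(n)) for n in names if vendor_zone(n)})
        if hits:
            findings[device] = hits
    return findings


# Constructed sample inventory: device id -> names in its certificate SANs.
SAMPLE_INVENTORY = {
    "fw-branch-01": ["branch01.fortiddns.com", "vpn.example.org"],
    "fw-branch-02": ["Office.Float-Zone.com.", "*.office.float-zone.com"],
    "fw-hq": ["fw.example.org", "notfortiddns.com", "fortiddns.com.example.org"],
}

if __name__ == "__main__":
    for device, hits in audit(SAMPLE_INVENTORY).items():
        for name, zone in hits:
            print(f"{device}: {name} is under {zone} (discoverable via CT)")
```

Devices reported by the audit are the ones whose administrative interface exposure should be reviewed first.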