DynDNS mistakenly blocks many hosts for abuse (Update)

Earlier today many DynDNS users received a notification email saying that their account had been blocked for abuse. DynDNS offers a free service that lets users without a fixed IP address reach their computers through a unique human-readable address like <name>.dyndns.org. The service is very widespread for that reason; many computer experts use it to remotely manage and secure the computers of relatives, for example. The affected users received this email:

When asked about the issue, DynDNS support sends the following answer:

Earlier today we ran into some issues with our dynamic updates pushing to the nameservers. This has been corrected, so any new updates will be processed correctly. We are also running a script that will push all of the changes we received during this time that were not properly processed. This script will take about 3 hours to run, so if you want to update yours in the meantime, either push an update from your update client or view the hostname in your account and simply click the save changes button (even though you didn’t make any changes).

We are very sorry about this issue and the headaches it has undoubtedly caused you. Our engineering team is discussing options to ensure that this particular incident does not happen again.

This is also posted on their support forum. At the time of writing this article, not all redirects were working yet. In case you are affected, log into your DynDNS account, unlock your mistakenly blocked account and refresh the IP manually.

Update: Many accounts were blocked because of erroneous behaviour of update clients, such as the one integrated in the popular Fritz!Box. DynDNS explained this via email:

The update server issue caused updates to be received from customers, but not propagated to the actual nameservers. During the issue, if your hostname were assigned to 1.1.1.1 and you sent us a new IP address of 2.2.2.2, the servers continue to answer with 1.1.1.1 during the problem period. This was fixed and the servers were synchronized, so everything should be working properly now.

The Fritz!Box checks regularly that its IP address matches the DNS records and if it doesn’t then it pings the DynDNS service to make an update. If the records aren’t updated, it will try automatically after 3 minutes.

To prevent broken update clients from flooding the DynDNS servers, the clients are blocked after receiving a certain number of updates with the same IP address. A handful is fine, but a client that consistently sends repeated information will get blocked.
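The interaction described in the email, as an added simulation (not DynDNS or Fritz!Box code): a client that retries every 3 minutes until DNS matches trips the repeat-IP block during a propagation outage, while a client that remembers what the server already accepted does not. The `UpdateServer` class, the threshold of 5, the return strings and the back-off schedule are assumptions made for illustration.

```python
RETRY_MINUTES = 3     # retry interval stated in the DynDNS email
ABUSE_THRESHOLD = 5   # assumption: the email only says "a certain number"


class UpdateServer:
    """Constructed stand-in for the update service. While `propagating` is
    False, updates are accepted but the nameservers keep the old IP."""

    def __init__(self, dns_ip, propagating=True):
        self.dns_ip, self.propagating = dns_ip, propagating
        self.last_ip, self.repeats, self.blocked = None, 0, False

    def update(self, ip):
        if self.blocked:
            return "blocked"
        self.repeats = self.repeats + 1 if ip == self.last_ip else 0
        self.last_ip = ip
        if self.repeats >= ABUSE_THRESHOLD:
            self.blocked = True
            return "blocked"
        if self.propagating:
            self.dns_ip = ip
        return "accepted"


def naive_client(server, wan_ip, minutes):
    """Resend every RETRY_MINUTES for as long as DNS and WAN IP differ."""
    sent = 0
    for _ in range(0, minutes, RETRY_MINUTES):
        if server.dns_ip != wan_ip:
            server.update(wan_ip)
            sent += 1
    return sent


def careful_client(server, wan_ip, minutes, max_resends=2):
    """Remember what the server accepted; repeat it rarely and only a few times."""
    sent, acked_ip, next_try, delay = 0, None, 0, RETRY_MINUTES
    for now in range(0, minutes, RETRY_MINUTES):
        if server.dns_ip == wan_ip or now < next_try:
            continue
        if acked_ip == wan_ip and sent > max_resends:
            continue  # server already holds this IP; stop repeating it
        sent += 1
        if server.update(wan_ip) == "blocked":
            break
        acked_ip = wan_ip
        delay *= 4  # back off: 12, 48, 192 ... minutes
        next_try = now + delay
    return sent
```

With the outage simulated (`propagating=False`), the naive client is blocked on its sixth update, 15 minutes in, and keeps sending; the careful client sends three updates over ten hours and stays unblocked.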

Many thanks to DynDNS Support for providing this detailed information to me.

Sorin Mustaca
Data Security Expert