Custom domain, less secure with Nabu Casa?

Can someone elaborate on how using a custom domain would potentially be the same safety as using Nabu Casa’s dynamically generated one?

I currently use the randomly generated one, e.g.: https://iorgfhuiorghuoergh.ui.nabu.casa

but it would obviously be nice to have the custom domain, e.g.: home.example.com

But doesn’t this make it far less secure since the ability to scan domains would be far easier for simple urls like this? Wouldn’t that essentially be the same as port forwarding and pointing my CNAME at my home IP? Maybe that last part isn’t the same since there’s reverse proxy going on, but hope my question still comes across.

I’m neither a hacker or a security guy, but I would assume that the scans are being done by ip, not domain name.

1 Like

Yeah, using any name doesn’t effect security at all. It’s the IP. Names are just for us humans.

I see what you mean but say

nabu.casa is: 10.0.0.1

example.com: 71.0.0.1

Someone is scanning 10.0.0.1 and they’re hosting hundreds of thousands of dynamically generated URLs. Less likely to find your 1 dynamically generated URL.

vs

Someone scanning 71.0.0.1 and there’s only 1 instance which they would more likely come across.

Does this make sense as a concern?

Not really, since if you are hosting 100000 urls you don’t have 100000 unique ips. IPs and ports are what is interesting, not domain names.

True I guess I’m getting crossed between understanding someone port scanning for an open opportunity and what is actually occurring with these urls / proxies and associating IPs

1 Like

I feel this discussion is confusing the differences between obscurity and security. Hoping the attacker doesn’t notice me is the domain of obscurity, ensuring the attacker isn’t successful at entry is security. Obscurity may reduce your risk in some use cases, but it doesn’t improve your security. This is similar to the concept of changing well-known web ports to non-standard port numbers.

3 Likes

True – I guess a good question is, is the dynamically generated Nabu Casa url more about obscurity than security?

If it is more about obscurity is it more obscure than a custom domain would be?

If is can be a measure of security would there be any legitimate differences between a custom domain and their dynamically generated one?

Most likely it’s just ease of management on their end. They don’t have to maintain an interface for people to specify what subdomain they want, changing it, etc. They create the subdomain once on their end, assign it, and then that’s it. No management or software really needed after initial creation. To me, this is a good business decision as it saves money and reduces costs on Nabu Casa’s side. Would I like to pick my own subdomain? Sure, it’d be kinda cool. Do I want them to charge me more to manage that on their end? Not really.

Security wise, they are both pretty much identical. As others said, the name is merely for humans. Routing services care about IP addresses and that’s it. But, the reason I’ve always stayed with Nabu Casa is because I don’t want to support the infrastructure needed to maintain my own domain name for HA (DuckDNS, SSL certs, port mapping/forwarding, etc). Nabu Casa handles all that and I happily pay $6.50/month US for it. Everything else I have that I need externally, I just use Teleport with my UDM-PRO for and not bother exposing it externally.

2 Likes

Not at all. In fact the list of Nabu Casa URLs is publicly available due to its use of SSL. You can look up a list of the urls at the certificate issuing authority, crt.sh | nabu.casa (this may take some time to load). The same can be done for any domain that uses SSL.

It is a common misconception that the Nabu Casa URL has security by obscurity. It does not.

What I can tell you though is that since moving from DuckDNS to Nabu Casa I no longer see the 3-4 (unsuccessful) intrusion attempts I was seeing weekly. This is due to Nabu Casa not requiring port forwarding and open ports.

6 Likes

Thanks for all the input!