Can someone elaborate on how using a custom domain would potentially be the same safety as using Nabu Casa’s dynamically generated one?
I currently use the randomly generated one, e.g.: https://iorgfhuiorghuoergh.ui.nabu.casa
but it would obviously be nice to have the custom domain, e.g.: home.example.com
But doesn’t this make it far less secure, since scanning domains would be far easier for simple URLs like this? Wouldn’t that essentially be the same as port forwarding and pointing my CNAME at my home IP? Maybe that last part isn’t the same since there’s a reverse proxy going on, but I hope my question still comes across.
Someone is scanning 10.0.0.1 and they’re hosting hundreds of thousands of dynamically generated URLs. Less likely to find your 1 dynamically generated URL.
vs
Someone scanning 71.0.0.1 and there’s only 1 instance which they would more likely come across.
True, I guess I’m getting crossed between understanding someone port scanning for an open opportunity and what is actually occurring with these URLs / proxies and associating IPs.
I feel this discussion is confusing the differences between obscurity and security. Hoping the attacker doesn’t notice me is the domain of obscurity; ensuring the attacker isn’t successful at entry is security. Obscurity may reduce your risk in some use cases, but it doesn’t improve your security. This is similar to the concept of changing well-known web ports to non-standard port numbers.
Most likely it’s just ease of management on their end. They don’t have to maintain an interface for people to specify what subdomain they want, changing it, etc. They create the subdomain once on their end, assign it, and then that’s it. No management or software really needed after initial creation. To me, this is a good business decision as it saves money and reduces costs on Nabu Casa’s side. Would I like to pick my own subdomain? Sure, it’d be kinda cool. Do I want them to charge me more to manage that on their end? Not really.
Security-wise, they are both pretty much identical. As others said, the name is merely for humans. Routing services care about IP addresses and that’s it. But the reason I’ve always stayed with Nabu Casa is that I don’t want to support the infrastructure needed to maintain my own domain name for HA (DuckDNS, SSL certs, port mapping/forwarding, etc.). Nabu Casa handles all that and I happily pay $6.50/month US for it. For everything else I need externally, I just use Teleport with my UDM-PRO and don’t bother exposing it externally.
Not at all. In fact, the list of Nabu Casa URLs is publicly available due to its use of SSL. You can look up a list of the URLs at the certificate issuing authority, crt.sh | nabu.casa (this may take some time to load). The same can be done for any domain that uses SSL.
It is a common misconception that the Nabu Casa URL has security by obscurity. It does not.
What I can tell you though is that since moving from DuckDNS to Nabu Casa I no longer see the 3-4 (unsuccessful) intrusion attempts I was seeing weekly. This is due to Nabu Casa not requiring port forwarding and open ports.
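
An added example, not part of the thread: a check you can run on your own hostnames to see whether they already appear in Certificate Transparency data, using records in the JSON shape crt.sh returns. The records below are constructed (not real log data), and the function names and hostnames are assumptions for illustration.

```python
import json

# Constructed sample in the JSON shape returned by crt.sh (output=json).
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "home.example.com", "name_value": "home.example.com"},
    {"common_name": "*.example.net", "name_value": "*.example.net\nexample.net"},
    {"common_name": "abc123randomid.ui.example.org",
     "name_value": "abc123randomid.ui.example.org"},
    {"common_name": None, "name_value": "mail.example.com"},
])

def logged_names(ct_json):
    """Collect every DNS name found in the records' CN and SAN fields."""
    names = set()
    for rec in json.loads(ct_json):
        for field in ("common_name", "name_value"):
            # name_value holds one name per line; common_name may be null.
            for name in (rec.get(field) or "").splitlines():
                name = name.strip().lower().rstrip(".")
                if name:
                    names.add(name)
    return names

def exposure(hostname, names):
    """Classify one hostname against the set of logged names."""
    host = hostname.strip().lower().rstrip(".")
    if host in names:
        return "listed"            # the exact name is in the public log
    parts = host.split(".", 1)
    # A wildcard covers exactly one label, so only the direct parent counts.
    if len(parts) == 2 and "*." + parts[1] in names:
        return "wildcard-only"     # certificate exists, exact name not logged
    return "not-found"

def audit(hostnames, ct_json=SAMPLE_CT_JSON):
    names = logged_names(ct_json)
    return {h: exposure(h, names) for h in hostnames}

if __name__ == "__main__":
    mine = ["home.example.com", "abc123randomid.ui.example.org",
            "ha.example.net", "cam.example.com"]
    for host, status in audit(mine).items():
        print(f"{host:32} {status}")
```

In the sample, the random-looking name and the custom name are both reported as listed. A "wildcard-only" or "not-found" result only describes the log contents, not whether the service is reachable or protected.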