Dynamic source filter changes



  • I have my domain's DNS hosted by Cloudflare and use it for proxying HTTPS requests and, of course, the other security benefits they offer. I also have IPsec set up for my phone and laptop for when I'm on the road.

    I want to restrict the source of my IPsec port-forward rule to only allow the IP of my mobile phone or laptop (when away from home). However, the IP address is dynamic, especially given that I'm connected to random hotspots all the time.

    My idea was to use Dynamic DNS on the phone itself. However, I'd like to avoid exposing the IP to public DNS if possible.

    I'm thinking of running an internal dyndns solution that can be updated via HTTPS (which is proxied by Cloudflare) and, of course, some authentication. When the phone pushes an update, the internal dyndns would update Unbound. The firewall rule is tied to the DNS entry, thus allowing me to IPsec in from the new IP.

    Obviously there are some security concerns around my internal DNS getting pwned; I'm trying to think how I could limit updates to a specific hostname.

    Curious what others think of this idea. Might be better, security-wise, to just push the IP to public DNS…
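A sketch of the update handler the post describes, written as an added example (it is not code from the original poster or from Unbound). It assumes an internal HTTPS endpoint that receives a hostname, a per-host bearer token and the client's source address, and then pushes an A record into Unbound with `unbound-control local_data` / `local_data_remove`. The hostnames, tokens and TTL are placeholders; the "limit updates to a specific hostname" concern is handled by binding each token to exactly one record, so a leaked phone token can never rewrite the laptop's entry, and the source address is validated so that only a globally routable IPv4 address ever lands in the firewall alias.

```python
"""Internal dyndns update handler that feeds Unbound (added example)."""
from __future__ import annotations

import hmac
import ipaddress
import subprocess
from typing import Callable, Optional

# Constructed allow-list (placeholder names and tokens, not from the post):
# one long random token per hostname. Whoever presents the phone's token can
# only ever change the phone's record, nothing else in the zone.
UPDATE_TOKENS = {
    "phone.vpn.home.example.": "replace-with-long-random-token-1",
    "laptop.vpn.home.example.": "replace-with-long-random-token-2",
}
TTL = 60  # short TTL so a firewall alias resolved via Unbound follows the phone quickly


def authorize(hostname: str, token: str) -> bool:
    """Exact-match hostname lookup plus constant-time token comparison.

    No wildcards and no normalisation: the client must send the precise
    owner name it is allowed to update, and nothing else is writable.
    """
    expected = UPDATE_TOKENS.get(hostname)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), token.encode())


def parse_source_ip(value: str) -> Optional[ipaddress.IPv4Address]:
    """Accept only a globally routable IPv4 address.

    Rejects garbage, IPv6 (the IPsec rule in the post is IPv4), RFC 1918,
    loopback, CGNAT (100.64/10) and the RFC 5737 documentation ranges, so a
    bad update can never open the port-forward to an internal range.
    """
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    if ip.version != 4 or not ip.is_global:
        return None
    return ip


def unbound_commands(hostname: str, ip: ipaddress.IPv4Address) -> list[list[str]]:
    """argv lists for unbound-control: drop the old A record, add the new one."""
    return [
        ["unbound-control", "local_data_remove", hostname],
        ["unbound-control", "local_data", f"{hostname} {TTL} IN A {ip}"],
    ]


def handle_update(
    hostname: str,
    token: str,
    client_ip: str,
    run: Callable = subprocess.run,
) -> tuple[int, str]:
    """Process one update request; returns (http_status, message).

    `run` is injectable so the logic can be tested without a live Unbound.
    Unknown hostnames and bad tokens get the same 403, so the endpoint does
    not reveal which names exist.
    """
    if not authorize(hostname, token):
        return 403, "forbidden"
    ip = parse_source_ip(client_ip)
    if ip is None:
        return 400, "bad address"
    for argv in unbound_commands(hostname, ip):
        run(argv, check=True)  # assumed: unbound-control is on PATH and the
        # handler's user may use the control socket
    return 200, f"{hostname} -> {ip}"


if __name__ == "__main__":
    # Dry run showing the commands that would be issued for a sample address.
    sample_ip = parse_source_ip("1.1.1.1")
    if sample_ip is not None:
        for cmd in unbound_commands("phone.vpn.home.example.", sample_ip):
            print(" ".join(cmd))
```

Because the endpoint sits behind Cloudflare's proxy, the TCP peer is a Cloudflare edge node; the phone's real address arrives in the `CF-Connecting-IP` request header, and that header is only trustworthy if the origin accepts connections solely from Cloudflare's published IP ranges. Taking `client_ip` from that header rather than from a value the client types into the request body also means a stolen token can only register the address the thief is actually connecting from.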