[GH-ISSUE #496] Login or Registration does not work. #366

Open
opened 2026-02-26 10:31:06 +03:00 by kerem · 11 comments
Originally created by @stokito on GitHub (Jul 16, 2022).
Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/496

I can't sign up on the site. How long will registration be closed?

@ThomasWaldmann commented on GitHub (Jul 16, 2022):

I won't reopen it (== self service account creation) in the near future.
Also, all external authentication methods (twitter, github, google, ...) are disabled.

There is just too much abuse by criminals, and I neither want to support their actions nor deal with deleting their stuff all the time.

Account owners who can't log in any more (because they used some external authentication and did not set a local password, or forgot the local password) can write me an email to info @ nsupdate.info:

  • the email's From: address should be the address used in the account
  • alternatively, give your user name
  • state some of your hosts (makes it easier for me to find your account)

I will then set a new temporary password for you, so you can log in again.

Note: I currently do not create new accounts manually, sorry (too much work).

@stokito commented on GitHub (Jul 16, 2022):

Interesting how other DDNS providers are dealing with abuse. The DuckDNS FAQ says:

> Q: Do you have an Abuse policy?
>
> A: yes, we will block, as much as we can anyone who is abusing our service, see our Terms of Use and Privacy Policy. If you have any issues please use the Google Group to contact us

https://www.duckdns.org/faqs.jsp

Maybe this is solvable somehow.

The bigger problem is for tunnel providers.
I remember this article https://pagekite.net/2018-07-18/Phishing_and_spam
Ngrok also spent a lot of effort to stop spam:
https://ngrok.com/abuse
Here are some examples:
https://medium.com/@g33xter/phishing-with-ngrok-252309890b87

Maybe their experience could be useful.

@sporkman commented on GitHub (Oct 2, 2022):

> Interesting how other DDNS providers are dealing with abuse. The DuckDNS FAQ says:
>
> > Q: Do you have an Abuse policy?
> > A: yes, we will block, as much as we can anyone who is abusing our service, see our Terms of Use and Privacy Policy. If you have any issues please use the Google Group to contact us
>
> https://www.duckdns.org/faqs.jsp
>
> Maybe this is solvable somehow.
>
> The bigger problem is for tunnel providers. I remember this article https://pagekite.net/2018-07-18/Phishing_and_spam Ngrok also spent a lot of effort to stop spam https://ngrok.com/abuse here are some examples https://medium.com/@g33xter/phishing-with-ngrok-252309890b87
>
> Maybe their experience could be useful.

Running a free service like this AND keeping it clear of people trying to use it for C&C servers and other nefarious purposes, and then also fighting DDoS attacks from both good guys and bad guys is a full-time job. In theory, sure, any of us could set this up on a bunch of VPSs out there and advertise it as "free dynamic dns service", but without a small team of people constantly babysitting it, it's just not practical.

Just glad the software exists so I can self-host (and I'm looking at this because DuckDNS is again intermittent all weekend long).

@luckman212 commented on GitHub (Oct 4, 2022):

@sporkman Is there a fairly simple guide or any steps on setting up a self-hosted instance from scratch on a VPS (DigitalOcean etc.)?

@stokito commented on GitHub (Dec 22, 2022):

@ThomasWaldmann could you please explain how criminals are using the service?
As far as I understood, are they doing phishing with names like bank.nsupdate.info, or do they just need any domain for their website?
In the first case we could make a filter for registered trademarks and banned words. And we could require the domain to start with "bad", so that users would see badbank.nsupdate.info, which should make them more cautious.

But if criminals just need any domain and they don't want to register because it requires a credit card, then this makes it more difficult. The only solution would be to require a payment of $1 and then roll it back.
Maybe you could create a group of volunteer moderators who can review emails about abuse. How many abuse letters do you receive?

I'm asking because I made my own DDNS server and I need to know how to protect it.

I decided to use a different approach. I want my users to be registered automatically. So they'll just generate a long random domain (uuid or ed25519 pub key) and a token and configure a DDNS client. The new domain with the token is registered, and any subsequent updates will require the same password.
Since the domains are not human readable, nobody is interested in squatting. Unused domains will be removed after a period.

P.S. my DDNS server PoC https://github.com/yurt-page/go-ddnsd
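Worked example of the registration scheme sketched in the comment above (added for this mirrored thread; it is not code from nsupdate.info or from go-ddnsd): the client invents a random hostname label and an update token, the first update with an unknown name registers it (trust on first use), every later update must present the same token, chosen human-readable names are refused outright, and names that stop sending authenticated updates are expired. The zone `ddns.example`, the 90-day retention period, the 30-day client keepalive and the return codes are assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not nsupdate.info or go-ddnsd code. The names below are constructed.
BASE_DOMAIN = "ddns.example"             # placeholder zone the service hands out names under
MAX_IDLE = timedelta(days=90)             # assumed retention period for names that stop updating
LABEL_RE = re.compile(r"[0-9a-f]{32}")    # only random hex labels are accepted, never chosen words


@dataclass
class HostRecord:
    token_hash: bytes      # sha256 of the update token; the token itself is never stored
    ip: str
    last_seen: datetime


class DdnsStore:
    """In-memory stand-in for the server's host table."""
    def __init__(self) -> None:
        self.hosts: dict[str, HostRecord] = {}


def new_client_credentials() -> tuple[str, str]:
    """Client side: invent a random, non-human-readable hostname and an update token."""
    label = secrets.token_hex(16)         # 32 hex chars, well within the 63-char DNS label limit
    token = secrets.token_urlsafe(32)
    return f"{label}.{BASE_DOMAIN}", token


def _hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def _valid_hostname(hostname: str) -> bool:
    label, sep, zone = hostname.partition(".")
    return sep == "." and zone == BASE_DOMAIN and LABEL_RE.fullmatch(label) is not None


def handle_update(store: DdnsStore, hostname: str, token: str, ip: str, now: datetime) -> str:
    """Server side. Return words follow the dyndns2 vocabulary (good/nochg/badauth/notfqdn),
    plus the constructed 'registered' for a first-seen name."""
    if not _valid_hostname(hostname):
        return "notfqdn"                  # rejects chosen names such as somebank.<zone>
    rec = store.hosts.get(hostname)
    if rec is None:
        # trust on first use: the first update claims the name and binds it to this token
        store.hosts[hostname] = HostRecord(_hash(token), ip, now)
        return "registered"
    if not hmac.compare_digest(rec.token_hash, _hash(token)):
        return "badauth"                  # another party cannot take over an existing name
    rec.last_seen = now                   # every authenticated update counts as activity
    if rec.ip == ip:
        return "nochg"
    rec.ip = ip
    return "good"


def expire_inactive(store: DdnsStore, now: datetime, max_idle: timedelta = MAX_IDLE) -> list[str]:
    """Remove names whose owner has not sent an authenticated update within max_idle."""
    stale = [h for h, r in store.hosts.items() if now - r.last_seen > max_idle]
    for h in stale:
        del store.hosts[h]
    return stale


def client_needs_update(last_ip: str, current_ip: str, last_sent: datetime, now: datetime,
                        keepalive: timedelta = timedelta(days=30)) -> bool:
    """Client side: send when the IP changed, and otherwise once per keepalive period,
    so the server can tell a live host from an abandoned one before expiring it."""
    return current_ip != last_ip or now - last_sent >= keepalive
```

The token is hashed before storage and compared with `hmac.compare_digest`, so a database leak does not hand out working update credentials and the comparison does not leak timing. The trade-off the scheme makes is visible in `_valid_hostname`: because only random labels are accepted, there is nothing brand-like to squat, but there is also no memorable name for legitimate users.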

@ThomasWaldmann commented on GitHub (Dec 22, 2022):

Well, as far as I could see / got notified of:

  • they register an arbitrary dyndns hostname to point to a distribution host of illegal material (e.g. CSAM), malware (computer virus/trojan infected stuff) or copyright violations (ebooks, movies, ...)
  • they register specific dyndns hostnames to point to phishing sites, like somebank.nsupdate.info, somepostalservice.nsupdate.info - they are rather creative with these so it is hard to blacklist them, even when using regexes.
  • they register specific dyndns hostnames to sell fake / questionable products
  • they register less specific dyndns hostnames for other sites with services for their criminal operations.

I think a simple list of trademarks / registered names would be huge and won't solve the problem. E.g. if you had wellsfargo (a bank) on your list, the abuser would just use wells-fargo or we11sfargo or wellsfarg0 or ... - some are even hard to match with regexes.

I thought about obligatory payments. That might deter some of the criminals, because that would harm their anonymity and some kind of information about them might be in reach for criminal investigators then. But I guess even that could be worked around, just by abusing the credit card of someone else. Also, I don't like that, because it would basically turn the free service into a commercial one, cause more work for me and would be either for nothing or would be more expensive...

There is no "moderation admin interface" (yet?) for the nsupdate.info software (I currently do that via the django admin). In any case, I would only give access to very trusted persons I personally know.

Using random (like uuid) hostnames and not allowing the user to choose the hostname removes some of the criminal use cases, but not all. Of course, it also removes some of the reasons why legitimate users want to have a dyndns name in the first place (== because they can remember it easily). It also removes some pattern matching options for the admin to fight criminal abusers.

About removing inactive hostnames after some time: we also do that (after a rather long time), but it first notifies the users multiple times via email that this is going to happen if there is no activity. This is not completely unproblematic, because sometimes users give fake email addresses or just don't get or read our emails. Hostnames that are not updated for longer times usually happen for cable internet providers (IP does not change).

It is a good practice to not update the dyndns host if the IP did not change, BUT still send 1 monthly unconditional update just to signal "hey, I am still alive and using this dyndns host".

About self-registration, oauth (external accounts):

  • when only using local accounts on nsupdate.info and disallowing self-registration, I have some control over who can create dyndns hosts and who not. If some user gets on the radar by creating scam hostnames, I can delete the user account and all their hosts and they won't get in again easily.
  • when allowing self-registration, a user who was removed can easily just create a new account (using a new name / email address) and can continue abusing the service until they get noticed again. This is an endless whack-a-mole game...
  • when allowing external accounts (oauth, twitter, github, ... logins) it gets even more comfortable for the abusers, because they can maintain e.g. a twitter account (which I have no control over) and the nsupdate.info service then would just auto-create a profile for them based on that twitter account. Even if I removed their hosts and their profile, they could immediately get in again and just recreate their hosts.

Since I have removed self-registration and external accounts, the amount of abuse has significantly decreased (also the amount of abuse notifications I get via email).

But I usually can't keep up with new user registration request emails (also hard to know how they will use the service), so in the past months I focussed on helping existing users to get into their accounts again (e.g. if they only had used the external auth [disabled now], but did not set a local password).
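The comment above makes the point that a plain trademark list is easy to evade with wells-fargo, we11sfargo or wellsfarg0. The following is an added example (not nsupdate.info code) of the kind of triage aid an operator could run over new hostnames: labels are normalised (accents stripped, look-alike digits mapped back to letters, hyphens dropped) and then compared to a watchlist with a small edit-distance tolerance, so all three variants land on the same entry. The watchlist, the confusable map and the thresholds are constructed for the example; "wellsfargo" is the name used in the thread, the other entries are placeholders. As the comment also says, this only narrows the problem: it flags candidates for a human to look at, it does not decide anything by itself.

```python
import re
import unicodedata

# Added example, not nsupdate.info code. The watchlist is constructed: "wellsfargo" is the
# name used in the thread, the other entries are placeholders an operator would replace.
WATCHLIST = ["wellsfargo", "paypal", "dhl"]

# Digit/symbol substitutions commonly used in place of letters (constructed, extend as needed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                             "7": "t", "8": "b", "|": "l", "$": "s", "@": "a"})


def normalize_label(label: str) -> str:
    """Fold a hostname label into lowercase ASCII letters only: strip accents,
    map look-alike digits to letters, collapse rn->m and vv->w, drop hyphens and the rest."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    folded = folded.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _windows(s: str, n: int):
    """All substrings of s of length n (or s itself when it is shorter than n)."""
    if n >= len(s):
        yield s
        return
    for i in range(len(s) - n + 1):
        yield s[i:i + n]


def lookalike_matches(hostname: str, watchlist=WATCHLIST, max_distance: int = 1) -> list[str]:
    """Return the watchlist names the first label resembles after normalisation.
    Short names must match exactly; longer ones tolerate max_distance edits inside any
    window of the label, so welsfargo-login is caught as well as wellsfargo."""
    norm = normalize_label(hostname.split(".")[0])
    hits = []
    for brand in watchlist:
        allowed = max_distance if len(brand) >= 6 else 0   # 3-letter names would drown in false positives
        best = min((levenshtein(w, brand)
                    for n in (len(brand) - 1, len(brand), len(brand) + 1)
                    for w in _windows(norm, n)),
                   default=len(brand))
        if best <= allowed:
            hits.append(brand)
    return hits
```

Running `lookalike_matches` on each newly created hostname and queueing the hits for review keeps the decision with the operator while removing the need to write a regex per spelling variant. Expect false positives on short or common watchlist entries, which is why entries under six characters are matched exactly.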

@ThomasWaldmann commented on GitHub (Apr 17, 2023):

Update: I updated the 2nd post with the current state of affairs.

Also cleaned up this ticket a bit, removed posts that are not useful any more.

@dd8zc commented on GitHub (Mar 18, 2024):

Very sad. Unfortunately, my friends recommended the service to me too late. If registration becomes possible again (I can also verify myself by personally sending stamps, even though no one uses stamps anymore), it would be cool if this thread could be updated.

@markcst commented on GitHub (Dec 10, 2024):

So nsupdate is dead or not? As far as I can see, new registrations are currently and still not possible (?)

image (screenshot attachment): https://github.com/user-attachments/assets/e5371a2c-d0a8-44f3-b491-89bb19bfcea8

@darkdragon-001 commented on GitHub (Dec 27, 2025):

@ThomasWaldmann do you think it is feasible to open up registration again for users bringing their own domain? Would also be fine with a small one-time sign up fee or donation. I would like to try this out a bit before figuring out how and where to self-host.

@ThomasWaldmann commented on GitHub (Dec 27, 2025):

@darkdragon-001 I won't open up the self-registration due to the issues described above.

But you can send me an email and I will create an account for you.

Reference
starred/nsupdate.info-nsupdate-info#366