[mythtv-users] locating my MythTV box from the internet using a domain name

Ray Olszewski ray at comarre.com
Thu Feb 19 23:19:00 EST 2004


At 07:10 PM 2/19/2004 -0800, Ian Forde wrote:
>On Thu, 2004-02-19 at 17:59, Ray Olszewski wrote:
> > A good idea? Can't say what is good for you, but remember that you'll have
> > to consider security more carefully if your Myth host makes any of its
> > services available over the Internet.
>
>Yeah, but there's no reason why one can't put it on a ssl-enabled
>webserver with client cert authentication... or even better, have the
>myth box on your internal network and run a reverse proxy with ssl and
>client cert authentication...

Yes, this is a good example of how to handle one potential security 
problem, probably the most obvious one. I was also thinking about other 
services ... communication between frontend and backend (if he has separate 
hosts), between the backend and the SQL server ... and probably some other 
odds and ends that are common among hosts on LANs shielded from the 
Internet by NAT'ing and firewalling.

My impression is that Myth itself is fairly relaxed about its own security 
... a reasonable thing to do on a NAT'd LAN, but riskier once routable 
addresses start getting used. I always ran Myth in such a secure setting, 
so I haven't worked through the details of putting it on a host with a 
public address. Has anyone actually done this before?

> > As to whose job it is ... it certainly is not a job for MythTV itself,
> > since Myth doesn't do DNS. Who is authoritative for "mydomainname.com"
> > (that is, whatever real domain name you intend to use)?
>
>Just find a registrar for the forward lookup... you don't need a reverse
>mapping for this...

Right. These days, almost nobody who's not an ISP or an old-line Fortune 500 
company (and, I guess, some government organizations) is authoritative for 
a block of addresses. But you still have to be authoritative for 
"mydomainname.com" to do forward lookups. I put it all so vaguely because I 
couldn't tell if he was talking about using an existing domain (in which case 
he has to find out what the authoritative servers are) or a new one (in which 
case he can pick among the options you offered, plus others).

> > If your ISP is, then it has to update its DNS records to associate this
> > FQN with your available IP address.
> >
> > If you run your own authoritative server, then you update your own DNS
> > records.
>
>If you have a static address, it'll work just fine, otherwise you can
>use dyndns.org or cobble another solution together.  (Find a friend with
>a box with a static IP, then run a cron script that sends dynamic update
>packets when my dhcp lease gets a new address...)

Doesn't the SQL stuff make use of dynamic addresses tricky? Or were you 
assuming this would be a 2-interface system?

> > If whatever registrar you use (or someone else) runs the authoritative
> > server for you, it will have a procedure to let you update the records.
> >
> > Either way, this is really just a standard DNS question, with nothing
> > specific to Myth about it.



