Security Settings
Important Note:

Improperly formed Access Control Lists can result in locking yourself out of your easyDNS™ account. You should always test your ACL's using the "test this ACL" utility before committing them. If you are not sure how to proceed or do not fully understand the scope of this tutorial, you should contact support before enabling an ACL.

Remember, ACL's do not replace other security considerations, they enhance them. It is still your responsibility to secure your username and password as well as to select a secure secret question and answer pair.


Security and Access Control Lists
It is possible to limit logins to your account so that logins will only be accepted from network locations specified by you. This vastly improves security in the case where your account username and password are compromised: with an Access Control List limiting logins, a third party may not be able to log into your account and assume control of your domains.

Example Usage Scenario
You may have a small Local Area Network in your office and some remote users working on workstations under your company domain name. You can then specify the network block your office LAN resides on:

192.168.42.0/24

In this case, that is the class C netblock beginning on 192.168.42.0. You could additionally or optionally specify a hostmask:

*.example.com

The result of having the two examples above entered into your "Access Control List" on your easyDNS™ account is as follows:

* Valid logins will be accepted from any computer on the 192.168.42 netblock (computers on IP addresses 192.168.42.1 through 192.168.42.255)

* Valid logins will be accepted from any computer whose hostname resolves to <anything>.example.com (as returned by a gethostbyaddr() call on the remote IP address connecting).

If you want to enable an Access Control List and want to connect from a dynamic IP whose reverse DNS entry you do not control, see the section below "Using ACL's with Dynamic DNS".


How the ACL is Processed

When a login attempt is made to an account with an ACL enabled, the ACL is processed one line at a time and any one match is sufficient to allow access. That is to say, if an ACL contains 5 lines, the current connection need only match 1 line of those 5 to be granted access.

It is important to note that invalid logins (i.e. bad passwords) result in access denial regardless of whether the current connection fulfills the Access Control List or not.


Valid Types of ACL Entries
You can enter the following types of entries into your Access Control List:

Hostname Wildcard
example: *.example.com matches any hostname within the "example.com" domain such as www.example.com, user1.example.com, dsl-20392.example.com.

Posix Regex
example: regex:[A-Z][A-Z][A-Z][[:digit:]][[:digit:]]\.example\.com applies the Posix Regular Expression against the result obtained from doing a gethostbyaddr() on the remote IP address connecting. In this case, valid logins will be allowed from abc57.example.com, zzz02.example.com but not abc.example.com.

(You must prefix your ACL entry with the keyword "regex:" to use this style of ACL entry)


Perl Regex
example: /[A-Z]{3,3}\d\d\.example\.com/ applies the Perl Regular Expression against the result obtained from doing a gethostbyaddr() on the remote IP address connecting. In this case, valid logins will be allowed from abc57.example.com, zzz02.example.com but not abc.example.com.
(You must prefix your ACL entry with the keyword "pcre:" or surround your perl-style regex with forward slashes '/' to use this style of ACL entry)


Exact Hostname
example: laptop.example.com
Exact hostnames are treated differently. Rather than perform a gethostbyaddr() on the IP address the connection is coming from, a gethostbyname() is performed on the exact hostname and then compared to the remote IP. If they match, access is granted.


Netblock
examples: 192.168.12.0/24, 192.168/16, 192.168.49.117/32
IP Blocks in CIDR format. In this case access is allowed from hosts on IP's on the Class C netblock 192.168.12, the Class B netblock 192.168 (not recommended) or the exact IP address 192.168.49.117, respectively.


IP Mask
example: 192.168.14.*, allows access from IP's within the 192.168.14.0 Class C. IP Masks are merely converted to netblocks (above) and stored in CIDR format.
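
The entry types above and the any-one-match rule from "How the ACL is Processed", as an added Python sketch (not easyDNS™ code). DNS lookups are replaced by constructed tables (PTR, A); the function names, the case-insensitive matching and the anchoring of regexes to the whole hostname are assumptions of this sketch.

```python
import fnmatch
import ipaddress
import re

# Subset of POSIX bracket classes, rewritten because Python's re lacks them.
POSIX_CLASSES = {"[:digit:]": "0-9", "[:alpha:]": "A-Za-z", "[:alnum:]": "A-Za-z0-9"}
# Constructed sample data standing in for DNS, so the sketch runs offline.
PTR = {"203.0.113.7": "abc57.example.com", "203.0.113.8": "abc.example.com"}
A = {"laptop.example.com": {"198.51.100.20"}}

def to_network(entry):
    """Parse '192.168.14.*', '192.168/16' or full CIDR; None if not an IP entry."""
    addr, _, prefix = entry.partition("/")
    octets = addr.split(".")
    if not prefix and "*" in octets:           # IP mask is converted to a netblock
        n = octets.index("*")
        prefix, octets = str(8 * n), octets[:n]
    if not prefix or not octets or not all(o.isdigit() for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))        # '192.168/16' -> '192.168.0.0/16'
    try:
        return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)
    except ValueError:
        return None

def entry_matches(entry, remote_ip, reverse_lookup, forward_lookup):
    """True if one ACL line admits remote_ip; DNS lookups are injected callables."""
    pattern = None
    if entry.startswith(("regex:", "pcre:")):
        pattern = entry.split(":", 1)[1]
    elif len(entry) > 1 and entry[0] == entry[-1] == "/":
        pattern = entry[1:-1]
    if pattern is not None:   # regex vs. reverse name; anchored, case-insensitive (assumed)
        for cls, rng in POSIX_CLASSES.items():
            pattern = pattern.replace(cls, rng)
        name = reverse_lookup(remote_ip)
        return bool(name and re.fullmatch(pattern, name, re.IGNORECASE))
    net = to_network(entry)
    if net is not None:                        # netblock or IP mask
        return ipaddress.ip_address(remote_ip) in net
    if "*" in entry:                           # hostname wildcard vs. reverse name
        name = reverse_lookup(remote_ip)
        return bool(name and fnmatch.fnmatchcase(name.lower(), entry.lower()))
    return remote_ip in (forward_lookup(entry) or ())  # exact hostname: forward lookup

def acl_allows(acl, remote_ip, reverse_lookup=PTR.get, forward_lookup=A.get):
    """Lines are tried one at a time; any single match is sufficient."""
    return any(entry_matches(e.strip(), remote_ip, reverse_lookup, forward_lookup)
               for e in acl if e.strip())
```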


Using ACL's with Dynamic DNS
If you are using easyDNS™'s dynamic DNS service and want to enable an Access Control List which will allow access from your dynamically assigned IP, odds are your reverse DNS will not be the same as your dynamic hostname, thus the "wildcard hostname", "posix regex" and "perl regex" methods will not work, and neither will the "IP Block" (because your IP is dynamic).

The way to get this to work is simply to specify an "exact hostname" in your ACL for the device using the dynamic DNS. Examples are "laptop.example.com", "dsl.example.com", "me-and-my-shadow.example.com". When your IP changes, your dynamic DNS client will update your DNS settings here. Then, when you come in to log in, we will see that your new IP matches your "exact hostname" ACL and access will be granted.

What to do if you are locked out of your account
You can contact support if for some reason your ACL malfunctions. By default, if you supply your account secret question/answer then our support staff can remove your ACL settings only, at which point you should be able to log in with your username & password.

The security settings also provide an extra level of security in the Override token, which lets you specify a different "password" from your secret question/answer pair. If this value is set, then easyDNS™ Support staff will only remove your current ACL settings upon receipt (verbally or via email) of this other "override token" and not from the secret question/answer pair.



©2013 easyDNS™ Technologies Inc.