

Sandcats.io: free dynamic DNS for Sandstorm users - paulproteus
https://blog.sandstorm.io/news/2015-05-18-sandcats.html

======
zrail
This seems pretty dang useful. I needed something similar for a non-Sandstorm
server a few weeks ago and, since all of my domains are hosted on Route53, I
wrote this:

[https://github.com/peterkeen/route53_ddns](https://github.com/peterkeen/route53_ddns)

~~~
wwarren
I faced the same problem; came up with the same solution :)
[http://willwarren.com/2014/07/03/roll-dynamic-dns-service-us...](http://willwarren.com/2014/07/03/roll-dynamic-dns-service-using-amazon-route53/)

------
jimmcslim
Port forwarding would also be a handy feature, albeit a major (impossible?)
technical challenge to deal with the varying support for interfaces to set it
up. Or perhaps an ngrok-style tunnelling feature (which would obviously be
more expensive to run).

~~~
paulproteus
(Hi! I'm the author of the blog post & maintainer of the Sandcats service.)

I'm excited about Sandstorm eventually helping people tackle issues like port
forwarding. There's enough to do that it's not something I'm personally
prioritizing, but it would definitely be very interesting. I can imagine the
initial version of this feature working using UPnP for example, for routers
that support it.

Thanks for taking an interest in Sandstorm!

As for ngrok-style tunneling, that's something I'm less interested in
hosting/maintaining as part of the Sandcats toolkit for Sandstorm
self-hosters. I'd be happy to see Sandstorm grow the ability to integrate with
services that offer something ngrok-like, though.

Somewhat hilariously, a Tor hidden service is easy to set up and has built-in
NAT traversal, if I understand things correctly, so maybe one day we'll see a
"Run your Sandstorm server as a Tor hidden service" feature purely for the
connectivity conveniences.

~~~
jimmcslim
Have you folks considered partnerships with Synology, QNAP, etc? Syno have
just embraced Docker in their latest OS version, although that is limited to
their Intel-based NAS range. Sandstorm might have an opportunity to provide a
platform for lower-end and high-end NAS to run web applications.

But I'm sure you have considered this already :-)

~~~
kentonv
We are exploring this direction but don't have anything firm yet. We don't aim
to enter the hardware business ourselves so we're happy to partner with anyone
building hardware. :)

Sandstorm is limited to x86_64 for probably the same reason Docker is -- our
app packages contain binaries and we don't want to burden developers with
supporting multiple architectures, at least for now.

I'm biased, obviously, but Docker on Synology strikes me as an odd fit. Docker
is optimized for massive SaaS-scale deployments of stateless servers, not so
much one-off small-scale stateful app deployments.

------
resoluteteeth
Sandstorm is interesting, but I didn't realize it had this sort of DNS
requirement. This will also mean it will essentially require a wildcard ssl
certificate for people who want to completely host it themselves, which could
seriously limit its uptake.

~~~
kentonv
__TL;DR:__ We're working on that one; stay tuned. ;)

__Long version:__ Yes, Sandstorm requires a wildcard host for security
purposes. In general, by splitting things up into lots of small, isolated
units, we can protect against bugs in apps. For example:

- First, obviously, hosting each app on a separate origin (hostname) is
important if you don't want a bug in one app to allow compromise of other apps
or Sandstorm itself (or if you want to run apps that you don't necessarily
trust). Since we want app installation to be a one-click process, we need to
generate hostnames automatically. But we go a lot further than just allocating
a host for each _app_.

- By hosting every Etherpad _document_ in a separate, isolated container, we
can protect you against bugs in Etherpad that leak information from one
document to another. Several such bugs have been disclosed in the last few
months; none affected Etherpad on Sandstorm.

- By hosting Wordpress's edit interface on a separate host from the public
web view -- guarded by Sandstorm access control -- and making the public view
read-only, we can protect you against security problems in Wordpress. Several
such bugs have been disclosed in the last few months; none affect Wordpress on
Sandstorm.

- By creating a new unguessable throw-away host name for every _session_ --
i.e. every time you open the same document, it's on a different host, and that
host expires when you close it -- we can protect against XSRF, clickjacking,
and reflected-XSS attacks in apps, because the attacker does not know to what
hostname to address the attacks.

So there's a lot of really huge advantages to having a wildcard host
available. The big disadvantage is that wildcard SSL is expensive -- around
$100/yr at its cheapest. But that's an artificial price based on CAs'
perception that wildcard certs are only needed by people who can pay a lot --
it doesn't cost them any more to create the certs, they're just doing price
segmentation. So instead of solving the problem by giving up on our nice
security properties in order to make non-wildcard certs work, maybe we can
solve the problem in meatspace by convincing the CAs that Sandstorm calls for
a different pricing model.

And that's all I can say for the moment. :)
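
[Added example, not part of kentonv's comment and not Sandstorm's own code: a toy Python model of the per-session throw-away hostnames described above, showing why a request aimed at a guessed, expired or closed host reaches nothing. The `SessionHostRouter` class, the `session-` prefix and the base domain `sandstorm.example.com` are assumptions made for illustration.]

```python
import secrets
import time

BASE_DOMAIN = "sandstorm.example.com"  # assumption: placeholder wildcard base domain


class SessionHostRouter:
    """Toy model: one random hostname per session under a wildcard domain."""

    def __init__(self, base_domain=BASE_DOMAIN, ttl_seconds=3600):
        self.base_domain = base_domain
        self.ttl_seconds = ttl_seconds
        self._sessions = {}  # hostname -> (document_id, expiry timestamp)

    def open_session(self, document_id, now=None):
        """Allocate a fresh hostname carrying 128 bits of randomness."""
        now = time.time() if now is None else now
        host = f"session-{secrets.token_hex(16)}.{self.base_domain}"
        self._sessions[host] = (document_id, now + self.ttl_seconds)
        return host

    def close_session(self, host):
        """Closing the document retires its hostname immediately."""
        self._sessions.pop(host, None)

    def route(self, host_header, now=None):
        """Map a Host header to a document; unknown or expired hosts get None."""
        now = time.time() if now is None else now
        host = host_header.lower().rstrip(".")
        entry = self._sessions.get(host)
        if entry is None:
            return None
        document_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[host]
            return None
        return document_id


def demo():
    """Constructed scenario: two sessions on one document, then three misses."""
    router = SessionHostRouter(ttl_seconds=60)
    first = router.open_session("doc-42", now=1000.0)
    second = router.open_session("doc-42", now=1000.0)  # same document, new host
    results = {
        "distinct_hosts": first != second,
        "live": router.route(first, now=1010.0),
        "guessed": router.route(f"session-{'0' * 32}.{BASE_DOMAIN}", now=1010.0),
        "expired": router.route(second, now=1061.0),
    }
    router.close_session(first)
    results["closed"] = router.route(first, now=1011.0)
    return results
```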

~~~
teekert
Seems to me like sandcats and
[https://letsencrypt.org/](https://letsencrypt.org/) are a perfect match when
the time comes...

~~~
kentonv
Indeed.

------
wmf
I am so torn between wanting to cheer anything Sandstorm-related and thinking
that your Sandstorm hosting provider should also set up the DNS for you.

~~~
kentonv
Managed hosting will come Real Soon Now. :)
[https://sandstorm.io/preorder.html](https://sandstorm.io/preorder.html)

But we hope sandcats.io makes it clear that we are dedicated to supporting
self-hosting as well.

~~~
kentonv
ossreality: Thanks!

FYI, it appears HN is auto-killing all your comments, which is why I couldn't
reply directly. :(

