1.15.0

This is a major release with many improvements:

1. New CLOUDFLARE_* variables: Cloudflare is transitioning its tools to use the new prefix CLOUDFLARE_*. Therefore, the updater now accepts CLOUDFLARE_API_TOKEN and CLOUDFLARE_API_TOKEN_FILE. The old CF_API_TOKEN and CF_API_TOKEN_FILE will still be fully supported until 2.0.0, then deprecated (but still supported) until 3.0.0.
2. Improved custom IP providers: The updater now forces IPv4 or IPv6 when connecting to custom IP providers url:<URL>. This solves a long-standing issue where custom providers couldn't be used on dual-stack machines supporting both IPv4 and IPv6. This enforcement ensures predictable IPv4/IPv6 detection on such machines.
3. Stricter IP validation: The updater now rejects unusual IP addresses for updating DNS records, such as link-local addresses or IPv4-mapped IPv6 addresses for AAAA records. These addresses are unsuitable and may cause trouble.
4. Experimental support of using a network interface’s IP address (not finalized until 1.16.0): Experimental support lets you use the address assigned to a specific network interface, bypassing the routing table used by the local provider. The syntax for this feature is under development and will not be finalized until 1.16.0. Please refer to README and join the discussion on GitHub issue #713 if you are interested.

As a reminder, since 1.13.0, the updater no longer drops superuser privileges and PUID and PGID are ignored. Please use Docker’s built-in mechanism to drop privileges. The old Docker Compose template may grant unneeded privileges to the new updater, which is not recommended. Please review the new, simpler, and more secure template in README. In a nutshell, remove the cap_add attribute and replace the environment variables PUID and PGID with the user: "UID:GID" attribute. Similar options may exist for systems not using Docker Compose.

Bug Fixes

• ipnet: reject IPv4-mapped IPv6 addresses for updating IPv6 records (#936) (be5b3a7)
• ipnet: tighten the checking of IP addresses (#942) (640d30b)
• pp: print blank lines to separate each round of updating (#958) (0a6c71b)
• provider: fix the name and messages of custom URL providers (#940) (2d95d69)
• provider: force IPv4/IPv6 for custom URL providers (#939) (3e80358)
• updater: actively close idle connections for IP detection (#943) (05cbf7e)

Features

• config: accept CLOUDFLARE_* and all compatible token settings (#948) (4fc883c)
• provider: get IP from a specific network interface (#941) (69f8cf2) (#947) (4518fac)

1.14.2

This is an urgent hotfix that resolves a nil pointer dereference issue introduced in version 1.14.1.

Bug Fixes

• fix a nil pointer bug introduced by the commit 319e6a0 (issue #911) (#930) (3ea0eb9)

1.14.1 (DO NOT USE)

This version is buggy; use version 1.14.2 instead.

This is a minor release that addresses minor issues and improves the usability of the new feature for managing WAF lists, which was initially introduced in version 1.14.0.

Bug Fixes

• reduce unnecessary quotation marks in logging (#925) (dc3a26b)

Features

• api: clear a WAF list when it cannot be deleted (#908) (1acf11d)
• api: warn about mismatched attributes (#921) (80388a0)

1.14.0

This is a major release with many improvements! The most significant new feature is the ability to maintain a WAF list of detected IP addresses; you can then refer to the list in your firewall rules. Please consult the README. The second most important update is to use a variant of the Happy Eyeballs (Fast Fallback) algorithm to detect the blockage of 1.1.1.1. As the name of the new algorithm suggests, you should not notice any delay due to the detection, being happy. 😄

As a reminder, since 1.13.0, the updater will no longer drop superuser privileges and PUID and PGID will be ignored. Please use Docker’s built-in mechanism to drop privileges. The old Docker Compose template may grant the new updater unneeded privileges, which is not recommended. Please review the new template in README that is simpler and more secure when combined with the new updater. In a nutshell, remove the cap_add attribute and replace the environment variables PUID and PGID with the user: "UID:GID" attribute. If you are not using Docker Compose, chances are your system supports similar options under different names.

Other notable changes:

1. The global Cloudflare account ID will no longer be used when searching for DNS zones. CF_ACCOUNT_ID will be ignored.
2. To reduce network traffic and delay, the Cloudflare API token will no longer be additionally verified via Cloudflare’s token verification API. Instead, the updater will locally check whether the token looks like a valid Bearer Token before using the API.
3. Many parts of the README have been rewritten to improve clarity and to document the support of WAF lists.
4. The DNS record updating algorithm was revised to be more deterministic, which means the updater will not give up updating stale DNS records (and create new ones) when there are errors; it will simply try again next time. As a result, in very rare cases, the updater may need more rounds to recover from errors.

Bug Fixes

• api: decouple account IDs from operations on DNS records (#875) (0fa1085)
• api: eliminate potential memory leak in caching (#854) (b9c7327)
• api: make the updating algorithm more deterministic (#864) (b557c41)
• api: remove global account ID and remote token verification (#877) (5a40ea7)
• monitor: retry connections to Uptime Kuma (#890) (8236410)
• setter: do not quote DNS record IDs (#851) (fc8accb)
• updater: delete unmanaged IP addresses from WAF lists (#885) (bf0361c)
• updater: show the hint to disable a network when IP detection timeouts (#859) (bdf154c) (#862) (397e722)

Features

• api: ability to update WAF lists (#797) (180bcd7)
• provider: Happy Eyeballs for 1.1.1.1 v.s. 1.0.0.1 (#883) (be0109b)

1.13.2

This is a quick release to change the default user/group IDs of the shipped Docker images to 1000 (instead of 0, the root). The change will help many people use the Docker images more safely. You are still encouraged to review whether the default ID 1000 is what you want. If you have already adopted the new recommended Docker template (in README) with user: ... (not PUID or PGID) to explicitly set the user and group IDs, this release does not affect you.

1.13.1

This is a very minor release that improves the error messages produced by the new API token verifier (introduced in 1.13.0). See #813.

Bug Fixes

• domain: fix incorrect parsing of *.*.foo.bar (#809) (9ccf9df)

1.13.0

This is a major release that no longer drops superuser privileges. Please review the instructions in README for the new recommended setup.

BREAKING CHANGES

• The updater will no longer drop superuser privileges and PUID and PGID will be ignored. Please use Docker’s built-in mechanism to drop privileges. The old, hacky Docker Compose template will grant the new updater unneeded privileges, which is less secure and not recommended. Please review the new template in README that is simpler and more secure when combined with the new updater. In a nutshell, remove cap_add completely and add user: ... as

  user: "1000:1000"
  # Run the updater with a specific user ID and group ID (in that order).
  # You should change the two numbers based on your setup.

  If you have not, please add cap_drop: [all] to drop all Linux capabilities. You should probably remove PUID and PGID as well because they are now useless.

• In case you are using the *-nocapdrop Docker tags, they will no longer be maintained. The updater will no longer drop superuser privileges, and thus the nocapdrop builds are identical to the regular ones. Just use the regular Docker tags such as latest.

• The older versions used to add the comment “Created by cloudflare-ddns” to all newly created DNS records. Since this version, the comment has become configurable, but by default it is empty. To restore the old behavior, add the configuration RECORD_COMMENT=Created by cloudflare-ddns (or any comment you want to use).

Features

• api: make record comment of new DNS records configurable using RECORD_COMMENT (#783) (b10c9a3)
• api: recheck tokens if the network is temporarily down (#790) (15d1a5a)
• api: smarter sanity checking (#796) (80dc7f4)
• cron: show dates when needed (#795) (d1850b1)
• config: recheck 1.1.1.1 and 1.0.0.1 some time later when probing fails (possibly because the network is temporarily down) (#788) (0983b06)
• updater: bail out faster when it times out (#784) (3b42131)

1.12.0

This is a major release with two significant improvements:

1. The updater can send general updates via shoutrrr now.
2. The updater supports non-Linux platforms now. Linux capabilities are not supported on other platforms, but all other features should run as expected at least on Unix-like platforms.

There are also two notable improvements to the stock Docker images. Starting from this version:

1. Annotations are properly added to the Docker images, thanks to the updates to the upstream Docker toolchain.
2. A new Docker tag, 1, is introduced to track the latest version with the major version 1. I plan to develop 2.0.0 that may contain larger breaking changes. Sticking to 1 instead of latest now can avoid unexpected breakage in the future.

Note that the notification system was revamped to integrate shoutrrr. As a result, messages may have been reworded.

Bug Fixes

• add annotations to Docker images (#651) (dd04d0d) (#652) (fe2ed00) (#653) (56748eb) (#659) (687ccaa), closes #454
• limit the number of bytes read from an HTTP response (for extra security) (#629) (d64e8d4)
• monitor: force non-empty error messages for Uptime Kuma (#624) (a9bce5c) (#774) (df565b9)
• provider: trim the response of url:URL (generic provider) before parsing it (#709) (48edb15)

Features

• cron: show the far start time during countdown (#761) (39c659a)
• droproot: support non-Linux platforms (#733) (a93b6ab)
• monitor: prioritize error messages (#622) (2f653ca)
• monitor: send Failed to detect IPv4/6 address to monitors (#620) (f1793ad)
• notifier: embed shoutrrr (#633) (61f42a0) (#640) (817125e) (#762) (c09e2b2) (#768) (9cdfec3) (#772) (b8d4604), closes #532
• setter: print (cached) for results based on cached API responses (#776) (1bcbbf0)

1.11.0

This release adds the experimental support of Uptime Kuma.

BREAKING CHANGES

• UPDATE_CRON=@disabled is deprecated; use UPDATE_CRON=@once instead

Features

• add support of Uptime Kuma (#600) (c68eeeb) (#605) (e65531a)
• introduce UPDATE_CRON=@once (#607) (aa57602)

1.10.1

Bug Fixes

• The updater will now keep existing record comments when updating IP addresses. Previously, it would incorrectly erase them. This was a known bug in 1.10.0, and was fixed by fixing the upstream library cloudflare-go.