-
-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Domain resolution is resolving to internal IP causing constant record updates #389
Comments
I resolved this by setting a custom dns on the container. For example with docker run: or with docker-compose:
|
That's good advice, and I gave it a shot, but sadly it doesn't seem to work (or isn't respecting that environment variable)
...which isn't what you meant, is it? EDIT: Yeah, it appears that executing the |
Thanks a lot! That works perfectly for me too. |
I've made a pr #417 addressing this issue. Feel free to comment, if I missed something. |
Thanks @affeldt28 for the PR. Commit 464a557 should put a nail into it, you can now use |
@cybersteel8 @qdm12 is it better to use an Authoritative Server as resolver or the classic 1.1.1.1 is enough? Also, what is the best value for the TTL setup with a DDNS service? |
First the easy answer:
As short as possible. When your public ip address changes, you want the DNS records to update as quickly as possible depending on your needs. Usually 5 minutes is fine, otherwise you should really get a fixed ip.
DNS over port 53 udp is in plaintext and unencrypted, and there is no cryptographic verification by default, so really it doesn't matter, one could manipulate your traffic and feed you a bad ip address anyway. BUT It doesn't matter much since ddns updater is using this to check against your public ip address. In the worst case, it will just trigger the update more often. Now in the depth of technicalities for the paranoid, we could either:
DNS over tls is great for privacy, whilst DNSSEC is great to make sure a record is correct without relying on i.e. Cloudflare, which might be more interesting here. But DNS over TLS is not implemented in ddns updater yet (not so much of a need yet), maybe I'll get to it one day. |
@qdm12 Thank you very much for the details. I will follow your suggestions. However, just for curiosity, wouldn't this be a security issue if used together with PUBLICIP_FETCHERS=dns? An attacker could change the answer for both public IP and DNS answer in a very specific and targeted attack in order to change the ip of my domain? |
That's a very good point I didn't realize, can you create an issue copy pasting your comment? I'll check if they have these public ip echo endpoints with dns over tls, and, if not, at least default to http(s) and not http+dns for the public ip fetchers. |
Done |
TLDR: Hostname resolution should explicitly use an external DNS provider
Running version latest built on 2022-11-03T09:49:13Z (commit d8de9d2)
My server's default DNS resolver is my router, and in my router's configuration I have the domain used here overridden to return the internal IP. This applies only inside the local network, so the domain when accessed externally points to my external IP, as is governed by No-IP.
This means that DNS resolution of the domain name using the default DNS server, eg. 192.168.0.1 (the gateway) will never return the correct IP. To resolve the domain, any external DNS server should be used, like 1.1.1.1 or something else.
This is confusing ddns-updater and causing the domain to never match the external IP and it is always updating it, every cooldown.
If ddns-updater could be configured to specifically use an external DNS server, such as google or cloudflare or quad9 to resolve the domain name, this would return the correct response.
Logs:
Configuration file:
Host OS: Unraid 6.11.1
The text was updated successfully, but these errors were encountered: