Bug: Don Dominio simple-api.dondominio.net connection reset by peer

[madmalkav]

1. Is this urgent: No

2. DNS provider(s) you use: Don Dominio

3. Program version: Running version v2.5.0 built on 2023-06-07T09:11:38Z (commit a6f72d9)

4. What are you using to run the container: docker-compose image provided by TrueNAS Scale

I'm not sure the petition is being done at the correct address, my logs shows https://simple-api.dondominio.net but on their documentation they use https://dondns.dondominio.com/plain/ (for plain answer) https://dondns.dondominio.com/json/ (for json answer) or https://dondns.dondominio.com/xml/ (for xml answer)

Logs:

2023-09-27 11:56:26.612610+00:002023-09-27T13:56:26+02:00 INFO reading JSON config from environment variable CONFIG
2023-09-27 11:56:26.612792+00:002023-09-27T13:56:26+02:00 INFO Found single setting to update record
2023-09-27 11:56:26.820877+00:002023-09-27T13:56:26+02:00 INFO Reading history from database: domain REDACTED host @
2023-09-27 11:56:26.821181+00:002023-09-27T13:56:26+02:00 INFO [healthcheck server] listening on 127.0.0.1:9999
2023-09-27 11:56:26.821231+00:002023-09-27T13:56:26+02:00 INFO [backup] each 24h0m0s; writing zip files to directory /updater/data
2023-09-27 11:56:26.821303+00:002023-09-27T13:56:26+02:00 INFO [http server] listening on :30007
2023-09-27 11:56:27.000410+00:002023-09-27T13:56:27+02:00 INFO IP address of REDACTED is REDACTED and your IP address is REDACTED
2023-09-27 11:56:27.000489+00:002023-09-27T13:56:27+02:00 INFO Updating record [domain: REDACTED | host: @ | provider: dondominio | ip: ipv4 or ipv6] to use REDACTED
2023-09-27 11:56:27.059204+00:002023-09-27T13:56:27+02:00 ERROR Post "https://simple-api.dondominio.net": read tcp 172.16.0.94:56986->37.152.88.150:443: read: connection reset by peer

Configuration file (remove your credentials!):

Host OS:

Truenas Scale (Linux)

[qdm12]

I'm not sure the petition is being done at the correct address, my logs shows https://simple-api.dondominio.net/ but on their documentation they use https://dondns.dondominio.com/plain/ (for plain answer) https://dondns.dondominio.com/json/ (for json answer) or https://dondns.dondominio.com/xml/ (for xml answer)

Good point, but:

• there is the simple post interface API which is without the /json path suffix (different API documentation page)
• their documentation might had changed, whilst keeping compatibility with the older API calls ddns-updater is doing, since their API documentation mentioned above changed from the code here

I could change it to use https://dondominio.dev/en/dondns/docs/api/#usage as you mentioned, but to save me the ~hour of work, the error ERROR Post "https://simple-api.dondominio.net": read tcp 172.16.0.94:56986->37.152.88.150:443: read: connection reset by peer you get seems to be a low level networking problem instead of a bad request sent 🤔 Are you still getting it now??

[qdm12]

Email sent to their support:

Hi there,

you still document the API usage using https://simple-api.dondominio.net on the documentation page https://dondominio.dev/en/api/docs/api/#simple-post-interface but the page no longer works and isn't TLS encrypted.

Can you please either fix it or update the documentation?

It seems the API at https://dondominio.dev/en/api/docs/api/ is working though.

I'll update the code to work with the API described in https://dondominio.dev/en/api/docs/api/

[qdm12]

Actually I just received a response, can you try checking with dondominio's support why this is as such?

Hi,

This URL can't work without an authorized user, IP and password, the message it is showing is correct in your case.

If you are already a customer with an API user and you are experiencing any problem or error, please, log in your MrDomain user account, open a ticket from the inside and we will check it again.

Regards,

[madmalkav]

Sorry, I’m no longer using this software and outta home. I can reinstall and test when I get back to home, but that will be some weeks for now

[madmalkav]

Let’s shameless mention @mateusan while I’m not back to see if he, as the author of the original official DonDominio client, can provide some clue

[mateusan]

Let’s shameless mention @mateusan while I’m not back to see if he, as the author of the original official DonDominio client, can provide some clue

endpoint: https://dondns.dondominio.com
documentation: https://dondominio.dev/en/dondns/docs/api/

[qdm12]

Ok so the current endpoint and API calls are no longer valid I guess then...

[qdm12]

1. Endpoint migrated to api.dondominio.com in 7eee3fc
2. A or AAAA record is created if it does not exist in 8839db9 - this is the reason I am using the more complex API at api.dondominio.com instead of dondns.dondominio.com
3. "host" can now be something else than "@", and can be a subdomain or the wildcard "*". Please let me know if this is not possible, but I didn't spot any limitation on their documentation.

Please let me know if it works, especially number 1. and perhaps number 3. 👍

[madmalkav]

Thanks a lot for your work. I expect to be back in Spain in 2-3 weeks and will test extensively

[mateusan]

1. EndPoints:
   EndPoint: api.dondominio.com -> not exists / old
   EndPoint: https://simple-api.dondominio.net -> It is used for domain registration
   Endpoint: https://dondns.dondominio.com/ -> Dynamic DNS URLs
2. A or AAAA record is created: -> no
3. Yes

[qdm12]

Thanks @mateusan
I'm not sure anymore where I read api.dondominio.com, maybe just my mistake 🤔 Anyway it's changed to simple-api.dondominio.net in eee8485 and that should work (relevant service documentation)

EDIT: Hopefully this doesn't trigger the ERROR Post "https://simple-api.dondominio.net": read tcp 172.16.0.94:56986->37.152.88.150:443: read: connection reset by peer error ugh

[mateusan]

Yes, the new EndPoint for api.dondomain.com is simple-api.dondomain.net, but this endpoint is behind a FireWall. Therefore, it does not make sense to use this service for "Dynamic DNS".

[qdm12]

Oh sadly true...

The API service is restricted to a limited amount of IP address. Each of these IP address must be registered in the system to allow access to the API.

Why not just sticking to rate limiting though?

Any attempt to do so will be detected in real-time by our system, temporarily blocking access to the API for the username and password used.
Repeated attemps will result in blocking and/or terminating the account.

It feels like the second part would do the trick and that the first part is kind of unneeded? Thanks!!

[mateusan]

The service at simple-api.dondominio.net is focused on domain registration, not the "dynamic DNS" service

For "Dynamic DNS" services, use the other api. Any suggestions or changes needed, please let us know. We can even make a resource for you

[qdm12]

The point of the more complex API was to have ddns-updater create the A or AAAA record if it didn't exist (see issue #129 tracking this for existing providers).
I changed it in f60f721 to use dondns.dondominio.com/json which should be working fine, I'll just add a note it's not possible to create records for dondominio. Thanks!

[madmalkav]

Live got complicated this year, and I had no chance to test this until recently. My container fails with this error:

Startup probe failed: 2024-08-13T17:17:43+02:00 ERROR program is unhealthy: record update failed: [domain: REDACTED | host: REDACTED | provider: dondominio | ip: ipv4]: failure (unsuccessful result: Incorrect data) 2024-08-13 17:17:29 CEST; Last success update: 2024-07-25 18:28:29 CEST; IP: REDACTED 2024-08-13T17:17:43+02:00 INFO Shutdown successful

I have tried every configuration I could think of, but nothing works. I think it might be related to the compulsory parameter "Name", as this is not mandatory according to the DonDominio docs

[qdm12]

The name field is unneeded indeed, and was not even used in the code. Removed in the code and the documentation in commit c7dbbcb.

I think I spotted the problem, and funnily enough, it's in their API documentation. They mention in https://dondominio.dev/en/dondns/docs/api/#usage the field apikey, but in the example they have ...&password=apikey&..., so I'm thinking maybe the key is password instead? Could you try:

docker run -it --rm alpine:3.20
apk add wget ca-certificates
# Replace the values youruser, yourpassword, full.domain.com and yourpublicip with your actual values
wget -O- https://dondns.dondominio.com/json?user=youruser&password=yourpassword&host=full.domain.com&ip=yourpublicip&lang=en
exit

Does this work?? 🤔 If not, what error response do you get?

[madmalkav]

It works OK with the API key, with the password it returns:

{"success":false,"version":"2.0","messages":["Wrong key"],"user":"","ts":"2024-08-21T12:12:58+02:00"}

Also, I think I didn't paste all the log info in my previous message, ddns-updater also throws:

Startup probe failed: 2024-08-21T11:59:51+02:00 ERROR program is unhealthy: lookup IP addresses do not match: REDACTED instead of REDACTED for REDACTED 2024-08-21T11:59:51+02:00 INFO Shutdown successful

[qdm12]

Ok can you run ddns-updater with LOG_LEVEL=debug to see what request it sends to don dominio? I'm a bit confused, since it should work as it's currently using apikey=password 🤔

[madmalkav]

I edited my previous comment adding log information I forgot to add some days ago , I will try the LOG_LEVEL thing as soon as possible.

[madmalkav]

As I mentioned in the past, I run ddns-updater in Truenas Scale. I'm starting to think the problem may be related to Truenas, because the log on ddns-updater looks ok, it sees the public IP correctly, sees it is already applied to the domain, and skips update.

2024-08-21T12:51:52.435997721+02:00 stdout F 2024-08-21T12:51:52+02:00 DEBUG ipv4 address of REDACTED is IP and your ipv4 address is SAME_IP, skipping update

But on the Truenas GUI I see the error I posted before:

Startup probe failed: 2024-08-21T11:59:51+02:00 ERROR program is unhealthy: lookup IP addresses do not match: REDACTED instead of REDACTED for REDACTED 2024-08-21T11:59:51+02:00 INFO Shutdown successful

It is showing an old IP and I don't know where that IP is coming from.

[qdm12]

Perhaps truenas shows an old unhealthy message? What do you get in a terminal with docker inspect ddns-updater in the healthcheck section?

[madmalkav]

The message was current and the web interface never became available. So definitively something to do with the startup probe. Now it is working OK, dunno why, will resume debugging next time I get an IP change. Maybe you want to close this ticket, as it seems it is not related to ddns-updater after all, or at least not with the Dondominio module.