DDNS does not update LuCI's display

manywrt · September 9, 2021, 8:57am

On my router TP-Link C7 v5 running on OpenWrt release 19.07.8, I have entered configurations for two DDNS services:

The configs work fine insofar as updating the services (i.e. what afraid.org and dynu.com think C7's public IP address is). This I test by these steps: log into their Web pages for my DDNS subdomains, enter some arbitrary IP address (e.g. 5.5.5.5), wait 10 minutes (OpenWrt DDNS's default internal), and see those Web pages receive/reflect the correct public IP.

The problem with LuCI: When the services have got the correct IP, LuCI's DDNS page continues to show 5.5.5.5. If I wait half an hour,* maybe the dynu.com entry will show the correct IP, but not afraid.org (okay, after an hour and half, the afraid.org on LuCI may also update).

*See section ADDED NEXT DAY

More info on my setup:

My C7 is sitting behind another router (for safety while being worked on).
My C7 has wget installed but not curl.
My afraid.org config looks like this (where cowsubdom.mooo.com is my subdom and the XXXX... is the key you get from afraid.org, both made up for this illustration) (using a Web page for source so that the router may sit behind another).

config service 'mooo_ipv4'
	option lookup_host 'cowsubdom.mooo.com'
	option password 'XXXXXXXYYYYYYYZZZZZZZ'
	option service_name 'afraid.org-keyauth'
	option ip_source 'web'
	option ip_url 'http://ipecho.net/plain'
	option interface 'wan'
	option enabled '1'

Questions:

Would DDNS (by the above config) update LuCI's display (with correct IP) without delay (when DDNS updates afraid.org) if C7 were directly facing the Internet? (I believe option interface 'wan' may have something to do with this updating. I believe it might work if C7 were facing the Internet.)
If no to 1, how can I get DDNS to update LuCI without delay?
If yes to 1, how can I get DDNS to update LuCI without delay even if C7 were sitting behind another router?
Should I worry about any of this? (It seems given a couple of hours, everything eventually gets the right update. In real life, IP addresses will not change often. Not likely to check LuCI within a couple of hours of the rare change.)

ADDED LATER

LuCI gives me these "hints":

Hints
Below a list of configuration tips for your system to run Dynamic DNS updates without limitations
DNS requests via TCP not supported
BusyBox's nslookup and hostip do not support to specify to use TCP instead of default UDP when requesting DNS server!

You should install 'bind-host' or 'knot-host' or 'drill' package for DNS requests.

No certificates found
If using secure communication you should verify server certificates!

Install 'ca-certificates' package or needed certificates by hand into /etc/ssl/certs default directory

ADDED STILL LATER

I also get this interesting phenomenon.

Log into dynu.com site > go to my subdom page > manually set IP to 9.9.9.9
Log into LuCI > go to DDNS page > click PID for dynu.com DDNS to stop the process > click same button (now reading "START") to re-start the process
See LuCI dynu.com item receive 9.9.9.9.
Go back to the dynu.com site my subdom page > see that it has got the correct IP (presumably from my OpenWrt router).

In sum, it is as though LuCI and the dynu.com subdom page swaped their information. The subdom page gets the correct IP, and LuCI gets the outdated info.

Very strange!

ADDED NEXT DAY

What I called "half an hour" is actually 20 minutes. Because the update takes every 10 minutes (default interval), 9 minutes may elapse (after manual change) before the router updates the DDNS provider site. The site then updates its DNS table (not sure about the right term), and at the next update time (another 10 min later) the router detects it. These 19 minutes became "half an hour" in my mind before more precise measuring. Seems to me a completely acceptable outcome. Duckdns.org also follows this time pattern. This leaves only afraid.org as problematic. On one test it took 50 minutes after site update (i.e. up to 59 minutes counting from manual change) for afraid.org's change to become detectable by the router. I believe the problem is with afraid.org.

What I called a "strange phenomenon" does not seem strange at all. At the "every 10 minute" update time, the router may do two things: (a) See what the ddns subdomain has for IP and display it on LuCI and (b) if that IP is different from the correct one update the ddns subdomain, but not (c) re-check what the ddns subdomain has for IP, expecting that it would take some time for the DNS table (again not sure about the term) to update. This (c) the router does at the next "10 minute" update time. If so, the strange "swapping of right info for wrong info" would not be strange at all. I have no way of knowing this is what happens, but the 19 minute lag time is perfectly acceptable to me. I will just use the two sevices that keep to the 19 minute time frame and not bother my head about this any more. Many thanks to trendy again!

trendy · September 9, 2021, 10:06am

Most likely a dns cache issue. After the successful ddns update do a query to verify that nameservers answer with the correct IP. How much is the TTL set for the records? In any case do a dns cache flush to make sure you are not querying the outdated cache.

manywrt · September 9, 2021, 10:26am

Sorry. I'm much more of a newbie than could carry out those things right away. If querying the nameserver is using nslookup in Ubuntu, it gives me what is said to be a "Non-authoritative answer, which seems to have a lag time. I have not consciously set TTL as I don't know what it is. Must be all default (whether of OpenWrt or the DDNS provider). Researching how to do a dns cache flush on OpenWrt.

trendy · September 9, 2021, 10:36am

This is not relevant, it just points out that you are querying a different nameserver (maybe your ISP or Google) and not the nameserver of afraid or dynu, which would be authoritative.

It should be the default then. It is the time-to-leave, the amount of time an answer is cached to avoid multiple queries for the same name on the nameserver.

service dnsmasq restart

manywrt · September 9, 2021, 10:42am

Thanks. The result was:

root@OpenWrt:~# service dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:~#

After receiving the above (unencouraging) results, I refreshed LuCI's DDNS page, and saw that nothing has changed.

That LuCI page is presently showing 9.9.9.9 for my afraid.org subdom even though afraid.org's own subdom page shows my correct IP.

trendy · September 9, 2021, 10:49am

Did you refresh the Luci page?
Did you try to lookup the name with nslookup or dig?

manywrt · September 9, 2021, 10:51am

Yes, I did refresh LuCI. As of this moment:

afraid.org: has correct IP
LuCI shows: 9.9.9.9, which afraid.org used to have before OpenWrt updated it
nslookup in Ubuntu: non-authoritative 9.9.9.9
www.hcidata.info/host2ip.cgi: shows correct IP

However, this hcidata may simply be lagging behind even more and showing what the subdomain used to have before 9.9.9.9.

trendy · September 9, 2021, 11:05am

Install dig on your Ubuntu or OpenWrt (in bind-tools).
Here is an example of the first query:

root@fagri:~# dig www.cisco.gr

; <<>> DiG 9.11.2-P1 <<>> www.cisco.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49050
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cisco.gr.                  IN      A

;; ANSWER SECTION:
www.cisco.gr.           10674   IN      A       72.163.4.154

;; Query time: 14 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 09 13:47:45 EEST 2021
;; MSG SIZE  rcvd: 57

Notice the query time and the numerical value 10674 in the answer section. That is the TTL.
Now if I run it again:

root@fagri:~# dig www.cisco.gr

; <<>> DiG 9.11.2-P1 <<>> www.cisco.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31165
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cisco.gr.                  IN      A

;; ANSWER SECTION:
www.cisco.gr.           10211   IN      A       72.163.4.154

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 09 13:55:28 EEST 2021
;; MSG SIZE  rcvd: 57

Query time is 1 msec which means a reply came from cache. TTL also got lower and by the time it reaches 0 or the cache is full, the entry will be removed from the cache.
I am now flushing the cache in another way:

root@fagri:~# killall -HUP dnsmasq
root@fagri:~# dig www.cisco.gr

; <<>> DiG 9.11.2-P1 <<>> www.cisco.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cisco.gr.                  IN      A

;; ANSWER SECTION:
www.cisco.gr.           9818    IN      A       72.163.4.154

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 09 14:02:01 EEST 2021
;; MSG SIZE  rcvd: 57

Notice that the query time is not 1 msec, although the TTL is not 0. This way I forced dnsmasq to ask again for this record.
Try it yourself and see if you get or not the correct record. It would also help troubleshooting to query the authoritative NS directly, you can find out which are they with dig NS afraid.org

manywrt · September 9, 2021, 11:07am

Great. Thank you. This one will take some time to get through my head.