IPv6 and dynamic DNS updates

With IPv4, I only have 1 external WAN IP address, so the DDNS update can be done on the router level. But with IPv6, I can have 5 servers with 5 different external IPv6 addresses.

Since most providers don't provide static IPv6 yet, what's the best way to update my AAAA entries at the DDNS provider? Do I run separate update bash scripts on each of the servers? And aside from setting up a cronjob for the update, how do I detect when the IP changes at the server level so I can trigger an update?

I think with typical ddns services you need to register one 'domain' per ipv6 server, then have the update scripts run on those servers and the ddns entry should never go stale for too long (also create and use stable ipv6 interface identifiers for your servers).

1 Like

The easy solution (in the sense that it always works) would be setting up multiple ddns records and to upgrade them individually by each of your servers.

There are said to be a few smarter ddns providers around, which can bulk update the prefix for multiple ddns records in one go. As I have a semi-static /56 prefix which doesn't normally change, I never looked in this topic - but if you find a good solution, please mention it.

3 Likes

This is a valid and sensible option. I would try this first.

The ddns-scripts package simply checks the WAN interface at some configurable interval. I think it's 10 minutes by default. Interestingly, it's not a cronjob, it's literally a shell script with an infinite loop around a sleep command.

If your servers are running Linux, you can listen for IP address additions and deletions on the kernel's Netlink interface. You can do this in a shell script using the ip monitor command. Example command that prints the global SLAAC address(es) being added or deleted on eth0 in real time:

ip monitor address dev eth0 |
grep -E 'inet6 2[:0-9a-f]+/64 scope global dynamic mngtmpaddr'

2 Likes
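Building on the ip monitor approach above, here is an added example (not from the thread or the ddns-scripts package) that turns those events into AAAA updates. It goes a bit beyond the one-liner: it also handles address deletions, skips privacy (temporary) addresses, and only contacts the provider when the address actually changed. The update endpoint (DDNS_UPDATE_URL, DDNS_TOKEN) and the hostname server1.example.net are placeholders.

```shell
#!/bin/sh
# Added example: push a server's stable SLAAC address to a DDNS provider
# whenever "ip monitor" reports a change. DDNS_UPDATE_URL / DDNS_TOKEN are
# placeholders for your provider's update API; adapt update_aaaa() to it.
HOSTNAME_FQDN="${HOSTNAME_FQDN:-server1.example.net}"   # constructed name
IFACE="${IFACE:-eth0}"
STATE="${STATE:-/var/run/ddns-aaaa.last}"               # last published address

# Turn one "ip monitor address" line into "add <addr>" or "del <addr>".
# Only the stable global SLAAC address qualifies: "mngtmpaddr" marks the
# address that privacy addresses are derived from, while the rotating
# privacy addresses carry "temporary" instead and must not land in DNS.
parse_addr_event() {
    case "$1" in
        *" inet6 "*" scope global "*"mngtmpaddr"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        "Deleted "*) action=del ;;
        *)           action=add ;;
    esac
    addr=$(printf '%s\n' "$1" | sed -n 's|.* inet6 \([0-9a-fA-F:]*\)/[0-9]*.*|\1|p')
    [ -n "$addr" ] || return 1
    printf '%s %s\n' "$action" "$addr"
}

# True when the address differs from the one we last published, so SLAAC
# lifetime renewals of the same address do not hammer the provider's API.
needs_update() {
    last=$(cat "$STATE" 2>/dev/null || true)
    [ "$1" != "$last" ]
}

update_aaaa() {
    needs_update "$1" || return 0
    curl -fsS -H "Authorization: Bearer ${DDNS_TOKEN:?}" \
        "${DDNS_UPDATE_URL:?}?hostname=${HOSTNAME_FQDN}&ip=$1" >/dev/null \
        && printf '%s\n' "$1" > "$STATE"
}

# Only "watch" starts the loop; sourcing the file just defines the functions.
# Seed from the current address first so a change made while the script was
# down is not missed. A deletion is only logged: the replacement address
# arrives as its own "add" event and overwrites the record then.
if [ "${1:-}" = "watch" ]; then
    ip -6 addr show dev "$IFACE" scope global | while read -r line; do
        ev=$(parse_addr_event "$line") || continue
        update_aaaa "${ev#add }"
    done
    ip monitor address dev "$IFACE" | while read -r line; do
        ev=$(parse_addr_event "$line") || continue
        case "$ev" in
            add\ *) update_aaaa "${ev#add }" ;;
            del\ *) logger -t ddns-aaaa "lost ${ev#del }, waiting for new address" ;;
        esac
    done
fi
```

Run it as a small init/procd service with `watch` as the argument on each server; the same file works unchanged for every host because only the hostname differs.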

Thanks everyone. So it sounds like running individual scripts at the server level is the way to go. I was hoping for a simpler one-step solution. I've been googling for days but it looks like it's not a common issue yet. I want to stay away from port forwarding or proxy managers as that defeats the purpose of IPv6, which is a direct 1-1 connection from external to my servers.

I did find "dynv6.com" which has the smarts to parse out the /64 prefix. You then set up different hostnames within your domain like with IPv4, but with only the fixed /64 suffix like "::xxxx:xxxx:xxxx:xxxx". With this, you only have to send the IPv6 update once at the router level and dynv6 will do the smarts to combine both your prefix and suffix for the hosts. Unfortunately, my domains are all on Cloudflare which doesn't do this. IPv6 has been around for quite a while, so it's surprising to find not much support for dynamic DNS yet.

1 Like

I was gonna note that a lot of websites just note DDNS on the server. RFCs pretty much expect each individual service (not per host as I recall) to have its own IPv6 address(es) assigned directly to the host anyway. This allows for assigning an AAAA record for that specific service for human readability/use.

I pondered this IPv6 update issue for many months. I tried it with the router updating all the AAAA records that it knew about, but that only updated the DHCP-derived AAAA records. The SLAAC records were unknown to the router. I suppose I could have tried harder and figured out how to use Avahi to request AAAA records from any computers running it. Since my domain provider has a free authoritative DNS server with an update API, I used that along with the same sh script running on all the computers that ran Linux. It doesn't end up registering things like my IPv6-enabled Samsung TV, but then it isn't clear what advantage that would give me anyway. One downside of adding the OpenWrt gateway to the global DNS is that there are folks scraping the DNS system for IPv6 hosts to probe. For IPv4 folks just probe every address since most of them are populated. For IPv6, addresses are so sparsely populated that scraping global DNS becomes important. You might want to just register your AAAA records at a server that doesn't get any delegations from the global DNS tree. That way you can still hit your server from outside when your AAAA changes but your addresses won't be on any IPv6 address lists.

Good to know I'm not the only one pondering over this! As I said, IPv6 is not new, so why no simple solution yet to this one problem! Guess most of us are still running dual-stack or keeping the old port fwd methods. And I am using SLAAC.

Good idea. At this rate, I'm probably just going to run individual update scripts on each server to send the SLAAC IP for each server to update my AAAA records. Either way, I should still be protected as the firewall will not be opened to the main DHCP AAAA record.

1 Like

I'm not worried that any machine will get broken into. SSH is restricted to public key only on any accessible machine and the HTTPS password on the router is a long random string pulled from /dev/random and made printable. The issue for me is just that some script kiddies have awful scripts that hammer SSH with password attempts even when SSH returns "authorizations that can continue: pki". It is simply a CPU utilization issue. Setting up an SSH connection to the point that it can negotiate the authentication takes some non-trivial amount of CPU.