OpenWrt Forum Archive

Topic: ddns-scripts: now support godaddy.com and cloudflare.com API version 4

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

New in ddns-scripts 2.7.6 / luci-app-ddns 2.4.8 is support for
- godaddy.com and
- cloudflare.com API version 4

Installation needs to update ddns-scripts first and then add the required package:
- ddns-scripts_cloudflare.com-v4
- ddns-scripts_godaddy.com-v1
!!! Attention !!! Both packages require and will install cURL.
Both providers require secure (https://) communication.
You may additionally need to install the ca-certificates package.

The correct configuration for "option domain" differs from the known default:
default: host(dot)subdom(dot)yourdomain(dot)TLD
required: host(dot)subdom(at)yourdomain(dot)TLD
example: option domain "host.subdom@yourdomain.tld"

To update only the domain record, configure "option domain" as before (without the @ sign):
yourdomain(dot)tld
example: option domain "yourdomain.tld"

(Last edited by chris5560 on 19 Dec 2016, 10:11)

hi, thanks for your script ... i already told you this by email, but i think it could be good for everyone if it is posted here

i found the script passes urls to the shell command as is, and if the url has ampersands, the shell splits the command and runs the first part in the background (curl, with an incomplete url), and the second part appears lost ... this results in an incompatibility with the cloudflare api and the update fails

the fix that seems to have worked for me consists in enclosing all invocations of '$__URLBASE/path/blah' urls in single quotes.. so the script also passes the single quotes to the shell, avoiding parameter expansion

hi,
could you please send me a log (by direct mail) from ddns-scripts. ddns-scripts has been working for years with "&" inside urls.
There should be something else going wrong.

about the openwrt ddns and cloudflare mechanics ... i think updates are done in this way

- detect real ip by different methods (i use url = one of THESE)
- get registered ip by running nslookup (BUG: see this thread)
- compare the ips obtained with these methods, and perform the update if they differ

since i guess cloudflare registered ip(s) are taken from their load balancing pool, it could be different from your actual public one, this could lead to problems where it appears an update is always needed .. please somebody explain if i am wrong or right ... for example:


01: Detect registered/public IP
02: #> /usr/bin/nslookup mydomain.com  >/var/run/ddns/mydomain_com.dat 2>/var/run/ddns/mydomain_com.err
03: Registered IP '11.11.1.1 22.22.2.2' detected
04: Detect local IP on 'web'
05: #> /usr/bin/curl -RsS -o /var/run/ddns/mydomain_com.dat --stderr /var/run/ddns/mydomain_com.err --noproxy '*' 'htttps://domains.google.com/checkip'
06: Local IP '33.33.3.3' detected on web at 'htttps://domains.google.com/checkip'
07: Update needed - L: '33.33.3.3' <> R: '11.11.1.1 22.22.2.2'
08: parsing script '/usr/lib/ddns/update_cloudflare_com_v4.sh'
09: #> /usr/bin/curl -RsS -o /var/run/ddns/mydomain_com.dat --stderr /var/run/ddns/mydomain_com.err --noproxy '*' --header 'X-Auth-Email: mymail@example.com'  --header 'X-Auth-Key: abc123abc123abc123abc123'  --header 'Content-Type: application/json'  --request GET 'htttps://api.cloudflare.com/client/v4/zones?name=mydomain.com'
10: #> /usr/bin/curl -RsS -o /var/run/ddns/mydomain_com.dat --stderr /var/run/ddns/mydomain_com.err --noproxy '*' --header 'X-Auth-Email: mymail@example.com'  --header 'X-Auth-Key: abc123abc123abc123abc123'  --header 'Content-Type: application/json'  --request GET 'htttps://api.cloudflare.com/client/v4/zones/baddeadbeefcafebabe/dns_records?name=mydomain.com&type=A'
11: IPv4 at CloudFlare.com already up to date
12: No update send to DDNS Provider
13: Waiting 600 seconds (Check Interval)


- added an extra 't' to the scheme to avoid bbcode url parsing

- wget/curl https urls need the "ca-certificates" package installed

- note the "password" is the global api key found in the CF profile page

- it seems since line 07 the script thinks the ips are different and triggers an update, but cloudflare realizes there are no changes at 11, rendering the update pointless and risky

- fixed script output: note the single quote enclosing of urls.. for me, with no quotes the "&type=A" part is missing, resulting in listing all dns records, causing multiple subsequent script calls, confusing it with unexpected responses and failing


(edit: the paragraph that used to be here was moved to its own thread)

(Last edited by atesin on 17 Dec 2016, 15:48)
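
Putting together the "option domain" convention from the first post and the ampersand problem described in this post and the one above, as an added example that is not ddns-scripts' own code: it splits the domain value, builds the A-record lookup URL, and shows what a stand-in curl receives when the command string goes through eval unquoted versus single-quoted. The API base URL, the zone id placeholder, the `fetch` stand-in and the eval-based command assembly are assumptions of this demo.

```shell
#!/bin/sh
# Added example, not code from ddns-scripts: from the "option domain" value to
# the Cloudflare v4 record lookup, and why the assembled URL must reach eval
# quoted. The API base, zone id and the curl stand-in are constructed here.

URLBASE='https://api.example.invalid/client/v4'   # stands in for $__URLBASE

# "host.subdom@yourdomain.tld" -> record host.subdom.yourdomain.tld, zone yourdomain.tld
# "yourdomain.tld" (no "@")    -> the zone apex record itself
cf_zone()   { case "$1" in *@*) printf '%s' "${1#*@}" ;; *) printf '%s' "$1" ;; esac; }
cf_record() { case "$1" in *@*) printf '%s.%s' "${1%%@*}" "${1#*@}" ;; *) printf '%s' "$1" ;; esac; }

# Query for the A record by name inside the zone ($2 = zone id returned by the
# preceding zones?name= call), i.e. the second GET shown in the log.
cf_record_url() {
    printf '%s/zones/%s/dns_records?name=%s&type=A' "$URLBASE" "$2" "$(cf_record "$1")"
}

# Stand-in for curl (constructed): echoes the URL it was handed as first argument.
fetch() { printf '%s\n' "$1"; }

# Assumed to mirror how the script runs its transfers: build a command string,
# then eval it. Unquoted, the "&" in the query string is a control operator:
# fetch runs in the background with the URL cut at "&" and "type=A" becomes a
# harmless variable assignment, so the API is asked for every record instead.
run_unquoted() { __RUNPROG="fetch $1"; eval "$__RUNPROG"; }

# With single quotes embedded in the string, eval keeps the URL as one word.
run_quoted()   { __RUNPROG="fetch '$1'"; eval "$__RUNPROG"; }

# Returns the query string the stand-in curl actually received.
received_query() {
    out=$("$1" "$(cf_record_url "$2" "$3")")
    printf '%s' "${out#*\?}"
}
```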

Additional questions:
Log 03: Do you really get two IPv4 addresses?
"password" is the global api key: Does this mean Cloudflare offers a test environment?

You are right, "log 07" recognises that an update is needed.
log 09 reads the RecordID of the record to update.
log 10 reads the current registered ip inside the Cloudflare record.
If it's already the one we need, ddns-scripts skips sending an update to the record that is already up to date.
From my testing it takes up to 10 minutes until DNS records are synchronized.
If Cloudflare offers its own DNS servers use them because they should be updated in seconds.

nslookup problem answered in your second forum entry

answers:

log 03 = yes. i got 4 ips!! (2x ipv6 + 2x ipv4), and none of them are my openwrt public ip, so they have to belong to CF ....  this is the nslookup from windows at my job, try yourself

C:\Windows\System32>nslookup al-anon.cl
Servidor:  xx.xxxxxx.xxx.xxx.xx
Address:  x.x.x.x

Respuesta no autoritativa:
Nombre:  al-anon.cl
Addresses:  2400:cb00:2048:1::681f:5774
          2400:cb00:2048:1::681f:5674
          104.31.87.116
          104.31.86.116

password = as i don't know of any script documentation, i found this out for myself (same as installing the ca-certificates pkg) by comparing the script output and the CF api doc  ... i don't know if there is a test environment (would be terrific)

log 07 = i think this shouldn't be this way ... on one hand, the ip detection (htp:/dyndns/checkip, wan eth ip or whatever) detects the public ip of your router .. on the other hand, dns queries return ips owned by the cloudflare cdn, i think since CF provides you a front layer of redundancy, security and cache, this is ok ... so the ips from your server and CF will always be different, and this is the point in this case

log 09 = agree... would be cool also if we could obtain the record id from the CF webpage or somewhere to input directly in the script config, skipping one step (the afraid.org script does something similar, it also protects your real login)

log 10 = the registered ips inside cloudflare records should always be the same as those obtained with nslookup, so i think this step could also be skipped

i think the real point here is to keep your router connectivity in 2 ways.. between cloudflare (for users browsing your webpage), and between YOU (for admin of your router, access to your home network, etc.)

          B E F O R E          
                               
             HOME  :  INTERNET 
                   :           
 your home   your  :  internet 
  network   router :   surfer  
                   :           
  ,~~~~~.     |  | :     O     
 ( cloud )---[::::]---- /|\    
  `~~~~~'   /      \    / \    
           /       :\          
        +-+        : \ O       
 server |=|        :  /|\ YOU  
        +-+        :  / \      
               A F T E R                   
                                           
             HOME  :  INTERNET             
                   :                       
 your home   your  :  cloudflare  internet 
  network   router :   dns+cdn     surfer  
                   :                       
  ,~~~~~.     |  | :    +---+        O     
 ( cloud )---[::::]--X--| ? |-------/|\    
  `~~~~~'   /      \    +---+       / \    
           /       :X                      
        +-+        : \ O                   
 server |=|        :  /|\ YOU              
        +-+        :  / \                  

(image powered by notepad++ column select big_smile)

in the example above, i think the connections marked with "X" are the critical ones, but as i see it, the one to the cloudflare cdn should be the scope of this script  ... if cloudflare could supply a (sub)domain pointing directly to your router ip it would be great, but in the meantime there is the ddns service we used before

i clearly see cloudflare is not intended for accessing your router remotely, but as a way to protect your web server from loads, attacks, etc. with a front layer ....  so according to this i think the way this script should work is just to "ping" the cloudflare service to say "hi, i am here" so it can note your router ip *internally* to reach your ENDPOINT WEBSERVER when it requests it ... so the detection/update should be on the *endpoint ip* registered in cloudflare records

(Last edited by atesin on 17 Dec 2016, 23:22)

I think there are two points to look at:
1.) your changing IP update is required by cloudflare to redirect traffic from the "Internet surfer" to your servers.
2.) you need your real router's ip for admin access.
ddns-scripts can only handle it in 2 separate configurations.
1.) Every round it finds the difference between registered and "local ip" and tries to send an update to cloudflare.
Luckily ddns-scripts reads, before sending, what is currently saved inside the cloudflare database and only updates the record if there is a real change of "local ip".
2.) you set up a record at one of these many free ddns providers where you register a domain nobody knows for admin access.
OR) try to clarify with Cloudflare to fix your problem, i.e. a special hostname and/or subdomain where registered and local ip are the same.

hey... i think i found the way to make cloudflare point to your router ip

in the dns section, you must click on the cloud of the domain you want until it turns grey

if the clouds are orange, dns will point to load balancing ips regardless of the ip shown


http://i68.tinypic.com/161ja0i.jpg


C:\Windows\System32>nslookup al-anon.cl
Servidor:  xxxxx.xxxxxxxx-xxxxxxx.xx
Address:  xxx.xxx.xxx.x

Respuesta no autoritativa:
Nombre:  al-anon.cl
Addresses:  2400:cb00:2048:1::681f:5674
          2400:cb00:2048:1::681f:5774
          104.31.87.116
          104.31.86.116

C:\Windows\System32>nslookup remote.al-anon.cl
Servidor:  xxxxx.xxxxxxxx-xxxxxxx-xx
Address:  xxx.xxx.xxx.x

Respuesta no autoritativa:
Nombre:  remote.al-anon.cl
Address:  200.104.36.2...


C:\Windows\System32>

... i was thinking about the above .. so i configured this direct domain and did some tests... here are the results:



01 : ************ ************** ************** **************
02 : PID '22647' started at 2016-12-20 12:51
03 : ddns version  : 2.7.6-5
04 : uci configuration:
ddns.alanon_cl.dns_server='8.8.8.8'
ddns.alanon_cl.domain='al-anon.cl'
ddns.alanon_cl.enabled='1'
ddns.alanon_cl.ip_source='web'
ddns.alanon_cl.ip_url='https://domains.google.com/checkip'
ddns.alanon_cl.lookup_host='remote.al-anon.cl'
ddns.alanon_cl.password='cloudflareaccountglobalapikey'
ddns.alanon_cl.service_name='cloudflare.com-v4'
ddns.alanon_cl.username='atesin()gmail!com'
ddns.alanon_cl=service
05 : verbose mode  : 0 - run normal, NO console output
06 : check interval: 600 seconds
07 : force interval: 259200 seconds
08 : retry interval: 60 seconds
09 : retry counter : 0 times
10 : No old process
11 : last update: never
12 : Verify DNS server '8.8.8.8'
13 : #> timeout 2 -- /usr/bin/nc 8.8.8.8 53 </dev/null >/var/run/ddns/alanon_cl.dat 2>/var/run/ddns/alanon_cl.err
14 : Detect registered/public IP
15 : #> /usr/bin/drill -V0 -u remote.al-anon.cl @8.8.8.8 A >/var/run/ddns/alanon_cl.dat 2>/var/run/ddns/alanon_cl.err
16 : Registered IP '200.104.36.201' detected
17 : Starting main loop at 2016-12-20 12:51
18 : Detect local IP on 'web'
19 : #> /usr/bin/curl -RsS -o /var/run/ddns/alanon_cl.dat --stderr /var/run/ddns/alanon_cl.err --noproxy '*' 'https://domains.google.com/checkip'
20 : Local IP '200.104.36.201' detected on web at 'https://domains.google.com/checkip'
21 : Forced Update - L: '200.104.36.201' == R: '200.104.36.201'
22 : parsing script '/usr/lib/ddns/update_cloudflare_com_v4.sh'
23 : #> /usr/bin/curl -RsS -o /var/run/ddns/alanon_cl.dat --stderr /var/run/ddns/alanon_cl.err --noproxy '*' --header 'X-Auth-Email: atesin()gmail!com'  --header 'X-Auth-Key: cloudflareaccountglobalapikey'  --header 'Content-Type: application/json'  --request GET 'https://api.cloudflare.com/client/v4/zones?name=al-anon.cl'
24 : #> /usr/bin/curl -RsS -o /var/run/ddns/alanon_cl.dat --stderr /var/run/ddns/alanon_cl.err --noproxy '*' --header 'X-Auth-Email: atesin()gmail!com'  --header 'X-Auth-Key: cloudflareaccountglobalapikey'  --header 'Content-Type: application/json'  --request GET 'https://api.cloudflare.com/client/v4/zones/de7e3dea56d5d17cf9e4a91b3f0afdfe/dns_records?name=al-anon.cl&type=A'
25 : IPv4 at CloudFlare.com already up to date
26 : ERROR : No update send to DDNS Provider
27 : Waiting 600 seconds (Check Interval)

from here the logs start cycling from line 12 every 10 min. .. i obfuscated my email address

note the difference between "lookup_host" and "domain" .... it seems the first is used to detect the ip (with drill.. i just installed it and it worked flawlessly out of the box big_smile).. the second is passed to the update script

the ip detection i am using is "https://domains.google.com/checkip" ... note as i stated previously, to make https urls work with wget/curl you must install the "ca-certificates" package

about the specified url..  i was looking for a cloudflare owned ip check url HERE but i didn't find it, so i used the google one because it seems neutral, universal and stable ... i would still prefer a cloudflare branded url like "htp:/ipcheck.cloudflare.com" .. does it exist?

also note the security concerns about exposing your direct ip address through a subdomain, a simple dns query could reveal it ... so as an alternative it is still a good idea, if you have another ddns service to access your router and home network, to use it also for passing the ip detection to cloudflare

however this config seems to work fine, i have the doubt why, even when the ips are detected the same, the update is still forced every cycle, and i can't find any related config, does anybody know why?

(Last edited by atesin on 20 Dec 2016, 17:02)

  • It looks like there is still a bug inside "update_cloudflare_com_v4.sh".
    It returns a wrong error number. That's why the time of the last successful update is not updated.
    Fix coming soon.

  • Whether Cloudflare offers its own DNS servers and possibly web pages to detect your current IP is a question you need to clarify with Cloudflare's support.

  • Yes, secure transfer with curl/wget/uclient-fetch requires certificates, but there are two package versions of ca-certificates available and there are users who want to install only specific certificates. That's the reason why ca-certificates are not autoinstalled.

@chris5560, thank you so much for your effort in bringing us this terrific script ... i think i am not as skilled as you but i wanted to rise to the occasion by testing the script and update process with cloudflare as much as i could..

now that you mention the certificates thing i wonder ... what certificates packages are there?.. which do you recommend?.. what is the specific certificate cloudflare uses and how to install it?

however your script lacked documentation, i admit i didn't comprehend it at first ...  but all the information discussed here is what your script needs to be complete.. now all this information is ready to organize and write a little tutorial or man page

thanks again

(Last edited by atesin on 21 Dec 2016, 05:17)
