ddclient New opnsense backend and desec

Started by bringha, June 09, 2023, 06:36:27 AM

Hi,

In preparation for 23.7 and migrating from legacy dyndns to ddclient, I experimented a bit today with both ddclient backends (ddclient and the new opnsense) and the dyndns2 protocol. I am with desec and I got it up and running with the ddclient backend and the config as described here

https://forum.opnsense.org/index.php?topic=26446.msg134975#msg134975

Basically it works, however every second update cycle, an update is said to be performed successfully which does not take place according to the desec DNS logs. ddclient logs look like this:

<29>1 2023-06-08T00:53:49+02:00 OPNsense.zuhause.xx ddclient[61106] 34054 - [meta sequenceId="3"] WARNING:  Wait at least 5 minutes between update attempts.
<29>1 2023-06-08T00:58:49+02:00 OPNsense.zuhause.xx ddclient[61106] 29212 - [meta sequenceId="1"] SUCCESS:  updating crandale.dedyn.io: good: IP address set to 87.XXX.XXX.140
<29>1 2023-06-08T01:03:49+02:00 OPNsense.zuhause.xx ddclient[61106] 50446 - [meta sequenceId="1"] WARNING:  skipping update of crandale.dedyn.io from <nothing> to 87.XXX.XXX.140.
<29>1 2023-06-08T01:03:49+02:00 OPNsense.zuhause.xx ddclient[61106] 50446 - [meta sequenceId="2"] WARNING:  last updated Thu Jun  8 00:58:49 2023 but last attempt on Thu Jun  8 00:58:49 2023 failed.

Could not yet find out why a SUCCESS for an update is noted in the logs which desec is not confirming.

I then tried the new python opnsense backend of ddclient and the result looks very encouraging:

I added simply two new lines into /usr/local/opnsense/scripts/ddclient/lib/account/dyndns2.py (line 37/38)


     35     _services = {
     36         'dyndns2': 'members.dyndns.org',
     37         'desec(v4)': 'update.dedyn.io',
     38         'desec(v6)': 'update6.dedyn.io',
     39         'dns-o-matic': 'updates.dnsomatic.com',


The configuration for desec and the opnsense backend look then like this:

- Services: Dynamic DNS: Settings: General Settings
Enabled [X]
Verbose [X]
Allow Ipv6 [X]
Interval [300]
Backend [OPNsense]

I added 2 services under the same desec account:

- Services: Dynamic DNS: Settings: Edit Account
Enabled [X]
Service [desec (v6)]
Protocol  [DynDNS2]
Username [Your Domain]
Password [Your DeSec Token]
Hostname(s) [Your Domain]
Check ip method [Interface [IPv6]]
Force SSL [X]
Interface to monitor [Your WAN Interface]

- Services: Dynamic DNS: Settings: Edit Account
Enabled [X]
Service [desec (v4)]
Protocol  [DynDNS2]
Username [Your Domain]
Password [Your DeSec Token]
Hostname(s) [Your Domain]
Check ip method [Interface [IPv4]]
Force SSL [X]
Interface to monitor [Your WAN Interface]

After activating, the ddclient logs look like

<165>1 2023-06-08T16:45:53+02:00 OPNsense.zuhause.xx ddclient 60835 - [meta sequenceId="4"] Account yyyyyyyyyy-18d2-47a7-b45a-4468975dc2e7 [desecv6 - dedyn]  set new ip 2003:XXXX:XXXX:XXXX:XXXX:efff:fe57:21ce [good]
<165>1 2023-06-08T16:45:53+02:00 OPNsense.zuhause.xx ddclient 60835 - [meta sequenceId="5"] Account yyyyyyyyy-18d2-47a7-b45a-4468975dc2e7 [desecv6 - dedyn]  changed
<165>1 2023-06-08T16:45:53+02:00 OPNsense.zuhause.xx ddclient 60835 - [meta sequenceId="6"] Account zzzzzzzzzz-f19d-4b4e-98a8-1bf71b62ee24 [desecv4 - dedyn]  execute
<163>1 2023-06-08T16:45:59+02:00 OPNsense.zuhause.xx ddclient 60835 - [meta sequenceId="7"] Account zzzzzzzzzz-f19d-4b4e-98a8-1bf71b62ee24 [desecv4 - dedyn]  failed to set new ip 87.XXX.XXX.236 [429 -
Request was throttled. Expected available in 55 seconds.]


After the mentioned 55sec, also the ipv4 address is visible at desec as an A record.

This means desec is basically working on the new OPNsense backend for ipv4 AND ipv6 with some very simple and straightforward extensions to the dyndns.py code; the only oddity is the throttling of the sequential requests to the same desec account for v4 and v6, which obviously allows only one update per minute. Perhaps there is a possibility to add an additional throttling config item into the new opnsense backend code.

Several reboots and reconnects leading to different ipv4 and ipv6 addresses confirmed that it is working.

I think that this example could open potentially a pretty fast integration path for some more dyndns2 based service providers into the new opnsense backend python code and facilitate therewith at least in parts a catch up to the legacy dyndns solution as far as support of providers is concerned. Indeed there are many non dyndns2 providers for which more code needs to be written.

If this report is perceived positive perhaps it could be taken into the mainstream code base or you let me know how I could do this.

Br br
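The throttling seen in the log above, handled on the client side: an added example (not part of the original post and not OPNsense or ddclient code) that reads the wait hint from the 429 body and retries the same update after that delay. The `send`/`sleep` callables, the fake server and the addresses are constructed stand-ins so it runs offline.

```python
import re

# Throttle detail as it appears in the 429 log line in the post above.
_THROTTLE_RE = re.compile(r"Expected available in (\d+) seconds?")

def retry_delay(status, body, default=60, ceiling=300):
    """Seconds to wait before retrying, or None when no retry is due."""
    if status != 429:
        return None
    m = _THROTTLE_RE.search(body or "")
    delay = int(m.group(1)) if m else default
    return min(max(delay, 1), ceiling)  # clamp: the hint is remote input

def run_updates(jobs, send, sleep, max_attempts=3):
    """Send jobs in order; on 429 wait as told, then retry the same job.

    send(label, ip) -> (status, body) and sleep(seconds) are injected
    (hypothetical transport and clock) so the example runs offline.
    """
    results = {}
    for label, ip in jobs:
        for attempt in range(1, max_attempts + 1):
            status, body = send(label, ip)
            delay = retry_delay(status, body)
            if delay is None or attempt == max_attempts:
                results[label] = (status, attempt)
                break
            sleep(delay)
    return results

class FakeThrottledServer:
    """Constructed stand-in: one accepted update per 60 s for the account."""
    def __init__(self):
        self.now, self.last_ok = 0, None
    def send(self, label, ip):
        if self.last_ok is not None and self.now - self.last_ok < 60:
            left = 60 - (self.now - self.last_ok)
            return 429, f"Request was throttled. Expected available in {left} seconds."
        self.last_ok = self.now
        return 200, "good"
    def sleep(self, seconds):
        self.now += seconds

def demo():
    srv = FakeThrottledServer()
    jobs = [("desecv6", "2001:db8::1"), ("desecv4", "192.0.2.10")]  # constructed
    return run_updates(jobs, srv.send, srv.sleep), srv.now
```
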

Regarding rate limit they probably want you to update both IPs/all hostnames in one request and I think ddclient itself (not our backend) is capable of this. However, looking at the above code it has at least one bug in dyndns2 support...

Can you update to the snapshot package to see if that makes a difference?

# opnsense-revert -z ddclient-devel

(needs a service restart)

For reference: https://github.com/ddclient/ddclient/pull/542


Cheers,
Franco

June 09, 2023, 10:24:58 AM #2 Last Edit: June 09, 2023, 10:27:15 AM by bringha
Hi Franco,

I did not mention the steps which did NOT work. ;) Sorry for that one...

desec support recommends to use the update server https://update6.dedyn.io/ with the ipv4 address which shall (sometimes) enable that both (ipv4 and ipv6) addresses are updated. (if it doesn't they nicely refer to the 'folks of OPNsense who could help out').

I could not get it to work with any of the dyndns options on opnsense (legacy and both ddclient backends) yet. Even more, any trial with split calls for ipv4 and ipv6 failed (which is also written in the desec docs). The result has been either an A or an AAAA record but never both.

So it has been a very positive surprise that the new opnsense backend somehow manages to have an A and an AAAA record with two separate calls.

I reverted to the devel snapshot, so far all fine (I just cannot force a reconnect as some video calls are going on, but I will do it asap and then give feedback).

Br br

Hi,

I could meanwhile reboot the machine and got a new set of ip addresses - the throttling behaves the same as in the old version. I hope that I did not misunderstand you and the revert is relevant for the ddclient backend only ?!?

@Franco: You furthermore mentioned that the new backend is not supporting to update both IPs in one request while ddclient itself does. However, it is a functionality which an increasing number of DNS service providers seem to require.

Is it possible to refactor the
_current_address=checkip(...

logic in the BaseAccount class in such a way that both addresses are made available as a property there, e.g. as a result of two subsequent calls of checkip()? The addresses would then be available for the individual accounts code to be used. Or is the idea of the new backend architecture that such a case shall be handled directly with two subsequent checkip calls in the account code? Imho I would prefer the first solution.

E.g.: I am just going to try to create account code for Ionos and the only way to get both A and AAAA records is via a URL which looks like:
https://ipv4.api.hosting.ionos.com/dns/v1/dyndns?q=NDFjZmM3YmVjYjQzNDRhMTkxMzliZDAwYzA2OGU3NzEuU2FvNlhuR2U4UmtxNGdiQzlMN19TLWpZanM4LWZBdGsxX2Ixa2FFUmRFWUp4Z1pmR3NWOVFpUjZYZGQ5TTZ5QjBIZkxSRFAyN2lzeHhCRWNuNVpSU0E&ipv4=<ipaddr>&ipv6=<ip6addr>

What is your view on this?

Looking forward to your reply

Br br

I'm not sure what the restrictions are that Ad wants to set in place for the OPNsense backend, but best way to find out is make a feature request on GitHub to discuss.

I'm more involved in the native ddclient part of the plugin.


Cheers,
Franco


BTW, the POST method landed in 23.7.1 and I think someone is working on a GET method as well, but I don't entirely know if it will be accepted (since it puts credentials in the URL).


Cheers,
Franco
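The concern about credentials in the URL, as an added example (not part of the post and not the plugin's code): a dyndns2 request built with HTTP Basic auth in a header, and a redactor that masks userinfo and secret query values before a URL reaches a verbose log. Host names, the token and every key in `SECRET_KEYS` other than `q` are assumptions.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query keys treated as secrets; "q" is the token parameter in the URL
# quoted earlier in the thread, the others are assumptions for illustration.
SECRET_KEYS = {"q", "token", "password", "pass", "key"}

def redact_url(url, secret_keys=SECRET_KEYS):
    """Return url with userinfo and secret query values masked, for logging."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    if parts.username or parts.password:
        host = f"***@{host}"
    query = [(k, "***" if k.lower() in secret_keys else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="*:" keeps the mask and IPv6 colons readable in the log line
    return urlunsplit((parts.scheme, host, parts.path,
                       urlencode(query, safe="*:"), ""))

def header_auth_request(base_url, hostname, ip, username, token):
    """Build a dyndns2 GET whose credentials travel in a header, not the URL."""
    url = f"{base_url}?{urlencode({'hostname': hostname, 'myip': ip})}"
    cred = base64.b64encode(f"{username}:{token}".encode()).decode()
    return url, {"Authorization": f"Basic {cred}"}

def demo():
    # Constructed inputs: example hosts, documentation addresses, fake token.
    leaky = ("https://ipv4.api.example.net/dns/v1/dyndns"
             "?q=CONSTRUCTEDTOKEN&ipv4=192.0.2.10&ipv6=2001:db8::1")
    url, headers = header_auth_request("https://ddns.example.net/nic/update",
                                       "a.example.net", "192.0.2.10",
                                       "a.example.net", "tok")
    return redact_url(leaky), url, headers
```

The header form still needs TLS, and the headers themselves must stay out of debug output; `redact_url` only covers what ends up in the request line.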

This got me where I needed to go. The road was long and bloody, but in the end I prevailed!  ;D

This topic and the discussion here helped get me over the hurdle.

https://forum.opnsense.org/index.php?topic=36010
V/r,
John