IPv6 Dynamic DNS

[bcjenkins]

Is there a way for the firewall to track IPv6 clients behind it and update dynamic DNS entries on a service like Cloudflare?

[netrixtardis]

I think the way we have it setup, we are getting IPv6 from the prefix delegation off the WAN.  The way to track the IPv6 IPs assigned would be to configure the OPNsense router box as the DHCPv6 server, then dolling out IPs that way.  Currently I think we are still getting IPv6 IPs from the upstream router beyond the OPNsense box.

btw, I'm still trying to understand this stuff, someone correct me if I am completely wrong...

[bcjenkins]

No, I believe you're correct. You could build an application on the router to harvest the IPv6 assignments and correlate them with a MAC -> host table. Sending an update to the IPv6 DDNS platform when a change is detected.

Log on to your router and look at the current discovery information:

Code: [Select]

ndp -an
If your discovery seems light, then you can ping the multicast address to update the neighbor discovery:

Code: [Select]

ping6 -I em0 -c 3 ff02::1 Where em0 is your LAN interface.

As an example, my LAN interface knows about my LAN client and I could write a script to do this very coarsely. I would much rather it be baked in to the GUI and supported by the project. I would be willing to contribute to this effort, too, but I couldn't fund the entirety.

[bcjenkins]

I borrowed a little bit of code from the NDP diagnostics page and can execute this on the firewall to identify my desired host updates.

Code: [Select]

<?php

/*
Copyright (C) 2014 Deciso B.V.
Copyright (C) 2004-2010 Scott Ullrich <sullrich@gmail.com>
Copyright (C) 2011 Seth Mos <seth.mos@dds.nl>
Copyright (C) 2005 Paul Taylor (paultaylor@winndixie.com) and Manuel Kasper <mk@neon1.net>.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/

$hostTable = array("host1" => "aa:bb:cc:dd:ee:f0", "host2" => "aa:bb:cc:dd:ee:f1");


exec("/usr/sbin/ndp -na", $rawdata);
$data = array();
array_shift($rawdata);
foreach ($rawdata as $line) {
    $elements = preg_split('/[ ]+/', $line);
    $ndpent = array();
    $ndpent['ipv6'] = trim($elements[0]);
    $ndpent['mac'] = trim($elements[1]);
    $ndpent['interface'] = trim($elements[2]);
    $data[] = $ndpent;
}

foreach ($hostTable as $key => $value) {
    $entries = array_keys(array_column($data, 'mac'), $value);
    foreach ($entries as $entry => $number) {
        if (substr($data[$number]['ipv6'], -4) === str_replace(':', '', substr($data[$number]['mac'],-5))) {
            echo $key . " has IPv6 address of " . $data[$number]['ipv6'] . "\n";
            /*This is where I would build out the DDNS update. I would start with a query of the DNS
            server to determine what the IP resolves to and then post an update if needed. You could
            also cache the last address locally or in a database, etc. */
        }
    }
}
It would be awesome if something like this could wind up in the UI to set up. I'll continue to hack out my script for my purposes. If anyone is interested in the finished product please shout out.

--bcj

[bcjenkins]

Workable script below. Several assumptions are made

• IPv6 address is based on MAC address. Windows does not default to this. You can fix with the code below and a reboot.
• Domain is 2 levels like example.com and not 3 like example.co.uk

Code: [Select]

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set privacy state=disabled

PHP code - This can be run as a cron job on the firewall. This works for CloudFlare using their V4 API.

Code: [Select]

<?php

/*
Copyright (C) 2015 CBA Solutions, LLC
Copyright (C) 2014 Deciso B.V.
Copyright (C) 2004-2010 Scott Ullrich <sullrich@gmail.com>
Copyright (C) 2011 Seth Mos <seth.mos@dds.nl>
Copyright (C) 2005 Paul Taylor (paultaylor@winndixie.com) and Manuel Kasper <mk@neon1.net>.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/

$hostTable = array("example.com" => "aa:bb:cc:dd:ee:f0", "server.example.com" => "aa:bb:cc:dd:ee:f1");

$cfEmail = "email@example.com";
$cfAPI = "9a7806061c88ada191ed06f989cc3dac";

//Code used from OpnSense Source
exec("/usr/sbin/ndp -na", $rawdata);
$data = array();
array_shift($rawdata);
foreach ($rawdata as $line) {
    $elements = preg_split('/[ ]+/', $line);
    $ndpent = array();
    $ndpent['ipv6'] = trim($elements[0]);
    $ndpent['mac'] = trim($elements[1]);
    $ndpent['interface'] = trim($elements[2]);
    $data[] = $ndpent;
}

foreach ($hostTable as $key => $value) {
    $entries = array_keys(array_column($data, 'mac'), $value);
    foreach ($entries as $entry => $number) {
        if (substr($data[$number]['ipv6'], -4) === str_replace(':', '', substr($data[$number]['mac'],-5))) {
            $domainArray = preg_split("/\./", $key);
            $cfDomain = $domainArray[count($domainArray)-2] . "." . $domainArray[count($domainArray)-1];
            $cfNewIP = $data[$number]['ipv6'];
            $cfURL = 'https://api.cloudflare.com/client/v4/zones';

            //Get the Zone ID
            $curlRequest = curl_init();
            curl_setopt($curlRequest,CURLOPT_HTTPHEADER,array("X-Auth-Email: $cfEmail","X-Auth-Key: $cfAPI","Content-Type: application/json"));
            $cfURL .= '?' . "name=$cfDomain";
            curl_setopt($curlRequest,CURLOPT_URL, $cfURL);
            curl_setopt($curlRequest,CURLOPT_RETURNTRANSFER, true);
            $result = curl_exec($curlRequest);
            curl_close($curlRequest);
            $cfData = json_decode($result);
            $cfDomainID = $cfData->result[0]->id;

            //Get the Zone Record for the FQDN
            $cfURL = 'https://api.cloudflare.com/client/v4/zones/' . $cfDomainID . '/dns_records?type=AAAA&name=' . $key;
            $curlRequest = curl_init();
            curl_setopt($curlRequest,CURLOPT_HTTPHEADER,array("X-Auth-Email: $cfEmail","X-Auth-Key: $cfAPI","Content-Type: application/json"));
            curl_setopt($curlRequest,CURLOPT_URL, $cfURL);
            curl_setopt($curlRequest,CURLOPT_RETURNTRANSFER, true);
            $result = curl_exec($curlRequest);
            curl_close($curlRequest);
            $cfData = json_decode($result);
            $cfOldIP = $cfData->result[0]->content;
            $cfHostID = $cfData->result[0]->id;

            if ($cfOldIP != $cfNewIP){
                // Build request to update current IP
                $curlRequest = curl_init();
                $cfUpdate = array();
                $cfUpdate["id"] = $cfHostID;
                $cfUpdate["type"] = "AAAA";
                $cfUpdate["name"] = $key;
                $cfUpdate["content"] = $cfNewIP;
                $cfUpdate["zone_id"] = $cfDomainID;
                $cfUpdate["zone_name"] = $cfDomain;
                $cfUpdate["ttl"] = 300;
                $cfURL = 'https://api.cloudflare.com/client/v4/zones/' . $cfDomainID . '/dns_records/' . $cfHostID;
                curl_setopt($curlRequest,CURLOPT_HTTPHEADER,array("X-Auth-Email: $cfEmail","X-Auth-Key: $cfAPI","Content-Type: application/json"));
                curl_setopt($curlRequest,CURLOPT_RETURNTRANSFER, true);
                curl_setopt($curlRequest,CURLOPT_CUSTOMREQUEST, "PUT");
                curl_setopt($curlRequest,CURLOPT_POSTFIELDS, json_encode($cfUpdate));
                curl_setopt($curlRequest,CURLOPT_URL, $cfURL);
                $result = curl_exec($curlRequest);
                curl_close($curlRequest);
                $cfData = json_decode($result);
            }
        }
    }
}

[franco]

bcjenkins, I'll happily pick up these pieces of code, but I am unsure about how to structure them, e.g. general purpose IPv6, specialised CloudFlare-Plugin, or bind into DynDNS code itself?

It would also be appreciated to include your name and email into the copyright to make it explicit that you agree with the 2 Clause BSD license.

Thanks so far.

[bcjenkins]

To be honest, this is pretty specific to Cloudflare. My registrar didn't support DDNS for IPv6 and I am looking for a way to track the addresses automatically. Cloudflare's service is free to use and it might be interesting to create a mechanism which would leverage the NDP discovery to select which entries you would like to create records for.

The account email and API key is all you would need to do this. Each entry should have a MAC address, host, domain name, and TTL. If you were to store the zone ID, host ID, in the database and it will save additional calls on updates. The new API (V4) uses FQDN for host entries and domain name for zones. The FQDN can be the zone or sub-domains.

Cloudflare API - https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record