Duck DNS – free dynamic DNS hosted on AWS
duckdns.orgFor anyone hosting their domain on Google Domains, there's a neat API endpoint they're offering for updating the DNS with a simple CURL. I've been using this for years now for a public Raspberry PI behind a home router that changes IPs every other day.
curl -s -k --user "username:password" "https://domains.google.com/nic/update?hostname=yourdomain.com"
Here are the docs: https://support.google.com/domains/answer/6147083?hl=en#zipp...
I don't know if it's relevant but there was an article the other day about how Google is phasing out username:password logins for most Google related services and APIs, so if you have a script running quietly for years doing this task, it might be worth double checking if it will continue to be fine. (It might be, if this u/p is unique to the domain as the docs suggest - but I thought I'd mention it just in case!)
This is with an application specific username/password pair that GoogleDNS gives you. And will only update that specific record.
Would enabling 2-factor auth and using an app-specific passowrd in this case still work? worth a try I guess: https://support.google.com/accounts/answer/185833
I had no idea about this, really handy!
Quick question, is there a reason the -k (--insecure) flag is included? I imagine that https://domains.google.com would use a cert trusted by curl so it seems unnecessary and adds a risk that your traffic could be MitM.
I could see people doing this on old routers with outdated CA certs and etc. But agreed, it seems like a bad idea unless absolutely necessary.
Not only did I have no idea about this, but I was certain this didn't exist on purpose as there is a paid "Cloud DNS" in Google Cloud.
Does this mean Let's Encrypt dns-01 challenges could be automated?
[edit: Oh the API only allows changing an A record, for dynamic DNS, not updating anything else in the zone. That makes more sense.]
so I mentioned the same thing, though one thing to note (which I doubt duck dns helps with either). Is one can't use google's dynamic dns with AAAA records (i.e. ipv6). Personally, I think this is massive oversight on their part.
I have dynamic A and AAAA records with Google Domains. I'm not sure why it doesn't work for you.
Here's the relevant portion of my ddclient config:
protocol=googledomains login=XXXXXXX password=XXXXXXX host4.mydomain.com protocol=googledomains use=web web=checkipv6.dyndns.org/ ipv6=yes login=XXXXXXXC password=XXXXXXX host6.mydomain.comok, so you're doing a manual update?
when I go into the web ui for my domain and go to create a dynamic dns name, it only gives me an option for only an A record.
My "guess" is that your solution is to create a normal AAAA record and ddclient can update that record with the info retrieved from checkipv6.dyndns.org? so not using google's UI to setup a AAAA dyn dns record? and my guess is that username/password scoping that you got for host4 worked the same for the "fake static" AAAA record?
or you could have the ability to create AAAA dyn dns records via the UI and for some reason I'm just blind.
When you create the dynamic DNS record in the UI, it will be of type A.
But after you update the record using ddclient or whatever, the UI will show the correct type:
ah, ok. thanks for the info!
Likely because the person/team that built this got their annual bonus for making something new and moved on to other things before ipv6 became relevant in their eyes.
It seems unsafe to me to be passing your username and password over the open every second day. Especially one that links to Google - which for the majority of people is their life.
As a side note - will the recent announcement by Google about unsafe logins being denied affect you?
In the open? I believe u:pwd is HTTP Basic Auth, which is not "in the open" when over TLS.
https://en.wikipedia.org/wiki/Basic_access_authentication#Se...
~~It's still passing credentials for the entire account, rather than something explicity scoped to "just update these A records, and these A records only".~~
~~Also as the parent noted, Google have the last few years been very aggressive about "unsafe login" (using usr+pass outside of Google) and this might disappear.~~
Edit: Never mind, buried in the docs it appears the user:pass are scoped.
In this case, the username and password are NOT your Google credentials. When you set up a dynamic DNS subdomain in Google Domains, it autogenerates a username/password pair that is unique to that subdomain, and that's what you use.
https://support.google.com/domains/answer/6147083?hl=en&ref_...
I was quite surprised to learn this has nothing to do with DDG. Interesting how DDG seem to have taken the meaning of "duck" in (my) mind.
What's more interesting is that DDG had disputes with Google over the ownership of the duck.com domain. Google was squatting on the domain and redirected it to Google (dirty tactic). But I guess it could just as easily have gone to the Oregon Ducks or some duck based website. (interestingly "ducks.com" doesn't go anywhere for me)
Google became the owner of Duck.com back in 2010 when it acquired On2 Technologies, a company formerly known as The Duck Corporation. It gifted the domain to DuckDuckGo in 2018
Hmm, I remember it differently, with Google redirecting duck.com to DDG, and then later just handing the domain over to them.
You're remembering things correctly. The WHOIS record for duck.com shows that it's owned by Duck Duck Go, Inc.
google already does enough atrocious things, you don't have to make them up.
I have been using Cloudflare Tunnel for several months now to get around dynamic DNS requirements and port forwarding. It creates a secure tunnel between your server and their edge, and supports name-based service config (domain X points to localhost Y.) Downside is they only supports HTTP(s).
There is a free tier, although you need to provide them a full domain (not a subdomain) for it to work, and then each site/tunnel will create a subdomain. It does work with free domains like .tk if you really want to go that route.
https://developers.cloudflare.com/cloudflare-one/connections...
There are also open-source alternatives using VPNs like Wireguard + nginx, but typically these solutions require you to run a publicly-accessible server already to host the proxy.
Tunnel is one feature that make me like cloudlfare a lot
I'm currently on the search for a service to facilitate DDNS. Duck DNS seems popular, but I'm skeptical of things that are simply offered for free. What assurance do we have that Duck DNS is secure, or that it will not just disappear one day? The alternative that seems better to me is Namecheap with their API.
I cobbled together a bash script that used the cloudflare API to update the A record when my IP changed. It worked well.
Prior to that i used https://freedns.afraid.org which is free if you are willing to share your domain (people can create subdomains that point to their IP) or you can pay to keep it private. It's been around for a very long time, so it's unlikely to vanish. It's a very good service.
+1 on Cloudflare’s API for this. You can generate an API key (per domain only, I think) and it’s a simple curl call from there.
And it works on their free account level! Maybe someday they’ll kill that, but they have a history of keeping features in free going.
they have a history of keeping features in free going.
Correct.
https://freedns.afraid.org has been running forever and a day, has thousands (?) of domain names donated for use, two APIs (v1 and v2), and the free tier is subsidized by paying premium members (premium gets extra features). Highly recommended.
Why does it matter if it just disappears one day if you are not paying for it anyways?
Because then you have a ticking time problem. Some automatic service might just silently start failing deep in your tech stack. And yes, you can monitor that. But then your monitoring software might fail, etc.
If you are having a serious (= where failures matter a lot) tech stack, use something that is paid and supported or host it yourself.
I think I see your point, however, what I'm saying is I'd rather pay for something in exchange for some semblance of availability and security guarantees.
That's ok. But I think for private projects something like this is fine. That's why I meant that even if it disappears it doesn't matter.
I would definitely not use something like this commercially.
I think any commercial use of, or reliance on, dynamic DNS is a terrible idea.
If it disappears how do you get a refund?
this comment hit me pretty hard. why do we expect longevity in the free open source world?
I’m using ddclient [0] with Google Domains. Pretty easy to set up on a raspberry pi.
My router supports Route53, so I just pay the $0.50/month for them to host the domain. I don't foresee Route53 going away anytime soon.
How does your router support Route53? Does your router have a static IP address and you just created an entry in Route53 mapping a subdomain.example.com to the static IP of your router? DuckDNS is a Dynamic DNS and can work with common dynamic IPs... How do you update the entry in Route53 when the IP address of your router changes?
OPNSense saves an AWS keypair. When it detects my IP changes, it updates a Route53 record using the AWS API. It’s one of the options alongside a bunch of other DDNS providers.
My router supports no-ip and other dyndns providers. I expect if that particular router supports Route 53 than it'll do the same: just update the entry in Route53.
I went the API way but with Gandi, works like a charm!
Gandi is my registrar! Yes, I'm a fan. I may be mistaken, but something I worry about after trying Gandi's API for Let's Encrypt is the API keys provide permission for everything. I would love it if the permissions could be narrowed down to specific domains, records, and operations on them... AWS Route53 comes to mind, but my router (OPNsense) didn't have it available as an option. :(
Maybe I'm missing something obvious, but why not just pay for a domain and run a cronjob to update the IP in case it changes?
How long does it take to propagate the changed IP?
Generally a few seconds from my experience with outside friends using services I've set up.
Depends on your TTL. For me 15 minutes.
Anecdote: I am happily using DNS Made Easy (paid) with ‘ddclient’ for dynamic updates via their API
ddnss.de
This service is infamous to be abused by spammer.
I can imagine. Last year I tried to sign up to create a domain for my home server. Despite having my own IP address and a Google account I pay for recaptcha v3 they use would not let me through.
I love DuckDNS but we seriously need a more automated and integrated solution to this kind of thing. It's the missing piece that holds self hosted back.
Something that:
* Lets you set up a domain with a single command
* Handles security for you. There shouldn't be any manual admin needed to make a secure context site
* Works offline on the LAN if possible, and on Yggdrasil meshes.
I should be able to buy a device, plug it in, then scan the QR code on it's display and be instantly taken to its website, no setup or account creation.
Unfortunately the web blocks all insecure requests from within secure contexts, and has no MDNS type functionality, so building a P2P solution with service workers or something is very hard/impossible.
DuckDNS is really almost there. It's the security that makes it hard, Let's Encrypt is not exactly consumer grade.
Why is let’sencrypt not consumer grade? I dont think it uses any inferior algorithm. Am I missing something?
An average user probably wouldn't want to set it up though.
The security is fine, but it's definitely not plug and play like I'd expect a commercial NAS or something to be.
That is true but then again, it is designed to be used automated afaik may be thats why it became instant hit among developers. There are services like ZeroSSL which would be a better fit for average user.
I've been using noip.com for my projects, works quite well except that you have to confirm you still want your noip domain reserved every once in a while. I'll try Duck Dns in my next project. Thanks for the share.
Be aware that Facebook Messenger blocks URLs with duckdns.org as unsafe links. The workaround is probably to find a cheap domain (not free, these are blocked as well) and attach it using CNAME.
This has nothing in common with DuckDuckGo?
DDG (unfortunately) is bigger and bigger with every year. They are developing desktop browser, email proxy etc.
I wouldn't be surprised if they'd lunched DDGDNS.
Why is it unfortunate that DDG is bigger and bigger every year?
The larger the crowd the more likely the company is to monetise the service? Or just sell the eyeballs?
I'd like to think DDG were too principled to do this, but money can really direct moral compasses in large enough quantities.
That's exactly what I meant :)
There are many companies / sites / blogs / YT channels etc that put quantity over quality.
I’ve been using DuckDNS for a couple of years now but one day I discovered that Reddit login is no more so I’m locked out of my account, still works though!
In the past I've tried using the free tier of other DynDNS services but with 2 commercial routers I had it always boiled down to the firmware being crap and having some bug that wasn't working with the free DynDNS. Many people recommend OpenWRT but you need to plan in advance which router you are going to buy to be compatibile with OpenWRT and I never planned so much in advance.
I have my own domain and run a Cloudflare Workers endpoint that updates a DNS record. It’s quite simple to run one’s own dDNS service.
I have used DuckDNS for nearly a decade. I highly, highly recommend them. It's never not worked, super simple to set up on any server or always on system, and just is exactly what you want if you're a hobbyist.
The only possible downside is that you end up with a url with "duckdns.org" in it, but I don't mind
That's great and all but since dyndns providers are hardcoded in my router this does not help.
If you have a machine running all the time anyways you can have it update the IP instead of the router. They have instructions for a bunch of different ways to do it on various OSs.
Then I rather use my own DNS solution.
You can use DuckDNS through DNSOMatic. That's in many routers. That's what I do
I use Cloudflare, and there are also tons of APIs for update IP of DNS configuration.
I remember using it years ago to be able to point from the outside to a dynamic IP.
I used an old Android phone with their app to keep the IP updated. Like the old no-ip but without a PC.
Just curious, how does this project pays bills?
It's not expensive to run a project like this to begin with but donations.
I wonder about that too.
When a pro duck needs another roll of duct tape from his industrial supplier, they just put it on his bill and he's good to go.
Donation. Just like many projects like this.
Happy user here. DuckDNS is one of those great things that does one thing simply and just works
For some time I kept getting SMS phishing mails with duckdns.org urls here in Japan.
DuckDNS is sadly often abused for malware and phishing.
Thank you. This was exactly what I've been looking for for a while now.
It is a great service - I have been using it for over 6 years now.
anyone knows why reddit doesnt like them using the reddit api?
>We unfortunately do not allow use of Reddit’s API for account authentication with third-party sites or applications that have no partnership, affiliation, or connection with Reddit. Reddit does not offer or support “log in with Reddit” or “use Reddit” to login services. Use of any sort of button, including a “use Reddit” login button like the one currently featured on your site, is unauthorized.
I know it is significantly less easy and not free, but wouldn’t a dedicated $6 vps running a level 4 haproxy to get access be a lot safer? A script to ssh to the vps to update your backend ip is pretty trivial.
This is not a proxy though. Its just a DNS entry.
To me, this domain is synonymous with phishing.
to avoid reverse proxy, dynamic dns to access servers at home, maybe try tailscale to achieve same thing
one could just pay a small yearly fee to register their domain with google and get easy/unlimited ddns.
You can also host your zone with Hurricane Electric and skip the part about paying a small yearly fee to Google.
there's no cost to google besides the registration fee, if it's your zone, you're paying that fee anyways. The only way to not pay a fee is to go through a free dyndns provider that you have to use a hostname off of their zone.
Is the DNS free, even if you use other registrar than Google?
I have some domains with country-specific tlds, and I'm using small registrars there. he.net is free even in this case.
I don't believe this solves the issue if your IP changes all the time.
Why not? As OP said you'll get an easy way to update the dns entry with the new IP.
Why AWS? How about we start building services that work anywhere instead of targeting a platform owned by a company that avoids paying billions in taxes?
Edit - I'll leave my original comment up but I originally thought this was a service that users could deploy themselves into their own AWS accounts which it is not. It is, as it says, a DDNS service which is free. The fact that it's hosted in AWS should be neither here nor there.
It kinda gives a sense of how it works. AWS means it's not just a handwritten script on a VPS somewhere, it's probably maintained with lots of automation, etc.
It kind of gives it a sense of professionalism for marketing purposes.
New to this. "Practically", it seems the same as ngrok or tor onion services. Is that right?
I'm familiar with DNS and read the FAQ. But, "Practically", it's used for external services(ssh, http) to get to your device. Right? Are there practical use differences?
It's a name system. It allows you to get the name, it does not provide access. You're basically saying "the yellow pages are the same as cell phone towers, they allow you to phone people".