Dynamic DNS with Cloudflare does not work, change my mind
-
I have set up my domain on Cloudflare.
Cloudflare reports the domain is "the primary DNS provider for this domain, it authoritatively answers all DNS queries."
On Cloudflare I created an A record for pfsense and entered my current IP address. I am double NAT on Starlink. It is set to DNS only, not proxied, and TTL is auto.
In pfSense I added a new client under Services > Dynamic DNS > Dynamic DNS Clients. Interface is WAN, Service is Cloudflare. Host name is correct, pfsense.mydomain.cloud. Cached IP is N/A.
I created a new API Token on Cloudflare with the permission Zone.DNS. I used this as the "password" on pfSense.
Logs report failures:
Jan 1 08:24:33 check_reload_status 699 Syncing firewall
Jan 1 08:24:33 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
Jan 1 08:24:33 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS cloudflare (pfsense.mydomain.cloud): _checkIP() starting.
Jan 1 08:24:33 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS cloudflare (pfsense.mydomain.cloud): REDACTED extracted from Check IP Service
Jan 1 08:24:33 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS (pfsense.mydomain.cloud): running get_failover_interface for wan. found mvneta0
Jan 1 08:24:33 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS cloudflare (pfsense.mydomain.cloud): _update() starting.
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: HTTP/2 400
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: date: Wed, 01 Jan 2025 14:24:34 GMT
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: content-type: application/json
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: cf-ray: REDACTED
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: cf-cache-status: DYNAMIC
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: expires: Sun, 25 Jan 1981 05:00:00 GMT
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: set-cookie: __cflb=REDACTED; SameSite=Lax; path=/; expires=Wed, 01-Jan-25 16:54:35 GMT; HttpOnly
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: strict-transport-security: max-age=31536000
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: pragma: no-cache
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: cf-auditlog-id: REDACTED
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: x-content-type-options: nosniff
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: x-frame-options: SAMEORIGIN
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: set-cookie: __cf_bm=REDACTED; path=/; expires=Wed, 01-Jan-25 14:54:34 GMT; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: set-cookie: __cfruid=REDACTED; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header: server: cloudflare
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header:
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Header:
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Response Data: {"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS cloudflare (pfsense.mydomain.cloud): _checkStatus() starting.
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: phpDynDNS (pfsense): PAYLOAD: {"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: phpDynDNS (pfsense): UNKNOWN ERROR - Invalid request headers
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS cloudflare (pfsense.mydomain.cloud): _checkStatus() ending.
Jan 1 08:24:34 php-fpm 99675 /services_dyndns_edit.php: Dynamic DNS cloudflare (pfsense.mydomain.cloud): _update() ending.
Jan 1 08:25:01 php-cgi 15793 servicewatchdog_cron.php: Service Watchdog detected service openvpn stopped. Restarting openvpn (OpenVPN client: PIA)
To me this looks like a software error and I cannot imagine how basic Cloudflare DDNS would make it out of the door of QA without it working?
I would like to think this was my error but there are not a lot of settings here...?
-
@blackburd said in Dynamic DNS with Cloudflare does not work, change my mind:
To me this looks like a software error and I cannot imagine how basic Cloudflare DDNS would make it out of the door of QA without it working?
A basic QA exists ^^
Test for yourself: cloudflare invalid format for x-auth-key header, and the very first link is a 100% match (identical issue). I used Google here, but any search engine would yield the same result.
Have a look at the other proposed search results also.
You are using pfSense 2.7.2 or 24.11, right?
edit: I knew I'd seen this one before: https://forum.netgate.com/topic/189759/cloudflare-ddns-update-request-no-longer-valid
-
@Gertjan 24.11-RELEASE (arm64)
built on Wed Nov 27 12:22:00 CST 2024
FreeBSD 15.0-CURRENT
"A basic QA exists ^^"
"Test for yourself: cloudflare invalid format for x-auth-key header and.."
I am a new user to pfSense and not a network expert. If you could put your reply in plain English I would understand it.
I think I have narrowed my problem down myself to an issue with Starlink and CGNAT. Perhaps the only solution to get open ports in the public for me is to use a VPN that attaches to my domain name?
Thank you for your time.
-
@blackburd said in Dynamic DNS with Cloudflare does not work, change my mind:
I think I have narrowed my problem down myself to an issue with Starlink and CGNAT
I would have thought that Cloudflare would inform you that the IP the (your) dynDNS wants to register isn't applicable. Not this strange-looking error "cloudflare invalid format for x-auth-key header".
Registering RFC1918 (IPs like 192.168.1.1) or any IP lying in the CGNAT range can't (shouldn't) be used for DynDNS as that wouldn't make sense.
@blackburd said in Dynamic DNS with Cloudflare does not work, change my mind:
Perhaps the only solution to get open ports in the public for me is to use a VPN that attaches to my domain name?
Exact.
-
It's been some time since I posted this but I did eventually get at least a domain working with Cloudflare. I had to remove everything from the firewall appliance and install a cloudflared docker container where it had access inside the network to allow my services out. Not what I was really looking to do, but it just works.
-
@blackburd if you're behind a CGNAT, what would be the point of registering a CGNAT IP in any public domain?
Sure, you use some docker to register the public IP it's using to talk to the internet - but what is the point? And that is most likely going to change pretty frequently. And not going to work for any inbound traffic. The only thing I could see it might be used for would be using that FQDN in some other system to allow access from that public IP you're using at the moment.
But yeah, if the pfSense public IP is some CGNAT IP, you're prob going to have a hard time registering that.
I register a couple of different FQDNs with Cloudflare using pfSense, no issues at all - but then again my pfSense has a public IP on its WAN that it registers.
3 different hosts, with 2 different domain names.
-
@johnpoz As far as I can tell with my limited knowledge, it's very hard to do any of this on Starlink, that's probably the source of my problems.
-
@blackburd yeah, because pretty sure unless you pay extra or have the business whatever option for Starlink, you're behind a NAT, i.e. CGNAT - so there is no inbound traffic to 100.64-127.x.x. This is CGNAT space. It doesn't route on the public internet.
https://en.wikipedia.org/wiki/Carrier-grade_NAT
If your pfSense WAN has a 100.64-127 address, you're behind a NAT. When you go to "what's my IP" and see some public IP like 72.52.32.12 etc., that is Starlink NATing your 100.64-127 address to a public IP. Just like any normal NAT router that NATs the 192.168.1.x address you're running locally to whatever the router's WAN IP is.
So with CGNAT you're going to be behind 2 NATs really - the one pfSense does from your local 192.168.x.x, 172.16-31.x.x or 10.x.x.x addresses to its WAN, in your case some 100.64-127.x.x address, and then again inside the Starlink network to whatever public IP Starlink uses for its users to actually talk to the internet.
But my question was why would you want to register either of those addresses anyway? If someone looks up host.yourdomain.tld and they get back some 100.64.x.x address, they can't get there. And even if you register what you're seeing as your public IP when you go to "what's my IP" on the internet, say 72.52.32.12, Starlink is not going to forward any unsolicited inbound traffic it sees on that IP to your CGNAT IP.
Just like in pfSense when you have a public IP on your WAN: unless you set up a port forward that says hey, there is inbound traffic to port 443 on its public WAN IP, send that to 192.168.1.42 on port 443 behind pfSense.
If you're behind a CGNAT, I'm just not understanding what use case you would have for registering either your CGNAT address or whatever public IP your ISP is NATing that CGNAT to. It's not going to allow you to host any services behind pfSense that someone on the internet can get to.
So you got your Cloudflare docker thing to register an IP in some public domain - what are you using or wanting to use that FQDN for exactly?
In the case where pfSense has a public IP, I register that IP with DNS, and Billy Bob on the internet can look that up and get my actual WAN IP and send traffic there. They go to overseerr.mydomain.tld and they get my IP. pfSense sees that inbound traffic on the port I am running that on, and it sends it to my server running overseerr at 192.168.9.10 in my case. And they can then use that service I am hosting. But if I don't port forward that traffic they wouldn't get anywhere. And if I registered the server's IP 192.168.9.10 they sure couldn't get there, because RFC1918 space, just like CGNAT IPs, does not route over the public internet.
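As an added example (not code from this thread, from pfSense or from Cloudflare), here is a pre-flight check in Python that applies the point Gertjan and johnpoz make above: an address in RFC1918 or in the 100.64.0.0/10 CGNAT range is refused before any DDNS update is sent, and a WAN address that differs from what an external check-IP service reports is flagged as a carrier NAT. The address values are constructed samples; the function and field names are my own.

```python
import ipaddress

# Ranges that never route on the public Internet. Publishing one of these in a
# DDNS record gives lookups an address nobody outside can reach.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'non-routable' or 'public' for an IP address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if any(ip in net for net in RFC1918):
            return "rfc1918"
        if ip in CGNAT:
            return "cgnat"
    if not ip.is_global:
        return "non-routable"  # loopback, link-local, IPv6 ULA, documentation ranges, etc.
    return "public"


def ddns_precheck(wan_ip: str, observed_public_ip: str) -> dict:
    """Decide whether a DDNS update is worth sending (hypothetical helper).

    wan_ip is the address the firewall holds on its WAN interface;
    observed_public_ip is what an external check-IP service reports for the
    same host. When they differ and the WAN address is private or CGNAT, the
    host sits behind a carrier NAT and the public address will not forward
    unsolicited inbound traffic to it.
    """
    wan_class = classify(wan_ip)
    behind_carrier_nat = wan_class in ("rfc1918", "cgnat") and wan_ip != observed_public_ip
    result = {"wan_class": wan_class, "behind_carrier_nat": behind_carrier_nat}
    if wan_class == "public":
        result.update(publish=True, address=wan_ip,
                      reason="WAN address is globally routable; inbound port forwards can work")
    elif behind_carrier_nat:
        result.update(publish=False, address=None,
                      reason=f"WAN address {wan_ip} is {wan_class}; {observed_public_ip} is the "
                             f"carrier's NAT address and will not forward inbound traffic")
    else:
        result.update(publish=False, address=None,
                      reason=f"WAN address {wan_ip} is {wan_class} and does not route publicly")
    return result


if __name__ == "__main__":
    # Constructed sample addresses, chosen to match the ranges discussed in the thread.
    for wan, seen in (("100.70.1.2", "72.52.32.12"), ("72.52.32.12", "72.52.32.12")):
        print(ddns_precheck(wan, seen))
```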
-
@johnpoz said in Dynamic DNS with Cloudflare does not work, change my mind:
so there is no inbound traffic to 100.64-127.x.x.. This is cgnat space.. It doesn't route on the public internet..
Which means that nobody from the Internet can reach your installation.
You're safe !! Your local firewall doesn't have to keep the nasty people out, as they can't reach your routers/firewalls.
You, your traffic can go outside, you can go wherever you want, no issues whatsoever.
True, if you want to make something from your LAN accessible from the Internet, like a camera, then that's something that your ISP connection must 'offer'. You have to pick your ISP with this functionality in mind.
More and more people will have an Internet connection using CGNAT, because there are no more free IPv4 left to attribute to everyone.
If your ISP is modern enough, you also have working IPv6. You could also use that. CGNAT isn't needed for IPv6, as everybody on earth can have 1 million IPv6 addresses for the next 1000 centuries or so (2^64 = huge).