Netgate Discussion Forum

    Dynamic DNS (DDNS) fails to obtain public IP

    DHCP and DNS
    31 Posts 6 Posters 419 Views
    • 7
      70tas @Gertjan
      last edited by

      @Gertjan Here is what I see a few seconds before DDNS, in the Unbound log:

      Jul 15 08:31:21 unbound 62262 [62262:0] info: generate keytag query _ta-4f66-9728. NULL IN
      Jul 15 08:31:20 unbound 62262 [62262:0] info: start of service (unbound 1.22.0).
      Jul 15 08:31:20 unbound 62262 [62262:0] notice: init module 1: iterator
      Jul 15 08:31:20 unbound 62262 [62262:0] notice: init module 0: validator
      Jul 15 08:31:20 unbound 62262 [62262:0] notice: Restart of unbound 1.22.0.
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 2: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:20 unbound 62262 [62262:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:20 unbound 62262 [62262:0] info: service stopped (unbound 1.22.0).
      Jul 15 08:31:20 unbound 62262 [62262:2] info: generate keytag query _ta-4f66-9728. NULL IN
      Jul 15 08:31:20 unbound 62262 [62262:0] info: start of service (unbound 1.22.0).
      Jul 15 08:31:20 unbound 62262 [62262:0] notice: init module 1: iterator
      Jul 15 08:31:20 unbound 62262 [62262:0] notice: init module 0: validator
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
      Jul 15 08:31:18 unbound 11265 [11265:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
      Jul 15 08:31:18 unbound 11265 [11265:0] info: service stopped (unbound 1.22.0).
      Jul 15 08:31:18 unbound 11265 [11265:0] info: start of service (unbound 1.22.0).

      I also see the following in General log:

      Jul 15 08:31:47 php-fpm 30381 /services_dyndns_edit.php: Dynamic DNS (kerveros.70tas.us) There was an error trying to determine the public IP for interface - wan (igc0 ).
      Jul 15 08:31:47 php-fpm 30381 /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
      Jul 15 08:31:47 check_reload_status 590 Syncing firewall
      Jul 15 08:31:47 php-fpm 30381 /services_dyndns_edit.php: Configuration Change: admin@128.244.221.135 (Local Database): Dynamic DNS client configured.
      Jul 15 08:31:20 check_reload_status 590 Reloading filter
      Jul 15 08:31:20 php-fpm 493 /system.php: NTPD is starting up.
      Jul 15 08:31:16 root 45579 /etc/rc.d/hostid: WARNING: hostid: unable to figure out a UUID from DMI data, generating a new one
      Jul 15 08:31:16 check_reload_status 590 Syncing firewall
      Jul 15 08:31:16 php-fpm 493 /system.php: Configuration Change: admin@128.244.221.135 (Local Database): System:
      Jul 15 08:30:04 php-fpm 2106 /index.php: Successful login for user 'admin' from: 128.244.221.135 (Local Database)
      Jul 15 08:15:36 nginx 2025/07/15 08:15:36 [error] 24554#100354: *1888 open() "/usr/local/www/actuator/gateway/routes" failed (2: No such file or directory), client: 79.124.58.198, server: , request: "GET /actuator/gateway/routes HTTP/1.1", host: "76.151.201.197:443"
      Jul 15 08:02:58 nginx 2025/07/15 08:02:58 [error] 24554#100354: *1883 open() "/usr/local/www/KVfU" failed (2: No such file or directory), client: 96.126.104.20, server: , request: "GET /KVfU HTTP/1.1", host: "76.151.201.197"
      Jul 15 07:41:46 nginx 2025/07/15 07:41:46 [error] 24554#100354: *1880 open() "/usr/local/www/logincheck" failed (2: No such file or directory), client: 198.135.51.111, server: , request: "POST /logincheck HTTP/1.1", host: "76.151.201.197"
      Jul 15 07:16:00 nginx 2025/07/15 07:16:00 [error] 24554#100354: *1871 open() "/usr/local/www/_ignition/execute-solution" failed (2: No such file or directory), client: 79.124.58.198, server: , request: "GET /_ignition/execute-solution HTTP/1.1", host: "76.151.201.197:443"
      Jul 15 06:54:39 nginx 2025/07/15 06:54:39 [error] 24234#100286: *1864 "/usr/local/www/console/index.php" is not found (2: No such file or directory), client: 79.124.58.198, server: , request: "GET /console/ HTTP/1.1", host: "76.151.201.197:443"

      Not sure what the next to last error is about not finding /usr/local/www/console/index.php

      • GertjanG
        Gertjan @70tas
        last edited by Gertjan

        @70tas

        During the 2-second interval, from 08:31:18 to 08:31:20, the resolver 'Unbound' stopped and started twice [ 😢 ].

        The error

        @70tas said in Dynamic DNS (DDNS) fails to obtain public IP:

        Jul 15 08:31:47 php-fpm 30381 /services_dyndns_edit.php: Dynamic DNS (kerveros.70tas.us) There was an error trying to determine the public IP for interface - wan (igc0 ).

        was shown at 08:31:47, that's 27 seconds later ... what happened at that moment (20 sec before, 0 sec after).
        If unbound was still stopping and starting, then you've found the issue.

        Normally, unbound never stops (or : gets restarted).
        unbound will get restarted if you physically hook up an internet cable - or deactivate a device hooked up to that cable. Or the device gets powered down / up. (solution : place only switches on your LAN and WAN interfaces, and power these with a UPS)
        unbound can get restarted under the control of pfBlockerng - example : if you ask to sync the pfBlockerng feeds every hour, don't be surprised unbound can also get restarted every hour.

        But yours restarted twice in 2 seconds. Does it do that all the time ?

        About this :

        Not sure what the next to last error is about not finding /usr/local/www/console/index.php

        Look two lines up, you posted yourself where that request came from :

        7098cf62-3f97-40ac-9e93-a930e7210ba7-image.png

        Who is this 79.124.58.198 ? you've Bulgarian friends ?

        Did you really open up the WAN interface ?? [ 😢 ]

        Same thing for 198.135.51.111, 96.126.104.20 etc. Dunno what the entire Internet is doing against your pfSense GUI, consider that as 'bad' practice.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
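The triage discussed in the post above (which clients are asking the GUI for paths it does not have, and are any of them the admin?) can be done mechanically. This is an added example, not part of the thread: the sample lines are constructed in the format of the General log quoted earlier and use RFC 5737 documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the pfSense General log quoted in the
# thread. All addresses are RFC 5737 documentation ranges, not the thread's.
SAMPLE_LOG = """\
Jul 15 08:30:04 php-fpm 2106 /index.php: Successful login for user 'admin' from: 192.0.2.10 (Local Database)
Jul 15 08:20:11 nginx 2025/07/15 08:20:11 [error] 24554#100354: *1890 open() "/usr/local/www/old-bookmark" failed (2: No such file or directory), client: 192.0.2.10, server: , request: "GET /old-bookmark HTTP/1.1", host: "203.0.113.5:443"
Jul 15 08:15:36 nginx 2025/07/15 08:15:36 [error] 24554#100354: *1888 open() "/usr/local/www/actuator/gateway/routes" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /actuator/gateway/routes HTTP/1.1", host: "203.0.113.5:443"
Jul 15 08:02:58 nginx 2025/07/15 08:02:58 [error] 24554#100354: *1883 open() "/usr/local/www/KVfU" failed (2: No such file or directory), client: 198.51.100.20, server: , request: "GET /KVfU HTTP/1.1", host: "203.0.113.5"
Jul 15 07:41:46 nginx 2025/07/15 07:41:46 [error] 24554#100354: *1880 open() "/usr/local/www/logincheck" failed (2: No such file or directory), client: 198.51.100.99, server: , request: "POST /logincheck HTTP/1.1", host: "203.0.113.5"
Jul 15 07:16:00 nginx 2025/07/15 07:16:00 [error] 24554#100354: *1871 open() "/usr/local/www/_ignition/execute-solution" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /_ignition/execute-solution HTTP/1.1", host: "203.0.113.5:443"
Jul 15 06:54:39 nginx 2025/07/15 06:54:39 [error] 24234#100286: *1864 "/usr/local/www/console/index.php" is not found (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /console/ HTTP/1.1", host: "203.0.113.5:443"
"""

# nginx "file not found" errors: both the open() ... failed form and the
# "... is not found" form carry the same errno text, client and request.
NGINX_MISS = re.compile(
    r'nginx .*?\[error\].*?\(2: No such file or directory\), '
    r'client: (?P<client>[0-9a-fA-F.:]+), server: [^,]*, '
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)
# Successful GUI logins as written by the pfSense web interface.
LOGIN_OK = re.compile(
    r"Successful login for user '(?P<user>[^']+)' from: (?P<ip>[0-9a-fA-F.:]+)"
)


def triage(log_text):
    """Group not-found requests by client and mark clients that also logged in."""
    logins = defaultdict(set)    # ip -> set of user names
    misses = defaultdict(list)   # ip -> list of (method, uri)
    for line in log_text.splitlines():
        m = LOGIN_OK.search(line)
        if m:
            logins[m["ip"]].add(m["user"])
            continue
        m = NGINX_MISS.search(line)
        if m:
            misses[m["client"]].append((m["method"], m["uri"]))

    report = [
        {
            "client": ip,
            "requests": len(reqs),
            "uris": sorted({uri for _, uri in reqs}),
            "also_logged_in": ip in logins,
        }
        for ip, reqs in misses.items()
    ]
    # Busiest clients first, then by address for a stable order.
    report.sort(key=lambda r: (-r["requests"], r["client"]))
    return report, dict(logins)


def unknown_probers(log_text):
    """Clients that requested missing paths and never authenticated."""
    report, _ = triage(log_text)
    return [r["client"] for r in report if not r["also_logged_in"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG)[0]:
        tag = "admin source" if row["also_logged_in"] else "unauthenticated"
        print(f'{row["client"]:<15} {row["requests"]} miss(es) [{tag}] {row["uris"]}')
```

A client that only ever appears in the not-found list and never in a successful login is an outside host reaching the GUI port, which is what an open WAN rule for 443 allows.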
        • 7
          70tas
          last edited by

          Unbound keeps restarting a few times, but not lately.

          Yes I did open 443, so I can get in. 76.151.201.197 is my assigned IP. I can get it via curl and use it to connect temporarily. 76.151.xxx.xxx is my current outbound NAT.
          79.124.58.198 is 4vendeta.com a Communication provider, which looks like I am currently hopping from. However, I am still concerned that it cannot find /usr/local/www/console/index.php. Any ideas?

          Tas

          • 7
            70tas @70tas
            last edited by

            @70tas I ran a traceroute to checkip.dyndns.org, seems okay.

            I can resolve checkip.dyndns.org, so that means I have a good DNS.
            I can curl checkip.dyndns.org and other IP checkers and I get the proper address back.

            I just don't see how this has anything to do with IP addresses, or I wouldn't be able to resolve checkip.dyndns.org. I think the problem has to do with the DDNS updater; the logs don't show that it even tries to connect to Cloudflare, it is just saying it can't get my IP.

            • 7
              70tas @70tas
              last edited by

              Well, I guess I have to go back to 2,72. I may try reinstalling 2.80 for the third time, but I don’t expect it to work. I wish there were more logs available as to where the (dyndns) service is failing, that would make it a lot easier to troubleshoot. I am using Xfinity, pfsense and Cloudflare, it should just work.
              Tas

              • GertjanG
                Gertjan @70tas
                last edited by Gertjan

                @70tas said in Dynamic DNS (DDNS) fails to obtain public IP:

                more logs available as to where the (dyndns) service is failing

                You checked : Services > Dynamic DNS > Dynamic DNS Clients > Edit :

                70f3317c-27f0-468f-974c-61bd1e1d0488-image.png

                Plan B :
                According to the documentation there is a debug mode.
                See here : the source.
                Go to line 3377.
                Place '//' in front of the return; statement.
                Save.

                From now on, according to line 239, there will be a log file here /var/etc/, the filename starts with "dyndns_" that will contain the debug info.

                Don't forget to remove the '//' when you're done.

                • 7
                  70tas @Gertjan
                  last edited by

                  @Gertjan Thanks for the help. A '//' on that line, which is the end of the conditional crashed the app. I placed a '//' on each of the lines in the conditional, but I do not see any log files in the stated directory. I will have to read the script again to try to figure out where it puts the output; however, I'm a bash guy, so we'll see.

                  Thanks again.
                  Tas

                  • GertjanG
                    Gertjan @70tas
                    last edited by Gertjan

                    @70tas said in Dynamic DNS (DDNS) fails to obtain public IP:

                    A '//' on that line, which is the end of the conditional crashed the app.

                    Like this :

                    2acee256-3695-470c-97f7-becd2f1fae0d-image.png

                    worked for me.
                    No issues / errors.
                    I did find a log file now :

                    ab73353a-3dff-4227-8999-6766edf855d5-image.png

                    but not very helpful - it contained just one line :

                    07-17-25 03:15:27 - (6013287) - [freedns2] - 82.127.26.108/1752758073
                    

                    let's say that's ok because "all went well".

                    edit :
                    bash ? That's way too complicated.
                    This is PHP, which is somewhat comparable to BASIC.

                    • 7
                      70tas
                      last edited by

                      Ok, so the equivalent line on my 2.8 is 3369.
                      No errors this time, but I can't find a log file. I searched the entire file system.
                      Tas

                      • GertjanG
                        Gertjan @70tas
                        last edited by

                        @70tas

                        If one is created, it's in /var/etc/

                        If none is created, then the update was deemed not necessary, and was skipped.
                        You can force an update of course. Delete the 'cache' file, you'll find it in /cf/conf/ - and the file starts with dyndns.... and ends with dot cache.

                        • 7
                          70tas @Gertjan
                          last edited by 70tas

                          @Gertjan See this thread, https://forum.netgate.com/post/1219168 for a working method. It appears Cloudflare may only work with API Tokens now; either way the pfSense DDNS client does not work with CloudFlare.

                          I am able to update via script, so I will be trying using a cron job. Hopefully someone from pfSense sees these threads and can make some sense out of them. Apologies for not being more helpful.
                          70tas

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @70tas
                            last edited by

                            @70tas said in Dynamic DNS (DDNS) fails to obtain public IP:

                            Either way the pfSense DDNS client does not work with CloudFlare.

                            Sure it does! Just set it up on my 2.8 - clicky clicky = worky worky.

                            ddns.jpg

                            log.jpg

                            Not sure what you are doing wrong, or what you have wrong on your system - but clicky clicky and working

                            Created my testddns entry in cloudflare. Created a new api token, copied the zone id to use for login.. Click and Bob's your uncle.

                            testingddns.jpg

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            • 7
                              70tas @johnpoz
                              last edited by 70tas

                              @johnpoz I understand that it is working for you, but it is not working for me and I can't gather any kind of diagnostic as to why it is failing. The only thing I can think of, is that both myself and @revengineer both started with the WAN on one port and then changed it to a different port. It used to work on 2.7.2 before my box gave up the ghost, and I installed 2.8.0 on a new box, but changed the ports after installation.

                              If there is anything I can provide to figure out where it is failing, I am willing to do it. However, all I know is "I" can't get the client to work, but I can get the script in @revengineer 's thread to work.

                              Thank you

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @70tas
                                last edited by

                                @70tas my point to showing it working was to counter your blanket statement.

                                Clearly it is working so your blanket statement that it is not is false.

                                If you are having issues because you changed your wan interface - I would blow away your config and start from scratch with your new wan interface.

                                I don't remember details of your previous thread.. Did you actually get your zone id, did you create a new api token and use the template? This took all of a couple of minutes to set up, from creating the record in cloudflare, creating the token and getting the zone ID from cloudflare dashboard.

                                And my 2.8 vm is even behind a nat.

                                What does your xml config look like?

                                <dyndnses>
                                	<dyndns>
                                		<check_ip_mode>always</check_ip_mode>
                                		<type>cloudflare</type>
                                		<username><![CDATA[df79e7f73<snipped>4ada2f0]]></username>
                                		<password><![CDATA[dlVsWC0xW<snipped>mRKNjBudQ==]]></password>
                                		<host>testddns</host>
                                		<domainname>snipped.tld</domainname>
                                		<mx></mx>
                                		<verboselog></verboselog>
                                		<enable></enable>
                                		<interface>wan</interface>
                                		<zoneid></zoneid>
                                		<ttl></ttl>
                                		<maxcacheage></maxcacheage>
                                		<updateurl></updateurl>
                                		<resultmatch></resultmatch>
                                		<requestif>wan</requestif>
                                		<descr></descr>
                                		<force></force>
                                		<id>0</id>
                                	</dyndns>
                                </dyndnses>
                                

                                • 7
                                  70tas @johnpoz
                                  last edited by 70tas

                                  @johnpoz you are correct, I should not have made a blanket statement. Of course it works.

                                  In my case something went wrong. By the way, where do I find the xml config?

                                  However, I’m far enough down the road, if the script works I’ll just keep using it. As for CloudFlare, I retrieved everything from scratch, but it didn’t work. It is probably something I’ve done that triggered the issue, I am just trying to figure out what it was. It is all fun and games, after all, my work and my hobby.

                                  • S
                                    SteveITS Galactic Empire @70tas
                                    last edited by SteveITS

                                    @70tas Have you tried the Save & Force Update button?

                                    There are conditions where a normal update doesn't work, like post. (cache file matches WAN, pfSense [wrongly] assumes there is no need to actually update the A record)

                                    Try the force, try deleting the /conf/dyndns_wanprovidername'hostname.example.com'0.cache file.

                                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                    Upvote 👍 helpful posts!

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @70tas
                                      last edited by johnpoz

                                      @70tas said in Dynamic DNS (DDNS) fails to obtain public IP:

                                      where do I find the xml config?

                                      under backup and restore - you can download the whole xml as a backup, or you can just pick the section you want. I just picked the ddns section.

                                      And yeah @SteveITS has a valid point, try the save & force. And deleting the cache can't hurt either.

                                      As to just using your script - that works too, always lots of different ways to skin any cat. But you are right, it should just work - and that it isn't can become an obsession. I have never had any issues with ddns on pfsense as far back as I can remember - and that has been quite some time. And I moved a couple of domains to cloudflare years and years ago.. And has always not been a problem. I believe I have my global token in my current pfsense main install. But have no idea what it is.. But it's currently working - I believe it's global because it's using my email address as the username. And can't recall when the last time I messed with that in pfsense was. I know it's been multiple versions, some upgrades, and some clean installs with restore from backed up config. The clean installs were when I moved to zfs and when they changed the layout of zfs volumes, etc.

                                      I don't do much playing with my main install since I have both a CE and + version VM I can just fire up.

                                      • 7
                                        70tas @johnpoz
                                        last edited by

                                        @johnpoz Ok, so I deleted the /tmp/.cache files and /tmp/.lock files.
                                        I then rebuilt the DDNS config, tried it, negative.
                                        I exported a backup of the DDNS to XML and here is what I get:

                                        This XML file does not appear to have any style information associated with it. The document tree is shown below.

                                        7301c272-c817-4e09-ba0c-96bbb6701afa-image.png
                                        I presume the CDATA is encrypted because it doesn't match my token.

                                        Hope this makes some sense to someone.
                                        Tas

                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @70tas
                                          last edited by johnpoz

                                          @70tas that username sure isn't right for using an API token.. You need to use your Zone ID you get from cloudflare.

                                          That wouldn't even be right for a global token, which would be your email address.

                                          Go to your zone, ie 70tas.us dns settings - scroll down on the right and you should see your zone ID

                                          zoneid.jpg

                                          • R
                                            revengineer @70tas
                                            last edited by

                                            @70tas To note it here as well, I used the script posted in the other thread only for debugging purposes. While you can use it with a cron job, it is not necessary. The DDNS GUI works fine for cloudflare. The important thing is to use the Zone ID for the user name, not the email address. In the past, the email address must have worked because that is what I had in there before. It worked for years but now no longer.

                                            johnpozJ 1 Reply Last reply Reply Quote 1
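The username rule stated in the last two posts (Zone ID when an API token is used, e-mail address for the older global key) can be checked against a Backup & Restore export of the DDNS section without touching the stored secret. This is an added example, not code from pfSense or from any poster: the sample XML is constructed after the export quoted earlier in the thread, the function names are hypothetical, and the 32-hex-character Zone ID shape is an assumption about Cloudflare's identifier format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed export modelled on the <dyndnses> section quoted in the thread.
# Usernames and domains are placeholders; <password> is present but never read.
SAMPLE_EXPORT = """<dyndnses>
  <dyndns>
    <type>cloudflare</type>
    <username><![CDATA[0123456789abcdef0123456789abcdef]]></username>
    <password><![CDATA[cGxhY2Vob2xkZXI=]]></password>
    <host>testddns</host>
    <domainname>example.com</domainname>
    <interface>wan</interface>
    <id>0</id>
  </dyndns>
  <dyndns>
    <type>cloudflare</type>
    <username><![CDATA[admin@example.com]]></username>
    <password><![CDATA[cGxhY2Vob2xkZXI=]]></password>
    <host>home</host>
    <domainname>example.com</domainname>
    <interface>wan</interface>
    <id>1</id>
  </dyndns>
  <dyndns>
    <type>cloudflare</type>
    <username><![CDATA[pasted-token-or-account-name]]></username>
    <password><![CDATA[cGxhY2Vob2xkZXI=]]></password>
    <host>vpn</host>
    <domainname>example.com</domainname>
    <interface>wan</interface>
    <id>2</id>
  </dyndns>
  <dyndns>
    <type>freedns2</type>
    <username></username>
    <host>other</host>
    <domainname>example.net</domainname>
    <id>3</id>
  </dyndns>
</dyndnses>"""

ZONE_ID = re.compile(r"^[0-9a-f]{32}$")            # assumption: 32 hex characters
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose shape check only

ADVICE = {
    "zone_id": "matches the Zone ID form the thread says an API token needs",
    "email": "global-key style; one poster reports this stopped working for him",
    "empty": "no username set",
    "other": "neither a Zone ID nor an e-mail address; re-copy the Zone ID",
}


def classify_username(value):
    """Return 'zone_id', 'email', 'empty' or 'other' for a username field."""
    value = (value or "").strip()
    if not value:
        return "empty"
    if ZONE_ID.match(value.lower()):
        return "zone_id"
    if EMAIL.match(value):
        return "email"
    return "other"


def audit_dyndns(xml_text):
    """Check every Cloudflare DDNS entry; other providers are skipped."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("dyndns"):
        if (entry.findtext("type") or "").strip() != "cloudflare":
            continue
        parts = (entry.findtext("host"), entry.findtext("domainname"))
        kind = classify_username(entry.findtext("username"))
        findings.append({
            "id": (entry.findtext("id") or "").strip(),
            "fqdn": ".".join(p.strip() for p in parts if p and p.strip()),
            "username_kind": kind,
            "ok_for_api_token": kind == "zone_id",
            "advice": ADVICE[kind],
        })
    return findings


if __name__ == "__main__":
    for f in audit_dyndns(SAMPLE_EXPORT):
        print(f'{f["fqdn"]:<22} {f["username_kind"]:<8} {f["advice"]}')
```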
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.