DDNS IPv6 Cloudflare

Bob.Dig · Dec 11, 2019, 1:54 PM

So is it possible that my homeservers get their DDNS-addresses with cloudflare updated with IPv6 by pfSense?
I have dual-stack from my ISP and already doing it with the one IPv4-address for NAT successfully.

JKnott · Dec 11, 2019, 1:54 PM

@Bob-Dig

Is your prefix not pretty much static? The prefix should not normally change. This means you can use any DNS server, without having to worry about DHCP.

Bob.Dig · Dec 11, 2019, 3:26 PM

@JKnott It looks like you are right. I "changed" my IPv4-address with a mac-address change on the modem-connection and I got a new IPv4 but IPv6 stayed the same. Thanks for now.

In the DHCP(v6)-Server, there is an option called Dynamic DNS. Under which circumstances is this option usable, I really want to know.

Bob.Dig · Dec 11, 2019, 3:51 PM

And also, which of the IPv6-addresses should I put in my DNS. There are two (not link-local or temporary) which look almost identical, but one got many Zeros in it.

JKnott · Dec 11, 2019, 4:32 PM

@Bob-Dig

As for the addresses, are you referring to ones on the computers that you want to reach? Or on the firewall? My firewall has 1 global address, with a /128 prefix. The computers on my LAN have one permanent address and up to 7 temporary privacy addresses. Use the permanent one, which is often based on the MAC address.

Also, there's a setting you want to ensure is selected. It's "Do not allow PD/Address release" on the WAN page. If that's not selected, the address might change. I found all it took was to disconnect/reconnect the WAN Ethernet cable.

As for that Dynamic DNS option, I couldn't tell you, as I have never needed to use a dynamic DNS, even on IPv4. While my IPv4 address is DHCP, it changes so seldem, it's virtually static. Also, the host name for it is based on modem and firewall MAC addresses, which won't change, unless I change the hardware. So, with the DNS server, I just created an alias from my domain host name to the MAC based host name.

Bob.Dig · Dec 11, 2019, 4:56 PM

@JKnott Windows doesn't default use the MAC for IPv6. I now also have to change my cname records to A and AAAA ones, because cname is not allowed anymore with IPv6 (dual-stack).
Also I have to create a DDNS-"Client" for every A-Record now.
Interestingly some Windows-machines have those two mentioned IPv6-adresses, others only have one.
I hate IPv6 already!

Gertjan · Dec 11, 2019, 5:06 PM

@Bob-Dig said in DDNS IPv6 Cloudflare:

Windows doesn't default use the MAC for IPv6.

Windows 10 :

The MAC of the Windows PC is tucked into the DUID.
This DUID is important, so the DHCP6 server attributes the same IPv6 to my PC.

@Bob-Dig said in DDNS IPv6 Cloudflare:

because cname is not allowed anymore with IPv6 (dual-stack).

To many messed up to hard. So, this is actually a good thing.

@Bob-Dig said in DDNS IPv6 Cloudflare:

In the DHCP(v6)-Server, there is an option called Dynamic DNS. Under which circumstances is this option usable, I really want to know.

Me too !
Played around with this one a lot.
Nothing 'works' ..... probably because I don't understand what DDNS is doing here (DHCPv6 server). pfSense Manual or usage case are lacking here.

But : knowing that my IPv6 prefix is more fixed a concrete - it didn't change for the mast 7 years - my IPv6 are always pointing to my devices - the IPv6 firewall being the sole frontier.
"Look Maaaaam !! No more NAT !!!!!"
I love IPv6.

johnpoz · Dec 11, 2019, 5:14 PM

So you want your client to register its IPv6 with cloudflare? That wouldn't' be done via pfsense - do that via the client and your cloudflare token and api key..

Bob.Dig · Dec 11, 2019, 5:31 PM

@johnpoz You mean my servers should do it with some form of client for themselves? Wouldn't it be nice if pfsense could to that or is this impossible? Under DHCPv6 Leases I can't even see all of my PCs...

JKnott · Dec 11, 2019, 5:35 PM

@Bob-Dig said in DDNS IPv6 Cloudflare:

Windows doesn't default use the MAC for IPv6.

That's why I said "often". It could be either the MAC address or random number. Both Windows and Linux can be configured to use either.

I'm not sure what you mean by cname is not allowed for IPv6. I have several for IPv6 and an alias for IPv4.

Interestingly some Windows-machines have those two mentioned IPv6-adresses, others only have one.

You will have up to 7 privacy addresses, but you do not use those for the DNS, only the permanent one. I don't know why some only have 1 address.

While the basics of IPv6 are similar to IPv4, there are some significant differences, which you will learn through experience. For example, my computer has 17 addresses, because it's been up over a week. I have the link local address and 8 each global and unique local addresses, of which 7 are privacy addresses. On IPv4, while possible, multiple addresses are rare. You will also have an unbelievably huge address space to yourself. A single /64 has as much address space as the entire IPv4 address space squared. With my /56 prefix, I have 256 /64s! There are some other technical details that were changed to improve performance and security.

Bob.Dig · Dec 11, 2019, 6:03 PM

@JKnott said in DDNS IPv6 Cloudflare:

I'm not sure what you mean by cname is not allowed for IPv6. I have several for IPv6 and an alias for IPv4.

Since now I had an A Record for my wan-IPv4 and the rest was all cname. Now this no longer works because I can not have a cname record and a AAAA-record for the same name.

JKnott · Dec 11, 2019, 6:52 PM

@Bob-Dig

I have to correct myself. I just looked at my DNS config. I have CNAME (alias) for IPv4 names that point to the long MAC based host name and AAAA records for IPv6. One thing I have found is that if I have an alias for IPv4, the AAAA for the same host name won't be used. If I have A and AAAA records, then the appropriate one is used.

Bob.Dig · Dec 11, 2019, 7:07 PM

@JKnott said in DDNS IPv6 Cloudflare:

I have CNAME (alias) for IPv4 names that point to the long MAC based host name and AAAA records for IPv6.

I don't know what you mean by "long MAC based host name"

JKnott · Dec 11, 2019, 7:15 PM

@Bob-Dig said in DDNS IPv6 Cloudflare:

I don't know what you mean by "long MAC based host name"

The host name is very long, as it includes both the modem and firewall MAC addresses. It's cpe<firewall MAC>-cm<cable modem MAC>.cpe.net.cable.rogers.com. The actual MACs have been disguised to protect the guilty.

In the DNS server, I create an alias to that host name for the host name in my domain.

Bob.Dig · Dec 11, 2019, 7:24 PM

@JKnott When you talk about DNS config, you meant your domain-DNS-Hoster (e.g. cloudflare) or do you meant pfsense?

@JKnott said in DDNS IPv6 Cloudflare:

I have to correct myself. I just looked at my DNS config.

JKnott · Dec 11, 2019, 7:35 PM

@Bob-Dig

My DNS is on an Enom server, which I get through Google. I also have my own DNS running on pfSense. The pfSense DNS records point to the unique local addresses and the Enom records point to my global addresses.

johnpoz · Dec 11, 2019, 7:31 PM

You have some IPv6 Global address.. Yeah you can have a lot of them.. But you should have atleast 1 that doesn't change that you use to provide services.

Set this IP as your AAAA in your dns... If this global that your going to serve services off is going to change, then on the box with this IP on it, not your router... Have it register its IPv6 as AAAA record in cloudflare.. That is the whole point of their api.. There are scripts for for whatever OS your running to do this.. using your cloudflare api key and token..

Pfsense isn't going to do this for you..

Serving services off IPs that change be ipv4 or ipv6 is bad idea... If you have a prefix that your going to use to service services off of... Then give your boxes IPs in that prefix, be it static or set to be handed out via dhcp6 so they always have this IP, no put that in dns!! Static record is easiest since this boxes IP isn't going to be changing... Or sure you can dynamically do it... Just make sure your TTLs our short - and expect problems when the IPs change, etc.

Bob.Dig · Dec 11, 2019, 7:33 PM

@JKnott said in DDNS IPv6 Cloudflare:

@Bob-Dig

My DNS is on an Enom server, which I get through Google. I also have my own DNS running on pfSense. The pfSense DNS records point to the unique local addresses and the enom records point to my global addresses.

Sounds interesting but i don't get it.
Is there an article or post or something which explains this?

JKnott · Dec 11, 2019, 7:36 PM

@Bob-Dig

Don't get what? Unique local addresses are the IPv6 version of IPv4 RFC 1918 addresses. It's entirely normal to have both global and unique local addresses on IPv6. As I mentioned above, I have 8 each global and unique local addresses on this computer. I have the pfSense DNS configured with the unique local addresses and Enom with the global. There's nothing difficult about that.

Bob.Dig · Dec 11, 2019, 7:41 PM

@JKnott Ok, so there is no connection between this two and no chance of pfSense updating my DDNS for IPv6. I will look out for Clients on each machine like @johnpoz said.