Dynamic DNS Clients not updating even when status has RED X!

SecurityTeam · Nov 25, 2021, 1:25 PM

Have been running pfSense for a number of years and the Dynamic DNS Clients never updates when there is an IP change in the background.

When you head over to Services, Dynamic DNS (X.x.x.x/services_dyndns.php), it shows that the status has failed with a red X (instead of a green checkmark). Right below, it indicates "Entries with a (GREEN CHECKMARK) status column icon and IP address appearing in green are up to date with Dynamic DNS provider. An update can be forced on the edit page for an entry."

Why doesn't the pfSense software update when it knows that the status has failed??? Isn't this the ONLY job of the DDNS package?

stephenw10 · Nov 25, 2021, 2:50 PM

Does it update correctly when you force it manually?

Do you see log entries for DDNS?

Typically this happens if your pfSense device is behind NAT and doesn't see the edge device change WAN IP directly. Is that how yours is setup?

Steve

Gertjan · Nov 25, 2021, 4:06 PM

@securityteam said in Dynamic DNS Clients not updating even when status has RED X!:

Have been running pfSense for a number of years and the Dynamic DNS Clients never updates when there is an IP change in the background.

Same here.
Never saw a red crosses. That is, if there was a red cross, then that's a "admin : work to do" indication. I'll call the admin - myself - and solve the issue.

I have a Tunnelbroker "ipv6" account and an account with OpenDNS, both typical DynDNS clients, with easy 'how to set them up" instructions. If you saw ones one DynDNS client setup, you've seem them all, although they can ask different things to be able to identify yourself.

For my own usage, I've set up some RFC2136 type of DynDNS. As the DNS erver on the other side is hosted on a dedicate server (same admin - me ) things are as easy or as difficult as I want to make it. Support is just great.

All this to say say : "the code works if set up correctly".

So, lets do some testing.
Go to Services > Dynamic DNS > Check IP Services and note down the URL.
This one : http://checkip.dyndns.org

Go to the console, option "answers" or 8 and type

curl http://checkip.dyndns.org

pfSense does exatly the same thing, and it should get back right away a html page, and within you should see your current IPv4 address :

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.127.xx.254</body></html>

If this IP - your current WAN IP - is not the IP that has been cached in the DynDNS cache files, pfSense will proceed with an update against your DynDNS supplier.
When the update succeeded, the cache file is updated with the new IPv4, the one you just saw in the html, and then pfSense calls it a day.
These steps, failures or success, can be seen in the logs.

Note that "curl http://checkip.dyndns.org" trick works even if your pfSense is behind an ISP router, which means your WAN interface is not your Internet WAN IP, but probably some RFC1918 IPv4.

Of course, DynDNS suppliers are not perfect, can fail ones in while.

Btw : when setting up a DynDNS, you always check this one :

because you want details when things go wring.
( and you don't care about details when things go well )

Have been running pfSense for a number of years and the Dynamic DNS Clients never updates when there is an IP change in the background.

Wait .....
You've been using "DynDNS" and it never worked for you ?
For many years ?
Serious ?
You didn't wanted to know what you did wrong ?
( as I do pretend the software works, so it's the admin misunderstanding something )

SecurityTeam · Nov 25, 2021, 10:45 PM

@stephenw10
Hi Steve,
Yes, the device is behind a NAT. What's weird though, is that pfSense does see that the cached IP address is wrong. If I go in and force it to update, it will update to the correct one and everything is good.

Dave

SecurityTeam · Nov 25, 2021, 11:11 PM

@gertjan

Thanks for your insight.

The Dynamic DNS Status that you've shown is from a widget on the home screen. However, if you go to the Services > Dynamic DNS, it will show you a list of your dynamic DNS Clients with an icon in the status column of either a red X or a green checkmark.

I was thinking about setting up a RFC2136 client with a dedicated DNS server, but not today.

For the Check IP services, were using the default check IP service as you've mentioned (checkip.dyndns.org). and yes, Verbose logging was enabled.

DynDNS will update correctly if we force an update. But many times over the past year, DynDNS will know that it is wrong, but not update unless we force an update.

stephenw10 · Nov 25, 2021, 11:19 PM

If the interface IP that the dyndns client is running on changes it updates immediately. If it's behind NAT it can't do that. Instead it updates using a cronjob and by default that's once a day.
If you install the cron package you can just set that though. Maybe set it once an hour instead if your IP changes frequently.

Steve

SecurityTeam · Nov 25, 2021, 11:20 PM

@stephenw10

Thanks Steve,
I'll try the cronjob.