any way to get it to build on osx?

kernel.org/pub/linux/libs/security/libcap/cap
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/syscalls.go:16:10: undefined: psx.Syscall3
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/syscalls.go:17:10: undefined: psx.Syscall6
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/cap.go:229:29: undefined: syscall.SYS_PRCTL
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/cap.go:241:29: undefined: syscall.SYS_PRCTL
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/cap.go:253:29: undefined: syscall.SYS_PRCTL
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/cap.go:266:29: undefined: syscall.SYS_PRCTL
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/cap.go:279:22: undefined: syscall.SYS_CAPGET
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/cap.go:346:37: undefined: syscall.SYS_CAPGET
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/cap.go:366:29: undefined: syscall.SYS_CAPSET
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/convenience.go:277:25: undefined: sysSetGroupsVariant
../../go/pkg/mod/kernel.org/pub/linux/libs/security/libcap/[email protected]/convenience.go:277:25: too many errors
bash-5.1$

Problem

The current template system is working but does not seem to be well-engineered.

1. Currently, the template engine increases the size of the (compressed) image by ~1MB.
2. TTL currently supports templates (for fun), but that is probably overkill.
3. For PROXIED, only Boolean expressions are needed. No need to support variables, template inclusion, looping, etc.

Proposal

1. TTL should not support templates.
2. PROXIED should support only very restricted templates as a Boolean expression consisting of
   a. Constants supported by strconv.ParseBool
   b. &&, ||, !
   b. is(a, b, c)
   c. sub(a, b, c): subdomains of a.b.c (not including a.b.c itself)

Benefits

1. Extremely fast
2. Extremely small (again)
3. No ugly string quotations for domains!

Examples

• is(a.org) || is(b.org)
• sub(org) && !sub(favonia.org)

Heya!

I was using your container to update my ipv4 and 6 for my own domain from my pi using this template:
https://github.com/novaspirit/pi-hosted/blob/d3d7e5de51d3296568c29a0f10ee334a040df943/template/portainer-v2-arm64.json#L616

But i saw in my logs that it is having some troubles with detecting my ipv6 adres:

🌐 Detected the IPv4 address: my.correct.public.ip
🤷 The A records of "mydomain.ext" are already up to date
😞 Failed to send HTTP(S) request to "https://[2606:4700:4700::1111]/cdn-cgi/trace": Get "https://[2606:4700:4700::1111]/cdn-cgi/trace": dial tcp [2606:4700:4700::1111]:443: connect: cannot assign requested address
😞 Failed to detect the IPv6 address
⏰ Checking the IP addresses in about 5m0s . . .

Outside the container doing a curl to that adres works, also on my own machine.
But i can't go into the container to test and see what the error exactly is.

Do you have any suggestions what i might have wrong? I didn't touched the TZ variable but have set it to my local timezone to see if that might change something. But sadly this also didn't fix the error i'm having.

Now the server always returns 0.0.0.0. For example,

dog --class=CH --type=TXT -H @https://1.1.1.1/dns-query whoami.cloudflare.

shows 0.0.0.0. Workaround: use cloudflare.trace (after #102) or ipify.

I am getting following error while it is trying to update the IP address, but in CF, ip getting updated successfully.

🌐 Detected the IPv4 address: X.X.X.X
😞 Failed to update a stale A record of "home.domain.fqdn" (ID: 294fcde3fbf00433d8c36b6cf47125d9): operation aborted during backoff: context deadline exceeded
😞 Failed to delete a stale A record of "home.domain.fqdn" (ID: 294fcde3fbf00433d8c36b6cf47125d9): operation aborted during backoff: context deadline exceeded
😞 Failed to add a new A record of "home.domain.fqdn": operation aborted during backoff: context deadline exceeded
😞 Failed to (fully) update A records of "home.domain.fqdn"
😞 Failed to retrieve records of "domain.fqdn": operation aborted during backoff: context deadline exceeded
😞 Failed to (fully) update A records of "domain.fqdn"
😞 Failed to send HTTP(S) request to "https://[2606:4700:4700::1111]/cdn-cgi/trace": Get "https://[2606:4700:4700::1111]/cdn-cgi/trace": dial tcp [2606:4700:4700::1111]:443: connect: cannot assign requested address
😞 Failed to detect the IPv6 address

• oznu/cloudflare-ddns
  • TODO
    • CRON #2
  • Will not supported:
    • CUSTOM_LOOKUP_CMD: there will not be any useful programs in the minimal Docker image.
• joshuaavalon/cloudflare-ddns
  • CRON #2

1. Group similar outputs together when parsing environment variables.
2. Remove the zone-finding messages.
3. Don't show the same IP addresses; refactor the checking logic out of the updater.
4. Confirm that there are no records.

Are you using the new per-domain proxy settings PROXIED_DOMAINS and NON_PROXIED_DOMAINS? Please help me come up with a good design by sharing your case. 🙂

It is possible to set up access control so that members of certain groups are explicitly forbidden to access certain resources, and thus dropping supplementary groups is not always desirable.

It might be useful update SPF records that contain IP addresses.

After golang/go#51833, we can re-implement the IPv6 case in ipnet.NormalizeIP in a better way:

• golang/go#51833

It is possible to factor out the caching, especially when the tool starts to support other DDNS services (which it does not).

This will provide per-domain settings without using new environment variables.

Completing #76 should automatically fix this bug.

The idea is to update the subnet masks and prefixes but keep the rest of the IP addresses. Difficulty: no way to (re)create those DNS records from scratch.

Possible settings

WEBHOOK_ENDPOINT=
WEBHOOK_HEADERS=
WEBHOOK_BODY=
WEBHOOK_BODY_FILE=

All parameters support template, with getenv functions getting the string from environment variables.

It was implemented, but is disabled until cloudflare/cloudflare-go#674 is merged and released. A small value of UPDATE_TIMEOUT would easily trigger the deadlock bug described in the pull request.

The major difficulty is that testing the Linux capabilities seems complicated. We can test the mocking itself, but that might not be super useful.

Hi, thanks for your work.

I have a domain in another registrar and the NS's pointing to Cloudflare. I'd set these up as websites rather than as a managed domain.

I'm expecting that that's the reason why I get the following messages.

Failed to find the zone of "domain.com"
Failed to (fully) update A records of "domain.com"

Is there a method to work with Cloudflare Websites instead of Domains ?

Thanks!

🤷

https://healthchecks.io provides a very simple status updating mechanism with lots of hooks available

It seems something about the timezone has been changed. The code still works, but perhaps the TZ environment variable and/or timezone data in the Ubuntu images used by GitHub Actions have been modified, causing the mismatch between the expected output and the real one. More investigations are needed.

https://github.com/patrickmn/go-cache is no longer maintained and should be replaced.

Hi, what an awesome service you have created!

I've a minor thing as I can't seem to figure out how to fully disable ipv6 using docker-compose. Hence my logs are full of

😞 Failed to send HTTP(S) request to "https://[REMOVED]/cdn-cgi/trace": Get "https://[REMOVED]/cdn-cgi/trace": dial tcp [REMOVED]:443: connect: cannot assign requested address
😞 Failed to detect the IPv6 address
🔧 If you are using Docker, Kubernetes, or other frameworks, IPv6 networks often require additional setups.
🔧 Read more about IPv6 networks in the README at https://github.com/favonia/cloudflare-ddns

Under highlights it says "Ability to enable or disable IPv4 and IPv6 individually." I've tried to disable ipv6 by adding the following to the env in docker-compose: - IP6_PROVIDER=none

If I set IP4_POLICY=none which is listed as a valid value in the readme I get:

   🔸 Use default IP4_POLICY=cloudflare.trace
   😡 Failed to parse "none": not a valid policy

I've tried both the bridge and host methods. Both only pull the machine ipv6 address. Thanks

I should also mention that I set it up in portainer.

A guide for Kubernetes like the one for Docker Compose.

1. Slightly better design for function calls.
2. Seemingly faster.

The development of https://github.com/robfig/cron seems to be stopped and thus it should probably be replaced.

• DOMAINS: both IP4 and IP6
• IP4_DOMAINS: only IP4
• IP6_DOMAINS: only IP6

Currently, signals are checked between each round of updates. We could use asynchronous goroutines to enable cancellation while waiting for responses from Cloudflare.

Because why not? This now makes even more sense as MIPS is adopting RISC-V now.

Cloudflare seems to be very permissive about the (sub)domain names one can use.

This would be a breaking change.

• Add IP4/6_PROVIDER
• Deprecate IP4/6_POLICY
• Rename the "unmanaged" policy to the "none" provider

I can't seem to find this information in the readme page.
What's the right way to tell the script to proxy the domain foo.bar and not proxy the subdomain test.foo.bar with docker compose?
And while i'm at it. What about the TTL?
Also, if i write *.foo.bar , will the script update every single subdomain?
Thanks in advance.

• Parsing cron
  • More mature: https://github.com/robfig/cron
• Timezone support (this might need tzdata), which I think will increase the Docker image size to ~5MB

Approaches in comparison

• Current approach: find ip= in the output of https://1.1.1.1/cdn-cgi/trace
• Proposed approach: query whoami.cloudflare with class ch and type txt via https://1.1.1.1/dns-query (DoH)

Pros

1. Potentially more stable
   The DoH protocol is more documented.
2. Cleaner
   The tracing interface contains useless information, while the DNS response only has the IP address. No additional parsing is needed after the DNS parsing. The current parser based on regular expressions is terrible.
3. Other DNS methods
   This could facilitate the transition to other DNS-based mechanisms, such as DNSSEC and DNS-over-TLS.
4. Built-in parsers probably available
   https://pkg.go.dev/golang.org/x/net/dns/dnsmessage should be sufficient to handle DNS responses.
5. Privacy
   It has the same privacy guarantee as the current approach, much more than DNSSEC.

Cons

1. I could not find official information about the DNS query whoami.cloudflare.
2. The footprint would likely be larger than DNSSEC.

Noncommittal

1. DoH could have a slightly smaller footprint (6328 bytes v.s. 6391 bytes in one experiment using curl without much optimization), but the differences seem neglegible.
2. The comparison with DNS-over-TLS was not done, though it is likely that TLS would still induce significant overhead.

Now the DNS message generator/parser has been isolated and can be easily tested.