External access/ChangeIP issues...

Post by lost »

Hello,

For a few weeks, I have experienced issues using my changeIP domain name (I had been there for years, since dynDNS stopped its free service): no more resolution, issues not only affecting myself, sometimes even their web site could not be accessed. At the beginning of this month, frequent issues for more than 1 week; I managed to connect to my account after several tries: the free subdomain I registered was no longer present, not even proposed to register again & only a few possibilities vs those that existed at the time I subscribed. A whois check shows this TLD, registered to changeIP since 2001, was set to expire next year (using the "whois" command on the TLD of your domain will show this).

=> IMO, changeIP will not renew many TLDs registered to them, probably to save money, removed those from existing user accounts & is starting to create glitches for users to notice & go away: if so, that's not fair, dynDNS did mail users when they changed their business model... Anyway, for a free service, nothing to do: a support ticket was answered but they said they could not find any trace of my registration, which seems to confirm my feeling about this.

So, time to go somewhere else, even if this domain still points to my IP again. But for how long?

Don't know if others also using changeIP have such issues? If you suspect so, check your account & TLD expiration...

Re: External access/ChangeIP issues...

Post by lost »

As a consequence, I started to check what's now available for free. Having already had to change 2 times (dynDNS then changeIP), I would like the 3rd to be more stable (+ this also affects my Let's Encrypt certificate, as this is linked to a domain). A solution would be to register a domain & pay an annual fee for this, but there is another solution: eu.org...

My domain+DNS setup change mostly results from reading this:
https://www.reddit.com/r/selfhosted/com ... er_way_to/
https://nic.eu.org gives out free domains in the format of example.eu.org

Yes those are "real domains", not "subdomains" of eu.org as it may appear.

.eu.org is a "public suffix" like .co.uk or .com.au etc.

These are not a "scam" like Freenom or similar things. The big differences are:

eu.org is their own registry, nobody is taking these domains and control away from them.

They are a non-profit organization. You get no ads, no spam, nothing.

You are the rightful owner of the domain, you have full control over it.

You do not need to be a resident of the EU or anything, or provide any such proof.

You do need to provide a name and address when signing up, but you could provide a fake address if you want, see below.

You can select to keep the provided address out of the public whois information (often called a privacy option or similar). So you can provide a real name and address if you want to. If you choose to supply fake information, keep in mind that if there ever is an issue about the legal ownership of the domain, you might be in a tough spot to prove that you are that fake person... For typical homelab/selfhosting usage, this probably doesn't matter.

You can, and should, have nameservers running somewhere and supply them to nic.eu.org. To keep it free I recommend using deSEC.io which works perfectly well with them, including DNSSEC. deSEC are also a non-profit, no ads or personal data collection etc. and strict data protection laws because they are based in Germany. You can have up to 15 domains under one account. There are no paid accounts or anything. In case you need more than 15 domains, you could probably use multiple accounts, or simply contact them and they are happy to increase your limit, for free.

The only actual downside to eu.org is because they are just a simple non-profit service, their validation process for new domain signups appears to be done manually, which means it usually takes a few days but even up to two weeks. Just be patient and wait for an email to notify you of acceptance. Once that is done they provide no real support, you have full access to the domain settings through the panel at nic.eu.org when you log in. Any changes you make are automated and there are no manual wait times etc after the initial wait.

That's a bit more complex than a dynDNS type service, as written, because this is no longer an all-in-one (free domain registration + DNS combined), but eu.org attributed domains are not supposed to end + separate DNS allows keeping the independently registered domain if this side must change.

It's said eu.org takes time to answer: for me this was 3 days! Maybe I'm lucky, but IMO if you carefully follow their instructions, using one of the preferred eu.org sub-domains (I used fr.eu.org) that don't trigger the same level of verification + don't lie on your name/address/phone (that'll not appear in whois by default), which can be checked in countries' phone directories... this may be easier, so quickly validated.

Something that is not so clear from the eu.org instructions is that you have to register on the DNS side in parallel with the eu.org domain: you have to fill in the domain at the DNS provider (so after being able to check availability/request it on the eu.org side), desec for instance, & also fill in at eu.org registration the DNS servers that'll have authority on the domain registered from them. So choose your DNS provider carefully before starting the eu.org registration process!

On my side, I used the post's proposal: desec.io.
They currently allow hosting DNS for 1 domain for free, which is enough for personal use. You're now ready to register your domain there once chosen & OK from eu.org hereafter.

Doing the parallel registration at nic.eu.org:
OK, the site is a bit 1990's style but this does the job. Take care to read the available information on subdomains that can be registered (some may need more checks).
Take care: they allocate an account ID that'll not be your email; this is something with the format XXXX-FREE, to be kept!
On top of identity, this needs you to fill in the DNS servers that'll have authority on the eu.org domain; for me they showed:

Code:

ns1.desec.io
ns2.desec.org

Then fill in the requested domain on the DNS/desec side & wait a bit (1 or 2 min).

Back to eu.org, you can then go ahead: this'll trigger a DNS server side check and if everything is correct you'll get a message showing no error/request registered for validation. If that's not the case & everything looks correct, go back to the previous page and retry (there is a few minutes' delay for the DNS side to answer correctly). As said, for me this was 3 days; it looks like this can be more, but maybe some users did not carefully follow the rules up to a no-error final status.

Then the only 2 changes to my system were:
1) Finding a tool to update my IPs to Desec: the dyndns2 protocol can be used for instance, so ddclient on Linux, but it did not allow updating IPv4+IPv6 so I wrote a little script (see later message).

Desec is quite nice there as you can generate several API tokens with access rights: so I registered a token only allowing update (some administrative tasks can also be API driven, but if such a token is someday hacked you may lose all your DNS account, with no possibility to just remove a compromised token with less privilege) that can then be written in an update script.

2) Add a new domain to my current Let's Encrypt certificate already managed by certbot (+ some hooks to tune it for domoticz & open FW for http/80 at times of renewal every 3 months).

There, that's easy:

Code:

sudo certbot certificates

This will show you the current domain attached to your certificate name (by default the same as the current domain); you may then add the new eu.org domain to this certificate using:

Code:

sudo certbot certonly --cert-name CURRENT_DOMAIN -d CURRENT_DOMAIN,NEW_DOMAIN

This allows keeping both domains usable, at least for a start before removing the old one...

Re: External access/ChangeIP issues...

Post by lost »

The desec.io combined IPv4+IPv6 update script, to store in a dedicated directory + periodically trigger from a cron job for instance:

Code:

#!/bin/bash
#
# IPs updater for one's domain using desec.io DNS hosting service...
# Needs setting your user settings hereunder.
#
# Reference doc:
# https://desec.readthedocs.io/en/latest/dyndns/update-api.html#determine-ip-addresses
#
# This script updates IPv4+v6 in a single call, if IP changed or last update over 5 days,
# and should be called periodically from a crontab (each hour for instance),
# using "crontab -e" to add:
# 0 * * * * /PATH_TO_SCRIPT_DIRECTORY/ipUpdateDesec.sh > /dev/null 2>&1
#
# Changelog:
#  2024/12/20 : YL, initial version.

###########################
# USER SETTINGS (to edit) #
###########################

UPD_DOMAIN="XXXX.YY.eu.org"
UPD_USER=$UPD_DOMAIN
UPD_TOKEN="MY_UPDATE_TOKEN"
# IPv6 (global), unlike IPv4 (NAT'ed), does not require
# external check URL but WAN reachable interface IP settings,
# so used interface name must be given here:
ETH_WAN="eth0"

LOGLINES_MAX=2016 # 2 weeks/14 days : 6 lines average per update * 336h
LOGLINES_TAIL=$(($LOGLINES_MAX / 2)) # Keep half the max per default

#######################
# DESEC/DEDYN SETTINGS #
#######################
UPD_URL="https://update.dedyn.io/"
UPD_CHKv4="https://checkipv4.dedyn.io/"

########
# MAIN #
########

# Log file + IPs storage & tmp files are derived from script name/path.
DN=$(dirname "$0")
BN=$(basename "$0")
BNN=${BN%%.*}
LOGF=${DN}"/"${BNN}.log
IPF_CUR=${DN}"/"${BNN}.ip
IPF_TMP=${DN}"/"${BNN}.tmp

# Create/truncate log file if needed & add log separation.
[ -f "${LOGF}" ] || touch "$LOGF"
LOGLINES=$(wc -l < "${LOGF}")
# Quoting the substitution keeps the log's line breaks when truncating.
[ "${LOGLINES}" -gt  "${LOGLINES_MAX}" ] && echo "$(tail -n "${LOGLINES_TAIL}" "${LOGF}")" > "${LOGF}"

echo "--------------------------------" >> "$LOGF"
date >> "$LOGF"

# Get/validate external IPv4
MY_IPV4=$(curl -s ${UPD_CHKv4})
#echo $MY_IPV4 # DEBUG
if [[ "${MY_IPV4}" =~ ^(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))$ ]]; then
  echo "IPv4=${MY_IPV4}" >> "$LOGF"
else
  echo "Could not get IPv4 from ${UPD_CHKv4}, giving-up!" >> "$LOGF"
  exit 1
fi

# Get/validate external IPv6
MY_IPV6=$(ip -6 -br -json address show ${ETH_WAN} scope global | jq -r '.[0].addr_info[0].local')
#echo $MY_IPV6 # DEBUG
if [[ "${MY_IPV6}" =~ ^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}$ ]]; then
  echo "IPv6=${MY_IPV6}" >> "$LOGF"
else
  echo "Could not get IPv6 (global) from ${ETH_WAN}, giving-up!" >> "$LOGF"
  exit 1
fi

# Set temp IPs in TMP IP file...
echo "IPv4=${MY_IPV4} ; IPv6=${MY_IPV6}" > "${IPF_TMP}"

# Update needed? (IP change or last update older than 5 days)
UPD_NEED=1
if [ -f "${IPF_CUR}" ]; then
  diff "${IPF_TMP}" "${IPF_CUR}" &> /dev/null
  [ $? -ne 0 ] && UPD_NEED=0
  [[ $(find "${IPF_CUR}" -mtime +5 -print) ]] && UPD_NEED=0
else
  UPD_NEED=0
fi

# Process with update when needed...
if [ ${UPD_NEED} -eq 0 ]; then
  echo "Update needed..." >> "$LOGF"
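  # --fail makes HTTP errors (bad token, etc.) return a non-zero exit code;
  # PIPESTATUS[0] keeps curl's exit status rather than tee's.
  curl -s --fail --user "${UPD_USER}:${UPD_TOKEN}" "${UPD_URL}?myipv4=${MY_IPV4}&myipv6=${MY_IPV6}" | tee -a "$LOGF"
  RET=${PIPESTATUS[0]}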
  printf "\nDONE : " | tee -a "$LOGF"

  if [ $RET -ne 0 ]; then
    echo "Failed..." | tee -a "$LOGF"
  else
    echo "Success!!!" | tee -a "$LOGF"
    mv "${IPF_TMP}" "${IPF_CUR}"
  fi
  exit ${RET}
else
  echo "No update needed." | tee -a "$LOGF"
  #rm "${IPF_TMP}" # Comment to be able to monitor last update date+data
  RET=0
fi

exit ${RET}

Take care to change what's required (domain name, token) at the head of the script + the eth interface WAN/Internet connected from which the external/global-scope IPv6 is retrieved (IPv4 uses an external service) + the crontab line to edit.

This script, named ipUpdateDesec.sh for instance, will log in its directory to the ipUpdateDesec.log file & store current+tmp IPs there as well.

Those having only an IPv4 allocated and no double v4+v6 stack usable should modify the script according to the single IPv4 update API from Desec... or use any dyndns2 compatible IP update client.
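
An added example, not part of the original posts: a variant of the update call above that reads the update-only token from a private file, passes it to curl over stdin instead of on the command line, and only reports success when the server confirms it. The function names and token-file path are hypothetical, and the exact "good" success body is an assumption taken from the dyndns2 convention the post mentions.

```shell
#!/bin/sh
# Added example (not the poster's script). Function names and the token-file
# path are hypothetical; URL and parameter names match the script above.
UPD_URL="https://update.dedyn.io/"

# True only for a regular file with no group/other permission bits (e.g. 600).
token_file_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print a curl config for "curl --config -": credentials go over stdin, so
# they never show up in the process list the way "--user a:b" arguments can.
# Args: domain token ipv4 ipv6
curl_config() {
  case "$2" in
    ''|*\"*|*\\*) return 1 ;;   # empty, or would break the quoted value
  esac
  printf 'url = "%s?myipv4=%s&myipv6=%s"\n' "$UPD_URL" "$3" "$4"
  printf 'user = "%s:%s"\n' "$1" "$2"
  printf 'fail\nsilent\nmax-time = 30\n'
}

# Assumption: success is signalled dyndns2-style, by a body of exactly "good".
update_succeeded() {
  [ "$1" = "good" ]
}

# Args: domain token_file ipv4 ipv6. Returns 0 only on a confirmed update.
desec_update() {
  token_file_private "$2" || { echo "token file must be mode 600" >&2; return 2; }
  IFS= read -r token < "$2" || [ -n "$token" ] || return 2
  cfg=$(curl_config "$1" "$token" "$3" "$4") || return 2
  body=$(printf '%s\n' "$cfg" | curl --config -) || return 1
  update_succeeded "$body"
}

# Usage (constructed values):
#   desec_update home.example.eu.org /etc/desec/update.token 192.0.2.10 2001:db8::10
```

The token file should be owned by the account whose crontab runs the updater and created with `chmod 600`.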