Regression #16249 (closed)
Dynamic DNS fails to update AAAA record for Route53 and No-IP services
Description
In pfSense 2.8.0, the Dynamic DNS client fails to update AAAA records when using certain Dynamic DNS providers. This appears to affect any provider whose API endpoint is only accessible over IPv4 (i.e., does not have a AAAA record). Confirmed affected services include Route53-v6 and No-IP-v6, though other providers may be impacted as well.
Here's a forum thread about the issue:
https://forum.netgate.com/topic/197632/how-to-update-no-ip-ipv6-dynupdate-no-ip-com-does-not-have-an-aaaa-record?_=1749485466098
Here's a reddit thread about the same issue:
https://www.reddit.com/r/PFSENSE/comments/1l6qzev/possible_bug_route53_dynamic_dns_fails_for_ipv6/
Steps to Reproduce
1. Configure a WAN interface with an IPv4 and IPv6 address.
2. Add a Dynamic DNS client using an affected DDNS provider like Route53-v6 or noip-v6.
3. Click "Save & Force Update" to trigger the AAAA record to update.
Expected Behavior
The Dynamic DNS client should update the AAAA record. The DDNS client should use IPv4 to access the endpoint when the provider does not offer an IPv6 endpoint.
Actual Behavior
The DDNS update fails. The logs show an error like this:
/rc.newwanipv6: Curl error occurred: Could not resolve host: route53.amazonaws.com
Root Cause Analysis
I attempted to track down the root cause in this forum post:
https://forum.netgate.com/post/1217413
The source of the problem appears to be in dyndns.class. When updating an IPv6 address, the class sets _addressFamilyRequest to AF_INET6 (line 416). Later, this leads to setting CURLOPT_IPRESOLVE to CURL_IPRESOLVE_V6 (line 572). This forces curl to use only IPv6 to contact the API endpoint, which fails when the provider does not publish a AAAA record.
Relevant source code: https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/master/entry/src/etc/inc/dyndns.class
Note: the link to the source code may become outdated over time, so I’ve also attached a copy of the code as it exists today.
I think the information presented in the forum post 1217413 is mostly correct but it might contain a small error where it says:
In a previous commit, someone already figured out what API endpoints are IPv4 only, here's the code: https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/ddb0771962b2e1e974a908f1b02ddd94423c2903/entry/src/etc/inc/dyndns.class#L334 A possible solution might involve copy-pasting this...
I describe why I think this quote is wrong in a follow up post: https://forum.netgate.com/post/1217424
Possible Solution
Apply provider-specific overrides to avoid forcing IPv6-only resolution. Curl can use the CURL_IPRESOLVE_WHATEVER option when accessing IPv4-only DDNS APIs.
curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER);
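One way to express the choice described under Possible Solution, as an added PHP example that is not code from pfSense or from the reporter: the transport is pinned to IPv6 only when the API host actually publishes a AAAA record. The helper names `ddns_has_aaaa()` and `ddns_pick_ipresolve()`, the host `ddns.example.net` and the lookup table are assumptions made for illustration, and the example assumes the provider takes the address to register from the request itself rather than from the connection's source address.

```php
<?php
// Added illustration; not code from pfSense's dyndns.class.
// ddns_has_aaaa() and ddns_pick_ipresolve() are hypothetical helper names.

/** True when the API host publishes at least one AAAA record (live DNS lookup). */
function ddns_has_aaaa(string $host): bool
{
    $records = @dns_get_record($host, DNS_AAAA);
    return is_array($records) && count($records) > 0;
}

/**
 * Choose the CURLOPT_IPRESOLVE value for the request to the provider API.
 * $updatingAaaa: true when the record being updated is a AAAA record.
 * $hasAaaa: lookup callback, injectable so the logic can be exercised offline.
 */
function ddns_pick_ipresolve(string $apiHost, bool $updatingAaaa, callable $hasAaaa): int
{
    if (!$updatingAaaa) {
        return CURL_IPRESOLVE_V4;   // assumption: A record updates stay on IPv4
    }
    // AAAA update: pin to IPv6 only if the endpoint can be resolved over IPv6.
    return $hasAaaa($apiHost) ? CURL_IPRESOLVE_V6 : CURL_IPRESOLVE_WHATEVER;
}

// Constructed lookup table standing in for live DNS (sample data, not measurements).
$sampleDns = [
    'route53.amazonaws.com' => false,  // IPv4-only endpoint, as reported on this page
    'ddns.example.net'      => true,   // hypothetical dual-stack provider
];
$lookup = static fn(string $h): bool => $sampleDns[$h] ?? false;

$names = [
    CURL_IPRESOLVE_WHATEVER => 'CURL_IPRESOLVE_WHATEVER',
    CURL_IPRESOLVE_V4       => 'CURL_IPRESOLVE_V4',
    CURL_IPRESOLVE_V6       => 'CURL_IPRESOLVE_V6',
];

foreach (array_keys($sampleDns) as $host) {
    $mode = ddns_pick_ipresolve($host, true, $lookup);
    $ch = curl_init("https://{$host}/");
    curl_setopt($ch, CURLOPT_IPRESOLVE, $mode);  // handle is only configured; nothing is sent
    printf("%-24s AAAA update -> %s\n", $host, $names[$mode]);
}
```

Against live DNS, pass `'ddns_has_aaaa'` as the third argument instead of the constructed table.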