Project

General

Profile

Actions

Feature #6373

closed

RFC2136 DDNS could be more configurable to improve security

Added by Marc Dye over 8 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Dynamic DNS
Target version:
Start date:
05/19/2016
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Plus Target Version:
Release Notes:

Description

Our RFC2136-style DDNS depends on external determination of the real IP address (usu. DHCP-assigned by the ISP). Such dynamically-assigned addressing is pervasive, but the design is half-baked: there is no specification of any means by which devices inside the boundary created by the client device (e.g. cable router) may officially, authentically, and privately discover their effective external IP from the entity which has assigned it.

So presently this determination is made by querying a hardcoded URL. (To reiterate: this isn't about where the DDNS name-to-address mapping is registered, this is about how pfSense discovers a dynamically-assigned external IP address.)

While this might be tolerable for personal or casual use, we can easily do much better.

There are two improvements needed:

(1) Allow the URL used for external IP discovery to be user-configurable, on a per-mapping basis,

(2) Support "https://" URLs in this configurable item.

The second should essentially 'just work' once the first is done. However, help text and other documentation needs to reference appropriate configuration of, e.g., external CA certificates in a fashion similar to that of certificate-based authentication of IPsec endpoints, etc.

(An ancilliary topic is: to what should the default configurable be set?)


Subtasks 1 (0 open1 closed)

Feature #6374: Provide sample server-side logic to report peer's IP address for use with DDNSResolvedJim Pingle05/19/2016

Actions
Actions #1

Updated by Jim Thompson over 8 years ago

  • Assignee set to Marc Dye
Actions #2

Updated by Chris Buechler over 8 years ago

  • Target version changed from 2.3.2 to 2.4.0
Actions #3

Updated by Jeremy Porter about 8 years ago

This is a quick and dirty way for us to add checkip services to nginx on our production web boxes:
location = /ip {
default_type text/html;
content_by_lua '
ngx.say("<html><head><title>Current IP Check</title></head><body>Current IP Address: ")
ngx.say(ngx.var.remote_addr)
ngx.say("</body></html>")
';
}
We could support https through the *.pfsense.org certificate.
My recommendation is use checkip.pfsenes.org for the host name

Actions #4

Updated by Renato Botelho almost 8 years ago

  • Assignee deleted (Marc Dye)
Actions #5

Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Resolved

Items 1 and 2 were completed under #6591 which was resolved by PR https://github.com/pfsense/pfsense/pull/3037

Actions

Also available in: Atom PDF