Feature #6373


RFC2136 DDNS could be more configurable to improve security

Added by Marc Dye almost 8 years ago. Updated about 7 years ago.

Dynamic DNS
Target version:
Start date:
Due date:
% Done:


Estimated time:
(Total: 0.00 h)
Plus Target Version:
Release Notes:


Our RFC2136-style DDNS depends on external determination of the real IP address (usu. DHCP-assigned by the ISP). Such dynamically-assigned addressing is pervasive, but the design is half-baked: there is no specification of any means by which devices inside the boundary created by the client device (e.g. cable router) may officially, authentically, and privately discover their effective external IP from the entity which has assigned it.

So presently this determination is made by querying a hardcoded URL. (To reiterate: this isn't about where the DDNS name-to-address mapping is registered, this is about how pfSense discovers a dynamically-assigned external IP address.)

While this might be tolerable for personal or casual use, we can easily do much better.

There are two improvements needed:

(1) Allow the URL used for external IP discovery to be user-configurable, on a per-mapping basis,

(2) Support "https://" URLs in this configurable item.

The second should essentially 'just work' once the first is done. However, help text and other documentation needs to reference appropriate configuration of, e.g., external CA certificates in a fashion similar to that of certificate-based authentication of IPsec endpoints, etc.

(An ancilliary topic is: to what should the default configurable be set?)

Subtasks 1 (0 open1 closed)

Feature #6374: Provide sample server-side logic to report peer's IP address for use with DDNSResolvedJim Pingle05/19/2016

Actions #1

Updated by Jim Thompson almost 8 years ago

  • Assignee set to Marc Dye
Actions #2

Updated by Chris Buechler over 7 years ago

  • Target version changed from 2.3.2 to 2.4.0
Actions #3

Updated by Jeremy Porter over 7 years ago

This is a quick and dirty way for us to add checkip services to nginx on our production web boxes:
location = /ip {
default_type text/html;
content_by_lua '
ngx.say("<html><head><title>Current IP Check</title></head><body>Current IP Address: ")
We could support https through the * certificate.
My recommendation is use for the host name

Actions #4

Updated by Renato Botelho about 7 years ago

  • Assignee deleted (Marc Dye)
Actions #5

Updated by Jim Pingle about 7 years ago

  • Status changed from New to Resolved

Items 1 and 2 were completed under #6591 which was resolved by PR


Also available in: Atom PDF