Duck DNS (duckdns.org)
159 points by axiomdata316 on Aug 5, 2023 | hide | past | favorite | 60 comments



Fond memories of using DDNS on old Netgear routers at home in the aughts and port forwarding services with some rudimentary firewall rules and tcpwrappers to try and lock down access.

Now I use a combination of Tailscale[1] for private services only to me and Tailscale Funnels[2], and Cloudflare Tunnels[3] for public service exposure.

This accomplishes the same thing I was doing with DDNS and my ISP IP, but in a much more secure and stable manner.

1. https://tailscale.com/

2. https://tailscale.com/kb/1223/tailscale-funnel/

3. https://developers.cloudflare.com/cloudflare-one/connections...


Do you have any recommendations for tutorials on setting this all up with docker?

How do you connect outside the network?

I am running DDNS to access my home services and it has been very error prone and frustrating. I moved some services back to the cloud because the bots were using all my DSL upload, so that we didn't have enough bandwidth to work even with Cloudflare firewalls.


I have an artisanal handcrafted docker-compose stack for them, so everything is containerized. It's on my todo to write a blog post about the setup.

There's an nginx reverse-proxy container in the stack that routes traffic to the individual service containers via the server name; e.g. nitter.tail.net goes to the nitter container, teddit.tail.net goes to the teddit container, etc.

The nginx proxy only listens on the Tailnet interface and only accepts connections from the Tailnet CIDR, therefore any device I have on my tailnet can access them. Letsencrypt is also set up so everything is over https.

This allows me to access them from my phone, laptop, whatever when connected using Tailscale.

Tailscale essentially let me completely remove any need for port forwarding on my router and still have global access. It's truly amazing.


While not a blog post, I created a Privacy Frontends with Tailscale repo on Github with this setup using Tailscale MagicDNS and Caddy.

https://github.com/ecliptik/tailscale-privacy-frontends

I've tested it out on a new Tailnet on a t3.medium EC2 instance and it works relatively well. Adding new services should be relatively easy.

I'm planning to write up a post about the more technical details on the stack still.


I have a similar-ish setup, but using nomad as my executor, and traefik running on a public machine doing the routing.

Basically all the services on nomad listen on the tailnet, and traefik straddles the tailnet and the public internet. It then loads the service configurations from nomad and exposes them using let’s encrypt certificates.


+1 Would very much welcome you authoring something on this topic.


+1 for the blog post howto idea


+1 as well. Right now I'm using Route 53 and some funky scripts to pull the IP from DNS and update it for site-to-site links.


If you wouldn't mind, any chance you can ping me once you publish this? You can reach me at collect.metadat attt gmail.


Do you still secure your personal services with passwords?


Not the internal services. I have Letsencrypt set up for services on my tailnet using the Cloudflare DNS plugin for certbot so they're all over https.

Combined with only allowing connections to hosts from the Tailnet and https, forgoing passwords makes them easier to manage and use.

Granted, most of these personal services are things like Audiobookshelf, Nitter, Plex, and Newsblur. While important to me, they're not exactly high value targets.

My internal Gitea is locked down more and has MFA enabled since I always see git as something to secure.


Yes.


Since you're already using Cloudflare, why did you choose Tailscale over Cloudflare's WARP?


I don't use Tailscale Funnel as much, mostly on an ad hoc basis, since tailscale serve is relatively lightweight if a host is already connected to a Tailnet.

WARP is primarily used for long running services I have, like GotoSocial or Lemmy that need public ingress over https for federation.


This doesn't work for game hosting services, does it? HTTP only?


Tailscale does, https://tailscale.com/


Their announcement about no longer supporting logging in via reddit is interesting: https://www.duckdns.org/reddit.jsp

Reddit's rationale for the C&D was that "Offering this login option misleads and confuses consumers by implying Reddit’s endorsement, association or sponsorship of your application", which is

1. complete bullshit; and

2. hypocritical, given that it's possible to log into reddit with one's Google and/or Apple account


Generally, Reddit is uninterested in being an OAuth provider for anything other than a few bot-related tools. I don't necessarily disagree with their prognosis that being a public OAuth provider sometimes looks like endorsement or association, as it has been used in a lot of phishing attacks. But it's surprising they aren't interested in the prospect of more Reddit accounts.


I was looking at the login links at the top… it's interesting eh.

- Persona is dead.

- Twitter has been rebranded and its future is uncertain.

- Reddit took them down

Github and Google are both reliable OAuth providers. Though the Github OAuth is linked to a personal account, not an org, which is all kinds of awful for reliability of the app.

Since I use 1Password, I've started to always retain backup login+PW methods for every website I use OAuth for anyway. And if I do use OAuth, it's ALWAYS gonna be using Google (which is reliable and I pay for) or nothing, except for very specific scenarios where OAuth perms are relevant. I think the federated auth dream is just entirely dead at this point.


Why is Persona dead? I've never used them, their site appears to be online (still), though.

> I think the federated auth dream is just entirely dead at this point.

That you had to support individual auth providers, none of which were reliable, was a major issue. Had they been "oh here's my auth provider" and you stuck it into a site, that would have been grand. No need to have a bunch of "login with" providers up top.

That sort-of worked with OAuth 1.0, IIRC that protocol had issues which is why we had OAuth 2.0 which sorta worked (and I've never seen an easy impl, where you just "stand up" an oauth server and then clients easily use it). Back when you could use the likes of Yahoo to OAuth you around.


That announcement is… from 2021! :X


Thankfully, reddit inc. has continued to uphold their commitment to being completely out of touch with reality.


Related:

Duck DNS – About - https://news.ycombinator.com/item?id=33367767 - Oct 2022 (48 comments)

Duck DNS – free dynamic DNS hosted on AWS - https://news.ycombinator.com/item?id=30539059 - March 2022 (100 comments)

Duck DNS – free dynamic DNS hosted on AWS - https://news.ycombinator.com/item?id=28383113 - Sept 2021 (1 comment)

Free DNS from Duck DNS - https://news.ycombinator.com/item?id=6425925 - Sept 2013 (2 comments)


As much as I appreciate what they offer at no cost, I have experienced more downtime from their service than I would like. My Uptime Kuma dashboard reports a 99.98% 30-day uptime from their service (mainly small 1-2min down-times every couple of weeks), but I have experienced at least one 7ish hour period a few months back where no duckDNS queries were resolving for any domains I checked. And I never found any official source giving a reason or even acknowledging this outage. Again, free service, I do appreciate what they offer.


They probably don't want to have the extra headache of having made a promise of uptime in any way. If anyone uses a free service for stuff that can't go down, the fault is on them.


Yeah I've noticed that too. I have a systemd service that periodically updates a DNS record on duckdns.org and it fails quite often.


Can someone inform me as to why some random dynamic DNS service is trending on HN? I went to their site, read their FAQ, etc. Nothing about this service seems unique compared to the countless other dynamic DNS services out there.

Am I missing something?


Most likely related to the recent discussion about Cloudflare's DNS handling 1.3T queries/day [0]

You tend to get a few echoes relating to popular posts (or comments from those posts that suggest alternatives and/or pros and cons)

0: https://news.ycombinator.com/item?id=36984419


A lot of the other free dynamic DNS services don't cut the mustard, or have vanished over the years. Some of them have weird rules like that your IP address has to be dynamic and change every once in a while, some of them have terrible software and don't have a clean API, some of them require you to check your email every month to click a renew button, and most of them don't have a web UI you can use to manually type in an IP address.

DuckDNS just kinda sits there and does its thing. So it may be interesting for a HN audience to know that a decent usable dynamic DNS service is still around.


For me, duckdns.org is what I usually see in SMS spam. I won't use it due to this, but it's a sort of proof of existence.


At least it's more trustworthy than .tk!

(Side note: Earlier this year, Freenom temporarily stopped giving away free domains due to an ongoing cybersquatting lawsuit from Facebook. Very sad.)


It's the most friendly free DNS I have encountered.

- It's really free instead of "annoyingly free" that requires you to confirm every month that you are still using it.

- It lets you update with a simple HTTP request + token (e.g. a "curl ..." command), with no login protocol, nor any special login protocol that your router or DVR may or may not support.

- Simple copy-paste instructions for dozens of systems, instead of other DNS services that have no docs and whose only instructions are to make you install their adware/spyware app

- No ads. Just a simple donate button at the end of the admin page which I haven't visited in months/years
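The "simple HTTP request + token" update this comment describes, and the periodically failing systemd updater mentioned further up, as an added example (not DuckDNS's own script or either commenter's code). It assumes the update endpoint takes domains, token, ip and verbose=true as query parameters and answers OK/KO plus UPDATED/NOCHANGE when verbose; the current public IPv4 is supplied by the caller, and the token comes from the unit's environment rather than the script.

```sh
#!/bin/sh
# Added example, not DuckDNS's client script or the commenter's unit.
# Assumption: the update endpoint takes domains, token, ip and verbose=true as
# query parameters and answers "OK" or "KO" on line 1, the stored IPv4 on line 2,
# the IPv6 on line 3 and UPDATED/NOCHANGE on line 4 when verbose=true.
# Assumption: DUCK_TOKEN is exported by the unit from an EnvironmentFile (0600).
DUCK_STATE="${DUCK_STATE:-/var/lib/duckdns/last_ip}"

# Build the update URL from its parts (kept separate so it can be tested offline).
duckdns_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=%s&verbose=true' \
        "$1" "$2" "$3"
}

# A reply counts as success only when its first line is OK. KO, an empty body or
# an HTML error page from a captive portal all fail, so the timer logs and retries.
duckdns_reply_ok() {
    case "$1" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Fourth line of a verbose reply: UPDATED or NOCHANGE.
duckdns_reply_status() {
    printf '%s\n' "$1" | sed -n '4p'
}

# Only call the API when the address differs from the last one we pushed
# successfully; a stable line then generates no requests at all.
needs_update() {
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# $1 subdomain, $2 token, $3 current public IPv4 (e.g. from your router or a
# trusted lookup). The URL is fed to curl via -K - (config on stdin) so the
# token does not appear in the process list the way a URL argument would.
update_once() {
    needs_update "$3" "$DUCK_STATE" || { echo "duckdns: unchanged ($3)"; return 0; }
    reply=$(printf 'url = "%s"\n' "$(duckdns_url "$1" "$2" "$3")" \
        | curl -fsS --max-time 20 -K -) || return 1
    duckdns_reply_ok "$reply" || { echo "duckdns: rejected: $reply" >&2; return 1; }
    mkdir -p "$(dirname "$DUCK_STATE")" && printf '%s' "$3" > "$DUCK_STATE"
    echo "duckdns: $(duckdns_reply_status "$reply") -> $3"
}

# Usage from a systemd timer: duckdns-update.sh <subdomain> "$DUCK_TOKEN" <ipv4>
if [ "$#" -eq 3 ]; then update_once "$1" "$2" "$3"; fi
```

A non-zero exit on KO or a transport error lets the systemd unit show as failed and be retried by its timer instead of silently leaving a stale record.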


No idea why it's trending, but it is not very random. It's probably the most popular DDNS out there right now. A lot of docker images have built-in support or plugins to use it in conjunction with Let's Encrypt for HTTPS support.


Anything can trend on HN any time, it's not unlike any other social news website.


Some domain name registrars and DNS providers also support dynamic DNS. For example Joker [1] and NameCheap [2] (likely many others as well).

[1] https://joker.com/faq/content/11/427/en/what-is-dynamic-dns-...

[2] https://www.namecheap.com/support/knowledgebase/subcategory/...


Namecheap has a limit of 150 hostnames [1].

1. https://www.namecheap.com/support/knowledgebase/article.aspx...


Hurricane Electric DNS does too. No charge.


Google's was actually a really good implementation that was pretty well supported (EdgeOS and Synology), too bad it's going away. Switched to Namecheap and its implementation is OK but a bit crusty.


I've been using them since I let my personal domain expire. The personal domain on Namecheap allowed for DynDNS updating, but I couldn't really justify the $10/y cost for no real gain.

I use DynDNS for a Wireguard VPN with WG Dashboard hosted behind my home firewall on a Proxmox CT (LXC). Works great for allowing me to tunnel traffic on untrusted Wifi, and of course, to hit LAN devices remotely. I'm lucky my home ISP (FIOS) doesn't cheap out and CGNAT me like so many seem to be doing now. In the past, I used to open 80/443 and self-host websites, but that's pretty silly nowadays.


Why is "hosted on AWS" something worth mentioning or even (from the looks of it) presenting as a "selling point"?


vs randomly at someone's house? Reliability.

It's all based on donation and there's not a ton of information, so there's really no way of knowing how reliable it is.


Duck DNS frequently gets abused to my knowledge, a lot of their subdomains are in a phishing dataset I've seen

Edit: yes

> Unfortunately this service is often abused by phishers.

https://www.malwarebytes.com/blog/detections/duckdns-org


yep, I've gotten loads of phishing SMSs regarding missed deliveries using duckdns.


I've used DuckDNS for over five years. It seems reliable and makes running a gopher server from home quite simple.


It would be nice to be able to create an account that isn't linked to such large corporations. The future seems to be that these players will become gatekeepers, even for things that have nothing to do with them. Piss Google Off? Lose access to your DDNS account.


I've been using Duckdns for a few months, I cannot recommend more!


I use DuckDNS for letting Alexa and Google Assistant access my Home Assistant devices.

Not needing to click on a link to “renew” my host name every month is a huge plus.

The biggest issue however is that it doesn’t support CNAMEs so I can’t migrate to a Tailscale Funnel address without redoing the entire setup, since I have a VPS configured to reverse proxy Home Assistant from home, through Tailscale of course.


It's so sad that we need this. Consumers were all allowed to have their own phone number -- why can't we all have static IPs?


We can all have static IPs, but if you fragment the space too heavily (e.g. your home having an adjacent address to someone else on the other side of the country / world), no AS will want to carry your traffic. It's simply not feasible to carry traffic to tiny prefixes that big giant routers can't handle in a few TCAM entries. This is kinda why we have IP in the first place (instead of no L3 at all).

This is also similar to the old way the phone system used to work. If you move across the country now, you can keep your cell number no problem (and maybe even landline too?), but in the Bell monopoly days, you most certainly could not move out of an area code and keep your number, as the number itself reflected some sort of hierarchical structure of the network. There may have even been further restrictions on the number prefix (XXX in XXX-YYYY), but I don't know that for sure.


I don't mind having a dynamic IP that changes from time to time (for example every time I restart my router or reconnect). The real troublemaker is CGNAT.

Actually, I prefer having a dynamic IP as it makes blacklisting individual IPs useless.


IPv4 availability is low, IPv6 isn’t implemented everywhere.

My ISP doesn't hand them out and charges per IPv4 if you want static, at a lovely $10 per month. And they don't have IPv6 implemented.


The solution should be to use IPv6 everywhere via 4to6 and 6to4 protocols. Then IPv4 usage will become less important (as fewer people will want to maintain or use it), and ISPs will have an active incentive to switch (less network translation to maintain).

At that point, the main consumers of IPv4 will be old devices and legacy clients that for whatever reason can't support IPv6. Nobody will be paying for ip's otherwise, so ISPs can continue selling their business plans as normal, the rest of us can just use IPv6 and not worry about rent-seeking behavior from the exhausted IPv4 space.

I would guess, around 50-60% penetration, you will start to see real "only works with IPv6" behavior, and the trend will accelerate... it's already at 30%, which is enough incentive to at least try to get on IPv6 now if possible...


For dial-up, sure, but given most home internet connections are now always-on connections, dynamic IPs are just shuffling deck chairs on the Titanic (OK, that's not a great analogy). Unless the ISP's two options are static IP and CGNAT, a dynamic, non-CGNAT IP is just rent-seeking.


Why do they even capture any data if they don't have a plan to use it. Why does anyone go with so much trust?


This is pretty neat. There used to be free secondary (slave) DNS and it was good. Nowadays not so much and I'm still looking for some way to have secondary ns on a separate network because that's how it's supposed to work.


he.net do free DNS, including secondary slaving. I've used them in a hidden master setup for a few years now for some domains, no complaints.


Do most home WAN IPs change often?

I have never had mine change in the 10 years I have been self hosting, and that included 2 address changes (same town, same ISP).


Every few months for me, but only after a modem reboot or ISP outage.


I am using quad9.net DNS but now walmart.com is redirecting me to the login page "Sign in or create your account", what kind of bull is this?


At first I thought that said Fuck DNS
