Skip to content

ddns-scripts: add API-based registered IP verification for Cloudflare proxied records #28185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bdk38 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ddns-scripts: add API-based registered IP verification for Cloudflare proxied records #28185

bdk38 wants to merge 1 commit into from

Conversation

@bdk38
Copy link

@bdk38 bdk38 commented Dec 27, 2025
edited
Loading

Description

Problem

When using Cloudflare with proxy enabled (orange cloud), DNS lookups return Cloudflare's edge IP instead of the actual origin IP registered in the dashboard. This causes ddns-scripts to incorrectly detect IP mismatches, triggering unnecessary updates and potential rate limiting.

Solution

Add an optional use_api_check configuration option that enables provider scripts to fetch the registered IP directly via their API, bypassing DNS lookups.

Changes

dynamic_dns_functions.sh:

  • Add API check block to get_registered_ip() (~25 lines)
  • When use_api_check is enabled, sources the provider script with GET_REGISTERED_IP=1 flag
  • Falls back to DNS lookup if API check is disabled, unsupported, or fails

update_cloudflare_com_v4.sh:

  • Add handler for GET_REGISTERED_IP mode (~15 lines)
  • Reuses existing cURL setup and authentication to query Cloudflare API for actual record content

Usage

Enable in /etc/config/ddns:

Code
config service 'myddns'
    option use_api_check '1'
    ...

Behavior

use_api_check Provider Support Result
0 or unset N/A DNS lookup (existing behavior)
1 Yes (e.g., Cloudflare) API query for real IP
1 No Falls back to DNS lookup
1 API fails Falls back to DNS lookup

Testing

  • Cloudflare (proxied): Correctly retrieves origin IP via API
  • Cloudflare (non-proxied): Works correctly
  • No-IP: DNS lookup works (no regression)
  • IPv4 and IPv6 records
  • API failure gracefully falls back to DNS

References

Testing Environment

OpenWrt mediatek/filogic 24.10.5 r29087-d9c5716d1d / LuCI openwrt-24.10 branch 25.365.52131~3ac2e08
GL.iNet GL-MT6000 ARMv8 Processor rev 4
ddns-scripts 2.8.2-r64

Test Log Output

Cloudflare with use_api_check '1' (proxied record):

030911 : Using provider API for registered IP check via '/usr/lib/ddns/update_cloudflare_com_v4.sh'
030911 : Registered IP '2600:100f:a020::' detected via Cloudflare API
030911 : Registered IP '2600:100f:a020::' detected via provider API

No-IP without use_api_check (regression test):

115936  note : drill - no support to 'force IP Version' (ignored)
115936       :  #> /usr/bin/drill test.ddnsking.com >/var/run/ddns/noip. dat 2>/var/run/ddns/noip.err
115936       :  Registered IP '75.253. - -  detected

@bdk38 bdk38 marked this pull request as ready for review December 27, 2025 01:38
@bdk38 bdk38 changed the title net/ddns-scripts: add API-based registered IP verification for Cloudflare proxied records ddns-scripts: add API-based registered IP verification for Cloudflare proxied records Jan 2, 2026
@feckert
Copy link
Member

feckert commented Jan 9, 2026

Why are the changes to the core needed? Why does it have to be not only the Cloudflare script that is adjusted? This is a big change, and I can't guarantee that the other providers will work if I merge it. Because I do not have all of them for testing.
So can you please split the change into smaller chunks? So this is easier for me to review.

@bdk38
Copy link
Author

bdk38 commented Jan 9, 2026

Why are the changes to the core needed? Why does it have to be not only the Cloudflare script that is adjusted? This is a big change, and I can't guarantee that the other providers will work if I merge it. Because I do not have all of them for testing. So can you please split the change into smaller chunks? So this is easier for me to review.

Thank you for the feedback. I agree with you about major changes to the core and have already worked on minimizing those changes. I've modified dynamic_dns_functions.sh so that the API IP retrieval is in update_cloudflare_com_v4.sh with a generalized API check in dynamic_dns_functions.sh. This allows for other providers that utilize origin proxies to use the function within their respective scripts. Also, use_api_check defaults to 0 if not specifically set so that it doesn't interfere with with other non-proxied providers.

Should I replace the current files in this PR with the new changes or does this require a new PR?

@bdk38 bdk38 marked this pull request as draft January 9, 2026 18:56
@bdk38 bdk38 marked this pull request as ready for review January 9, 2026 19:18
@bdk38 bdk38 marked this pull request as draft January 9, 2026 23:24
@bdk38 bdk38 force-pushed the feature/cloudflare-api-registered-ip branch from 70e9697 to 1168dfa Compare January 10, 2026 00:08
@bdk38 bdk38 marked this pull request as ready for review January 10, 2026 00:52
@bdk38 bdk38 marked this pull request as draft January 10, 2026 03:26
@bdk38 bdk38 force-pushed the feature/cloudflare-api-registered-ip branch from bf02e55 to 20b95e8 Compare January 10, 2026 16:12
@bdk38 bdk38 force-pushed the feature/cloudflare-api-registered-ip branch from 20b95e8 to d84ffd4 Compare January 10, 2026 16:37
@bdk38 bdk38 marked this pull request as ready for review January 10, 2026 16:52
@bdk38
Copy link
Author

bdk38 commented Jan 10, 2026

Hi @feckert,

I've pushed the simplified changes as discussed. The PR now contains only:

~25 lines added to dynamic_dns_functions.sh (API check block in get_registered_ip())
~15 lines added to update_cloudflare_com_v4.sh (handler for GET_REGISTERED_IP mode)

Key points:

use_api_check defaults to 0 — existing providers are completely unaffected
Falls back to DNS lookup if API check fails or isn't supported
Tested with Cloudflare (proxied) and No-IP (no regression)

Let me know if you'd like any further changes.

feckert
feckert requested changes Jan 12, 2026
View reviewed changes
Copy link
Member

@feckert feckert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The source change is now OK.
However, you must update PKG_RELEASE in the Makefile and also document the new configuration use_api_check option in the uci.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@feckert feckert feckert requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bdk38 @feckert