Duck DNS – free dynamic DNS hosted on AWS

Duck DNS – free dynamic DNS hosted on AWS(duckdns.org)

174 points by phantom_oracle 4 years ago | 100 comments

mittermayr 4 years ago |

For anyone hosting their domain on Google Domains, there's a neat API endpoint they're offering for updating the DNS with a simple CURL. I've been using this for years now for a public Raspberry PI behind a home router that changes IPs every other day.

  curl -s -k --user "username:password" "https://domains.google.com/nic/update?hostname=yourdomain.com"

There's more parameters (and you can specify an IP, the above request only takes the caller's IP).

Here are the docs: https://support.google.com/domains/answer/6147083?hl=en#zipp...

petercooper 4 years ago | |

I don't know if it's relevant but there was an article the other day about how Google is phasing out username:password logins for most Google related services and APIs, so if you have a script running quietly for years doing this task, it might be worth double checking if it will continue to be fine. (It might be, if this u/p is unique to the domain as the docs suggest - but I thought I'd mention it just in case!)

imaginator 4 years ago | | |

This is with an application specific username/password pair that GoogleDNS gives you. And will only update that specific record.

sa3dany 4 years ago | | |

Would enabling 2-factor auth and using an app-specific passowrd in this case still work? worth a try I guess: https://support.google.com/accounts/answer/185833

haxxorfreak 4 years ago | |

I had no idea about this, really handy!

Quick question, is there a reason the -k (--insecure) flag is included? I imagine that https://domains.google.com would use a cert trusted by curl so it seems unnecessary and adds a risk that your traffic could be MitM.

benmanns 4 years ago | | |

I could see people doing this on old routers with outdated CA certs and etc. But agreed, it seems like a bad idea unless absolutely necessary.

remram 4 years ago | |

Not only did I have no idea about this, but I was certain this didn't exist on purpose as there is a paid "Cloud DNS" in Google Cloud.

Does this mean Let's Encrypt dns-01 challenges could be automated?

[edit: Oh the API only allows changing an A record, for dynamic DNS, not updating anything else in the zone. That makes more sense.]

compsciphd 4 years ago | |

so I mentioned the same thing, though one thing to note (which I doubt duck dns helps with either). Is one can't use google's dynamic dns with AAAA records (i.e. ipv6). Personally, I think this is massive oversight on their part.

rahimnathwani 4 years ago | | |

I have dynamic A and AAAA records with Google Domains. I'm not sure why it doesn't work for you.

Here's the relevant portion of my ddclient config:

  protocol=googledomains                                  
  login=XXXXXXX
  password=XXXXXXX                            
  host4.mydomain.com

  protocol=googledomains                                  
  use=web                                                 
  web=checkipv6.dyndns.org/                               
  ipv6=yes                                                
  login=XXXXXXXC                                  
  password=XXXXXXX                             
  host6.mydomain.com

vxNsr 4 years ago | | |

Likely because the person/team that built this got their annual bonus for making something new and moved on to other things before ipv6 became relevant in their eyes.

nickweb 4 years ago | |

It seems unsafe to me to be passing your username and password over the open every second day. Especially one that links to Google - which for the majority of people is their life.

As a side note - will the recent announcement by Google about unsafe logins being denied affect you?

ignoramous 4 years ago | | |

In the open? I believe u:pwd is HTTP Basic Auth, which is not "in the open" when over TLS.

https://en.wikipedia.org/wiki/Basic_access_authentication#Se...

jffry 4 years ago | | |

In this case, the username and password are NOT your Google credentials. When you set up a dynamic DNS subdomain in Google Domains, it autogenerates a username/password pair that is unique to that subdomain, and that's what you use.

https://support.google.com/domains/answer/6147083?hl=en&ref_...

jzzskijj 4 years ago |

I was quite surprised to learn this has nothing to do with DDG. Interesting how DDG seem to have taken the meaning of "duck" in (my) mind.

godelski 4 years ago | |

What's more interesting is that DDG had disputes with Google over the ownership of the duck.com domain. Google was squatting on the domain and redirected it to Google (dirty tactic). But I guess it could just as easily have gone to the Oregon Ducks or some duck based website. (interestingly "ducks.com" doesn't go anywhere for me)

ca98am79 4 years ago | | |

Google became the owner of Duck.com back in 2010 when it acquired On2 Technologies, a company formerly known as The Duck Corporation. It gifted the domain to DuckDuckGo in 2018

GordonS 4 years ago | | |

Hmm, I remember it differently, with Google redirecting duck.com to DDG, and then later just handing the domain over to them.

bil7 4 years ago | | |

google already does enough atrocious things, you don't have to make them up.

treesknees 4 years ago |

I have been using Cloudflare Tunnel for several months now to get around dynamic DNS requirements and port forwarding. It creates a secure tunnel between your server and their edge, and supports name-based service config (domain X points to localhost Y.) Downside is they only supports HTTP(s).

There is a free tier, although you need to provide them a full domain (not a subdomain) for it to work, and then each site/tunnel will create a subdomain. It does work with free domains like .tk if you really want to go that route.

https://developers.cloudflare.com/cloudflare-one/connections...

There are also open-source alternatives using VPNs like Wireguard + nginx, but typically these solutions require you to run a publicly-accessible server already to host the proxy.

anaganisk 4 years ago | |

Tunnel is one feature that make me like cloudlfare a lot

1MachineElf 4 years ago |

I'm currently on the search for a service to facilitate DDNS. Duck DNS seems popular, but I'm skeptical of things that are simply offered for free. What assurance do we have that Duck DNS is secure, or that it will not just disappear one day? The alternative that seems better to me is Namecheap with their API.

fomine3 4 years ago |

This service is infamous to be abused by spammer.

lewantmontreal 4 years ago | |

I can imagine. Last year I tried to sign up to create a domain for my home server. Despite having my own IP address and a Google account I pay for recaptcha v3 they use would not let me through.

eternityforest 4 years ago |

I love DuckDNS but we seriously need a more automated and integrated solution to this kind of thing. It's the missing piece that holds self hosted back.

Something that:

* Lets you set up a domain with a single command

* Handles security for you. There shouldn't be any manual admin needed to make a secure context site

* Works offline on the LAN if possible, and on Yggdrasil meshes.

I should be able to buy a device, plug it in, then scan the QR code on it's display and be instantly taken to its website, no setup or account creation.

Unfortunately the web blocks all insecure requests from within secure contexts, and has no MDNS type functionality, so building a P2P solution with service workers or something is very hard/impossible.

DuckDNS is really almost there. It's the security that makes it hard, Let's Encrypt is not exactly consumer grade.

anaganisk 4 years ago | |

Why is let’sencrypt not consumer grade? I dont think it uses any inferior algorithm. Am I missing something?

eternityforest 4 years ago | | |

An average user probably wouldn't want to set it up though.

The security is fine, but it's definitely not plug and play like I'd expect a commercial NAS or something to be.

adrianomartins 4 years ago |

I've been using noip.com for my projects, works quite well except that you have to confirm you still want your noip domain reserved every once in a while. I'll try Duck Dns in my next project. Thanks for the share.

RicoElectrico 4 years ago |

Be aware that Facebook Messenger blocks URLs with duckdns.org as unsafe links. The workaround is probably to find a cheap domain (not free, these are blocked as well) and attach it using CNAME.

scim-knox-twox 4 years ago |

This has nothing in common with DuckDuckGo?

DDG (unfortunately) is bigger and bigger with every year. They are developing desktop browser, email proxy etc.

I wouldn't be surprised if they'd lunched DDGDNS.

samtheprogram 4 years ago | |

Why is it unfortunate that DDG is bigger and bigger every year?

mPReDiToR 4 years ago | | |

The larger the crowd the more likely the company is to monetise the service? Or just sell the eyeballs?

I'd like to think DDG were too principled to do this, but money can really direct moral compasses in large enough quantities.

mattrighetti 4 years ago |

I’ve been using DuckDNS for a couple of years now but one day I discovered that Reddit login is no more so I’m locked out of my account, still works though!

giorgioz 4 years ago |

In the past I've tried using the free tier of other DynDNS services but with 2 commercial routers I had it always boiled down to the firmware being crap and having some bug that wasn't working with the free DynDNS. Many people recommend OpenWRT but you need to plan in advance which router you are going to buy to be compatibile with OpenWRT and I never planned so much in advance.

m-s 4 years ago |

I have my own domain and run a Cloudflare Workers endpoint that updates a DNS record. It’s quite simple to run one’s own dDNS service.

mrguyorama 4 years ago |

I have used DuckDNS for nearly a decade. I highly, highly recommend them. It's never not worked, super simple to set up on any server or always on system, and just is exactly what you want if you're a hobbyist.

The only possible downside is that you end up with a url with "duckdns.org" in it, but I don't mind

bullen 4 years ago |

That's great and all but since dyndns providers are hardcoded in my router this does not help.

goosedragons 4 years ago | |

If you have a machine running all the time anyways you can have it update the IP instead of the router. They have instructions for a bunch of different ways to do it on various OSs.

bullen 4 years ago | | |

Then I rather use my own DNS solution.

awill 4 years ago | |

You can use DuckDNS through DNSOMatic. That's in many routers. That's what I do

quyleanh 4 years ago |

I use Cloudflare, and there are also tons of APIs for update IP of DNS configuration.

Darmody 4 years ago |

I remember using it years ago to be able to point from the outside to a dynamic IP.

I used an old Android phone with their app to keep the IP updated. Like the old no-ip but without a PC.

passerby1 4 years ago |

Just curious, how does this project pays bills?

Dma54rhs 4 years ago | |

It's not expensive to run a project like this to begin with but donations.

fuzzfactor 4 years ago | |

I wonder about that too.

When a pro duck needs another roll of duct tape from his industrial supplier, they just put it on his bill and he's good to go.

k8sToGo 4 years ago | |

Donation. Just like many projects like this.

softwarebeware 4 years ago |

Happy user here. DuckDNS is one of those great things that does one thing simply and just works

aidog 4 years ago |

For some time I kept getting SMS phishing mails with duckdns.org urls here in Japan.

FastEatSlow 4 years ago | |

DuckDNS is sadly often abused for malware and phishing.

zsolt_terek 4 years ago |

Thank you. This was exactly what I've been looking for for a while now.

spants 4 years ago |

It is a great service - I have been using it for over 6 years now.

mlatu 4 years ago |

anyone knows why reddit doesnt like them using the reddit api?

slig 4 years ago | |

>We unfortunately do not allow use of Reddit’s API for account authentication with third-party sites or applications that have no partnership, affiliation, or connection with Reddit. Reddit does not offer or support “log in with Reddit” or “use Reddit” to login services. Use of any sort of button, including a “use Reddit” login button like the one currently featured on your site, is unauthorized.

ectospheno 4 years ago |

I know it is significantly less easy and not free, but wouldn’t a dedicated $6 vps running a level 4 haproxy to get access be a lot safer? A script to ssh to the vps to update your backend ip is pretty trivial.

k8sToGo 4 years ago | |

This is not a proxy though. Its just a DNS entry.

ctxc 4 years ago |

To me, this domain is synonymous with phishing.

dynamohk 4 years ago |

to avoid reverse proxy, dynamic dns to access servers at home, maybe try tailscale to achieve same thing

compsciphd 4 years ago |

one could just pay a small yearly fee to register their domain with google and get easy/unlimited ddns.

vetinari 4 years ago | |

You can also host your zone with Hurricane Electric and skip the part about paying a small yearly fee to Google.

compsciphd 4 years ago | | |

there's no cost to google besides the registration fee, if it's your zone, you're paying that fee anyways. The only way to not pay a fee is to go through a free dyndns provider that you have to use a hostname off of their zone.

shoelessone 4 years ago | |

I don't believe this solves the issue if your IP changes all the time.

dewey 4 years ago | | |

Why not? As OP said you'll get an easy way to update the dns entry with the new IP.

alimbada 4 years ago |

Why AWS? How about we start building services that work anywhere instead of targeting a platform owned by a company that avoids paying billions in taxes?

Edit - I'll leave my original comment up but I originally thought this was a service that users could deploy themselves into their own AWS accounts which it is not. It is, as it says, a DDNS service which is free. The fact that it's hosted in AWS should be neither here nor there.

eternityforest 4 years ago | |

It kinda gives a sense of how it works. AWS means it's not just a handwritten script on a VPS somewhere, it's probably maintained with lots of automation, etc.

It kind of gives it a sense of professionalism for marketing purposes.

vorejdajo 4 years ago |

New to this. "Practically", it seems the same as ngrok or tor onion services. Is that right?

remram 4 years ago | |

No. https://en.wikipedia.org/wiki/Domain_Name_System

vorejdajo 4 years ago | | |

I'm familiar with DNS and read the FAQ. But, "Practically", it's used for external services(ssh, http) to get to your device. Right? Are there practical use differences?