Haha, no, I didn’t! Honestly, I didn't put much thought into this project either. I needed it for myself to host a game we're developing (it’s 11GB per download) and was frustrated with the Noip client. I made this in about an hour and thought I’d share it too! Just seeing all the upvotes today :)

Nice, there seem to be a lot of these! I personally use https://github.com/qdm12/ddns-updater, it’s from the creator of gluetun

I have been using this for a couple of years, ticking away on an RPi. Works perfectly.

As the other commenter says, you can get pretty granular with the permissions. If you want to go even further, you can build a Cloudflare Worker that performs exactly the request that you want to do, and nothing else. Then you can configure your router to hit that instead of the API directly.

Yes you can generate a key which, for example, only allows you to edit DNS of a specific domain

you can setup the job on your trusted machine behind the router, could be raspberry pi or your desktop

For standard, legal web traffic Cloudflare will always be free. If you’re using us for just that and anyone on our sales team ever pressures you to upgrade, email me because it’s an explicit violation of our policies. Sales people are humans, so sometimes they make mistakes, but I can set it straight. Here’s my email:

matthewatcloudflaredotcom

So what are the cases you may have read about. They fall into two big buckets:

1. Streaming Video

A video stream is just a series of image files strung together. So some people have tried to use our free service to serve video. This causes two problems. First, a second of video is often as much as 10x the bandwidth as a typical web page load. We’ve done a lot to make bandwidth costs low, but it can add up fast.

Second, the people who tend to do this sort of janky video streaming are often streaming pirated video content. When that happens and we don’t shut it down we get sued. That’s costly.

We do offer a service to stream video. It’s creatively named Stream. It’s elegant and not janky and designed to be the least costly way to stream video content. It’s cheap but it’s not free.

2. Illegal Content

The site that is in the link you referenced was serving a gambling site to a jurisdiction where gambling is illegal. The problem was, the jurisdiction retaliated by blocking their IPs. If that only blocked the one gambling site, that’s their problem. But we share IPs between customers on our low end plans. So if a customer does something illegal somewhere and it causes an IP to get blocked then it causes harm to a bunch of other customers.

The solution is dedicated IP addresses. In a case like this we have a product called BYOIP (which is exactly what you think it is). It’s bespoke and expensive for us to maintain and customers who care about it tend to be customers who have budgets to pay for it, so it’s expensive. We could probably invest engineering resources to make it less bespoke, but there’s really not a ton of demand.

This customer was doing something illegal somewhere according to some government. We said — no judgment — but you’re getting our IPs banned and causing harm to other customers and we can’t let that happen. We presented a solution (albeit an expensive one). They balked and wrote a blog post. And now people assume there’s a bait-and-switch sales strategy. There’s not. Turns out people who use our Free plan rarely turn into million dollar customers. And people who are million dollar customers don’t really even consider our Free plan. So the world generally sorts itself correctly.

We get stymied by our policy of not talking about the details of customers without their permission, so it makes it hard to respond to blog posts like that one. But enough people have asked me about it and I’m tired enough about it that I’m going to make the decision to revise the policy: we won’t publicly disclose any details about a customer without their permission; but if you write a blog post complaining about us and leave out the salient details, then we’ll reserve the right to fill those details in.

Anyway, in 99.99% of cases, and especially if you’re not janky streaming or doing something illegal, our Free plan will work great for you and you’ll never hear from anyone on our Sales team.

> But from quick googling (I think it's Reddit), some people said Cloudflare uses bait-and-switch where at some point you will need certain features that are only available in enterprise plan or something, basically significant cost increase.

Cloudflare is only "free" for hosting websites; doing something like hosting just images or binary data and pushing hundreds of gigabytes or terabytes a month is likely to get your domain dropped from Cloudflare [0]. However, they do allow these non-website use cases (like hosting binary files, tons of images, etc) when using their third party products like R2 and/or Workers.

But, even with those stipulation, they do have a somewhat dubious sales tactic where, if you're pushing a lot of data, they:

- send you an email saying "you're using a lot of data"

- Have a line threatening you to "pay us to safeguard your website from potential suspension or restricted access"

- If you don't pay, you're in limbo on whether or not you're actually violating T&S and should make plans for being dropped by CF

Going over X0 TB/mo seems to be the threshold for getting put in this sales funnel, based on the few instances i've seen, but I can't confirm it. In some of these cases, the accounts survived, and in others they were dropped, so this isn't always a death sentence.

I would be incredibly grateful if Matthew Prince / eastdakota commented on this sales tactic, because it's obvious that some sales EVP at some point in time said "When Trust & Safety flags a customer for bandwidth reasons, we need to try to upsell them before T&S can review and make a determination for the account", which seems incredibly bad manners with how often CF speaks about their anti-"bandwidth rent seeking" philosophy[1].

0: https://community.cloudflare.com/t/the-way-you-handle-bandwi...

1: https://blog.cloudflare.com/aws-egregious-egress

it's only a bait and switch if you pay for something that they then pull out from under you. this is just called a free trial

Last I checked AWS has the same limitation. One workaround is creating a separate sub-zone and giving access only to that to whatever you need. But for a "cheap homelab" solution, that's gonna cost you a bit more per month.

I created an account just to comment on this: I tell you something, you are "throwing shade" on the author - even if this is a "kid", were you born and immediately started to invent (insert complex tech) from scratch? This guy did a nice job and wanted to share his work with us and appearently many others appreciate it and thus it ended up on the front page. Comments which's only intention is to make some other's work smaller and seemingly "unworthy" are just sad and unnecessary.

If you set {proxied: false} - it'll resolve to your IP directly.

router to provider network

Thanks for that, I agree.

From the discussions I've read, it's not as clear cut, e.g.:

https://old.reddit.com/r/PleX/comments/152wfdh/can_i_use_a_c...

This is a small thing, but I think you should decouple providers in case shit hits the fan with one of them.

Let Cloudflare do DNS, let your registrar be a registrar.

Not a web browser, the client has to install cloudflared to connect. It's pretty much exactly the Tailscale feature, but clunkier.

https://developers.cloudflare.com/cloudflare-one/connections...

could you not retrieve your ipv6 directly from the system?

My email is jgc@cloudflare.com. You can email me about this.

Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Can it be done? Sure. But do I want to spend money on this for my home lab if I can work around it? Not a chance.

I'm kinda sensitive to the "MITM as a service" argument, but for my use case, it's not a problem.

Parent did not say it was challenging.

I find fiddling with LE tedious because it has to be repeated too often.

so public server via http only then?

This depends. The point of TLS is to protect your application from hostile networks. Cloudflare hasn't proven hostile yet.

Interesting! also asked Claude Opus:

Using the same provider for both domain registration and DNS hosting can introduce several risks. Here are some of the main risks and ways to mitigate them:

1. Single point of failure: If the provider experiences an outage or security breach, both your domain registration and DNS hosting could be affected simultaneously. This can cause your website or services to become unavailable. Mitigation: Consider using separate providers for domain registration and DNS hosting to reduce the impact of a single provider's issues.

2. Provider lock-in: Some providers make it difficult to transfer your domain or DNS management to another provider, leaving you dependent on their services. Mitigation: Choose a provider that allows easy domain transfers and supports standard DNS management protocols like EPP (Extensible Provisioning Protocol). Familiarize yourself with the transfer process before committing to a provider.

3. Security vulnerabilities: If the provider's security measures are inadequate, attackers may be able to gain unauthorized access to your domain and DNS settings, potentially leading to domain hijacking or DNS tampering. Mitigation: Select a reputable provider with strong security practices, such as two-factor authentication, IP restrictions, and regular security audits. Enable additional security features like DNSSEC (Domain Name System Security Extensions) to protect against DNS spoofing.

4. Lack of redundancy: Relying on a single provider for both domain registration and DNS hosting means you don't have a backup if that provider experiences issues. Mitigation: Consider using secondary DNS services from a different provider to ensure redundancy and failover capabilities.

5. Limited control and flexibility: Some providers may offer limited control over your DNS settings or have restrictions on the types of records you can configure. Mitigation: Opt for a provider that offers a comprehensive and user-friendly DNS management interface with support for various record types and advanced features like GeoDNS or failover.

To further mitigate risks, consider the following best practices:

1. Keep your domain registration and DNS hosting accounts secure with strong, unique passwords and enable two-factor authentication.

2. Regularly monitor your domain and DNS settings for any unauthorized changes.

3. Keep your contact information up to date with your domain registrar to ensure you receive important notifications and can respond promptly to any issues.

4. Familiarize yourself with the domain transfer process and keep backups of your DNS configuration to ease migration to another provider if needed.

5. Choose reputable providers with a track record of reliability, security, and customer support.

By being aware of these risks and implementing appropriate mitigation measures, you can minimize the potential impact of using the same provider for domain registration and DNS hosting.

I asked Perplexity: Using the same provider for both domain registration and DNS hosting can present several risks. Here are the primary risks and ways to mitigate or prevent them:

## Risks

1. *Single Point of Failure*: - If the provider experiences an outage, both your domain registration and DNS services could be affected, leading to downtime for your website and email services[2].

2. *Security Vulnerabilities*: - Using a single provider increases the risk of DNS hijacking, DNS cache poisoning, and other DNS attacks if the provider's security is compromised[3][4].

3. *Limited DNS Features*: - Some domain registrars that offer DNS services may not provide advanced DNS features like DNSSEC, Anycast, or DDoS protection, which are crucial for security and performance[2][5].

4. *Vendor Lock-in*: - It may be more challenging to transfer your domain or DNS services to another provider if both are managed by the same company, potentially leading to higher costs or service disruptions[1].

## Mitigation Strategies

1. *Use DNSSEC*: - Implement DNSSEC (Domain Name System Security Extensions) to protect against DNS hijacking and cache poisoning. DNSSEC adds a layer of security by enabling DNS responses to be verified using digital signatures[3][4].

2. *Redundancy and Backup*: - Use secondary DNS providers to ensure redundancy. This way, if your primary DNS provider experiences an outage, the secondary provider can handle DNS queries, minimizing downtime[2][5].

3. *Choose a Reputable Provider*: - Select a provider that specializes in DNS services and offers robust security features, including DDoS mitigation, Anycast networks, and DNSSEC. This ensures that you are using the latest DNS technologies and security measures[2][7].

4. *Regular Security Audits*: - Conduct regular security audits of your DNS configurations and keep your DNS software updated to protect against vulnerabilities and exploits[7].

5. *Enable Two-Factor Authentication (2FA)*: - Use 2FA for accessing your domain and DNS management interfaces to prevent unauthorized access. Additionally, consider IP whitelisting to restrict access to trusted IP addresses only[3][5].

6. *Client Lock*: - Utilize client lock features provided by your registrar to prevent unauthorized changes to your DNS records without approval from a specific individual within your organization[3][5].

By implementing these strategies, you can significantly reduce the risks associated with using the same provider for domain registration and DNS hosting, ensuring better security, reliability, and performance for your online services.

Sources [1] Everything About Website Domain Registration : Best Practices And ... https://monsterhost.com/everything-about-website-domain-regi... [2] Should you keep your DNS management and domain registration ... https://blog.dnsimple.com/2015/03/benefits-and-drawbacks-of-... [3] What is DNS Hijacking and Mitigation Methods - GlobalDots https://www.globaldots.com/resources/blog/what-is-dns-hijack... [4] DNS Attacks: Tutorial & Prevention Best Practices - Catchpoint https://www.catchpoint.com/dns-monitoring/dns-attack [5] How to Prevent DNS Attacks: DNS Security Best Practices https://www.esecurityplanet.com/networks/how-to-prevent-dns-... [6] Unraveling the roles of domain registrars and web hosting providers https://www.godaddy.com/resources/skills/roles-of-domain-reg... [7] Top Five DNS Security Attack Risks and How to Avoid Them | Blog https://www.humanize.security/blog/cyber-awareness/top-five-...

I found it easier to use ssh over websocat over cloudflared. Then you just need websocat again on clientside and can use regular ssh client with it

Just seeing this. Yeah, you're technically right. But I never sit at my headless boxes. I SSH to them and then from there could SSH Jump if I really needed to use SSH out of those boxes.

Also I wouldn't use Cloudflare Tunnels so this is a moot point.

Ugh, same. You’re right. Nothing is safe at Google or even a safe bet with Google. Look at third-party cookies. I can’t believe there isn’t outrage in the streets over the fact that they beat that drum for four straight years and now they suddenly have a change of heart.

At some point their rationale has to become irrelevant. It’s simply unprofessional behavior.

May I inquire who you're moving to, and where I might browse to in order to follow you away from Squarespace / Google Domains? :)

This is how I ended up on Cloudflare. Burn by Google yet again.

True but there is no such thing as zero maintenance

Which is neatly abstracted away so you don’t have to think about it unless you want to. And therefore reaching out to an external server and having it say where the request came from is the path of least resistance for a script that can work across different hosts with minimal machine specific configuration.

Listen, if you want to check the IPv6 address from the interface list go ahead I’m not trying to stop you.

But because I anyway need to reach a third party to know my own IPv4 address then yeah when that third party can also tell me IPv6 address I’m gonna do it that way.

That requires running it on the router/device which gets the public IP address. By using the service you can update your DNS IP address on a system that is behind the router.

i.e., an arbitrarily-selected interface capable of reaching Cloudflare.

You don't necessarily need to do that, Cloudflare can generate you a long-lived certificate to install on your origin server which isn't publicly trusted but is trusted by their proxies, so it works with Strict TLS. YMMV with other CDNs though, you might need to fall back to using LE with a DNS challenge in some cases.

https://developers.cloudflare.com/ssl/origin-configuration/o...

Not true. I have a CF rule that matches . well-known/acme-challenge and sets SSL off. The main setting is on full strict but the rule disables the auto redirect to https and the strict checking so an acme client behind a CF tunnel can bootstrap a cert with the HTTP-01 method.

It happened that the last S changed from "stupid" to "secure". If I use HTTPS I can safely enough connect to my home services through an open cafe Wifi, for example

That wouldn't work for this use case though would it? AWS doesn't allow downloading the certificate (I could be wrong)? Typically certificates can only be used with other AWS services. E.g. you can't download the certificate and serve it from a home server.

We're talking ipv6 not ipv4

I'll agree to disagree :)

Nating in the context of ipv6 is not a common thing. It is the exception, while it's the rule for ipv4