diff --git a/CHANGELOG.markdown b/CHANGELOG.markdown index 11f14af9..d474e38b 100644 --- a/CHANGELOG.markdown +++ b/CHANGELOG.markdown 
@@ -1,3 +1,28 @@ +# [1.15.0](https://github.com/favonia/cloudflare-ddns/compare/v1.14.2...v1.15.0) (2024-10-01) + +This is a major release with many improvements: + +1. **New `CLOUDFLARE_*` variables**: Cloudflare is transitioning its tools to use the new prefix `CLOUDFLARE_*`. Therefore, the updater now accepts `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_API_TOKEN_FILE`. The old `CF_API_TOKEN` and `CF_API_TOKEN_FILE` will still be fully supported until 2.0.0, then deprecated (but still supported) until 3.0.0. +2. **Improved custom IP providers**: The updater now forces IPv4 or IPv6 when connecting to custom IP providers `url:`. This solves a long-standing issue where custom providers couldn't be used on dual-stack machines supporting both IPv4 and IPv6. This enforcement ensures predictable IPv4/IPv6 detection on such machines. +3. **Stricter IP validation**: The updater now rejects unusual IP addresses for updating DNS records, such as link-local addresses or IPv4-mapped IPv6 addresses for AAAA records. These addresses are unsuitable and may cause trouble. +4. **Experimental support of using a network interface’s IP address** (not finalized until 1.16.0): Experimental support lets you use the address assigned to a specific network interface, bypassing the routing table used by the `local` provider. The syntax for this feature is under development and will not be finalized until 1.16.0. Please refer to [README](./README.markdown) and join the discussion on [GitHub issue #713](https://github.com/favonia/cloudflare-ddns/issues/713) if you are interested. + +As a reminder, since 1.13.0, **the updater no longer drops superuser privileges and `PUID` and `PGID` are ignored.** Please use Docker’s built-in mechanism to drop privileges. The old Docker Compose template may grant unneeded privileges to the new updater, which is not recommended. Please review the new, simpler, and more secure template in [README](./README.markdown). 
In a nutshell, **remove the `cap_add` attribute and replace the environment variables `PUID` and `PGID` with the [`user: "UID:GID"` attribute](https://docs.docker.com/reference/compose-file/services/#user)**. Similar options may exist for systems not using Docker Compose. + +### Bug Fixes + +- **ipnet:** reject IPv4-mapped IPv6 addresses for updating IPv6 records ([#936](https://github.com/favonia/cloudflare-ddns/issues/936)) ([be5b3a7](https://github.com/favonia/cloudflare-ddns/commit/be5b3a7232225d5d9db251357e0caa1326a57aba)) +- **ipnet:** tighten the checking of IP addresses ([#942](https://github.com/favonia/cloudflare-ddns/issues/942)) ([640d30b](https://github.com/favonia/cloudflare-ddns/commit/640d30b1a3d6aa91479391766d90a977e002d84c)) +- **pp:** print blank lines to separate each round of updating ([#958](https://github.com/favonia/cloudflare-ddns/issues/958)) ([0a6c71b](https://github.com/favonia/cloudflare-ddns/commit/0a6c71beeb8cf3bb507f9da3862725441e6f90b7)) +- **provider:** fix the name and messages of custom URL providers ([#940](https://github.com/favonia/cloudflare-ddns/issues/940)) ([2d95d69](https://github.com/favonia/cloudflare-ddns/commit/2d95d69290bb406f6d006e5651613d120de195e5)) +- **provider:** force IPv4/IPv6 for custom URL providers ([#939](https://github.com/favonia/cloudflare-ddns/issues/939)) ([3e80358](https://github.com/favonia/cloudflare-ddns/commit/3e803584db697ff9d89581f5e79df79465dc6521)) +- **updater:** actively close idle connections for IP detection ([#943](https://github.com/favonia/cloudflare-ddns/issues/943)) ([05cbf7e](https://github.com/favonia/cloudflare-ddns/commit/05cbf7e1239fac3197d93c9322dadd92fd8d3609)) + +### Features + +- **config:** accept `CLOUDFLARE_*` and all compatible token settings ([#948](https://github.com/favonia/cloudflare-ddns/issues/948)) ([4fc883c](https://github.com/favonia/cloudflare-ddns/commit/4fc883c45cb3068572d0fa55740ecd338c4ccd4f)) +- **provider:** get IP from a specific network interface 
([#941](https://github.com/favonia/cloudflare-ddns/issues/941)) ([69f8cf2](https://github.com/favonia/cloudflare-ddns/commit/69f8cf2f62c533cffb7652fe6377f7a6ba8959cb)) ([#947](https://github.com/favonia/cloudflare-ddns/issues/947)) ([4518fac](https://github.com/favonia/cloudflare-ddns/commit/4518faca43c375545ee3dd6828b571b327579b6b)) + # [1.14.2](https://github.com/favonia/cloudflare-ddns/compare/v1.14.1...v1.14.2) (2024-09-13) This is an urgent hotfix that resolves a nil pointer dereference issue introduced in version 1.14.1. diff --git a/README.markdown b/README.markdown index 6234cfb3..cce9c84a 100644 --- a/README.markdown +++ b/README.markdown 
@@ -314,14 +314,14 @@ _(Click to expand the following items.)_ > 📡 Available IP address providers: > -> | Provider Name | Explanation | -> | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -> | `cloudflare.doh` | Get the IP address by querying `whoami.cloudflare.` against [Cloudflare via DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/dns-over-https). 🤖 The updater will connect `1.1.1.1` for IPv4 and `2606:4700:4700::1111` for IPv6. Since version 1.9.3, the updater will switch to `1.0.0.1` for IPv4 if `1.1.1.1` appears to be blocked or intercepted by your ISP or your router (which is still not uncommon). Since version 1.14.0, the blockage detection uses a variant of [the Happy Eyeballs algorithm](https://en.wikipedia.org/wiki/Happy_Eyeballs) to reduce delay. | -> | `cloudflare.trace` | Get the IP address by parsing the [Cloudflare debugging page](https://one.one.one.one/cdn-cgi/trace). **This is the default provider.** 🤖 The updater will connect `1.1.1.1` for IPv4 and `2606:4700:4700::1111` for IPv6. Since version 1.9.3, the updater will switch to `1.0.0.1` for IPv4 if `1.1.1.1` appears to be blocked or intercepted by your ISP or your router (which is still not uncommon). Since version 1.14.0, the blockage detection uses a variant of [the Happy Eyeballs algorithm](https://en.wikipedia.org/wiki/Happy_Eyeballs) to reduce delay. 
| -> | `local` | Get the IP address via local network interfaces and routing tables. The updater will use the local address that _would have_ been used for outbound UDP connections to Cloudflare servers. (No data will be transmitted.) ⚠️ The updater needs access to the host network (such as `network_mode: host` in Docker Compose) for this provider, for otherwise the updater will detect the addresses inside [the default bridge network in Docker](https://docs.docker.com/network/bridge/) instead of those in the host network. | -> | 🧪 `local.iface:` (since version 1.15.0) | 🧪 Get the IP address via the specific local network interface `iface`. The updater will choose the first global unicast IP address of the matching IP family (IPv4 or IPv6). ⚠️ The updater needs access to the host network (such as `network_mode: host` in Docker Compose) for this provider, for otherwise the updater cannot access host network interfaces. | -> | `url:` | Fetch the IP address from a URL. The provider format is `url:` followed by the URL itself. For example, `IP4_PROVIDER=url:https://api4.ipify.org` will fetch the IPv4 address from . Since version 1.15.0, the updater will enforce the matching protocol (IPv4 or IPv6) when connecting to the provided URL. Currently, only HTTP(S) is supported. | -> | `none` | Stop the DNS updating for the specified IP version completely. For example `IP4_PROVIDER=none` will disable IPv4 completely. Existing DNS records will not be removed. ⚠️ The IP addresses of the disabled IP version will be removed from WAF lists; so `IP4_PROVIDER=none` will remove all IPv4 addresses from all managed WAF lists. 🧪 As the support of WAF lists is experimental, this behavior is subject to changes and please [provide feedback](https://github.com/favonia/cloudflare-ddns/issues/new). 
| +> | Provider Name | Explanation | +> | ---------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +> | `cloudflare.doh` | Get the IP address by querying `whoami.cloudflare.` against [Cloudflare via DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/dns-over-https). 🤖 The updater will connect `1.1.1.1` for IPv4 and `2606:4700:4700::1111` for IPv6. Since version 1.9.3, the updater will switch to `1.0.0.1` for IPv4 if `1.1.1.1` appears to be blocked or intercepted by your ISP or your router (which is still not uncommon). Since version 1.14.0, the blockage detection uses a variant of [the Happy Eyeballs algorithm](https://en.wikipedia.org/wiki/Happy_Eyeballs) to reduce delay. | +> | `cloudflare.trace` | Get the IP address by parsing the [Cloudflare debugging page](https://one.one.one.one/cdn-cgi/trace). **This is the default provider.** 🤖 The updater will connect `1.1.1.1` for IPv4 and `2606:4700:4700::1111` for IPv6. Since version 1.9.3, the updater will switch to `1.0.0.1` for IPv4 if `1.1.1.1` appears to be blocked or intercepted by your ISP or your router (which is still not uncommon). Since version 1.14.0, the blockage detection uses a variant of [the Happy Eyeballs algorithm](https://en.wikipedia.org/wiki/Happy_Eyeballs) to reduce delay. | +> | `local` | Get the IP address via local network interfaces and routing tables. 
The updater will use the local address that _would have_ been used for outbound UDP connections to Cloudflare servers. (No data will be transmitted.) ⚠️ The updater needs access to the host network (such as `network_mode: host` in Docker Compose) for this provider, for otherwise the updater will detect the addresses inside [the default bridge network in Docker](https://docs.docker.com/network/bridge/) instead of those in the host network. | +> | 🧪 `local.iface:` (available since version 1.15.0 but not finalized until 1.16.0) | 🧪 Get the IP address via the specific local network interface `iface`. The updater will choose the first global unicast IP address of the matching IP family (IPv4 or IPv6). ⚠️ The updater needs access to the host network (such as `network_mode: host` in Docker Compose) for this provider, for otherwise the updater cannot access host network interfaces. | +> | `url:` | Fetch the IP address from a URL. The provider format is `url:` followed by the URL itself. For example, `IP4_PROVIDER=url:https://api4.ipify.org` will fetch the IPv4 address from . Since version 1.15.0, the updater will enforce the matching protocol (IPv4 or IPv6) when connecting to the provided URL. Currently, only HTTP(S) is supported. | +> | `none` | Stop the DNS updating for the specified IP version completely. For example `IP4_PROVIDER=none` will disable IPv4 completely. Existing DNS records will not be removed. ⚠️ The IP addresses of the disabled IP version will be removed from WAF lists; so `IP4_PROVIDER=none` will remove all IPv4 addresses from all managed WAF lists. 🧪 As the support of WAF lists is experimental, this behavior is subject to changes and please [provide feedback](https://github.com/favonia/cloudflare-ddns/issues/new). | 
@@ -429,18 +429,18 @@ _(Click to expand the following items.)_ ⚠️ [oznu/cloudflare-ddns](https://github.com/oznu/docker-cloudflare-ddns) relies on the insecure DNS protocol to obtain public IP addresses; a malicious hacker could more easily forge DNS responses and trick it into updating your domain with any IP address. In comparison, we use only verified responses from Cloudflare, which makes the attack much more difficult. See the [design document](docs/DESIGN.markdown) for more information on security. -| Old Parameter | | Note | -| -------------------------------------- | --- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `API_KEY=key` | ✔️ | Use `CLOUDFLARE_API_TOKEN=key` | -| `API_KEY_FILE=file` | ✔️ | Use `CLOUDFLARE_API_TOKEN_FILE=file` | -| `ZONE=example.org` and `SUBDOMAIN=sub` | ✔️ | Use `DOMAINS=sub.example.org` directly | -| `PROXIED=true` | ✔️ | Same (`PROXIED=true`) | -| `RRTYPE=A` | ✔️ | Both IPv4 and IPv6 are enabled by default; use `IP6_PROVIDER=none` to disable IPv6 | -| `RRTYPE=AAAA` | ✔️ | Both IPv4 and IPv6 are enabled by default; use `IP4_PROVIDER=none` to disable IPv4 | -| `DELETE_ON_STOP=true` | ✔️ | Same (`DELETE_ON_STOP=true`) | -| `INTERFACE=name` | ✔️ | To automatically select the local address, use `IP4/6_PROVIDER=local`. 🧪 To select the first address of a specific network interface, use `IP4/6_PROVIDER=local.iface:name` (available since version 1.15.0). | -| `CUSTOM_LOOKUP_CMD=cmd` | ❌ | Custom commands are not supported because there are no other programs in the minimal Docker image | -| `DNS_SERVER=server` | ❌ | The updater only supports secure DNS queries using Cloudflare’s DNS over HTTPS (DoH) server. To enable this, set `IP4/6_PROVIDER=cloudflare.doh`. 
| +| Old Parameter | | Note | +| -------------------------------------- | --- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `API_KEY=key` | ✔️ | Use `CLOUDFLARE_API_TOKEN=key` | +| `API_KEY_FILE=file` | ✔️ | Use `CLOUDFLARE_API_TOKEN_FILE=file` | +| `ZONE=example.org` and `SUBDOMAIN=sub` | ✔️ | Use `DOMAINS=sub.example.org` directly | +| `PROXIED=true` | ✔️ | Same (`PROXIED=true`) | +| `RRTYPE=A` | ✔️ | Both IPv4 and IPv6 are enabled by default; use `IP6_PROVIDER=none` to disable IPv6 | +| `RRTYPE=AAAA` | ✔️ | Both IPv4 and IPv6 are enabled by default; use `IP4_PROVIDER=none` to disable IPv4 | +| `DELETE_ON_STOP=true` | ✔️ | Same (`DELETE_ON_STOP=true`) | +| `INTERFACE=name` | ✔️ | To automatically select the local address, use `IP4/6_PROVIDER=local`. 🧪 To select the first address of a specific network interface, use `IP4/6_PROVIDER=local.iface:name` (available since version 1.15.0 but not finalized until 1.16.0). | +| `CUSTOM_LOOKUP_CMD=cmd` | ❌ | Custom commands are not supported because there are no other programs in the minimal Docker image | +| `DNS_SERVER=server` | ❌ | The updater only supports secure DNS queries using Cloudflare’s DNS over HTTPS (DoH) server. To enable this, set `IP4/6_PROVIDER=cloudflare.doh`. | @@ -467,3 +467,7 @@ _(Click to expand the following items.)_ ## 💖 Feedback Questions, suggestions, feature requests, and contributions are all welcome! Feel free to [open a GitHub issue](https://github.com/favonia/cloudflare-ddns/issues/new). + +## 📜 License + +The code is licensed under [Apache 2.0 with LLVM exceptions](./LICENSE). (The LLVM exceptions provide better compatibility with GPL 2.0 and other license exceptions.)
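Review bot: in the CHANGELOG hunk, item 1 of the 1.15.0 notes introduces `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_API_TOKEN_FILE` alongside the still-supported `CF_API_TOKEN` and `CF_API_TOKEN_FILE`, but does not say what the updater does when both the old and the new variable are set (which one wins, or whether differing values are rejected); a single sentence such as "If both are set, `CLOUDFLARE_API_TOKEN` takes precedence" or "both must agree" would prevent a surprise during migration. Item 3 names only two examples of the addresses that are now rejected (link-local, IPv4-mapped IPv6 for AAAA); since a rejected address means the record is not updated, listing the full set of rejected classes, or linking to #942 where the check is tightened, would let operators check their setups before upgrading.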
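Review bot: in the provider-table hunk, the `url:` row still reads "will fetch the IPv4 address from ." with nothing after "from", so the example URL was dropped; restore it (the same sentence already gives `https://api4.ipify.org`) or remove the trailing clause. The same row states that only HTTP(S) is supported but says nothing about plain `http://` providers; the README's later comparison with oznu/cloudflare-ddns warns that an insecure protocol lets forged responses redirect the domain, so a short note that an `http://` custom provider returns an unauthenticated address that an on-path party could alter would keep the document consistent with its own security argument. For the new `local.iface:` row, state what happens when the named interface has no global unicast address of the requested family (error, skip the round, or fall back to `local`), since the row only says which address is chosen when one exists.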
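Review bot: in the migration-table hunk, the `INTERFACE=name` row describes `local.iface:name` as selecting "the first address of a specific network interface", while the provider table earlier in this diff says "the first global unicast IP address of the matching IP family"; align the wording so a reader of the migration table does not expect link-local or other non-global addresses to be used. The parenthetical "(available since version 1.15.0 but not finalized until 1.16.0)" now appears in the CHANGELOG, the provider table and this row; consider pointing each occurrence at issue #713, as the CHANGELOG does, so the caveat stays in sync when the syntax is finalized.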
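Review bot: in the License hunk, the parenthetical "(The LLVM exceptions provide better compatibility with GPL 2.0 and other license exceptions.)" does not parse cleanly, since exceptions being compatible with "other license exceptions" is unclear; consider "better compatibility with GPL 2.0 and with projects that carry their own license exceptions", or drop the clause and let the linked file speak. Also confirm that `./LICENSE` exists at the repository root with the LLVM-exception text, as this diff touches only CHANGELOG.markdown and README.markdown and the new link would otherwise be dead.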