Friday, January 18, 2019

dynv6.com: IPv6 dynamic DNS done right

Sometimes, your home PC or router does not have a static IP address. In this case, if you want to access your home network remotely, a common solution is to use a dynamic DNS provider, and configure your router to update its A record (a DNS record that holds an IPv4 address) each time the external address changes. Then you can be sure that your domain name always points to the current external IPv4 address of the router.

For accessing PCs behind the router, some trickery is needed, because usually there is only one public IPv4 address available for the whole network. Therefore, the router performs network address translation (NAT), and home PCs are not directly reachable. So, you have to either use port forwarding, or a full-blown VPN. Still, you need only one dynamic DNS record, because there is only one dynamic IP — the external IP of your router, and that's where you connect to.

Enter the IPv6 world. There is no NAT anymore: the ISP allocates a whole /64 (or maybe larger) prefix for your home network(s), and every home PC becomes reachable using its individual IPv6 address. Except that now all addresses are dynamic. With the Rostelecom ISP in Yekaterinburg, Russia, they are dynamic even if you order a static IP address, i.e. only IPv4 is static then, and there is no way to get a statically allocated IPv6 network.

A typical IPv6 network has a prefix length of 64. This means that the first 64 bits denote the network and are assigned (dynamically) by the ISP, while the lower 64 bits refer to the host and do not change when the ISP assigns a new prefix. Often but not always, the host part is just the MAC address with the second-lowest bit in the first octet inverted, and ff:fe inserted into the middle. This mechanism is often called EUI-64. For privacy reasons, typically there are also other short-lived IPv6 addresses on the interface, but let's ignore them.

Unfortunately, many dynamic DNS providers have implemented their IPv6 support equivalently to IPv4, even though it does not really make sense. That is, a dynamic DNS client can update its own AAAA record using some web API call, and that's it. If you run a dynamic DNS client on the router, then only the router's DNS record is updated, and there is still no way to access home PCs individually, short of running DynDNS clients on all of them. In other words, the fact that the addresses in the LAN are, in fact, related, and should be updated as a group, is usually completely ignored.

The dynv6.com dynamic DNS provider is a pleasant exception. After registration, you get a third-level domain corresponding to your home network. You can also add records to that domain, corresponding to each of your home PCs. And while doing so, you can either specify the full IPv6 address (as you can do with the traditional dynamic DNS providers), or only the host part, or the MAC address. The ability to specify only the host part (or infer it from the MAC address) is what makes their service useful. Indeed, if the parent record (corresponding to your whole network) changes, then its network part is reapplied to all host records that don't specify the network part of their IPv6 address explicitly. So, you can run only one dynamic DNS client on the router, and get domain names corresponding to all of your home PCs.

Let me illustrate this with an example.

Suppose that your router has obtained the following addresses from the ISP:

2001:db8:5:65bc:d0a2:1545:fbfe:d0b9/64 for the WAN interface
2001:db8:b:9a00::/56 as a delegated prefix

Then, it will (normally) use 2001:db8:b:9a00::1/64 as its LAN address, and PCs will get addresses from the 2001:db8:b:9a00::/64 network. You need to configure the router to update the AAAA record (let's use example.dynv6.net) with its LAN IPv6 address. Yes, LAN (and many router firmwares, including OpenWRT, get it wrong by default), because the WAN IPv6 address is completely unrelated to your home network. Then, using the web interface, create some additional AAAA records under the example.dynv6.net domain:

desktop AAAA ::0206:29ff:fe6c:f3e5   # corresponds to MAC address 00:06:29:6c:f3:e5
qemu AAAA ::5054:00ff:fe12:3456   # corresponds to MAC address 52:54:00:12:34:56

Or, you could enter MAC addresses directly.

As I have already mentioned, the beauty of dynv6.com is that it does not interpret these addresses literally, but prepends the proper network part. That is, name resolution would actually yield reachable addresses:

example.dynv6.net. AAAA 2001:db8:b:9a00::1   # The only record that the router has to update
desktop.example.dynv6.net. AAAA 2001:db8:b:9a00:206:29ff:fe6c:f3e5   # Generated
qemu.example.dynv6.net. AAAA 2001:db8:b:9a00:5054:ff:fe12:3456    # Also generated

And you can, finally, connect remotely to any of those devices.
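
The EUI-64 derivation and the prefix reapplication described above, as an added example (this is not dynv6.com's code or the author's). The function names are hypothetical, the second prefix in the demo loop is constructed, and keeping a full address unchanged follows the article's description of records that specify their network part explicitly.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.IGNORECASE)
LOW64 = (1 << 64) - 1

def eui64_from_mac(mac):
    """Modified EUI-64 interface identifier (low 64 bits) for a 48-bit MAC."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    b = bytes.fromhex(re.sub(r"[:-]", "", mac))
    # Flip the 0x02 bit of the first octet and insert ff:fe into the middle.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def expand_record(router_lan, value):
    """Address a host record resolves to, given the router's LAN address/64.

    value may be a MAC, a host part such as '::0206:29ff:fe6c:f3e5', or a
    full address; a full address (non-zero upper 64 bits) is kept unchanged.
    """
    net = ipaddress.IPv6Interface(router_lan).network
    if net.prefixlen != 64:
        raise ValueError("expected a /64 LAN prefix")
    if MAC_RE.match(value):
        host = eui64_from_mac(value)
    else:
        addr = int(ipaddress.IPv6Address(value))
        if addr >> 64:  # network part given explicitly: do not rewrite it
            return ipaddress.IPv6Address(addr)
        host = addr & LOW64
    return ipaddress.IPv6Address(int(net.network_address) | host)

def expand_zone(router_lan, records):
    """Expand every host record of the zone against the current LAN prefix."""
    return {name: str(expand_record(router_lan, v)) for name, v in records.items()}

# Records from the article; qemu is entered as a MAC instead of a host part.
RECORDS = {"desktop": "::0206:29ff:fe6c:f3e5", "qemu": "52:54:00:12:34:56"}

if __name__ == "__main__":
    # First prefix is the article's; the second is constructed to show a prefix change.
    for lan in ("2001:db8:b:9a00::1/64", "2001:db8:c:1200::1/64"):
        print(lan, expand_zone(lan, RECORDS))
```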

9 comments:

Unknown said...

Hi Alexander,

I am planning to set up dynv6 on my Raspberry Pi but I don't see any HOW-TO on their (dynv6) website. Would you happen to have a guide to this?

Thanks.

Alexander E. Patrakov said...

Make sure your Raspberry Pi has a global IPv6 address.

Register on the dynv6.com website, add a zone. Then install ddclient. Then copy-paste the ddclient configuration from the "Instructions" tab to /etc/ddclient.conf. Don't forget to append "use=if, if=eth0" (well, not eth0, but whatever the interface is called) before your domain name.

This script should also work as an alternative to ddclient: https://gist.github.com/corny/7a07f5ac901844bd20c9

There are many other "dynamic dns update" projects.

Unknown said...

Your examples above:
"desktop AAAA ::0206:29ff:fe6c:f3e5 # corresponds to MAC address 00:06:29:6c:f3:e5
qemu AAAA ::5054:00ff:fe12:3456 # corresponds to MAC address 52:54:00:12:34:56"
either have typos or I don't understand how you arrived at these numbers. I can be slow on the uptake sometimes, so I'm not ruling that out.

Alexander E. Patrakov said...

The IPv6 address is derived from the MAC address, with the bit 0x02 in the upper byte flipped. This has been done because in MAC addresses that are assigned manually (and not from the factory) this bit should be up, and would stand as a sore thumb in the generated IPv6 addresses if they start with 02:00:00.

See https://networklessons.com/ipv6/ipv6-eui-64-explained

Unknown said...

Thank you for taking the time to enlighten me, and for the link, Mr. Patrakov.

Joe said...

I think it is even cleaner and easier to understand to update the ipv6 prefix directly using the corresponding parameter offered by dynv6.com. Of course the router needs to support this. Why would the default host always point to the router itself? You would like to forward it as well.

Alexander E. Patrakov said...

Joe, of course you are right. Even worse, nowadays updating the default device IPv6 address does not update the prefix associated with the domain. So, for OpenWRT, here is the correct setting (which is not the same as the default):

option update_url 'https://dynv6.com/api/update?hostname=[DOMAIN]&token=[PASSWORD]&ipv6=[IP]/64'

The stuff in the square brackets is something that you should still enter literally, these placeholders will be automatically expanded by ddns-scripts.

Unknown said...

Very informative article, thanks Alexander.

I'm just curious to know how secure the communications are. I believe IPSec is an optional part of IPv6, but I'm not sure how to implement it in this scenario.

Alexander E. Patrakov said...

IPSec is inapplicable here. The dynv6 update endpoint is secured by HTTPS.