
route53-dynamic-dns's Introduction

Route53 Dynamic DNS


What is route53-dynamic-dns?

A lightweight CLI application written in Node.js that updates an Amazon Route53 hosted zone with your current public IP address on a scheduled interval. This project is a no-cost alternative to dynamic DNS services such as Dyn, No-IP, etc. It is designed to be simple and efficient, and runs in a Docker container or as a Node.js process.

Documentation

https://sjmayotte.dev/route53-dynamic-dns/

License

MIT

Route53 Dynamic DNS is licensed under the MIT License. A copy of the MIT License is included in this repository.

Attribution

The following 3rd-party software components may be used by or distributed with route53-dynamic-dns

FOSSA Status

route53-dynamic-dns's People

Contributors

ckotzbauer, dependabot[bot], fossabot, ismarslomic, issmirnov, jeanfabrice, sjmayotte


route53-dynamic-dns's Issues

certificate issue on https://diagnostic.opendns.com/myip

Hi,

Using the docker version of your program.

On 2019-08-20, got this error in my mail:

An error occurred that needs to be reviewed. Here are logs that are immediately available.

unable to verify the first certificate

Error: unable to verify the first certificate
    at TLSSocket.<anonymous> (_tls_wrap.js:1098:38)
    at emitNone (events.js:105:13)
    at TLSSocket.emit (events.js:207:7)
    at TLSSocket._finishInit (_tls_wrap.js:628:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:458:38)

Since then, the IP address does not seem to be updated anymore.
Here are the logs:

[2019-08-20T18:48:38.045] [INFO] default - HTTPS GET https://diagnostic.opendns.com/myip
[2019-08-20T18:48:38.156] [ERROR] default - { Error: unable to verify the first certificate
    at TLSSocket.<anonymous> (_tls_wrap.js:1098:38)
    at emitNone (events.js:105:13)
    at TLSSocket.emit (events.js:207:7)
    at TLSSocket._finishInit (_tls_wrap.js:628:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:458:38) code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
[2019-08-20T18:48:38.157] [INFO] default - Email notification already sent.  Suppressing email notification to avoid spamming admin.

curl'ing the OpenDNS endpoint gives:

$ curl -v https://diagnostic.opendns.com/myip
*   Trying 172.217.18.179...
* TCP_NODELAY set
* Connected to diagnostic.opendns.com (172.217.18.179) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

No clue why this error is popping just now, but it seems that the intermediate CA certificate (DigiCert SHA2 Secure Server CA) is neither present in the ca-certificates Alpine package, nor in the CA certificate chain sent back from diagnostics.opendns.com/myip. Confirmed by https://www.ssllabs.com/ssltest/analyze.html?d=diagnostic.opendns.com&s=172.217.6.83

This server's certificate chain is incomplete. Grade capped to B.

Does not seem to be directly related to your code. Consider using another IP check endpoint? Or add the intermediate CA to the container?

cheers

Updating AAAA record fails, grabs IPv4 address instead of IPv6

Hello, I am trying to use this container to update an AAAA record but am receiving the following errors:

} InvalidChangeBatch: [Invalid Resource Record: 'FATAL problem: AAAARRDATAIllegalIPv6Address (Value is not a valid IPv6 address) encountered with '73.151.xxx.xx'']
    at de_InvalidChangeBatchRes (/usr/src/app/node_modules/@aws-sdk/client-route-53/dist-cjs/protocols/Aws_restXml.js:5168:23)
    at de_ChangeResourceRecordSetsCommandError (/usr/src/app/node_modules/@aws-sdk/client-route-53/dist-cjs/protocols/Aws_restXml.js:1922:25)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /usr/src/app/node_modules/@smithy/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /usr/src/app/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:14:20
    at async /usr/src/app/node_modules/@smithy/middleware-retry/dist-cjs/retryMiddleware.js:27:46
    at async /usr/src/app/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26

Clearly, the container is trying to pull the IPv4 address rather than IPv6. I'm not sure how this container grabs the IPv4 address, but in the case that ROUTE53_TYPE=AAAA, it should grab the IPv6 address instead.

Perhaps there's an alternative IP checker that will return IPv6 that I'm not aware of?

aws6.env:

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_REGION=us-west-1
ROUTE53_HOSTED_ZONE_ID=
ROUTE53_DOMAIN=my.server.addr
ROUTE53_TYPE=AAAA
ROUTE53_TTL=60
UPDATE_FREQUENCY=60000
TZ=America/Los_Angeles
LOG_TO_STDOUT=true
IPCHECKER=ifconfig.co

docker-compose:

services:
  wg_ddns6:
    image: sjmayotte/route53-dynamic-dns:latest
    container_name: wg_ddns6
    env_file:
      - ./aws6.env

Running the container in network_mode: host appears to resolve this problem... but is there another way besides host networking?
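The mismatch reported above only surfaces when Route53 rejects the change batch. The following added example (not code from route53-dynamic-dns) checks the IP checker's response against `ROUTE53_TYPE` before any API call; `validateCheckerResponse` is a hypothetical helper and the addresses are constructed samples from the documentation ranges.

```javascript
const net = require('node:net');

// IP family that each supported record type must carry.
const FAMILY_FOR_TYPE = { A: 4, AAAA: 6 };

// Hypothetical pre-flight check: validate the body returned by the IP checker
// against the configured record type before anything is sent to Route53.
function validateCheckerResponse(recordType, body) {
  const type = String(recordType).toUpperCase();
  const required = FAMILY_FOR_TYPE[type];
  if (!required) {
    return { ok: false, reason: `unsupported record type: ${recordType}` };
  }
  const candidate = String(body).trim();
  // net.isIP returns 4 or 6 for a valid address and 0 for anything else,
  // so error pages or truncated responses never reach the DNS record.
  const family = net.isIP(candidate);
  if (family === 0) {
    return { ok: false, reason: 'checker response is not an IP address' };
  }
  if (family !== required) {
    return {
      ok: false,
      reason: `${type} record requires an IPv${required} address, but the checker returned IPv${family}`,
    };
  }
  return { ok: true, ip: candidate };
}

// Constructed sample responses (documentation address ranges, not real hosts).
const samples = [
  ['AAAA', '2001:db8::1\n'],
  ['AAAA', '203.0.113.7\n'],
  ['A', '203.0.113.7'],
  ['A', '<html>502 Bad Gateway</html>'],
];
for (const [type, body] of samples) {
  console.log(type, JSON.stringify(validateCheckerResponse(type, body)));
}
```

A failed check here points at the container's network path (no IPv6 route to the checker) rather than at the Route53 configuration.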

Case sensitive documentation issue on Docker Hub page

The Docker Hub page contains text like "LOG_TO_STDOUT=True is recommended...", using True and False instead of true and false. The uppercase examples will not work and cause an exception with the JSON parser.

Provide a Docker Health Check Mechanism

It would be great if this container could provide some sort of docker health check mechanism that would verify the container is up, able to speak to AWS, successfully authenticating, etc... I have a health check command configured on all of my other containers but can't figure out a great way to implement one for this one.

Feature request

Is it possible to add the ability to set more than 1 domain (same IP)?

I have several A records I need to update when my public IP changes.

Last-Known-IP.log conflict with running as alternate user

I'm using the project in a docker container and it is working well except for one issue. I'd like to run the container as a different user as the default is user 1000 which is a real user account on my server. I also don't want to run the container as root. Because of this, the application does not have access to Last-Known-IP.log and even if I mount that file via docker, that also causes an issue because it cannot be removed on startup.

To fix this, it would be nice if Last-Known-IP.log was saved to /tmp (or to a log subdirectory) or the command chmod 777 /usr/src/app was added during build so that any user can save the log file. If either of these are acceptable, I'll happily make a PR to make the change.

Thanks for the project!

Not possible to specify wildcard and base domain at the same time.

I have a wildcard cert and an A record for the domain itself. In the docker container I can only update one. My config looks like:
environment:

      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_REGION=${AWS_REGION}
      - ROUTE53_HOSTED_ZONE_ID=${ROUTE53_HOSTED_ZONE_ID}
      - ROUTE53_DOMAIN=*.${DOMAIN}
      - ROUTE53_TYPE=A
      - ROUTE53_TTL=60
      - UPDATE_FREQUENCY=60000

The manual for ROUTE53_DOMAIN calls for:
ROUTE53_DOMAIN string AWS Route53 FQDN; ex: "home.example.com"
It'd be great if it was a comma delimited list of domains so I could specify *.${DOMAIN},${DOMAIN}

Migrate AWS SDK to v3

After upgrading the aws-sdk dependency to v2.1314.0, the following message is displayed in the console log:

ddns-route53  | (node:1) NOTE: The AWS SDK for JavaScript (v2) will be put into maintenance mode in 2023.
ddns-route53  | 
ddns-route53  | Please migrate your code to use AWS SDK for JavaScript (v3).
ddns-route53  | For more information, check the migration guide at https://a.co/7PzMCcy

The migration to v3 seems pretty straightforward, so I can fix this! I also want to take the opportunity to replace the use of callbacks (to avoid callback hell) with promises, and to move the AWS service calls into a separate file to make the code in server.js more readable.

Add minimum AWS IAM policy to README

I've got this running successfully, and found that the following IAM policy reflects the minimum permissions required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "route53:TestDNSAnswer",
            "Resource": "*"
        }
    ]
}

I think it might be worthwhile to add this to the README to help others.
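The write statement in the policy above applies to every hosted zone in the account. The following added example (not code from route53-dynamic-dns) flags that statement and derives a copy limited to one zone and to named records, using the IAM condition keys `route53:ChangeResourceRecordSetsNormalizedRecordNames` and `route53:ChangeResourceRecordSetsRecordTypes`; the function names are hypothetical and the zone ID is a placeholder.

```javascript
// Policy from the issue above, copied as posted.
const issuePolicy = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'VisualEditor0', Effect: 'Allow',
      Action: 'route53:ChangeResourceRecordSets',
      Resource: 'arn:aws:route53:::hostedzone/*' },
    { Sid: 'VisualEditor1', Effect: 'Allow',
      Action: 'route53:TestDNSAnswer', Resource: '*' },
  ],
};

const WRITE = 'route53:ChangeResourceRecordSets';
const asList = (v) => [].concat(v);

// Sids of Allow statements that permit record changes in every hosted zone.
function findUnscopedZoneWrites(policy) {
  return policy.Statement
    .filter((st) => st.Effect === 'Allow' && asList(st.Action).includes(WRITE))
    .filter((st) => asList(st.Resource).some((r) => r === '*' || r.endsWith('hostedzone/*')))
    .map((st) => st.Sid);
}

// The NormalizedRecordNames condition key expects names in normalized form:
// lower case, no trailing dot, and characters outside a-z 0-9 - _ . written
// as three-digit octal escapes (so "*" becomes "\052").
function normalizeRecordName(name) {
  return name.toLowerCase().replace(/\.$/, '')
    .replace(/[^a-z0-9._-]/g, (c) => '\\' + c.charCodeAt(0).toString(8).padStart(3, '0'));
}

// Return a copy of the policy whose write statement is limited to one hosted
// zone and to the listed record names and types.
function scopePolicy(policy, { hostedZoneId, recordNames, recordTypes }) {
  const Statement = policy.Statement.map((st) => {
    if (!asList(st.Action).includes(WRITE)) return st;
    return {
      ...st,
      Resource: `arn:aws:route53:::hostedzone/${hostedZoneId}`,
      Condition: { 'ForAllValues:StringEquals': {
        'route53:ChangeResourceRecordSetsNormalizedRecordNames': recordNames.map(normalizeRecordName),
        'route53:ChangeResourceRecordSetsRecordTypes': recordTypes,
      } },
    };
  });
  return { ...policy, Statement };
}

// Constructed sample values: the zone ID is a placeholder, not a real zone.
const scoped = scopePolicy(issuePolicy, {
  hostedZoneId: 'Z0000000EXAMPLE',
  recordNames: ['home.example.com.', '*.example.com'],
  recordTypes: ['A'],
});
console.log(JSON.stringify(scoped, null, 2));
```

With the scoped policy, leaked container credentials can only rewrite the listed records instead of any record in any zone of the account.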

disable email

It appears to be impossible to prevent the sending of emails from happening, even though the documentation hints that SEND_EMAIL_SES would do that.

The only workaround I know was to give the IAM user no permission to send emails.

Issues with armv7l

Hi, very much love this app!

I just tried to get it running on my raspi (32bit, otherwise ZFS won't work 😞 ) and got the following errors (both when using your prebuilt docker image with armv7 and docker build .)

...
Step 9/14 : RUN npm install
 ---> Running in 5f41f199dfa9


#
# Fatal error in , line 0
# unreachable code
#
#
#
#FailureMessage Object: 0xbed8962c

Might totally not be related to this app, I will try to figure out what's going on.

Edit: Running npm install and npm start locally shows no issues, maybe it is an issue with the alpine base image?

Update/rebuild Docker Image to resolve vulnerabilities

The docker image, at this point, is 13 months old. As such, there are a large number of vulnerabilities in packages installed in the image. While not absolutely critical as this doesn't serve up any endpoints, can we get a new build. Bonus points for a regular rebuild via GH Actions - I'd be willing to help set this up. :)

 ✔ Cataloged packages      [596 packages]
 ✔ Scanned image           [50 vulnerabilities]

NAME                  INSTALLED   FIXED-IN    TYPE    VULNERABILITY        SEVERITY 
ansi-regex            5.0.0       5.0.1       npm     GHSA-93q8-gq69-wqmw  High      
ansi-regex            3.0.0       3.0.1       npm     GHSA-93q8-gq69-wqmw  High      
async                 1.5.2                   npm     CVE-2021-43138       High      
base                  0.11.2                  npm     CVE-2009-4591        High      
base                  0.11.2                  npm     CVE-2009-4590        Medium    
base                  0.11.2                  npm     CVE-2009-4592        High      
base                  0.11.2                  npm     CVE-2014-2980        Medium    
busybox               1.33.1-r6   1.33.1-r7   apk     CVE-2022-28391       High      
decode-uri-component  0.2.0                   npm     CVE-2022-38900       High      
decode-uri-component  0.2.0       0.2.1       npm     GHSA-w573-4hg7-7wgq  Low       
glob-parent           3.1.0       5.1.2       npm     GHSA-ww39-953v-wcq6  High      
json5                 1.0.1       2.2.2       npm     GHSA-9c47-m6qq-7p4h  High      
libcrypto1.1          1.1.1l-r0               apk     CVE-2021-4160        Medium    
libcrypto1.1          1.1.1l-r0   1.1.1q-r0   apk     CVE-2022-2097        Medium    
libcrypto1.1          1.1.1l-r0   1.1.1n-r0   apk     CVE-2022-0778        High      
libretls              3.3.3p1-r2  3.3.3p1-r3  apk     CVE-2022-0778        High      
libssl1.1             1.1.1l-r0   1.1.1n-r0   apk     CVE-2022-0778        High      
libssl1.1             1.1.1l-r0               apk     CVE-2021-4160        Medium    
libssl1.1             1.1.1l-r0   1.1.1q-r0   apk     CVE-2022-2097        Medium    
log4js                6.3.0       6.4.0       npm     GHSA-82v2-mx6x-wq7q  Medium    
minimatch             3.0.4       3.0.5       npm     GHSA-f8q6-p94x-37v3  High      
minimist              1.2.5       1.2.6       npm     GHSA-xvch-5gv4-984h  Critical  
node                  16.13.0                 binary  CVE-2021-44533       Medium    
node                  16.13.0                 binary  CVE-2022-21824       High      
node                  16.13.0                 binary  CVE-2022-32223       High      
node                  16.13.0                 binary  CVE-2022-0778        High      
node                  16.13.0                 binary  CVE-2022-32212       High      
node                  16.13.0                 binary  CVE-2022-32213       Medium    
node                  16.13.0                 binary  CVE-2021-44532       Medium    
node                  16.13.0                 binary  CVE-2022-32214       Medium    
node                  16.13.0                 binary  CVE-2022-32215       Medium    
node                  16.13.0                 binary  CVE-2021-44531       High      
node                  16.13.0                 binary  CVE-2022-35255       Critical  
node                  16.13.0                 binary  CVE-2022-35256       Critical  
node                  16.13.0                 binary  CVE-2022-43548       High      
npm                   8.1.0       8.11.0      npm     GHSA-hj9c-8jmm-8c52  High      
npm                   8.1.0                   npm     CVE-2021-43616       Critical  
npm                   8.1.0                   npm     CVE-2022-29244       High      
opener                1.5.2                   npm     CVE-2021-27498       High      
opener                1.5.2                   npm     CVE-2021-27500       High      
opener                1.5.2                   npm     CVE-2021-27478       High      
opener                1.5.2                   npm     CVE-2021-27482       High      
ssl_client            1.33.1-r6   1.33.1-r7   apk     CVE-2022-28391       High      
zlib                  1.2.11-r3   1.2.12-r2   apk     CVE-2022-37434       Critical  
zlib                  1.2.11-r3   1.2.12-r0   apk     CVE-2018-25032       High   

Unable to load environment variables from .env file

Everything was cool until I pulled the latest update. Now when attempting to start the container I just get:

[2021-02-18T15:53:05.144] [INFO] default - Unable to load environment variables from .env file.  Process is likely running in a container.  Make sure you pass environment variables when starting container.
[2021-02-18T15:53:05.145] [ERROR] default - Error: ENOENT: no such file or directory, open '/usr/src/app/.env'
    at Object.openSync (fs.js:440:3)
    at Object.readFileSync (fs.js:342:35)
    at Object.config (/usr/src/app/node_modules/dotenv/lib/main.js:96:29)
    at Object.<anonymous> (/usr/src/app/server.js:59:29)
    at Module._compile (internal/modules/cjs/loader.js:959:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:995:10)
    at Module.load (internal/modules/cjs/loader.js:815:32)
    at Function.Module._load (internal/modules/cjs/loader.js:727:14)
    at Function.Module.runMain (internal/modules/cjs/loader.js:1047:10)
    at internal/main/run_main_module.js:17:11 {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/usr/src/app/.env'
}

I'm starting via a docker-compose script

  route53-dynamic-dns:
    container_name: route53-dynamic-dns
    image: sjmayotte/route53-dynamic-dns:latest
    restart: unless-stopped
    environment:
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_REGION=${AWS_REGION}
      - ROUTE53_HOSTED_ZONE_ID=${ROUTE53_HOSTED_ZONE_ID}
      - ROUTE53_DOMAIN=${DOMAIN}
      - ROUTE53_TYPE=A
      - ROUTE53_TTL=60
      - SEND_EMAIL_SES=false
      - SES_TO_ADDRESS=${SES_TO_ADDRESS}
      - SES_FROM_ADDRESS=${SES_FROM_ADDRESS}
      - UPDATE_FREQUENCY=60000
      - LOG_TO_STDOUT=true
    logging:
      options:
        max-size: "2m"
        max-file: "5"
    labels:
      - traefik.enable=false
