Be the 🌟 best DDNS tool 🌟 that favonia wants to use.
-
Support all features favonia wants, including emojis.
-
Be secure as much as possible and practical.
- Prefer open security over security through obscurity.
- Use code analysis, unit testing, fuzzing, and other techniques to discover bugs.
- Detect common misconfigurations.
-
Be efficient in network usage, CPU usage, memory usage, and whatnot.
-
Support other useful features that are easily maintainable.
The source code follows the standard Go project layout, where /cmd/ holds the command-line interface and /internal/ holds the internal packages. The updater is factored into many internal packages, each in charged of a small part of the program logic. See the Go Reference for a detailed documentation of the code structure.
See Issues and Milestones.
- The adversary cannot access or tamper with end devices (your machine and Cloudflare’s servers) or their local networks.
- The adversary can forge IP packets but cannot monitor, modify, or significantly delay existing IP packets.
- The adversary may know your machine’s exact hardware, software, and configurations (except authentication credentials).
The goal is to stop the adversary from tricking the updater into updating managed domains with an incorrect IP address.
The connection to Cloudflare’s servers is always protected by HTTPS, making it more resistant to forged IP packets. Many other DDNS tools use simple DNS lookups to detect public IP addresses, which is less secure because of DNS spoofing.
Public IP addresses, by their own definition, depend on how other machines (in our case, Cloudflare’s servers) see the current machine over the internet. Therefore, if the adversary can control the network the updater can access, then it is impossible to secure it. This means one should avoid using this updater (or any DDNS updater) in the following scenarios:
- Your machine is connected to the internet via unsafe Wi-Fi. This can include WPA2 Enterprise if your machine does not verify the identity of the RADIUS servers. In general, it is much more challenging to protect Wi-Fi connections.
- The adversary can access networks close to Cloudflare’s servers and intercept your IP packets. Note that the adversary does not need to break HTTPS---HTTPS does not protect the source and target IP addresses.
- The adversary can access the cable between your machine and the internet, or that you are within a country-scale firewall. (Although they can already redirect the traffic in this case, and thus whether the updater is secure or not is no longer relevant.)
There is no way to securely detect the intended public IP address in these scenarios. If you wish to be immune to these attacks, it is recommended to buy static IP addresses instead of using this tool (or any DDNS updater).