Fond memories of using DDNS on old Netgear routers at home in the aughts and port forwarding services with some rudimentary firewall rules and tcpwrappers to try and lock down access.
Now I use a combination of Tailscale[1] for private services only to me and Tailscale Funnels[2], and Cloudflare Tunnels[3] for public service exposure.
This accomplishes the same thing I was doing with DDNS and my ISP IP, but in a much more secure and stable manner.
Do you have any recommendations for tutorials on setting this all up with docker?
How do you connect outside the network?
I am running DDNS to access my home services and it has been very error prone and frustrating. I moved some services back to the cloud because the bots were using all my DSL upload, so we didn't have enough bandwidth to work even with Cloudflare firewalls.
I have an artisanal handcrafted docker-compose stack for them, so everything is containerized. It's on my todo to write a blog post about the setup.
There's an nginx reverse-proxy container in the stack that routes traffic to the individual service containers via the server name; e.g. nitter.tail.net goes to the nitter container, teddit.tail.net goes to the teddit container, etc.
The nginx proxy only listens on the Tailnet interface and only accepts connections from the Tailnet CIDR, therefore any device I have on my tailnet can access them. Let's Encrypt is also set up so everything is over https.
This allows me to access them from my phone, laptop, whatever when connected using Tailscale.
Tailscale essentially let me completely remove any need for port forwarding on my router and still have global access. It's truly amazing.
Not the internal services. I have Let's Encrypt set up for services on my tailnet using the Cloudflare DNS plugin for certbot so they're all over https.
Combined with only allowing connections to hosts from the Tailnet and https, forgoing passwords makes them easier to manage and use.
Granted, most of these personal services are things like Audiobookshelf, Nitter, Plex, and Newsblur. While important to me, they're not exactly high value targets.
My internal Gitea is locked down more and has MFA enabled since I always see git as something to secure.
I don't use Tailscale Funnel as much, mostly on an ad hoc basis since tailscale serve is relatively lightweight if a host is already connected to a Tailnet.
WARP is primarily used for long running services I have, like GotoSocial or Lemmy that need public ingress over https for federation.
Reddit's rationale for the C&D was that "Offering this login option misleads and confuses consumers by implying Reddit’s endorsement, association or sponsorship of your application", which is
1. complete bullshit; and
2. hypocritical, given that it's possible to log into Reddit with one's Google and/or Apple account.
Generally, Reddit is uninterested in being an OAuth provider for anything other than a few bot-related tools. I don't necessarily disagree with their prognosis that being a public OAuth provider sometimes looks like endorsement or association, as it has been used in a lot of phishing attacks. But it's surprising they aren't interested in the prospect of more Reddit accounts.
I was looking at the login links at the top… it's interesting eh.
- Persona is dead.
- Twitter has been rebranded and its future is uncertain.
- Reddit took them down
GitHub and Google are both reliable OAuth providers. Though the GitHub OAuth is linked to a personal account, not an org, which is all kinds of awful for reliability of the app.
Since I use 1Password, I've started to always retain backup login+PW methods for every website I use oauth for anyway. And if I do use oauth, it's ALWAYS gonna be using Google (which is reliable and I pay for) or nothing except for very specific scenarios where oauth perms are relevant. I think the federated auth dream is just entirely dead at this point.
Why is Persona dead? I've never used them, their site appears to be online (still), though.
> I think the federated auth dream is just entirely dead at this point.
That you had to support individual auth providers, none of which were reliable, was a major issue. Had they been "oh here's my auth provider" and you stuck it into a site, that would have been grand. No need to have a bunch of "login with" providers up top.
That sort-of worked with OAuth 1.0, IIRC that protocol had issues which is why we had OAuth 2.0 which sorta worked (and I've never seen an easy impl, where you just "stand up" an oauth server and then clients easily use it). Back when you could use the likes of Yahoo to OAuth you around.
As much as I appreciate what they offer at no cost, I have experienced more downtime from their service than I would like. My Uptime Kuma dashboard reports a 99.98% 30-day uptime from their service (mainly small 1-2 min downtimes every couple of weeks), but I have experienced at least one 7ish hour period a few months back where no DuckDNS queries were resolving for any domains I checked. And I never found any official source giving a reason or even acknowledging this outage. Again, free service, I do appreciate what they offer.
They probably don't want to have the extra headache of having made a promise of uptime in any way; if anyone uses a free service for stuff that can't go down, the fault is on them.
Can someone inform me as to why some random dynamic DNS service is trending on HN? I went to their site, read their FAQ, etc. Nothing about this service seems unique compared to the countless other dynamic DNS services out there.
A lot of the other free dynamic DNS services don't cut the mustard, or have vanished over the years. Some of them have weird rules like that your IP address has to be dynamic and change every once in a while, some of them have terrible software and don't have a clean API, some of them require you to check your email every month to click a renew button, and most of them don't have a web UI you can use to manually type in an IP address.
DuckDNS just kinda sits there and does its thing. So it may be interesting for an HN audience to know that a decent usable dynamic DNS service is still around.
- It's really free instead of "annoyingly free" that requires you to confirm every month that you are still using it.
- It lets you update with a simple HTTP request + token (e.g. a "curl ..." command), no login protocol, nor any special login protocol that your router or DVR may or may not support.
- Simple copy-paste instructions for dozens of systems, instead of other DDNS providers that have no docs and whose only instructions are to make you install their adware/spyware app.
- No ads. Just a simple donate button at the end of the admin page, which I haven't visited in months/years.
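Since the token-authenticated HTTP request is the whole update protocol, here is an added example (mine, not DuckDNS's own client and not code posted in the thread) of a cron-friendly updater in POSIX sh. It assumes DuckDNS's documented `update` endpoint that answers with the body `OK` or `KO`; the token file path, the `duckdns_http` transport hook and all addresses are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: cron-friendly DuckDNS updater.
# Assumes the documented endpoint
#   https://www.duckdns.org/update?domains=<name>&token=<token>&ip=<addr>
# answers "OK" or "KO". The token is read from a file (assumed default
# ~/.config/duckdns/token, mode 0600) instead of being passed on the command
# line, so it never shows up in `ps` output or shell history.
# $DUCKDNS_HTTP names the transport function so it can be swapped for testing.

DUCKDNS_TOKEN_FILE="${DUCKDNS_TOKEN_FILE:-$HOME/.config/duckdns/token}"
DUCKDNS_STATE_FILE="${DUCKDNS_STATE_FILE:-$HOME/.config/duckdns/last_ip}"
DUCKDNS_HTTP="${DUCKDNS_HTTP:-duckdns_http}"

# Default transport: curl reads the URL from stdin (-K -) so the token-bearing
# URL is not in curl's argv either.
duckdns_http() {
    printf 'url = "%s"\n' "$1" | curl -fsS -K -
}

# Accept only a plain dotted-quad IPv4 address, so a garbage answer from a
# "what is my IP" lookup is never pushed into DNS.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
}

# duckdns_update <subdomain> <ipv4>
# Prints "unchanged" (no request sent) or "updated" (API answered OK);
# returns non-zero on bad input, transport failure or a KO answer.
duckdns_update() {
    sub=$1 ip=$2
    valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 2; }
    [ -r "$DUCKDNS_TOKEN_FILE" ] || { echo "no token file" >&2; return 2; }
    if [ -f "$DUCKDNS_STATE_FILE" ] && [ "$(cat "$DUCKDNS_STATE_FILE")" = "$ip" ]; then
        echo unchanged; return 0      # address unchanged: don't hammer the API
    fi
    token=$(cat "$DUCKDNS_TOKEN_FILE")
    resp=$("$DUCKDNS_HTTP" "https://www.duckdns.org/update?domains=$sub&token=$token&ip=$ip") || return 1
    case "$resp" in
        OK*) printf '%s\n' "$ip" > "$DUCKDNS_STATE_FILE"; echo updated ;;
        *)   echo "duckdns rejected update: $resp" >&2; return 1 ;;
    esac
}
```

From cron, call `duckdns_update <yoursub> <address>` with the public address your router or an external lookup reports; the state file means a 5-minute schedule only contacts DuckDNS when the address actually moves.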
No idea why it's trending, but it is not very random. It's probably the most popular DDNS out there right now. A lot of docker images have built-in support or plugins to use it in conjunction with Let's Encrypt for HTTPS support.
Google's was actually a really good implementation that was pretty well supported (EdgeOS and Synology), too bad it's going away. Switched to Namecheap and its implementation is OK but a bit crusty.
I've been using them since I let my personal domain expire. The personal domain on Namecheap allowed for DynDNS updating, but I couldn't really justify the $10/y cost for no real gain.
I use DynDNS for a WireGuard VPN with WG Dashboard hosted behind my home firewall on a Proxmox CT (LXC). Works great for allowing me to tunnel traffic on untrusted Wi-Fi, and of course, to hit LAN devices remotely. I'm lucky my home ISP (FIOS) doesn't cheap out and CGNAT me like so many seem to be doing now. In the past, I used to open 80/443 and self-host websites, but that's pretty silly nowadays.
1. https://tailscale.com/
2. https://tailscale.com/kb/1223/tailscale-funnel/
3. https://developers.cloudflare.com/cloudflare-one/connections...
Duck DNS – About - https://news.ycombinator.com/item?id=33367767 - Oct 2022 (48 comments)
Duck DNS – free dynamic DNS hosted on AWS - https://news.ycombinator.com/item?id=30539059 - March 2022 (100 comments)
Duck DNS – free dynamic DNS hosted on AWS - https://news.ycombinator.com/item?id=28383113 - Sept 2021 (1 comment)
Free DNS from Duck DNS - https://news.ycombinator.com/item?id=6425925 - Sept 2013 (2 comments)
Am I missing something?
You tend to get a few echoes relating to popular posts (or comments from those posts that suggest alternatives and/or pros and cons)
0: https://news.ycombinator.com/item?id=36984419
It's all based on donation and there's not a ton of information, so there's really no way of knowing how reliable it is.