#! /usr/bin/env python3 """A Dynamic DNS script that can create and modify Cloudflare DNS records To run this, you'll need an API key from Cloudflare. Store this key either in $CFDDNS_API_TOKEN or in ewp-secrets as cfddns.api-token. You can grab a copy of this script from here: https://github.com/ewpratten/ewconfig/raw/master/scripts/cfddns --- usage: cfddns [-h] [-i INTERFACE] [--no-ipv4-subzone] [--no-ipv6-subzone] [--dry-run] [-v] zone_id base_zone A Cloudflare Dynamic DNS script positional arguments: zone_id Zone ID to update base_zone DNS record to update options: -h, --help show this help message and exit -i INTERFACE, --interface INTERFACE If set, bind to this specific interface --no-ipv4-subzone If set, don't create/update an IPv4 subzone --no-ipv6-subzone If set, don't create/update an IPv6 subzone --dry-run Print actions instead of performing them -v, --verbose Enable verbose logging """ import argparse import sys import os import logging import requests import socket import ipaddress import subprocess import shutil import requests.adapters from datetime import datetime from typing import Optional, Union from urllib3.poolmanager import PoolManager CDN_CGI_URL = "https://www.cloudflare.com/cdn-cgi/trace" """This can be the path to *any* cloudflare-proxied website. They all return the same thing.""" logger = logging.getLogger(__name__) class InterfaceAdapter(requests.adapters.HTTPAdapter): """A custom HTTP adapter that can bind to a specific network interface""" def __init__(self, interface: Optional[str] = None, **kwargs): self.interface = interface super().__init__(**kwargs) def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs): self.poolmanager = PoolManager( num_pools=connections, maxsize=maxsize, block=block, socket_options=( [(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, self.interface.encode())] if self.interface else [] ), ) def get_requesting_ip( session: requests.Session, force_ipv4: bool = False ) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]: # If we need to force an IPv4 connection if force_ipv4: logger.info("Forcing an IPv4 connection") requests.packages.urllib3.util.connection.HAS_IPV6 = False # Make a request try: response = session.get(CDN_CGI_URL) response.raise_for_status() except requests.RequestException as e: logger.error(f"Failed to get the requesting IP: {e}") return None # Parse the response for line in response.text.split("\n"): if line.startswith("ip="): return ipaddress.ip_address(line.split("=")[1]) def read_secret(secret_id: str) -> Optional[str]: # Attempt to read from the environment env_var = f"CFDDNS_{secret_id.replace('-', '_').upper()}" if env_var in os.environ: return os.environ[env_var] # Otherwise, try to read from ewp-secrets if shutil.which("ewp-secrets"): secrets_proc = subprocess.Popen( ["ewp-secrets", "load", "-n", "cfddns", "-k", secret_id], stdout=subprocess.PIPE, ) if secrets_proc.wait() == 0: return secrets_proc.stdout.read().decode().strip() # If we can't find the secret, return None return None def main() -> int: # Handle program arguments ap = argparse.ArgumentParser( prog="cfddns", description="A Cloudflare Dynamic DNS script" ) ap.add_argument("zone_id", help="Zone ID to update") ap.add_argument("base_zone", help="DNS record to update") ap.add_argument("-i", "--interface", help="If set, bind to this specific interface") ap.add_argument( "--no-ipv4-subzone", help="If set, don't create/update an IPv4 subzone", action="store_true", ) ap.add_argument( "--no-ipv6-subzone", help="If set, don't create/update an IPv6 subzone", action="store_true", ) ap.add_argument( "--dry-run", help="Print actions instead of performing them", action="store_true", ) ap.add_argument("--api-token", help="Cloudflare API token") ap.add_argument( "-v", "--verbose", help="Enable verbose logging", action="store_true" ) args = ap.parse_args() # Configure logging logging.basicConfig( level=logging.DEBUG if args.verbose else logging.INFO, format="%(levelname)s: %(message)s", ) # Read env vars needed for the Cloudflare API cf_api_token = args.api_token or read_secret("api-token") if not cf_api_token: logger.error( "Failed to read the Cloudflare API token. Either set $CFDDNS_API_TOKEN or use ewp-secrets" ) return 1 # Create an HTTP session session = requests.Session() # If needed, use a custom network interface if args.interface: logger.info(f"Binding to network interface {args.interface}") session.mount("http://", InterfaceAdapter(interface=args.interface)) session.mount("https://", InterfaceAdapter(interface=args.interface)) # Figure out our IPs ipv4 = get_requesting_ip(session, force_ipv4=True) ipv6 = get_requesting_ip(session, force_ipv4=False) # If the ipv6 request returns an IPv4 address, we can't use it if ipv6 and ipv6.version == 4: logger.debug("IPv6 request returned an IPv4 address, ignoring it") ipv6 = None # Print the IPs we found logger.info(f"Our IPv4 address is {ipv4}") logger.info(f"Our IPv6 address is {ipv6}") # Look up the contents of the zone zone_contents_response = requests.get( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, ) try: zone_contents_response.raise_for_status() except Exception as e: logger.error(zone_contents_response.json()) raise e zone_contents = zone_contents_response.json() if "result" not in zone_contents: logger.error("Failed to get the zone contents") print(zone_contents) return 1 # Clear all non-matching A and AAAA records on the base zone has_correct_ipv4_record = False has_correct_ipv6_record = False apex_name = None for record in zone_contents["result"]: if record["name"] == args.base_zone and record["type"] in ["A", "AAAA"]: logger.info( f"Found existing {record['type']} record for {record['name']}. Value: {record['content']}" ) # If this doesn't match the corresponding IP, delete it if (record["type"] == "A" and record["content"] != str(ipv4)) or ( record["type"] == "AAAA" and record["content"] != str(ipv6) ): logger.info( f"Deleting stale record {record['id']} ({record['content']})" ) if not args.dry_run: delete_response = requests.delete( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records/{record['id']}", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, ) try: delete_response.raise_for_status() except Exception as e: logger.error(delete_response.json()) raise e # Mark the record as OK if it is ok else: if record["type"] == "A": has_correct_ipv4_record = True elif record["type"] == "AAAA": has_correct_ipv6_record = True # Keep track of the apex if not apex_name: apex_name = record["zone_name"] # Figure out *when* we are now = datetime.now().isoformat() # If the base name is the apex, switch it to @ base_name = args.base_zone if args.base_zone != apex_name else "@" # Write new A and AAAA records (if needed) to the base zone if ipv4 and not has_correct_ipv4_record: logger.info(f"Creating new A record for {base_name} with value {ipv4}") if not args.dry_run: create_response = requests.post( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, json={ "type": "A", "name": base_name, "content": str(ipv4), "ttl": 60, "proxied": False, "comment": f"Auto-generated by cfddns on {now}", }, ) try: create_response.raise_for_status() except Exception as e: logger.error(create_response.json()) raise e if ipv6 and not has_correct_ipv6_record: logger.info(f"Creating new AAAA record for {base_name} with value {ipv6}") if not args.dry_run: create_response = requests.post( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, json={ "type": "AAAA", "name": base_name, "content": str(ipv6), "ttl": 60, "proxied": False, "comment": f"Auto-generated by cfddns on {now}", }, ) try: create_response.raise_for_status() except Exception as e: logger.error(create_response.json()) raise e # If we should be creating subdomains, do so if not args.no_ipv4_subzone and ipv4: # Look for an existing record already_exists = False for record in zone_contents["result"]: if record["name"] == f"ipv4.{args.base_zone}" and record["type"] == "A": logger.info( f"Found existing A record for {record['name']}. Value: {record['content']}" ) # If the record matches, we're done if record["content"] == str(ipv4): already_exists = True break # Otherwise, delete it logger.info( f"Deleting stale record {record['id']} ({record['content']})" ) if not args.dry_run: delete_response = requests.delete( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records/{record['id']}", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, ) try: delete_response.raise_for_status() except Exception as e: logger.error(delete_response.json()) raise e # If the record doesn't exist, create it if not already_exists: logger.info( f"Creating new A record for ipv4.{args.base_zone} with value {ipv4}" ) if not args.dry_run: create_response = requests.post( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, json={ "type": "A", "name": f"ipv4.{args.base_zone}", "content": str(ipv4), "ttl": 60, "proxied": False, "comment": f"Auto-generated by cfddns on {now}", }, ) try: create_response.raise_for_status() except Exception as e: logger.error(create_response.json()) raise e if not args.no_ipv6_subzone and ipv6: # Look for an existing record already_exists = False for record in zone_contents["result"]: if record["name"] == f"ipv6.{args.base_zone}" and record["type"] == "AAAA": logger.info( f"Found existing AAAA record for {record['name']}. Value: {record['content']}" ) # If the record matches, we're done if record["content"] == str(ipv6): already_exists = True break # Otherwise, delete it logger.info( f"Deleting stale record {record['id']} ({record['content']})" ) if not args.dry_run: delete_response = requests.delete( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records/{record['id']}", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, ) try: delete_response.raise_for_status() except Exception as e: logger.error(delete_response.json()) raise e # If the record doesn't exist, create it if not already_exists: logger.info( f"Creating new AAAA record for ipv6.{args.base_zone} with value {ipv6}" ) if not args.dry_run: create_response = requests.post( f"https://api.cloudflare.com/client/v4/zones/{args.zone_id}/dns_records", headers={ "Authorization": f"Bearer {cf_api_token}", "Content-Type": "application/json", }, json={ "type": "AAAA", "name": f"ipv6.{args.base_zone}", "content": str(ipv6), "ttl": 60, "proxied": False, "comment": f"Auto-generated by cfddns on {now}", }, ) try: create_response.raise_for_status() except Exception as e: logger.error(create_response.json()) raise e return 0 if __name__ == "__main__": sys.exit(main())