Hi everyone,

Edit2: I bought a domain (1,50€ p.m.) from a European service which also offers dynDNS functionality. Just needed to adjust my NGINX config and generated new SSL certificates via Certbot. I also built a script that only issues the update URL if the actual IP has changed. The system has been running flawlessly now for a couple of days already. No outages or any other connection issues. Learning: even though the dynDNS functionality should work stably in theory (since there is not much going on), the dynDNS service provider actually plays a big role in terms of reliability.

a couple of friends and I have a Jellyfin server running which is exposed to the internet via a reverse-proxy and https by using a free dynDNS provider.

The setup is working fine besides the dynDNS provider. We constantly face connection issues, making the dynamic DNS functionality very unreliable.

So I started looking into possible solutions and one particular would be to buy an own domain which would only cost a few bucks each month. With this I could keep the current setup and would just need to change the domain (and possibly the SSL certificate). I found a provider over which I could buy (rent?) a domain and which also provides dynDNS functionality. But I am not too sure if I understood this correctly:

  • if I have an own domain, why would I need the additional dynDNS functionality? I would guess that I would just continue updating your server’s IP address to the domain name like we are doing now
  • can the provider over which I rent the domain with servers in my country actually see what our traffic is? Especially since we are streaming our movies etc.
  • is there a better way of obtaining and setting up your own domain also in terms of privacy and reliability than with a bigger company offering such services?

Thanks a lot for your feedback!

Edit: An important fact I forgot to add in my main post is that during these issues, the general server connection should be fine since it is located at a friend's house and his internet connection is unaffected (e.g. we could still talk in Discord normally and he had no internet issues whatsoever).

  • teslasaur@lemmy.world
    2 months ago

    Dyndns really shouldn’t affect your connection, as long as you have a local client that updates your record automatically.

    I use Jellyfin together with Caddy and it was pretty seamless to set up. I configured the Caddyfile to redirect my incoming domain to my local IP and the rest worked automatically. It sets up a legitimate certificate for the domain using Let's Encrypt and automatically renews it.

    When you have an encrypted connection, the ISP can’t see what is being sent between you and the webserver. They can however see your DNS requests unless you have DNS over encryption enabled.

    The only security measure beyond keeping things up to date that I would recommend is to have a geo-blocker enabled for incoming traffic to your network.

    • dingleberrylover@lemmy.worldOP
      2 months ago

      Thanks, yes I also use a script that constantly sends the current IP address to the dynDNS provider. I could be completely wrong, but the internet connection of my friend's house where the server stands is fine even during these connection issues. So I would blame the DNS resolution, but it is also my first time running a server.

      • lorentz@feddit.it
        2 months ago

        How frequently do you send these updates? Most dynDNS providers rate-limit the updates you can send, so it is possible that you send a bunch of useless updates when the IP didn’t change and the actual update that is required gets discarded because you hit the limit.

        Do you log your script errors somewhere? Are you sure that the IP changes so frequently?

        I know at least 3 European fiber providers which offer static IPs. For broadband always-on connections IP changes should be pretty rare.

        • dingleberrylover@lemmy.worldOP
          2 months ago

          I have a cronjob that runs every minute to update the IP address. I could try to increase it to every hour or so. In the beginning I tracked how often the ISP changed the address and it was roughly like once every 24-30 hours, cannot really remember.

          • teslasaur@lemmy.world
            2 months ago

            That does seem excessive. Change it so that it only sends an update to dyndns when it actually changes.

            Having a new IP every 30 hours also seems pretty aggressive. I guess the DNS change might be slow to populate servers in that time if it is a “weird” top level domain.

          • 1Fuji2Taka3Nasubi@piefed.zip
            2 months ago

            Agree with the other 2 replies that hammering the dyndns server every minute is excessive and you should only send them updates when your IP address actually changes.

            You should also check the TTL on the primary name server (the dyndns server) and the DNS server you use (likely your ISP’s DNS server).

            https://johncireland.wordpress.com/2020/09/07/viewing-dns-record-ttl-on-windows/

            The dyndns server probably has it configured right and it should have a low TTL like 5 minutes or below, but sometimes the DNS server you use can be a server that ignores TTL and caches the result for longer than expected. I don’t think this is the problem if multiple of your friends are having the same problem but it doesn’t hurt to check.
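The advice in the replies above (send an update only when the address really changed, and stay under the provider's rate limit) can be implemented as below. This is an added example, not a script posted by anyone in the thread. `fetch_ip` and `send_update` are hypothetical callables you supply (the second would wrap your provider's update URL), and `MIN_INTERVAL` is an assumed value, not a documented limit of any provider.

```python
import ipaddress, json, os, tempfile, time

MIN_INTERVAL = 300  # assumed floor between update attempts, in seconds

def parse_public_ip(raw):
    """Accept only one globally routable address from the lookup response."""
    ip = ipaddress.ip_address(raw.strip())  # ValueError on HTML error pages etc.
    if not ip.is_global:
        # A private or CGNAT address would publish an unreachable record.
        raise ValueError(f"not a public address: {ip}")
    return str(ip)

def load_state(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return {"ip": None, "sent_at": 0}

def save_state(path, state):
    # Write to a temp file and rename, so a crash never leaves a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)

def run_once(fetch_ip, send_update, state_path, now=None):
    """One cron tick. Returns 'unchanged', 'throttled', 'updated' or 'failed'."""
    now = time.time() if now is None else now
    state = load_state(state_path)
    ip = parse_public_ip(fetch_ip())
    if ip == state["ip"]:
        return "unchanged"            # nothing sent to the provider
    if now - state["sent_at"] < MIN_INTERVAL:
        return "throttled"            # changed, but too soon after the last attempt
    ok = send_update(ip)              # hypothetical: True if the provider accepted
    state["sent_at"] = now            # failed attempts count toward the limit too
    if ok:
        state["ip"] = ip              # remember only addresses that were accepted
    save_state(state_path, state)
    return "updated" if ok else "failed"
```

Run from cron every minute, this contacts the provider only on a real change; logging the returned status gives the error trail asked about earlier in the thread.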

  • slazer2au@lemmy.world
    2 months ago

    If you have a static IP where you host your Jellyfin service you shouldn’t need your dyndns anymore.

    A domain provider doesn’t know what you are doing. It knows you want to access jellyfin.your.domain but has no clue what you are watching or the specific URLs you are going to.
    Think of it like a library reference card, the library knows you want Encyclopaedia Britannica volume 12, but they don’t know what you are actually looking up.

    I have a domain with Porkbun and don't have issues. When my reverse proxy needs a new certificate I do nothing because Traefik uses the Porkbun API to do the Let’s Encrypt DNS validation.

    • lepinkainen@lemmy.world
      2 months ago

      Even if you have a dynamic IP it’s trivial to set up automatic DNS updates with a good provider that has an API to do it.

  • Knossos@lemmy.world
    2 months ago

    You are probably better off using something like Tailscale. You don’t need to expose your system with a reverse proxy then.

  • determinist@kbin.earth
    2 months ago

    I have a static IP provided by my ISP. I own my own domain name. I use BunnyCDN to manage my DNS.

    On my server I run Jellyfin and reverse proxy with Caddy, I also run Fail2Ban. Caddy has built in SSL certification.

    After I set it all up (which took me a few tries to get it all right as I was learning on the go) it just runs with no apparent problems. I check logs and monitor it regularly however so far I haven’t had any problems.

    The Jellyfin address is shared only to a few family members.

    I’m in the EU so GDPR applies and none of the involved companies is datamining my stuff. Their policies are to be non-invasive.

    • dingleberrylover@lemmy.worldOP
      2 months ago

      I am in the same boat (learning on the go, living in EU and using fail2ban and reverse proxy although I use nginx). Sounds good that it runs so well for you! Where did you register your domain? I’ll look into BunnyCDN as well.

      • determinist@kbin.earth
        2 months ago

        It’s a domain I’ve had for 15 years (I keep renewing) and I registered with 123-reg.

        If you're in the EU definitely check out Bunny. They’re based in Slovenia. I used their free trial, to test it all out. After that their pricing is competitive, and mostly if you’re a single user homelab type you’ll pay nothing. At least, that’s been my experience for the past 8 months. My use falls well under their provided no charge tier.

        I looked at using nginx however I liked what I read and saw of Caddy (it seemed easier for me). I don’t do anything very clever and Caddy is working great for me.

        *I’m not associated with them other than to be a customer. Prior to switching to Bunny I used Cloudflare free level but I wanted to get away from anything associated with the USA and their (lack of) data protection laws.

        • dingleberrylover@lemmy.worldOP
          2 months ago

          Thanks a lot for your suggestions and feedback! I also would like to use services within the EU, so I will give Bunny a closer look.

  • Strit@lemmy.linuxuserspace.show
    2 months ago

    As someone else mentioned, this does not seem to be an issue with the DynDNS itself. But rather the fact that your ISP changes your IP regularly (DHCP, non-static IP). I would really recommend you get a static IP from your ISP. DNS lookups should never fail after that.

  • A_norny_mousse@feddit.org
    2 months ago

    can the provider over which I rent the domain with servers in my country actually see what our traffic is? Especially since we are streaming our movies etc.

    That’s what encryption is for, a.k.a. HTTPS in this case.

    • kossa@feddit.org
      2 months ago

      But that is about the ISP (and all hops in between). The provider, where you buy the domain, does not see the traffic at all. Basically the domain seller just controls the nameservers for that domain, but doesn’t see the traffic that goes to those domains.

      Basically by buying a domain you buy an entry into the telephone book.

  • Zikeji@programming.dev
    2 months ago

    Let’s back up some - a free dynDNS provider would not cause connection issues, unless DNS resolution itself stopped working - which is unlikely. It sounds more like the Internet you’re running off of itself has issues. What in particular is making you blame the dynDNS? Who is it?

    • iturnedintoanewt@lemmy.world
      2 months ago

      … Check duckdns constant resolution issues. There’s lots of threads about their inconsistency and unreliability. Can’t really complain, because it’s truly free, but there’s no full week that goes without issue.

    • dingleberrylover@lemmy.worldOP
      2 months ago

      I am using dynv6.com. The reason I blame the DNS resolution is because when I have issues connecting (as if the domain is not available), it does not mean that my friends cannot connect either. The server is at a friend's house who has a fiber connection and who has no issues when we have trouble connecting again. I could be totally wrong, but to me it sounds like dynv6 has some troubles.

      I also have a script running, which constantly updates dynv6 with our current IP address.

      • Zikeji@programming.dev
        2 months ago

        Well, it can’t hurt to cross it off. You don’t need to get a domain from a registrar that offers dynamic DNS, you just need to register a domain (or try another dynamic DNS like the other user suggested) and use a DNS provider that is free and offers an API. I personally use Cloudflare, there are plenty of guides for setting up a dynamic record on CF.

        For registering a domain you can use an affordable registrar, I’m a Porkbun customer - for a .com domain it’s like $11 for a year. No need to spend monthly.

  • rtxn@lemmy.world
    2 months ago

    It’s possible that, when the ISP revokes the public address and assigns a new one, the DNS record isn’t updated immediately and still points to the old address. Then every new request would be sent to the old, invalid address.

    And this is where I start shilling for Tailscale. It’s a Wireguard-based mesh VPN that is designed to work from behind firewalls, NAT, and CGNAT. It has its own internal split DNS provider, and probably some mechanism to handle public address changes that is transparent to the tunnelled traffic. You can use it to share the server with only the devices that have the client installed, or expose the server to the internet.

    I’ve got it set up on my OPNSense firewall as a subnet router that advertises the subnet where my servers are, and often stream from Jellyfin over it. There’s some overhead, but it’s never been disruptive.

    • Auli@lemmy.ca
      2 months ago

      Sure but of the 10 plus years I’ve been doing this never had an issue like that. But I have a 5 minute TTL.