Unifi USG DynDNS limitations

The grass is not always greener...

I will have to rant separately about my recent switch from pfSense to Ubiquiti's Unifi line of products for my home network. Suffice it to say for now that this post documents (and complains about) some really odd decisions within the Unifi line that seem amateurish.

Overall Unifi has some neat concepts, but I warn those out there that are considering the same switch that I went through... a slicker interface is not always the better option.

The problem: Dynamic DNS

Most residential Internet connections have dynamic IPs. That is to say, unless you explicitly ask (and probably pay) for a static IP, your IP address can and will change at seemingly random times. It may change:

  • When you reboot your modem
  • When you hit your monthly data cap
  • When you replace the router behind your modem (or otherwise spoof the MAC address presented to your modem)
  • When your WAN's DHCP lease is up and the renewal doesn't allocate the previous IP
  • When Comcast decides it is time to introduce a little change chaos for kicks and giggles

When this happens, if you have a domain name that points to your WAN edge, you must remember to update your A (or AAAA, fancy you) record(s):

$ dig lolnope.us @8.8.8.8

; <<>> DiG 9.10.6 <<>> lolnope.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;lolnope.us.                    IN      A

;; ANSWER SECTION:
lolnope.us.             60      IN      A       24.4.223.218

;; Query time: 50 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May 06 16:57:04 PDT 2018
;; MSG SIZE  rcvd: 55

My A record shows my current IP to be 24.4.223.218. But this can change since I don't pay for a static IP.

The solution: Dynamic DNS

The solution to this problem is known as dynamic DNS: a piece of code that runs locally whenever it detects an IP change. When it runs, it records the current (potentially changed) IP address and contacts the domain hosting service, authenticating with a username and password, and says (roughly):

Hey, I just saw that lolnope.us's IP just changed to 123.123.123.123. Please update the A record to point to 123.123.123.123.

There are various protocols over which this exchange can occur; the most common I've come across is dyndns. Google Domains happens to support dyndns, as does Unifi, but there is a limitation...

Because "lol, reasons"

Unifi doesn't allow more than one dyndns entry in the "Dynamic DNS" section of its UI. If you only have one domain that points to your WAN IP, this will do. However, if you have multiple domains whose A records resolve to your WAN IP, Unifi's GUI immediately blocks adding a second dyndns entry.

I've seen that there are ways to get around this by hacking on the Unifi backend -- modifying some JSON file(s) by hand [1][2]. But I also found out about DNS-O-Matic [3].

DNS-O-Matic essentially acts as a dyndns proxy. You send a single dyndns update to DNS-O-Matic, and it will send updates to the various DDNS providers you're using:

  
digraph G {  
  rankdir = LR;
  label = "DNS-O-Matic proxying dyndns updates";
  labelloc = "t";
  fontname = "Arial";

  "USG" [shape=rect, color=blue, ]

  "DNS-O-Matic" [shape=rect, color=orange, ]

  subgraph cluster_c {
    label = "DDNS Providers";
    labelloc = "t";
    node [shape=rect, color=green, ]

    "Google DNS"
    "Namecheap"
    "Others"
  }

  "USG" -> "DNS-O-Matic" [label = "IP: 123.123.123.123", ]
  "DNS-O-Matic" -> "Google DNS" [label = "Domain: lolnope.us", ]
  "DNS-O-Matic" -> "Google DNS" [label = "Domain: ellebannaq.com", ]
  "DNS-O-Matic" -> "Namecheap"
  "DNS-O-Matic" -> "Others"
}

This works around Unifi's limitation of a single dyndns "backend".

Make sure it works

The Unifi settings for this dyndns backend may seem strange:

Service:  dyndns  
Hostname: all.dnsomatic.com  
Username: $USERNAME  
Password: $PASSWORD  
Server:   updates.dnsomatic.com  

Here we're telling updates.dnsomatic.com that every domain configured under the DNS-O-Matic account identified by $USERNAME and $PASSWORD should be updated to the IP reported by the USG; all.dnsomatic.com is the hostname that means "all of them". Once set, you can query the USG directly to see its status with DNS-O-Matic:

$ show dns dynamic status
interface    : eth0  
ip address   : 24.4.223.218  
host-name    : all.dnsomatic.com  
last update  : Sat May 12 10:58:28 2018  
update-status: good  
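As an added example (not code from the original post, nor Ubiquiti's or DNS-O-Matic's), here is what the dyndns exchange described above looks like in Python: build_update assembles the request the USG sends to updates.dnsomatic.com, and parse_response interprets the status line(s) the provider returns, which is what the USG's "update-status: good" is summarising. The /nic/update path, the hostname/myip parameters and the status codes come from the dyndns2 protocol; the account alice/s3cret, the User-Agent string and the reply body are constructed for the example.

```python
import base64
import ipaddress
from urllib.parse import urlencode

# dyndns2 status codes. The fatal ones mean "fix the configuration": a client
# that keeps retrying after these is what providers classify as abuse and block.
FATAL = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent"}
RETRY = {"dnserr", "911"}  # server-side trouble; back off and try again later


def build_update(server, hostname, username, password, myip, user_agent):
    """Return (url, headers) for a dyndns2 update such as the USG sends."""
    ipaddress.ip_address(myip)  # raises ValueError before garbage reaches the provider
    query = urlencode({"hostname": hostname, "myip": myip})
    # Credentials travel in an HTTP Basic Authorization header, so the request
    # is only safe over HTTPS; the URL is built with that scheme deliberately.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "User-Agent": user_agent}
    return f"https://{server}/nic/update?{query}", headers


def parse_response(body, expected_ip):
    """Turn a dyndns2 response body into a list of (code, ok, detail) tuples."""
    results = []
    # One status line per service is assumed; that is how DNS-O-Matic answers
    # an update addressed to the all.dnsomatic.com pseudo-host.
    for line in body.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        code, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if code in ("good", "nochg"):
            # The provider echoes the IP it recorded; anything other than the
            # one we sent means the record does not point where we think.
            ok = arg == expected_ip
            results.append((code, ok, arg if ok else f"recorded {arg!r}, wanted {expected_ip!r}"))
        elif code in FATAL:
            results.append((code, False, "fatal: fix configuration, do not retry"))
        elif code in RETRY:
            results.append((code, False, "transient: retry with backoff"))
        else:
            results.append((code, False, "unknown response"))
    return results


if __name__ == "__main__":
    url, hdrs = build_update("updates.dnsomatic.com", "all.dnsomatic.com",
                             "alice", "s3cret", "24.4.223.218", "usg-ddns-demo/1.0")
    # Constructed reply for an account with two services, one of them misconfigured.
    for result in parse_response("good 24.4.223.218\nbadauth\n", "24.4.223.218"):
        print(result)
```

A "good" or "nochg" line that echoes a different IP than the one sent is treated as a failure, since it means the record does not point where you believe it does.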

  1. Ubiquiti forum post about manually setting multiple dyndns providers via the CLI

  2. Third-party blog post with helpful commands to set/get USG settings

  3. Ubiquiti forum post by a user mentioning DNS-O-Matic and how to use it