A New Future for Icanhazip

Reminds me of `echo $(dig @ns1.google.com o-o.myaddr.l.google.com TXT +short | tr -d \")`. I have no idea where this DNS query came from, because searching all of Google turns up nothing but https://github.com/GoogleCloudPlatform/cloud-self-test-kit/b..., which is never referenced by anyone. I had to track it down myself for a bootstrap.sh, but I don't like using undocumented sources for critical infrastructure.

My use case was needing to set the result of `hostname -f` in /etc/hosts in an automated fashion if a VPS provider didn't already add a line for the public Internet address in that file. You need to do this so that sendmail doesn't fail on `apt install` when it attempts to read your FQDN. So I couldn't use the NGINX example posted elsewhere here.

It seems like https://checkip.amazonaws.com/ is much more "reliable" in that it is publicly documented at https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/s....

To anyone who needs to read this: please don't use "services" like icanhazip for your provisioning. Even my examples above are bad.

It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

Edit: Oh goodness... even Amazon's documentation recommends using Google's undocumented DNS query.[1]

[1]: https://aws.amazon.com/premiumsupport/knowledge-center/route...

> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

It is not possible to know your public IP address, except by fetching the information from a known entity on the public network.

And in some scenarios, your public IP will change frequently. There is no guarantee that it will be consistent across multiple requests.

> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

There is no singular thing called a "public Internet address". Imagine you're writing paper letters to someone. You write a letter, you put your own From address, you drop it in the slot. When the mailperson comes to collect the letter, they replace your mailing address with a special other codeword. And when they receive mail, they replace that codeword back with your original address. You would never know it was intercepted unless you asked around. There's no official protocol to ask for your codeword, it's just a trick the mail service does on your behalf.

Your home router does exactly this; it's known as "Network Address Translation", or NAT. It's not an official part of IPv4, and there's no protocol to ask what it is. Your computer thinks its local IP address (typically some variety of 192.168.0.1) is its real, public address, and your router does the swap behind your back.

> There is no singular thing called a "public Internet address".

There sort of is, it just doesn't help answer the question.

Both types of addresses have blocks explicitly carved out which are not unicast addresses to be routed over the public Internet. If you have one of those addresses, such as 192.168.0.1, that definitely isn't your "public Internet address" because people can't route stuff to it.

This is explicitly wrong. There absolutely is such a thing as a "public Internet" address, which is the exact terminology used by the IETF. NAT isn't a part of the Internet Protocol, but it is well-defined in other related RFCs.

Yes it is? I'm not talking about a situation where you send a packet to a DHCP server with 0.0.0.0 in the headers, I'm talking about what happens after the fact.

Once you have been allocated an IP address, there should be a way to fetch said address. That's the whole mechanism behind forging UDP packets. If I didn't know what my source IP address was, it would be OK to send 0.0.0.0 out into the world all the time.

Practically speaking, today, it is, considering most, but not all, ISPs won't let you do this and they will rewrite UDP packets that attempt to forge their source.

Edit: OK, since I'm not being clear, let me be explicit: There should be a mechanism in DHCP which allows for the querying of your public Internet address when receiving a packet from a client in one of the Private-Use Networks as defined in RFC 6890. This query should be exposed as a feature of ifconfig or ip, lest a user be forced to manually write such a packet to receive the data.

`ip a` will tell you your IP addresses. As far as I can tell, for IPv6 it actually does know it's public address since that is globally unique with no need for a public/private split.

> Once you have been allocated an IP address

Well, there’s assumption 1 that isn’t true, often, you aren’t allocated a public IP address…at least in IPv4 world

The issue is that ifconfig and ip do not recognize the Private-Use Networks under any flag and thusly query DHCP for the public address, nor does DHCP have such a query. (To my knowledge.)

This is why running this (completely trivial) service yourself is helpful -- you can get the external IP from the perspective you desire.

Yes, I know about what the IETF considers a "public Internet address", but it's sort of ill-defined for a lot of standard network topologies. NAT is a technique, not an explicit protocol. The RFCs simply cover the technique as it existed in practice.

dig myip.opendns.com resolver1.opendns.com is another option

> querying of your public Internet address

Upnp allows you to do that. But that relies on a lot of assumptions. Your address when connecting to X and Y could be different. It could be different depending on the port. It could be load-balanced and come randomly from a pool. It could vary depending on time of day. And many many other cases.

> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

Because traditionally if you're doing things right, you're not using NAT, which is against IP specs and a nonstandard kludge. So you just take your socket and query its local endpoint address using getsockname and voila.

you could be behind NAT or reverse proxies or any number of virtual or physical network components. This service helps account for all of that.

Why the extra `echo` and subshell $(...) ?

dig... | tr... works fine without it.

also, `dig -4 ... ` to get your IPv4 address, for us dual-stacked folks. Otherwise it returns your V6 address by default.

Private-use networks connected to the public internet are an ugly hack. If you don't have a public address, you don't have a public address in any meaningful sense, so any effort to figure out "your" address is doomed from the start.

Particularly in these days of IPv6, just give everything a notionally publicly routable address and then every device can know its real address (of course this doesn't have to mean you actually route public traffic to every address if you don't want to).

Yes, I pulled it out of a shell script which had more concatenated to it and didn’t bother cleaning it up.

I guess you can pick an empty or safe spot from here[1] and send patches to major DHCP server implementations, feels like option 81 "Client FQDN" is already close to that though.

Also do keep in mind that an OS instance can have multiple Ethernet interfaces, and that each interface can have multiple IPs, and that not all DHCP gives out private addresses(University Wi-Fi gave me 133.xx back in the days ... behind NAT!), and that double NAT exists.

1: https://www.iana.org/assignments/bootp-dhcp-parameters/bootp...

What kind of documentation would you like to see for a service like this?

Genuinely asking because I've always used the query

    dig +short myip.opendns.com @resolver1.opendns.com

to resolve the public IP my ISP has assigned me so I can update my homelab's IP.

I use Route53 and I either completely missed the checkip link or they simply don't mention it

When the host has a private-use address, there's not necessarily a single public IP (through NAT etc). Packets from my computer will currently appear from two possible public addresses, depending if they've been routed through the work VPN.

When the host has a non-private-use address, there might still be NAT, or there might be no Internet access. I have servers in 128...* without Internet access.

The "public" address might differ depending on the destination or anything else.

"ip ad" shows the address(es) the network interfaces has, nothing more.

I'm not sure I follow your model of IP networking, but the problem boils down this:

In live networks, you don't always know which device presents your last-hop routable address to the public network, so it is not clear who can authoritatively answer the whatismyip question.

You can get an instantaneously-correct answer (i.e. correct in the instant, not necessarily quickly-answered) from an empirical test, but you need to choose an known (and trusted) entity on the public network to query. Querying multiple different entities might very well get you multiple different answers, depending on how your packets are routed and manipulated before they reach the public network.

And in all cases, there is no guarantee that your public address will be stable over time or location.

Indeed. I like to include two convenience endpoints in my webserver configs (except in cases where I'd need to justify them to compliance/audit, etc):

  * /ip   responds with the src ip of the request
  * /req  responds with the full headers and body of the request

The latter is useful for debugging HTTP clients.