
980 points nkcmr | 7 comments
andrewmcwatters ◴[] No.27416836[source]
Reminds me of `echo $(dig @ns1.google.com o-o.myaddr.l.google.com TXT +short | tr -d \")`. I have no idea where this DNS query came from, because searching all of Google turns up nothing but https://github.com/GoogleCloudPlatform/cloud-self-test-kit/b..., which is never referenced by anyone. I had to track it down myself for a bootstrap.sh, but I don't like using undocumented sources for critical infrastructure.

My use case was needing to set the result of `hostname -f` in /etc/hosts in an automated fashion if a VPS provider didn't already add a line for the public Internet address in that file. You need to do this so that sendmail doesn't fail on `apt install` when it attempts to read your FQDN. So I couldn't use the NGINX example posted elsewhere here.

It seems like https://checkip.amazonaws.com/ is much more "reliable" in that it is publicly documented at https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/s....

To anyone who needs to read this: please don't use "services" like icanhazip for your provisioning. Even my examples above are bad.

It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

Edit: Oh goodness... even Amazon's documentation recommends using Google's undocumented DNS query.[1]

[1]: https://aws.amazon.com/premiumsupport/knowledge-center/route...

replies(6): >>27417302 #>>27417564 #>>27418095 #>>27418333 #>>27418679 #>>27420016 #
1. Jasper_ ◴[] No.27417564[source]
> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

There is no singular thing called a "public Internet address". Imagine you're writing paper letters to someone. You write a letter, you put your own From address, you drop it in the slot. When the mailperson comes to collect the letter, they replace your mailing address with a special other codeword. And when they receive mail, they replace that codeword back with your original address. You would never know it was intercepted unless you asked around. There's no official protocol to ask for your codeword, it's just a trick the mail service does on your behalf.

Your home router does exactly this; it's known as "Network Address Translation", or NAT. It's not an official part of IPv4, and there's no protocol to ask what it is. Your computer thinks its local IP address (typically some variety of 192.168.0.1) is its real, public address, and your router does the swap behind your back.

replies(3): >>27417747 #>>27417833 #>>27417909 #
2. tialaramex ◴[] No.27417747[source]
> There is no singular thing called a "public Internet address".

There sort of is, it just doesn't help answer the question.

Both types of addresses have blocks explicitly carved out which are not unicast addresses to be routed over the public Internet. If you have one of those addresses, such as 192.168.0.1, that definitely isn't your "public Internet address" because people can't route stuff to it.

3. andrewmcwatters ◴[] No.27417833[source]
This is explicitly wrong. There absolutely is such a thing as a "public Internet" address, which is the exact terminology used by the IETF. NAT isn't a part of the Internet Protocol, but it is well-defined in other related RFCs.
replies(1): >>27418062 #
4. SilverRed ◴[] No.27417909[source]
`ip a` will tell you your IP addresses. As far as I can tell, for IPv6 it actually does know its public address since that is globally unique with no need for a public/private split.
replies(1): >>27417946 #
5. andrewmcwatters ◴[] No.27417946[source]
The issue is that ifconfig and ip do not recognize the Private-Use Networks under any flag and thusly query DHCP for the public address, nor does DHCP have such a query. (To my knowledge.)
replies(1): >>27421587 #
6. Jasper_ ◴[] No.27418062[source]
Yes, I know about what the IETF considers a "public Internet address", but it's sort of ill-defined for a lot of standard network topologies. NAT is a technique, not an explicit protocol. The RFCs simply cover the technique as it existed in practice.
7. Symbiote ◴[] No.27421587{3}[source]
When the host has a private-use address, there's not necessarily a single public IP (through NAT etc). Packets from my computer will currently appear from two possible public addresses, depending on whether they've been routed through the work VPN.

When the host has a non-private-use address, there might still be NAT, or there might be no Internet access. I have servers in 128...* without Internet access.

The "public" address might differ depending on the destination or anything else.

"ip ad" shows the address(es) the network interfaces have, nothing more.
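
An added example, not code from any commenter: a POSIX sh check for the top comment's provisioning use case that accepts a lookup answer for /etc/hosts only when it is a single, well-formed IPv4 address outside the non-routable blocks mentioned in the replies. The function names, the sample answers and the FQDN `vps1.example.net` are assumptions made for illustration; IPv6 is not handled and the block list is not exhaustive.

```shell
#!/bin/sh
# Added example, not code from the thread: vet a "what is my address" answer
# before a provisioning script writes it to /etc/hosts.

# is_public_ipv4 ADDR: succeed only for a well-formed dotted quad that lies
# outside the listed blocks that are not routed over the public Internet.
is_public_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # HTML, error text, two answers
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;  # no leading zeros
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*) return 1 ;;                   # this-net, RFC 1918, loopback
        192.168|169.254) return 1 ;;                  # RFC 1918, link-local
        172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;  # RFC 1918 172.16/12
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) return 1 ;;  # RFC 6598
        22[4-9].*|2[3-5][0-9].*) return 1 ;;          # multicast, reserved
    esac
    return 0
}

# hosts_line RAW FQDN: print "ADDR<TAB>FQDN" for /etc/hosts, or fail.
# Quotes of a TXT answer are stripped the way `tr -d \"` does in the thread.
hosts_line() {
    candidate=$(printf '%s' "$1" | tr -d '"')
    is_public_ipv4 "$candidate" || return 1
    case $2 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;  # hostname characters only
    esac
    printf '%s\t%s\n' "$candidate" "$2"
}

# Constructed sample answers; 198.51.100.23 (a documentation address) stands
# in for a routable one, and the FQDN is hypothetical.
for answer in '"198.51.100.23"' '192.168.0.1' '<html>503</html>'; do
    hosts_line "$answer" vps1.example.net || echo "rejected: $answer" >&2
done
```

A caller would append the printed line to /etc/hosts only when `hosts_line` succeeds and stop the bootstrap otherwise.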