←back to thread

A New Future for Icanhazip

(major.io)
980 points nkcmr | 1 comments | 06 Jun 21 19:21 UTC | HN request time: 0.203s | source
Show context
andrewmcwatters ◴[06 Jun 21 22:11 UTC] No.27416836[source]
Reminds me of `echo $(dig @ns1.google.com o-o.myaddr.l.google.com TXT +short | tr -d \")`. I have no idea where this DNS query came from, because searching all of Google turns up nothing but https://github.com/GoogleCloudPlatform/cloud-self-test-kit/b..., which is never referenced by anyone. I had to track it down myself for a bootstrap.sh, but I don't like using undocumented sources for critical infrastructure.

My use case was needing to set the result of `hostname -f` in /etc/hosts in an automated fashion if a VPS provider didn't already add a line for the public Internet address in that file. You need to do this so that sendmail doesn't fail on `apt install` when it attempts to read your FQDN. So I couldn't use the NGINX example posted elsewhere here.

It seems like https://checkip.amazonaws.com/ is much more "reliable" in that it is publicly documented at https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/s....

To anyone who needs to read this: please don't use "services" like icanhazip for your provisioning. Even my examples above are bad.

It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

Edit: Oh goodness... even Amazon's documentation recommends using Google's undocumented DNS query.[1]

[1]: https://aws.amazon.com/premiumsupport/knowledge-center/route...

replies(6): >>27417302 #>>27417564 #>>27418095 #>>27418333 #>>27418679 #>>27420016 #
quesera ◴[06 Jun 21 23:23 UTC] No.27417302[source]
> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

It is not possible to know your public IP address, except by fetching the information from a known entity on the public network.

And in some scenarios, your public IP will change frequently. There is no guarantee that it will be consistent across multiple requests.

replies(2): >>27417876 #>>27418014 #
andrewmcwatters ◴[07 Jun 21 01:00 UTC] No.27417876[source]
Yes it is? I'm not talking about a situation where you send a packet to a DHCP server with 0.0.0.0 in the headers, I'm talking about what happens after the fact.

Once you have been allocated an IP address, there should be a way to fetch said address. That's the whole mechanism behind forging UDP packets. If I didn't know what my source IP address was, it would be OK to send 0.0.0.0 out into the world all the time.

Practically speaking, today, it is, considering most, but not all, ISPs won't let you do this and they will rewrite UDP packets that attempt to forge their source.

Edit: OK, since I'm not being clear, let me be explicit: There should be a mechanism in DHCP which allows for the querying of your public Internet address when receiving a packet from a client in one of the Private-Use Networks as defined in RFC 6890. This query should be exposed as a feature of ifconfig or ip, lest a user be forced to manually write such a packet to receive the data.

replies(6): >>27417942 #>>27418317 #>>27418389 #>>27418717 #>>27418974 #>>27423089 #
1. cowsandmilk ◴[07 Jun 21 01:11 UTC] No.27417942[source]
> Once you have been allocated an IP address

Well, there’s assumption 1 that isn’t true, often, you aren’t allocated a public IP address…at least in IPv4 world