←back to thread

A New Future for Icanhazip

(major.io)
980 points nkcmr | 2 comments | 06 Jun 21 19:21 UTC | HN request time: 0.467s | source
Show context
andrewmcwatters ◴[06 Jun 21 22:11 UTC] No.27416836[source]
Reminds me of `echo $(dig @ns1.google.com o-o.myaddr.l.google.com TXT +short | tr -d \")`. I have no idea where this DNS query came from, because searching all of Google turns up nothing but https://github.com/GoogleCloudPlatform/cloud-self-test-kit/b..., which is never referenced by anyone. I had to track it down myself for a bootstrap.sh, but I don't like using undocumented sources for critical infrastructure.

My use case was needing to set the result of `hostname -f` in /etc/hosts in an automated fashion if a VPS provider didn't already add a line for the public Internet address in that file. You need to do this so that sendmail doesn't fail on `apt install` when it attempts to read your FQDN. So I couldn't use the NGINX example posted elsewhere here.

It seems like https://checkip.amazonaws.com/ is much more "reliable" in that it is publicly documented at https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/s....

To anyone who needs to read this: please don't use "services" like icanhazip for your provisioning. Even my examples above are bad.

It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

Edit: Oh goodness... even Amazon's documentation recommends using Google's undocumented DNS query.[1]

[1]: https://aws.amazon.com/premiumsupport/knowledge-center/route...

replies(6): >>27417302 #>>27417564 #>>27418095 #>>27418333 #>>27418679 #>>27420016 #
quesera ◴[06 Jun 21 23:23 UTC] No.27417302[source]
> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.

It is not possible to know your public IP address, except by fetching the information from a known entity on the public network.

And in some scenarios, your public IP will change frequently. There is no guarantee that it will be consistent across multiple requests.

replies(2): >>27417876 #>>27418014 #
1. rkeene2 ◴[07 Jun 21 01:22 UTC] No.27418014[source]
This is why running this (completely trivial) service yourself is helpful -- you can get the external IP from the perspective you desire.
replies(1): >>27427404 #
2. quesera ◴[07 Jun 21 21:40 UTC] No.27427404[source]
Indeed. I like to include two convenience endpoints in my webserver configs (except in cases where I'd need to justify them to compliance/audit, etc):

  * /ip   responds with the src ip of the request
  * /req  responds with the full headers and body of the request
The latter is useful for debugging HTTP clients.