
Use the same <profile_id>.dns.nextdns.io as an NTP endpoint for IP(v4)-Linking

Today, NextDNS enables Linked-IP updates through two primary methods:

  1. DDNS 
  2. HTTP URL watchdog 

Yet, both approaches face challenges due to CGNAT (Carrier-Grade Network Address Translation) and insufficient router support. 

I propose a more effective third solution: 

✅ Utilize the same DNS-over-TLS/QUIC hostname (e.g., <profile_id>.dns.nextdns.io) as an NTP (Network Time Protocol) endpoint. 

By having routers send NTP queries to this hostname, NextDNS can seamlessly update the Linked IP. This method requires no additional scripting, leverages features already found in most routers, and guarantees reliable IP synchronization even in CGNAT scenarios. Embracing this solution can enhance your connectivity without complicating setup!

3 replies

    • ktrekiel
    • yesterday

    • NextDNs
    • 19 hrs ago

    The NTP protocol, unlike HTTP, does not provide a way to know which hostname the client used to perform the request.

    • ktrekiel
    • 14 hrs ago

    Ouch... you are right. But let's try to work it around:

    Standard NTP still has no field in the UDP packet for the client to send the original hostname it resolved. However, when the hostname itself encodes the tenant (e.g., <profile_id>.ntp.nextdns.io), you can often infer the intended tenant reliably using the DNS query correlation method:

    A router configured to use NTP server <profile_id>.ntp.nextdns.io will (at some point) issue a forward DNS lookup for exactly that name, directly to the IPv4 address you assigned to <profile_id>, having:

      1. The queried hostname (which contains the tenant part).
      2. The source IP (CGNAT, etc.) of the DNS query.
      3. The timestamp.

    When an NTP packet arrives from the same source IP shortly afterward (or within a reasonable window, accounting for caching), you can correlate it to the specific tenant.

    I am aware it is a bit indirect, but compared with the high technology involved in DNS resolution built into your platform, it does not seem scary.

    Note, I deliberately suggest a change/separation to an NTP subdomain, to avoid confusion with other secure DNS tenant name resolutions:

    <profile_id>.ntp.nextdns.io
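The correlation described in the reply above (and the Linked-IP update the original post asks for), as an added Python example; it is not code from the post, from ktrekiel, or from NextDNS. It assumes a `<profile_id>.ntp.nextdns.io` hostname (the `.ntp.nextdns.io` suffix and the `[a-z0-9]+` shape of a profile id are assumptions), a ten-minute correlation window standing in for "DNS TTL plus client slack", and constructed sample events in place of real resolver and NTP logs. It also handles the case the correlation cannot resolve on its own: when more than one profile's NTP name was resolved from the same source address inside the window, which is exactly what CGNAT produces, the NTP packet is reported as ambiguous instead of linking the wrong profile.

```python
"""
Added example (not from the NextDNS thread): correlate a tenant-encoding DNS
lookup with a later NTP request from the same source IP.  Hostname suffix,
profile-id format, window length and the sample events are all assumptions
constructed for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

NTP_SUFFIX = ".ntp.nextdns.io"   # assumed tenant-encoding suffix from the post
CORRELATION_WINDOW_S = 600.0     # assumed: DNS answer TTL plus client slack


@dataclass(frozen=True)
class DnsQuery:
    ts: float
    src_ip: str
    qname: str


@dataclass(frozen=True)
class NtpRequest:
    ts: float
    src_ip: str


def profile_from_qname(qname: str) -> Optional[str]:
    """Return <profile_id> from <profile_id>.ntp.nextdns.io, else None."""
    name = qname.rstrip(".").lower()
    if not name.endswith(NTP_SUFFIX):
        return None
    label = name[: -len(NTP_SUFFIX)]
    # Exactly one label, restricted to the characters a profile id is assumed
    # to contain; anything else (sub-labels, the DoT name) is not a tenant hint.
    if not re.fullmatch(r"[a-z0-9]+", label):
        return None
    return label


class LinkedIpCorrelator:
    """
    Per source IP, remember which profile ids had their NTP name resolved and
    when.  An NTP packet is attributed to a profile only if exactly one profile
    was resolved from that IP inside the window; several candidates (many
    subscribers behind one CGNAT address) are reported as ambiguous, not guessed.
    """

    def __init__(self, window_s: float = CORRELATION_WINDOW_S):
        self.window_s = window_s
        self._seen: dict[str, dict[str, float]] = {}  # src_ip -> {profile: last_ts}

    def observe_dns(self, q: DnsQuery) -> None:
        profile = profile_from_qname(q.qname)
        if profile is not None:
            self._seen.setdefault(q.src_ip, {})[profile] = q.ts

    def _candidates(self, src_ip: str, now: float) -> list[str]:
        table = self._seen.get(src_ip, {})
        # Forget resolutions older than the window so a stale lookup cannot
        # re-link an address the subscriber has long since lost.
        for profile in [p for p, t in table.items() if now - t > self.window_s]:
            del table[profile]
        # Only lookups that happened before this NTP packet count.
        return sorted(p for p, t in table.items() if t <= now)

    def observe_ntp(self, r: NtpRequest) -> tuple[str, Optional[str]]:
        """
        ("linked", profile)  exactly one fresh candidate -> update its Linked IP
        ("ambiguous", None)  several profiles resolved from this IP recently
        ("unknown", None)    no recent NTP-name resolution from this IP
        """
        cands = self._candidates(r.src_ip, r.ts)
        if len(cands) == 1:
            return "linked", cands[0]
        if cands:
            return "ambiguous", None
        return "unknown", None


# Constructed sample traffic (not real logs).  Two routers share the CGNAT
# address 203.0.113.7; a third has its own address 198.51.100.20.
SAMPLE_DNS = [
    DnsQuery(1000.0, "198.51.100.20", "abc123.ntp.nextdns.io."),
    DnsQuery(1005.0, "203.0.113.7", "abc123.dns.nextdns.io."),  # DoT name, ignored
    DnsQuery(1010.0, "203.0.113.7", "def456.ntp.nextdns.io."),
    DnsQuery(1012.0, "203.0.113.7", "ghi789.ntp.nextdns.io."),
]
SAMPLE_NTP = [
    NtpRequest(1020.0, "198.51.100.20"),  # one candidate -> linked to abc123
    NtpRequest(1025.0, "203.0.113.7"),    # def456 and ghi789 both fresh -> ambiguous
    NtpRequest(1700.0, "198.51.100.20"),  # 700 s after the lookup -> window expired
    NtpRequest(1030.0, "192.0.2.9"),      # never resolved an NTP name -> unknown
]


def run_sample() -> list[tuple[str, Optional[str]]]:
    c = LinkedIpCorrelator()
    for q in SAMPLE_DNS:
        c.observe_dns(q)
    return [c.observe_ntp(r) for r in SAMPLE_NTP]


if __name__ == "__main__":
    for req, result in zip(SAMPLE_NTP, run_sample()):
        print(req.src_ip, result)
```

The point of the `ambiguous` outcome is the CGNAT case the original post is trying to solve: when several subscribers share one public address, the resolver sees several profiles' NTP names from that address, and source IP alone cannot say which of them sent a given NTP packet. A real deployment would also need to bound the table per source address, since an attacker who can send DNS queries from an address can fill it with arbitrary profile ids and force every NTP packet from that address into the ambiguous state.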

  • 2 Votes
  • Last active 14 hrs ago
  • 3 Replies
  • 38 Views
  • 2 Following