Dynamic DNS helps turn dynamic IP addresses into static DNS names, thus making systems permanently available. This page gives an insight into how to set things up with the Hetzner DNS console and Opnsense.
Even though Opnsense has a DynDNS client included, it currently does not support the Hetzner DNS API keys.
Hetzner
Step one is to create the actual record we want to update regularly. The easiest way to do this is via the DNS console.
Warning
The Hetzner DNS API does not support any ACLs at this point (January 2024), thus having access to the access token exposes ALL DNS settings you have in your Hetzner DNS console!
Hetzner DNS API
The Hetzner DNS API is documented here. The API tokens can be created in the DNS Console.
The first code snippet gives you a list of all your zones in Hetzner’s DNS Console. The only necessary setting is the API Token. We use this to get the Zone ID.
Code Snippet
The second snippet is used to fetch the Record ID.
Code Snippet
The third snippet is just for verification that we have the correct ID. Now, this request is a little mean, as the Record ID has to be passed as part of the URL!
Code Snippet
Set Record
In the final snippet we need all parameters together: API Token, Zone ID, Record ID, the target DNS Name and the target IP.
Code Snippet
Opnsense
Opnsense exposes various functions via the API: not all of them, and some in a slightly strange way. Access is possible with individual API keys, which can be created on the users page. It also supports ACLs, which are more or less good.
Warning
The ACL for /diagnostics/interface/getinterfaceconfig seems to be slightly broken. It only seems to be accessible when the API key has ALL permissions.
Fetching the Interface IP
The following snippet requires the API key and secret and returns the IP address of pppoe0. The interface name will have to be adjusted. Also, ipv4 can be replaced with ipv6 if necessary. Don’t forget to import the server’s certificate beforehand; for testing purposes, verify=False can be added to the request.
Code Snippet
The Full Script
The full script will fetch the IP from the local Opnsense instance and then pass it on to Hetzner.
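An added example, not the author's script, of the flow described above: it keeps TLS verification on against the imported Opnsense certificate, reads the all-powerful Hetzner token from the environment, and refuses to publish an address that is not publicly routable. The environment variable names, the TTL, the shape of the Opnsense reply and the use of the standard library's urllib are assumptions.

```python
import base64, ipaddress, json, os, ssl, urllib.request

HETZNER_API = "https://dns.hetzner.com/api/v1"
# Constructed sample reply, only used to exercise extract_ip offline
SAMPLE = {"pppoe0": {"ipv4": [{"ipaddr": "8.8.8.8"}], "ipv6": []}}

def extract_ip(ifconfig, ifname, family="ipv4"):
    """Return the interface's first address; refuse anything not publicly routable."""
    # Assumed reply shape: {"pppoe0": {"ipv4": [{"ipaddr": "..."}], ...}}
    ip = ipaddress.ip_address(ifconfig[ifname][family][0]["ipaddr"])
    if not ip.is_global:  # RFC 1918, CGNAT, link-local: never publish these
        raise ValueError(f"{ip} is not a public address")
    return str(ip)

def fetch_ifconfig(host, key, secret, cafile):
    """Query Opnsense with TLS verification on, trusting only the imported CA file."""
    ctx = ssl.create_default_context(cafile=cafile)
    cred = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/diagnostics/interface/getinterfaceconfig",
        headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def build_update(token, zone_id, record_id, name, ip, ttl=60):
    """Build the PUT that sets the record; the Record ID is part of the URL."""
    rtype = "A" if ipaddress.ip_address(ip).version == 4 else "AAAA"
    body = {"zone_id": zone_id, "type": rtype, "name": name, "value": ip, "ttl": ttl}
    return urllib.request.Request(
        f"{HETZNER_API}/records/{record_id}", data=json.dumps(body).encode(),
        method="PUT",
        headers={"Auth-API-Token": token, "Content-Type": "application/json"})

if __name__ == "__main__":
    env = os.environ  # secrets come from the environment, not from the script file
    cfg = fetch_ifconfig(env["OPN_HOST"], env["OPN_KEY"], env["OPN_SECRET"], env["OPN_CA"])
    ip = extract_ip(cfg, env.get("OPN_IF", "pppoe0"))
    req = build_update(env["HETZNER_TOKEN"], env["HETZNER_ZONE_ID"],
                       env["HETZNER_RECORD_ID"], env["RECORD_NAME"], ip)
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, ip)
```

Because the token cannot be scoped, keep the environment file readable only by the account that runs the job.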