
For anyone hosting their domain on Google Domains, there's a neat API endpoint they're offering for updating the DNS with a simple curl. I've been using this for years now for a public Raspberry Pi behind a home router that changes IPs every other day.

  curl -s -k --user "username:password" "https://domains.google.com/nic/update?hostname=yourdomain.com"

There are more parameters (and you can specify an IP; the above request only takes the caller's IP).

Here are the docs: https://support.google.com/domains/answer/6147083?hl=en#zipp...



I don't know if it's relevant but there was an article the other day about how Google is phasing out username:password logins for most Google related services and APIs, so if you have a script running quietly for years doing this task, it might be worth double checking if it will continue to be fine. (It might be, if this u/p is unique to the domain as the docs suggest - but I thought I'd mention it just in case!)


This is with an application specific username/password pair that GoogleDNS gives you. And will only update that specific record.


Would enabling 2-factor auth and using an app-specific password in this case still work? Worth a try I guess: https://support.google.com/accounts/answer/185833


I had no idea about this, really handy!

Quick question, is there a reason the -k (--insecure) flag is included? I imagine that https://domains.google.com would use a cert trusted by curl so it seems unnecessary and adds a risk that your traffic could be MitM.


I could see people doing this on old routers with outdated CA certs and etc. But agreed, it seems like a bad idea unless absolutely necessary.
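
Added example, not part of the thread or any commenter's script: the update call from the top comment with certificate verification left on and the per-record credentials handed to curl on stdin instead of on the command line. The function names are hypothetical, and the response keywords follow the dyndns2 convention, which is an assumption here since the thread does not list them.

```shell
#!/bin/sh
# Added example (not from the thread): same update call, without -k.
DDNS_URL="https://domains.google.com/nic/update"   # endpoint quoted in the thread
NL='
'

# Emit a curl config for `curl --config -`. Credentials handed over on
# stdin never show up in argv, so `ps` and shell history don't capture them.
# No "insecure" line is written: certificate verification stays on.
build_curl_config() {   # $1=record username  $2=record password  $3=hostname
    case "$1$2" in
        *'"'*|*'\'*|*"$NL"*) echo "unsupported character in credentials" >&2; return 1 ;;
    esac
    case "$3" in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname" >&2; return 1 ;;
    esac
    printf 'url = "%s?hostname=%s"\n' "$DDNS_URL" "$3"
    printf 'user = "%s:%s"\n' "$1" "$2"
    printf 'silent\nfail\nproto = "=https"\nmax-time = 20\n'
}

# Map the first word of the reply body to an exit status.
# Keywords are the dyndns2-style ones (assumed, see lead-in).
classify_response() {
    case "${1%% *}" in
        good|nochg) return 0 ;;                                # record is current
        badauth|nohost|notfqdn|badagent|abuse) return 2 ;;     # retrying won't help
        *) return 1 ;;                                         # transient or unknown
    esac
}

# Run the update. `-q` must come first: it stops curl from reading a
# ~/.curlrc that might itself contain "insecure".
update_record() {
    cfg=$(build_curl_config "$1" "$2" "$3") || return 2
    body=$(printf '%s\n' "$cfg" | curl -q --config -) || return 1
    classify_response "$body"
}

# Usage (makes a network request, so it is left commented out):
# update_record "$DDNS_USER" "$DDNS_PASS" "host4.example.com"
```

If this fails with a certificate error on an old device, the fix is to update its CA bundle (or point curl at a current one with `--cacert`), not to add `-k` back.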


Not only did I have no idea about this, but I was certain this didn't exist on purpose as there is a paid "Cloud DNS" in Google Cloud.

Does this mean Let's Encrypt dns-01 challenges could be automated?

[edit: Oh the API only allows changing an A record, for dynamic DNS, not updating anything else in the zone. That makes more sense.]


So I mentioned the same thing, though one thing to note (which I doubt Duck DNS helps with either) is that one can't use Google's dynamic DNS with AAAA records (i.e. IPv6). Personally, I think this is a massive oversight on their part.


I have dynamic A and AAAA records with Google Domains. I'm not sure why it doesn't work for you.

Here's the relevant portion of my ddclient config:

  protocol=googledomains
  login=XXXXXXX
  password=XXXXXXX
  host4.mydomain.com

  protocol=googledomains
  use=web
  web=checkipv6.dyndns.org/
  ipv6=yes
  login=XXXXXXXC
  password=XXXXXXX
  host6.mydomain.com


OK, so you're doing a manual update?

When I go into the web UI for my domain and go to create a dynamic DNS name, it only gives me an option for an A record.

My "guess" is that your solution is to create a normal AAAA record and ddclient can update that record with the info retrieved from checkipv6.dyndns.org? So not using Google's UI to set up a AAAA dyn DNS record? And my guess is that the username/password scoping that you got for host4 worked the same for the "fake static" AAAA record?

Or you could have the ability to create AAAA dyn DNS records via the UI and for some reason I'm just blind.


When you create the dynamic DNS record in the UI, it will be of type A.

But after you update the record using ddclient or whatever, the UI will show the correct type:

https://i.imgur.com/7Vb2eqg.png


ah, ok. thanks for the info!


Likely because the person/team that built this got their annual bonus for making something new and moved on to other things before ipv6 became relevant in their eyes.


It seems unsafe to me to be passing your username and password over the open every second day. Especially one that links to Google - which for the majority of people is their life.

As a side note - will the recent announcement by Google about unsafe logins being denied affect you?


In the open? I believe u:pwd is HTTP Basic Auth, which is not "in the open" when over TLS.

https://en.wikipedia.org/wiki/Basic_access_authentication#Se...


~~It's still passing credentials for the entire account, rather than something explicitly scoped to "just update these A records, and these A records only".~~

~~Also as the parent noted, Google have the last few years been very aggressive about "unsafe login" (using usr+pass outside of Google) and this might disappear.~~

Edit: Never mind, buried in the docs it appears the user:pass are scoped.


In this case, the username and password are NOT your Google credentials. When you set up a dynamic DNS subdomain in Google Domains, it autogenerates a username/password pair that is unique to that subdomain, and that's what you use.

https://support.google.com/domains/answer/6147083?hl=en&ref_...



