ddclient response 'HTTP 426 Upgrade Required' (Debian stretch: ddclient 3.8.3-1.1, libio-socket-ssl-perl 2.044-1)

Comments

26 comments

  • Official comment
    Avatar
    Christopher Stewart

    Hello Badgertastic, and rotblitz.

    There was recent changes made to updates.opendns.com. In the off chance that you have have firewall rules set up that are whitelisting traffic to the domain based on it's IP, we recommend that you update these rules to allow the traffic based on the domain name instead. This is because we've changed the IP of the domain.

    For details, please refer to our article https://support.umbrella.com/hc/en-us/articles/360021913032

  • Avatar
    nic

    It would appear OpenDNS did make a change to their web servers which broke interoperability with ddclient

    You can workaround this issue by modifying the DDClient 3.9.0 perl script (usually installed at "/usr/bin/ddclient").

    Change this line from:

    $request .= "/$url HTTP/1.0\n";

    To:

    $request .= "/$url HTTP/1.1\n";

     

     

  • Avatar
    rotblitz

    Read the other thread again.  I'm suggesting that something is wrong with updates.opendns.com.  I have raised two support tickets, one for OpenDNS and one for Umbrella.  You must wait until this issue has been fixed.  For update needs see the options I listed in the other thread.  I'm just a user like you and really cannot do more.

  • Avatar
    nic

    There is a caveat when using ddclient in conjunction with other dynamic dns services (ie cloudflare api) when you hard code HTTP/1.1 for all requests. ddclient was unable to parse the HTTP/1.1 json response from api.cloudflare.com/client/v4

    If you are in this scenario, I submitted a crude patch which selectively sends HTTP/1.1 to updates.opendns.com

    https://sourceforge.net/p/ddclient/bugs/98/

     

    I would strongly urge OpenDNS and Cisco Umbrella to invest development cycles on a proper solution to it's paid subscribers. I can only speculate how long, if at all, the down stream open source project your business depends on will implement one of these proper workaround to your entire user base. As it turns out, they are seeking new project ownership.

    https://sourceforge.net/p/ddclient/mailman/message/36589979/

     

    Or simply just re-enable HTTP/1.0 for you appear to be the only dynamic dns service that is mandating the HTTP/1.1 version change. How many deployments are still broken as a result of not noticing the updates had silently broke.

  • Avatar
    badgertastic

    I received official reply on my ticket.  Ddclient need to update their end.

    I also noted the OpenDNS support article for ddclient has been removed. Previously: https://support.opendns.com/hc/en-us/articles/227987727

  • Avatar
    rotblitz (Edited )

    "Is there really no way to manually update your IP address"

    Sure, there is a really simple way.  You send your updates through DNS-O-Matic instead of directly to OpenDNS.

    See https://support.opendns.com/hc/en-us/community/posts/360042730712/comments/360004723011

    This will work as long as DNS-O-Matic doesn't require HTTP 1.1 too.

    After you configured OpenDNS as service at DNS-O-Matic, you can manually update OpenDNS at any time by visiting the usual update URL:

    https://updates.dnsomatic.com/nic/update?hostname=all.dnsomatic.com
    - or -
    https://updates.dnsomatic.com/nic/update?hostname=OpenDNSnetworkLabel

    And no, you do not need to delete your dashboard network to create a new one.  You can keep your existing one updated by updating manually at the dashboard (clicking the green arrows icon) or via browser URL, or automatically by sending your updates through DNS-O-Matic, e.g. by ddclient and the likes.

  • Avatar
    rotblitz (Edited )

    See https://support.opendns.com/hc/en-us/community/posts/360041094672 
    A support ticket has been raised already.

  • Avatar
    badgertastic

    Hi rotblitz. Thanks for the response. I’m trying to use (for the first time)  ddclient on Linux described here: https://support.opendns.com/hc/en-us/articles/227987727. Previously I was using OpenDNS Updater for Mac OS but I wanted to move the updater to my PiHole server. 

    The errors I posted are from the debug output, from the actual http GET request (IO::Socket Perl module)

    I already use domain name and not IP. User credentials are in the auth headers, vs being passed in the URL. 

    Are you suggesting the author of ddclient need to update it? Is it the same issue described in the ticket?

    Thnaks

  • Avatar
    badgertastic

    I saw you updated the other post with my symptom. Definitely looks like something has changed at updates service. Mac client doesn’t work now either. 

  • Avatar
    badgertastic (Edited )

    So all clients (Linux, MacOS and according to other post Windows) are failing.

    I used Postman to test the GET to http://updates.opendns.com/nic/update?system=dyndns&hostname=<DOMAIN>&myip=<IP>

    Replicating the headers used by ddclient, and it works. (200 OK, body: 'good <IP>').

    So seems to me that protocol version issue as originally reported: HTTP/1.1 426 Upgrade Required

    The 426 doesn't say what is supported.

    EDIT: Postman to https actually fails. Using HTTP/1.1 returns:

    upstream connect error or disconnect/reset before headers.

    Same result I was seeing from ddclient with 1.1.

  • Avatar
    badgertastic

    Christopher Stewart - I dont think this is the issue. I'm using domain name updates.opendns.com and I have no firewall restricting outbound http/ssl to it.

  • Avatar
    rotblitz

    I got a reply to my ticket.  The developers are on the issue.

  • Avatar
    badgertastic

    HTTP/1.1 and SSL now working. 

    HTTP/1.0 and SSL not working. I guess Linux ddclient needs update if OpenDNS are not going to back out the update that causes the 426.

  • Avatar
    badgertastic

    Yes. Correct. For the record, there were 2 issues when I wrote original post.

    1. ‘Upgrade Required’ is resolved by editing the script to use HTTP/1.1 

    2. ‘Service Unavailable” resolved by OpenDNS per rotblitz ticket  (Same issue as ‘upstream connect error...’)

    I guess we should inform ddclient author to fix issue 1 for everyone else. Maybe a bug report on his GitHub. I did raise ticket with OpenDNS but had no response. 

  • Avatar
    joz1975

    Thanks for your posts. Do you guys happen to have know where the file I have to edit is located on a Raspberry Pi? Thanks.

  • Avatar
    festifi

    On linux based systems (like Rasp Pi), ddclient will typically be found at /usr/bin/ddclient or /usr/sbin/ddclient

  • Avatar
    joz1975

    Thanks this worked great. The location on a Rasp Pi is /usr/sbin/ddclient.

  • Avatar
    peter_ashford

    Thank you for this workaround, sorted it out for me after hours of trying to work it out!

  • Avatar
    jimj

    Using CentOS 7.6 with ddclient 3.8.3 I changed HTTP/1.0 to HTTP/1.1 and now I'm getting the "upstream connect error or disconnect/reset before header" error that others have reported as resolved.  I'm not sure if ddclient 3.9.0 would help as I can't get that working.

  • Avatar
    gordon1234

    I made the change suggested by nic above, and it resolved the issue. Script was in /usr/sbin. Ubuntu 19.04. ddclient v184 3.8.3

    Many thanks. Much appreciated

  • Avatar
    jimj

    With CentOS 7.6 I get the "upstream connect error or disconnect/reset before headers" error with all of these methods:

    Are there any other Linux based automatic update methods I can try? I have a ticket open, but no reply yet.

    FYI the OpenDNS ddclient support page is available in the Internet Archive here:
    https://web.archive.org/web/20190214124325/https://support.opendns.com/hc/en-us/articles/227987727

  • Avatar
    nic (Edited )

    Cisco Umbrella OpenDNS support team spoke loud and and clear on this issue. They do not care how many ddclient deployments they silently broke. Realistically, unless you are monitoring your logs, you probably have not realized their server side changes cased your client to stop updating

    "Unfortunately we can't always maintain interoperability between our servers and all third party DDNS clients."

    No, but you can fix it after you realized the mistake. Pulling the ddclient KB article further buries the root cause.

    Our subscriptions renewals have already be reallocated with different vendor.

  • Avatar
    jimj

    All the ways I try to update OpenDNS (ddclient, web browser, curl) fail with the same error.  OpenDNS support tells me:

    Due to a recent update updates.opendns.com requires HTTP 1.1 in order for a network identity update to be successful. ddclient uses HTTP 1.0 only so any attempt at using this tool fail.
    DDClient is a third party application and as such we can not change or troubleshoot the product.
    Using curl (7.33.0 or higher) you should be able to successfully update an IP address

    Unfortunately my version of curl on CentOS 7.6 is older and it's not the easiest thing to update.  I then asked support if there's a way I can just manually update my IP in OpenDNS instead.  His reply surprised me:

    Unfortunately, after the initial setup you would not be able to manually change the IP address.
    Removing a network, and then adding a new network with the updated IP will work.

    Is there really no way to manually update your IP address short of deleting it and starting over from scratch?  That seems bizarre to me, but I can't find an option to edit it.

  • Avatar
    jimj

    Thanks rotblitz, that exactly the info I needed!  DNS-O-Matic looks like a really good solution.

  • Avatar
    Chris Baker

    We have re-enabled support for HTTP 1.0 on updates.opendns.com so ddclient (or any ddns client that requires HTTP 1.0) will work again.

  • Avatar
    festifi

    I made this change (i.e. $request from HTTP/1.0 to HTTP/1.1) on my system (though I edited /usr/sbin/ddclient ) and ddclient is working again.

     

    Thanks

     

    nic

Please sign in to leave a comment.