[Nextbox] Guided Dynamic DNS: Can't enable HTTPS

[EDIT: jump directly to the very last post for the current problem. I just kept the earlier posts for reference]

Hello all,

trying to set up Dynamic DNS.

I acquired a domain at dedyn.io. I received a token and input it into the appropriate field in Nextbox. Then:

Successfully resolved: myname.dedyn.io [IPv4] to: xx.xx.xxx.xxx
Failed resolving: myname.dedyn.io [IPv6] need: xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:xxxx found: null

Fair enough, no IPv6 then, IPv4 should suffice. Next, I click on Enable HTTPS:

Failed reachability for: myname.dedyn.io

I looked at port forwarding.
In my FritzBox 6490 I

  1. went to “Internet → Freigaben → Port Freigaben”
  2. selected “Gerät für Freigaben hinzufügen”
  3. selected “nextbox” as the machine in question
  4. did not select “Selbstständige Portfreigaben für dieses Gerät erlauben.” nor “Dieses Gerät komplett für den Internetzugriff über IPv4 freigeben (Exposed Host).” (but also tried selecting both)
  5. but rather added a few “Freigaben”, namely HTTP-Server via TCP Port 80 and HTTPS-Server via TCP Port 443 (for both IPv4 and IPv6).

But myname.dedyn.io remains unreachable. Any idea where I went wrong? :slight_smile:

Best
Tencel

Ah I just read

DNS-Rebind on the other side will just ensure that IPv6 is working to connect to your NextBox, this is required sometimes depending on your internet-service-provider. Namely, if you get a true dual-stack (IPv4 + IPv6) connection from your ISP, then you should not even need IPv6. But if you’re on a DS-Lite connection, you might need IPv6 to access your NextBox. (see DNS Rebind Protection — Nitrokey Documentation )

from Daringer’s first post here

It doesn’t become quite as clear in the respective docs; it might be worth adding Daringer’s comment with the following bottom line: Sometimes, IPv4 is NOT enough for some folks, you may need to set up IPv6! :slight_smile:

After I enabled IPv6 by whitelisting myname.dedyn.io in the DNS rebind protection, I can continue.

Huh. In the next step though, after clicking Enable HTTPS, I get this popup:

Failed to acquire myname.dedyn.io with mymail@address.sth

Just to be clear: I do get:

Successfully resolved [for both IPv4 and IPv6]

and

Successfully tested reachability for: myname.dedyn.io

I cannot reach myname.dedyn.io from outside of my WLAN though.
Any idea why? Might I have set up my deSEC account wrongly?

myname.dedyn.io == the domain I acquired at dedyn.io.
mymail@address.sth == the email address I used at desec.io to register myname.dedyn.io.

Hey @Tencel,

this very much looks like a firewall issue.
From your post at the top I have the impression you might have opened port forwarding for IPv4 only. Can you please ensure that you open it for IPv6, or maybe even close it for IPv4 and just open IPv6?

I suppose you have a DS-Lite connection; they behave really weirdly for incoming IPv4 connection requests.

The fact that reachability is working would also support my impression, as the reachability is tested by the NextBox itself: the NextBox resolves the IPv6 address for the domain and tries to connect to it. If this IPv6 address points to your NextBox, the traffic never has to go through your router (in contrast to IPv4, where the traffic is actually forwarded from the router to your NextBox) …

Even though it’s named identically for IPv6 and IPv4, the former is actually just a firewall setting and the latter is actual “forwarding” …

p.s.: added your documentation topics here: NextBox: Missing documentation · Issue #38 · Nitrokey/nitrokey-documentation · GitHub so the docs will receive your proposed updates

best
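As an added example (not NextBox’s own code and not from this thread), a small Python probe that checks a dedyn.io name per address family and reports which path is actually open; it assumes TCP ports 80 and 443 as in the port rules above, and `myname.dedyn.io` is the placeholder from the thread. Run it from outside the home network (e.g. on mobile data), because from inside an IPv6 connection never crosses the router firewall, as explained above.

```python
import socket

# Added example, not NextBox's own code: probes a host per address family the way
# the thread describes the box's resolve/reachability steps. Run it from OUTSIDE
# the home network (e.g. mobile data): from inside, an IPv6 connection never
# crosses the router firewall, so it passes even when the firewall rule is missing.
FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


def resolve(host, family):
    """Return the A (IPv4) or AAAA (IPv6) addresses published for host."""
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(addr, port, family, timeout=3.0):
    """True if a TCP handshake to addr:port succeeds within timeout seconds."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:
        return False


def diagnose(host, ports=(80, 443), resolver=resolve, connector=tcp_connect):
    """Check each family separately; return (per-family report, verdict).

    resolver/connector are injectable so the logic can be exercised offline."""
    report = {}
    for label, family in FAMILIES.items():
        addrs = resolver(host, family)
        open_ports = [p for p in ports if any(connector(a, p, family) for a in addrs)]
        report[label] = {"addresses": addrs, "open_ports": open_ports}
    v4, v6 = report["IPv4"], report["IPv6"]
    if v6["open_ports"] == list(ports):
        verdict = "reachable over IPv6: ports 80/443 open, HTTPS setup can proceed"
    elif v6["addresses"] and not v6["open_ports"]:
        verdict = ("IPv6 address published but 80/443 not open over IPv6: check the "
                   "router's IPv6 rule for the box and that it holds a global IPv6 address")
    elif v4["open_ports"] and not v6["addresses"]:
        verdict = "IPv4 only: on a DS-Lite line this is not enough, publish IPv6 too"
    else:
        verdict = "no open ports on either family: check the DNS record and router"
    return report, verdict
```

Call `diagnose("myname.dedyn.io")` and compare the IPv4 and IPv6 entries of the report: the case the thread ends in is an AAAA record with nothing open, which the verdict points back at the router’s IPv6 settings.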

Thanks @daringer for your reply.

Apologies for being unclear: I did open port forwarding for both IPv4 and IPv6 initially. I edited my first post accordingly to have a clearer historical reference. (I also made it clearer that I made a DNS-Rebind exception for myname.dedyn.io.)

Following your advice, I closed port forwarding for IPv4. However, this did not change anything (even resolving the IPv4 address still works, which should not be the case now?).

–
Could it be that I set up the domain wrongly? When setting it up and confirming my email address with deSEC, there were some options on how one wants to use the domain on the “welcome, you have your domain now” page of deSEC, with the ability to check stuff, which I basically ignored, since I received the token and went on to make a password for my deSEC account. No idea whether that might be it, just stating it.

–
(Also, in the Fritzbox at “Internet-Freigaben”, next to “Portfreigaben”, there is “DynDNS”, which is described as "Via DynDNS, applications and services for which port forwardings have been set up in the FRITZ!Box firewall can be reached from the Internet under a fixed domain name, even though the public IP address of the FRITZ!Box changes with every Internet dial-in." There, one can input the DynDNS provider, domain name, account… Sounds like something I am trying to achieve? I know this is not mentioned at all in your guides, so it’s very likely not needed, just throwing stuff at you because I don’t know.)

I am still pretty sure your NextBox is simply not reachable using IPv6. You could also try this tool:
IPv6 test - web site reachability, and put in your dedyn domain.

My test setup is as yours now:

  • IPv6 “port-forwarding” set up
  • no IPv4 forwarding
  • guided-dns setup
  • fritzbox

The main difference is that I test on a dual-stack connection, meaning both IPv4 + IPv6, but this should not make any difference, as I closed IPv4 traffic for the nextbox. And obviously that it works for me :confused:

The fritz.box DynDNS setting essentially does the same as the guided-dns function inside your NextBox. So there is no need to use it, and I would bet the current outcome is the same (the traffic is not forwarded to your nextbox). If you would like to use it, dedyn has docs about what to put into this view, and then you could set up a static domain inside your nextbox matching this domain; the overall outcome would be the same, except that the fritzbox would now be the entity updating your dynamic IP at dedyn.io (instead of the nextbox).

So from here we have to crosscheck some fritz.box settings for IPv6:

  1. Please make sure these settings are set (Internet → Type of Connection):

  2. The following are hidden in: “Home Network” → “Network” → Button: “IPv6 Configuration” inside the Section: “IP Addresses”:

Best case, it works after changing one or more of these… Please report any setting you changed, as this might be a bad default and an issue which would really need to be taken into the documentation.

edit: and you might want to reconnect ethernet (or even restart the nextbox) after changing these settings (maybe). I’ve honestly no idea how reactive/proactive the fritz.box behaves after changing these settings.

cheers

Good news, it is working now!

The settings were different for me, in the following way:

  1. The following are hidden in: “Home Network” → “Network” → Button: “IPv6 Configuration” inside the Section: “IP Addresses”:

Here, in your second picture, “Only assign DNS server” was enabled in my FritzBox instead of “Assign DNS server, prefix and IPv6 address”. I changed that, unplugged my NextBox from both Ethernet and power, reconnected it, and then it worked.

NOTE: I don’t have the first setting at all. “Internet - Settings” only shows me “AVM-Dienste”, nothing else (see here). I guess this is due to me choosing an ISP with an annoying philosophy… Anyway, this just means that I can’t give feedback regarding those settings; they might still be important for others to check.

–
At the end of all this; THANKS a lot for your kind and fast support @daringer! I really think that, apart from cool products, you guys also give IT-related average people valuable first technical insights!

More than happy to hear that, thanks.

Apart from that, a perfect finding for the documentation; it will be added, noted here:


Hey there!
Maybe you can work your magic for me, too? I initially had exactly the same problems as described here. I’m also on a DS-Lite connection; I don’t have the “Type of Connection” settings, just as Tencel described. My nextbox was initially unreachable, but it can be reached after following the guide here. I also added it to the DNS Rebind Protection whitelist.

However, enabling HTTPS still doesn’t work. Connection to the nextbox is only possible over HTTP. Anything else I can do to change this?

Ok ok, then let’s verify all details:

best

I did all this, yes, and it didn’t work at first. I just tried it again after verifying the list, and now it works like a charm. Apparently, all that was needed was a little patience. Everything’s green now. Thanks for the support, and to everyone who has the same problem: Just wait a bit longer than I did :slight_smile:


FYI, the whole story is now documented here: IPv6-related Settings — Nitrokey Documentation. Thanks for the input,
cheers