Automatically changing DNS record with Cloudflare for HA IP

A guide to automatically changing a DNS record when using Cloudflare for an HA IP

Cloudflare is the best DNS service in the world, offering fast updates, support for various record types, and the ability to activate the Proxy for DDoS protection. Using Cloudflare’s nameservers for DNS management is recommended. Through the API, you can automate changing DNS records to point to the desired IP and activate the Proxy when needed. Combining a ping-based monitor of the frontend server with Cloudflare API calls automates the IP switch in case of an attack. This proactive approach keeps the server protected and running smoothly. Further customization and troubleshooting options are available through the scripts provided below.

Without a doubt, Cloudflare is the best DNS service in the world that you should use. With API support, we can do even more to optimize it to fit our needs. I’ve been using Cloudflare’s nameservers since the early days to manage DNS, with fast update speeds, support for various record types, and, most importantly, the ability to activate the Proxy to protect the server from DDoS attacks effectively.

Usually, I don’t enable the Proxy unless there’s an attack. For important websites, I never expose the backend IP; instead I run an Nginx reverse proxy on a different server as the frontend. If the frontend server fails, the backend keeps working normally, and if needed I can scale out to multiple frontend servers.

Since I was recently hit by a DDoS extortion attempt and didn’t have the money to pay, I came up with this solution: automatically changing Cloudflare’s DNS configuration to point to the desired IP address, and optionally activating the Proxy as well.

There are two steps I use, and I’ll share them if anyone needs to use or modify them.

1. "Ping" to check the frontend server

I continuously monitor the frontend server’s activity by pinging it. I use the monitoring tool monit.


The command to install monit on CentOS:
Add a config for monitoring in the /etc/monit.d/ directory, for example:

check host 1.2.3.4 with address 1.2.3.4
if failed icmp type echo count 3 with timeout 3 seconds for 2 cycles then exec "/bin/bash -c /root/monit/proxy.sh"
else if succeeded for 2 cycles then exec "/bin/bash -c /root/monit/native.sh"

The above code means:

  • If the ping fails for 2 consecutive cycles, each cycle sending 3 pings with a timeout of 3 seconds, run the bash file /root/monit/proxy.sh.
  • If the ping succeeds again for 2 consecutive cycles, run the bash file /root/monit/native.sh.

I use proxy.sh to change the IP and activate the Proxy; usually, activating the Proxy alone is enough. native.sh changes the frontend IP back after the attack ends. The content of both files is covered in the next step.

2. Change Cloudflare DNS via API

The code below changes the Cloudflare DNS record; save it in the two files referenced by the monit config above. Here is the proxy.sh file first.

#!/usr/bin/env bash

# Step 1: Fill in EMAIL, TOKEN, DOMAIN, and SUBDOMAIN. Your API token is here: https://dash.cloudflare.com/profile/api-tokens
# Make sure the token is the Global token or has these permissions: #zone:read, #dns_record:read, #dns_records:edit
# If you want to set the root domain instead of a subdomain, set SUBDOMAIN to "@"

# Step 2: Create an A record on Cloudflare with the subdomain you chose

# Step 3: Run "./ddns.sh -l" to get the zone_id and rec_id of the record you created.
# Fill in ZONE_ID and REC_ID below
# This step is optional but will save you 2 requests every time you run this script

# Step 4: Run "./ddns.sh". It should tell you that the record was updated or that it didn't need updating.

# Step 5: Run it every hour with cron. Use the '-s' flag to silence normal output
# 0 * * * * /path/to/ddns.sh -s

EMAIL=''
TOKEN=''
DOMAIN=''
SUBDOMAIN=''
ZONE_ID=''
REC_ID=''

set -euo pipefail

...

Configuration of the script:

  • Step 1: Fill in EMAIL, TOKEN, DOMAIN, and SUBDOMAIN. Get the API token and test it before applying.
  • Step 2: Create an A record with the chosen subdomain on Cloudflare.
  • Step 3: Run chmod +x proxy.sh to make the file executable, then run ./proxy.sh -l to get the zone_id and rec_id and fill them into the script.
  • Step 4: Run ./proxy.sh again; you’ll get a message that the IP was changed, or that no update was needed if it was already current.

Modify the last command for DNS update in the file to include a TTL parameter as follows:

$CURL -X PUT "$API_URL/zones/$ZONE_ID/dns_records/$REC_ID" --data '{"type":"A","name":"'"$SUBDOMAIN"'","content":"'"$IP"'","ttl":120,"proxied":false}' 1>/dev/null

Set the TTL to 120 seconds so that a changed IP is picked up quickly (note that ttl is a JSON number, not a quoted string). Set proxied to true or false as needed.
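As an added example (not the post’s own proxy.sh/native.sh, whose body is elided above), here is a complete script that both files could call with different arguments: it validates the target IPv4 address, builds the update body with ttl as a JSON number and proxied as a JSON boolean, and sends the PUT with curl, reporting the HTTP status. It assumes a scoped API token in CF_API_TOKEN (Zone:Read plus DNS:Edit) sent as a Bearer header instead of the Global key with EMAIL, and that ZONE_ID and REC_ID were already looked up and exported; the record name and the 203.0.113.x/198.51.100.x addresses are constructed placeholders. A scoped token keeps the damage limited if the file under /root/monit is ever read by someone else.

```shell
#!/usr/bin/env bash
# Added example, not the original proxy.sh/native.sh: switch one Cloudflare A record
# to a given IP and toggle the Proxy. Assumptions (not from the original post):
# CF_API_TOKEN holds a scoped API token (Zone:Read + DNS:Edit) sent as a Bearer
# header, and ZONE_ID / REC_ID were looked up beforehand and exported.
set -eu

API_URL="${CF_API_URL:-https://api.cloudflare.com/client/v4}"

# Accept only a dotted-quad IPv4 literal with each octet in 0-255, so a malformed
# argument is never written into the zone.
valid_ipv4() {
  _ip=$1
  case "$_ip" in
    *..*|.*|*.) return 1 ;;   # empty octet at start, end, or in the middle
  esac
  _oldifs=$IFS
  IFS=.
  # shellcheck disable=SC2086  (splitting on '.' is intended here)
  set -- $_ip
  IFS=$_oldifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case "$_octet" in
      [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) ;;   # 1 to 3 digits only
      *) return 1 ;;
    esac
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Build the JSON body for PUT /zones/{zone_id}/dns_records/{rec_id}. The API
# schema declares ttl as a number and proxied as a boolean, so neither is quoted.
build_payload() {
  _name=$1 _content=$2 _proxied=$3 _ttl=${4:-120}
  case "$_proxied" in
    true|false) ;;
    *) echo "proxied must be true or false, got '$_proxied'" >&2; return 1 ;;
  esac
  case "$_ttl" in
    ''|*[!0-9]*) echo "ttl must be a positive integer, got '$_ttl'" >&2; return 1 ;;
  esac
  printf '{"type":"A","name":"%s","content":"%s","ttl":%s,"proxied":%s}' \
    "$_name" "$_content" "$_ttl" "$_proxied"
}

# Send the update and print only the HTTP status so the caller can branch on it.
update_record() {
  _zone=$1 _rec=$2 _payload=$3
  curl -sS -o /dev/null -w '%{http_code}' \
    -X PUT "$API_URL/zones/$_zone/dns_records/$_rec" \
    -H "Authorization: Bearer ${CF_API_TOKEN:?CF_API_TOKEN is not set}" \
    -H "Content-Type: application/json" \
    --data "$_payload"
}

# usage: ./cf-switch.sh <record-name> <ipv4> <true|false> [ttl]
#   proxy.sh  could run: ./cf-switch.sh www.example.com 203.0.113.10 true
#   native.sh could run: ./cf-switch.sh www.example.com 198.51.100.20 false
main() {
  _rname=$1 _rip=$2 _rproxied=$3 _rttl=${4:-120}
  valid_ipv4 "$_rip" || { echo "invalid IPv4 address: $_rip" >&2; exit 2; }
  _body=$(build_payload "$_rname" "$_rip" "$_rproxied" "$_rttl") || exit 2
  _status=$(update_record "${ZONE_ID:?ZONE_ID is not set}" "${REC_ID:?REC_ID is not set}" "$_body")
  case "$_status" in
    200) echo "updated $_rname -> $_rip (proxied=$_rproxied, ttl=$_rttl)" ;;
    *)   echo "Cloudflare API returned HTTP $_status; record left unchanged" >&2; exit 1 ;;
  esac
}

# Run only when called with arguments, so the functions can also be sourced.
if [ $# -ge 3 ]; then
  main "$@"
fi
```

With this in place, proxy.sh reduces to a single call with the fallback IP and true, and native.sh to a call with the frontend IP and false; because the script exits non-zero on any API status other than 200, monit’s exec log shows at a glance whether the switch actually happened.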

By combining the above steps, you have an automated scenario for updating the IP of your Cloudflare domain when the server runs into trouble. If you need further help or hit any problems along the way, feel free to comment. If you have a better idea, please share it too.

Wishing you success!

Reference: Luân trần
