Domain Transfer, Dyn.com to Hurricane Electric
Since 2011-06-13, CouchNet has been using Dynamic Network Services Inc.
(dyn.com) as our DNS provider, with excellent service. However, Oracle
swallowed dyn.com in about 2017 and they are now transferring Dyn Standard DNS
customers (that's us) to their own service, plus the rest of the Dyn customers.
Jimc is getting kicked off the dyn.com service, thinks Oracle is a pack of
weasels, and would prefer to switch to a new provider other than Oracle.
Requirements for the new provider:
The IPv4 address for jfcarter.net is non-static (aleatory), and there
must be some kind of API to update it dynamically. I'm currently using
ddclient with dyn.com.
The domain is currently set up with an "A" record (also AAAA, MX, etc.)
for the second level name, jfcarter.net. I would prefer not to have to
change that in the middle of switching providers.
My zone has about 20 records, a modest number.
Number of queries (to dyn.com) during 2019-07-xx: 6.3e4 which is 8%
of their limit for my tier of 7.5e5/month.
I don't have strict requirements for a short TTL. Dyn.com used 600sec as
the default and I left it there; at Mathnet we used 24 hours.
Short downtime is acceptable in the transition to the new provider.
Which Provider Should I Switch To?
A search on Google for "dynamic dns provider comparison" delivers these
comparison articles. They seem to concentrate on free services.
Dynamic DNS: is it still useful, or is it now irrelevant?
(2018-03-27 by Kevin Bowyer.)
Yes it's still relevant for a surveillance or home monitoring camera network.
He mentions dyn.com and No-IP as dynamic DNS providers.
What's the right solution for dynamic DNS these days?
(2017-12-08, OP Jehos "the Hutt".)
- OminousPonderer uses Namecheap; he switched from dyn.com when they
changed to non-free.
- Xelas is using noip.org, free tier. They send you mail once a month
asking if you're alive and you have to follow a link in the mail.
- trend900 is using duckdns.org . To update, you do a https connection from
the host being updated to their server with a query-string authenticator.
- OP ended up using FreeMyIP.com .
- CatBus, reading this thread, also went with FreeMyIP.com and likes it.
- overstitch mentions a free plan with Cloudflare and also Hurricane
Best DDNS Providers?
(2017-06-11, OP Lec8316.)
- dbeato uses NoIP or DynDNS, preferring NoIP.
- Several others mention NoIP and DynDNS.
- Breffni Potter suggests looking at zerotier.com which is some kind
of alternative to a static public IP. VPNs from each of your devices
to their server, you get virtual network interfaces and can configure
a virtual switch any way you want. I didn't read far enough to see if
you can buy a static public IP for your switch.
- 2 people mention afraid.org .
10 Best Free DNS Hosting Providers
(2018-10-10, by Brian Jackson.)
He starts with an explanation of what DNS is and why a competent provider
is important. Then the recommendations "in no particular order". He
concludes by saying that by quantitative metrics, the free services are
excellent and at a similar level as the paid providers.
- Hurricane Electric —
100% free DNS hosting.
- Cloudflare —
They're a DDoS service, and DNS is a component of that. Free tier.
- Rackspace —
They're a big co-location service, and DNS is part of that.
- FreeDNS —
Appears to be afraid.org. Inception 2004, good reputation, moderately
- ClouDNS —
Not a lot of info on ClouDNS.
- GeoScaling —
Includes redirecting users by various criteria including geographic.
- Namecheap —
Their forte is domain name registration but are mentioned as a dynamic
DNS service also.
- 1984 —
Web hosting company with a free DNS service. Comment poster says customer
service is awful.
- BuddyNS —
Mainly for secondary DNS.
- Dynu —
Inception 1997. "Forever free" plan with modest capabilities.
Transferring to Hurricane Electric
I'm already using Hurricane Electric for IPv6 tunneling, with excellent
service. (But I switched for reasons that were no fault of Hurricane
Electric.) Obviously, if Hurricane Electric can support my domain, I should
use them. So what can I get them to do for me? They have their own DNS
servers, with dynamic updates, and they have a
front end to Register.com
for domain registration.
Hurricane Electric's domain registration service is called
HurricaneNames.net. You need to create a separate account on it.
They will want a loginID, password, and answer for a security question,
e.g. your favorite pet. They also want contact information: full name, e-mail,
physical address, phone number. This information will be posted publicly in
the WHOIS database as the contact person for your newly registered domain.
Here's the rather complicated procedure to transfer the domain, as seen
by me. Navigation details are specific for Hurricane Electric and Dyn.com,
but the general workflow probably will be similar for other registrars.
- Account and Preparation on the New Registrar
- You will need an account on dns.he.net,
Hurricane Electric's DNS service. This identity is recognized on all
Hurricane Electric services except HurricaneNames.net, which is a front
end to Register.com.
- Contact Customer Support on your new registrar (Hurricane Electric), tell
them you are importing a domain, and ask them for a transfer credential.
This is a TXT record with a particular key (domain name) which they look
for, and a securely hashed value (in quotes). It proves to the new
registrar that the person importing the domain is its owner, i.e. the
person who can manage the domain on the old registrar. I actually did this
step later after seeing the relevant error message.
- Prepare and Unlock on the Old Registrar
- Log in to your current (soon to be former) registrar (Dyn.com).
- Make sure they have your current e-mail address; they will be sending
you mail that you need to respond to.
- Navigate to Managing Your Domain.
- Download a copy of your zone file if possible, or make a backup copy of
your zone's content by hand.
- Insert the TXT record that the new registrar gave you.
- Unlock the domain, i.e. allow it to be transferred. The checkbox is on
the same page in the header area.
- At least on Dyn.com, the EPP code will then be shown. This is a
credential by which the new registrar proves to the old registrar that the
domain owner (someone who can log in to the old registrar's pages)
intentionally authorized the transfer. It is 11 random printable bytes,
about 64 bits of entropy. Copy it down.
- Transfer the Domain to the New Registrar
- Turn back to the new registrar's site.
- Find Credit Card Settings and add or check your payment method.
- Back on the main page, pick Transfer.
- Give the domain name, comma, EPP code. Domain
transfer settings were left at the defaults:
- Declined RCOM Shield ID Protect for $8/yr
- Transfer verification: auto (vs. FAX)
- Yes registrar lock
- Yes auto renew
- Declined access password.
- Hit "Transfer Domains".
- Confirm the EPP code
- The Price: $28.91 for 1 year; agree to the terms of service.
- Copy down your order confirmation number.
- To check the order, see "My Reports" under "Transfers In".
- It took about 2 hours to
proceed from "Transfer Initiated" to "Awaiting Confirmation" and
about 4 more hours to "Domain is off dyn.com" (e-mail) and
"Transferred and Paid Successfully".
- Expediting the Transfer
- Weasels! Dyn.com sent me e-mail saying if you want to cancel the
transfer, follow this link, but if we don't hear from you by
2019-08-30 (in 6 days), the transfer will proceed.
- Oh, good, on the domain name registration page (dyn.com) buttons have
appeared to deny the transfer, or to approve it immediately. Click.
- "Domain jfcarter.net will be deleted from Dyn in the next 24 hours."
- Populating and Activating Your Domain
- Once your order has advanced to "Transferred and Paid Successfully",
navigate to dns.he.net, Hurricane
Electric's DNS service. Log in using your Hurricane Electric loginID
- Upload your zone file if possible, except I didn't figure out how to
do that, so I entered all my records by hand. The SOA and NS records are
prefilled; leave them alone.
- Return to HurricaneNames.net. Manage your domain.
- Scroll down to DNS Servers. There is an editable list of NS records
whose values are your assigned nameservers on the old DNS service
Edit them to point to your nameservers on the new DNS service
(ns[1-5].he.net). Save your changes and confirm.
- In less than 5 minutes, the new NS values appeared in the WHOIS database
and had been pushed to the TLD apex nameservers for .net, my TLD.
I checked on a.gtld-servers.net and several others. It is very believable
that other registrars might take longer to update WHOIS and the apex NSs.
On UNIX/Linux, the commands to check WHOIS and the TLD server are:
whois -H jfcarter.net
dig @a.gtld-servers.net. jfcarter.net. NS
- The domain transfer process is now complete. However, there is a TTL of
2 days on the glue records (NSs on the apex servers) and you will need to
wait for the TTL to expire on recursive DNS forwarders before your net and
your various peers will start using the new DNS service. If you have to
change zone records in this interval, do it on both DNS services.
Hurricane Electric DNS Service
The free DNS service is at
It looks like there's more than enough technical capability for my net.
There's a quantitative limit of 50 zones on the free service. In my case
this includes the reverse zone for my Tunnelbroker.net tunnel.
What about bulk upload and download (backups)? (Same for Dyn.)
On dyn.com for the domain jfcarter.net (2019-08-24), queries during
2019-07-xx: 6.3e4 which is 8% of the limit for my tier of 7.5e5/month. TTL is
600 sec for all records.
Forum posts say it is possible to make dns.he.net do a AXFR to suck a zone
from a specified nameserver. But I couldn't find a working procedure. An
alternative is to download a copy of your zone file — also as a backup
copy. I know how to do that on Dyn.com but I haven't found the procedure on
dns.he.net yet, and then I would have to upload the file which I also don't
know how to do. I populated my zone by hand. Here are some details from the
How to fill out the "A" record form for jfcarter.net:
- Name: jfcarter.net. FQDN with the ending dot; without the dot the
zone name is appended e.g. jacinth -> jacinth.jfcarter.net.
- IPv4: 184.108.40.206 dotted quad decimal
- TTL: 86400 (is the default). Pick from the dropdown list.
- Enable for DDNS: check the box. Growl, it overrides explicit entries
with TTL=300, data=127.0.0.1. Fix those.
A similar AAAA record but no DDNS, they got it right the first time.
On the form, the RRs are sorted by type (lexically but SOA and NS
first) and within that, lexically by FQDN.
SRV record, click "Additional" and pick SRV from the drop-down list.
"Nanny" disallowed _xmppconnect.jfcarter.net SRV, it checks for protocol.
Omit this record, the key is deprecated.
Presently, jacinth.jfcarter.net is a CNAME for jfcarter.net, which is
bogus because its IPv6 addr is on Surya. I'm going to create a separate
"A" record with dynamic updating, and a separate AAAA with the correct
There are 2 MXs: jfcarter.net -> Mailroute, and smtp.jfcarter.net ->
jfcarter.net. Spammers send mail to Mailroute because of the first MX,
and Mailroute sends via the second one.
All SRV records to services on Jacinth will point to
Confirmed, ns1.he.net is serving these records.
Hurricane Electric supports some
modern RR types that I have not
used before. Which of these should I add?
- ALIAS — Like a CNAME for a domain apex, but only for 'A' and AAAA
records, whose values are taken (by the server, not the client) from the
referent domain. Other records like SOA, NS, MX are still sought under the
domain apex, whereas with a CNAME they would be sought under the referent,
which is totally bogus and is the reason CNAMEs are illegal as domain
apexes. Later I may switch to this modern style, but not in the middle of a
- CAA — Certificate Authority Authorization. Added this.
Key: jfcarter.net. Value: 0 issue "diamond.cft.ca.us". This means
that only Diamond is allowed to issue a host certificate for any
domain name within the zone on which the CAA is set, and reputable
other CAs will refuse to do so. But disreputable CAs are not deterred.
- AFSDB — Andrew File System server locations. Irrelevant.
- HINFO — Host info: CPU and OS type, RFC 883. Squishy privacy and
security issues, and few sites either publish or look at HINFO, Don't wake
- RP — Email address of the contact person for the domain. Tempting,
but it's clearly a spam magnet, and I think it's rarely published or
- LOC — Geographical location of domain. Added this.
Key: jfcarter.net. Value: 34 1 N 118 26 W 42m 30m
- NAPTR — To rewrite domain names, RFC 3403 + 2915. Example and major
use case: map a phone number to a SIP URL. Irrelevant for my net.
- SSHFP — SSH key fingerprint of a host, RFC 4255. This would be
really cool if properly set up, and saves nasty maintenance of
~user/.ssh/known_hosts which is always missing new hosts, but setting it
up will be a big job, so I'm going to defer this.
- SPF — Sender Policy Framework (RFC 4408, deprecated in RFC 7208).
Setting Up Dynamic DNS
Next step is to set up DDNS for jfcarter.net and jscinth.jfcarter.net .
On my net the wild side IP address of Jacinth is not fixed (is aleatory), and
when my ISP changes it, I need to update the
A record for this host and
its alias, which is what dynamic DNS is for. In my case the IPv6 address is
fixed, but dynamic DNS could be used for IPv6 also.
A search on Google produces:
Getting Started with Dynamic DNS
The domain (FQDN) to get DDNS must have a unique address, i.e. only
one "A" record and one AAAA. Otherwise the updater will pick one in a way
never to your advantage.
Edit your record and mark the DDNS checkbox. This will change the TTL
to 300 sec and the value to localhost (127.0.0.1 or ::1); fix at least the
On the zone listing, click on the arrow circle icon and fill in a
(strong) password that you create, or hit
generate and it will give
you 16 bytes of random base64. For tha "A" and AAAA record for one FQDN,
you may (probably must) use the same password,
Tell your dynamic update client to use the same protocol that dyndns
uses (so they say).
They show how the API works, with four variants. Basically you're
going to make a HTTPS query to the server which includes the new IP
address. In these examples, $FQDN = the domain (hostname) to be updated,
which goes in the username slot; $PW = password;
$IP = IPv4 address as dotted decimal quad or IPv6 address as hex, no [ ];
AF = address family, 4 or 6.
Curl is shown to make the query but
any querier like ddclient can be used. Only update the address when you
know that it has changed; frequent identity transformations are considered
to be abusive.
GET method, basic auth; the querier's IP address is the new value.
curl -$AF "https://$FQDN:$PW@dyn.dns.he.net/nic/update?hostname=$FQDN"
GET method, basic auth with an explicit IP address.
GET method, password in the query string (vs. the host segment).
POST method, which avoids the need to URL-encode things
curl "https://dyn.dns.he.net/nic/update" -d "hostname=$FQDN" -d "myip=$IP" -d "password=$PW"
Here's the stanza in /etc/ddclient.conf for updating
jacinth.jfcarter.net . Note the FQDN is duplicated as the
parameter. This means that you need a separate stanza for multiple FQDNs;
you can't use a comma-separated list of FQDNs all to be updated to the
Command line to run ddclient: On CouchNet this is found near the
end of /usr/diklo/sbin/dhclient-hooks . There is a crock where it uses a
cached value incorrectly; to head this off, remove the cache file.
rm -f /var/cache/ddclient/ddclient.cache
ddclient -daemon=0 -use=ip -ip=220.127.116.11 --force
Do "ddclient -help |& less" for extensive docs. No actual man page.