0

I’ve got a Mac at work, behind a firewall, with an IP address and hostname assigned via DHCP.

If I have the hostname and/or IP address, I can use ssh or a vnc client to access the machine if I activate my workplace vpn. This works fine; no additional ports need to be opened.

However, because of DHCP leases, those are liable to change at least occasionally. Is there any way to track them?

The computer is connected to various cloud services but none of them seem to know the correct IP address. (And it’s not clear that they would have the correct address for getting through the firewall via vpn).

  • iCloud doesn’t report an IP address anywhere obvious. Similar for Dropbox.
  • I thought that the Edovia Screens Connect client might help, but it doesn’t seem to have the information.
  • Backblaze reports an IP address associated with the computer but it does not seem to be the right one (perhaps because of the firewall?).

I have also considered a ddns provider, but I’m not sure I want the required client software running on my device. macOS supports secure remote ddns via “RFC 3007” but I’m not sure if any (free?) ddns providers offer this.

My current idea, not yet implemented, is:

  • create a script which writes the output of host $(hostname) to a file. (Nb. this is the correct address for remote connections via the vpn.)
  • Put that file at a location that is shared via iCloud Drive
  • Run the script periodically via launchd.

This should work, but it will still require monitoring that text file by hand.

Any better ideas?

5
  • I'm not sure if there's a case where the hostname will be assigned by the DHCP server, but I know that often it's instead the other way round (the client tells the server its hostname). So are you sure that the hostname could change due to the lease and/or that you can use the hostname to connect when you are on VPN? Commented Dec 10, 2022 at 9:22
  • @TomYan, well, DHCP assigns the IP address which then gets matched to a hostname. Commented Dec 10, 2022 at 9:47
  • Matched by what? The Mac? So it configures a different hostname for itself based on which IP is assigned to it? Commented Dec 10, 2022 at 9:52
  • @TomYan: It can be assigned via DHCP, most other systems ignore it but macOS in particular honors that option by default (plenty of threads about "why did my macOS shell prompt change to this weird thing" in the past). Commented Dec 10, 2022 at 9:52
  • 1
    I think we are talking about two different things. I was talking about the name assigned by DNS via the IP address, which is conceptually separate from the local ‘machine name’. Commented Dec 10, 2022 at 10:04

3 Answers

1

I'll begin by saying I'm not a macOS expert but this is not really platform-dependent so I'll answer.

Most DDNS providers provide an API that allows changing the DNS pointer with a single HTTP request. You could write a very simple shell script that either uses the hostname command (assuming that it's actually assigned by the DHCP server and is accurate - which is not guaranteed) or gets the IP address using the ifconfig command (parsing the output using grep, cut, sed, awk etc.), then uses wget or curl to directly modify the DDNS record (if necessary), without having to go through any cloud drives.

Use a task scheduler (in the case of macOS I think that's launchd) to launch that script every few minutes. Your script can log the last IP address it found and only send an update request if it changed, that way you can avoid update request spam.
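The approach the question sketches (a script run periodically by launchd) combined with this answer's refinement (cache the last IP, only call the DDNS API when it changed), as an added example that is not code from the question or the answer. The update URL, the state-file path and the `run` entry point are assumptions; the IP validation is there so that nothing parsed from command output reaches the URL unless it is a plain dotted-quad.

```sh
#!/bin/sh
# Added example, not code from the question or the answer: resolve the Mac's current
# address, cache it, and call the DDNS HTTP API only when it has changed.
# Assumptions: DDNS_UPDATE_URL is a placeholder for your provider's documented update
# URL (the IP is appended to it); STATE_FILE is writable; launchd runs this every few minutes.
set -eu

DDNS_UPDATE_URL="${DDNS_UPDATE_URL:-https://ddns.example.invalid/update?host=laptop&myip=}"
STATE_FILE="${STATE_FILE:-${HOME:-/tmp}/.last_ddns_ip}"

# Current address: prefer what DNS returns for this host (the question's `host $(hostname)`),
# falling back to the first non-loopback IPv4 that ifconfig reports.
current_ip() {
    ip=$(host "$(hostname)" 2>/dev/null | awk '/has address/ {print $4; exit}')
    [ -n "$ip" ] || ip=$(ifconfig 2>/dev/null | awk '/inet / && $2 != "127.0.0.1" {print $2; exit}')
    printf '%s\n' "$ip"
}

# Accept only a well-formed dotted-quad IPv4 (four octets, each 0-255) before using it in the URL.
is_ipv4() {
    case $1 in .*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# The only network call, kept separate so another provider's API can be dropped in.
send_update() {
    curl -fsS "${DDNS_UPDATE_URL}$1" >/dev/null
}

# Returns 0 when an update was sent, 1 when the IP is unchanged, 2 when the input is not an IPv4.
update_if_changed() {
    ip=$1; state=$2
    is_ipv4 "$ip" || return 2
    last=""
    [ ! -f "$state" ] || last=$(cat "$state")
    [ "$ip" != "$last" ] || return 1
    send_update "$ip" && printf '%s\n' "$ip" >"$state"
}

# Entry point for launchd: `sh ddns-update.sh run`
if [ "${1:-}" = "run" ]; then
    update_if_changed "$(current_ip)" "$STATE_FILE" || true
fi
```

The state file doubles as a log of the last address pushed, so a stale DDNS record can be spotted by comparing it with `current_ip`.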

1

However, because of DHCP leases, those are liable to change at least occasionally.

DHCP clients renew their leases. With a properly functioning DHCP server, the lease may only change if the device is disconnected for long enough that it allows the old lease to expire (or if the operator deletes the lease manually). So if your office network issues e.g. 7-day or even 1-day leases and your computer is powered on 24/7, it should be able to keep renewing the same lease for years without change.

I have also considered a ddns provider, but I’m not sure I want the required client software running on my device.

In most cases, the "required client software" can be replaced with something fairly generic – ddclient supports several popular protocols, but most dynamic-DNS services use a basic HTTP-based API that could be implemented in 2-3 lines of Python or Bash.

Note however that you do not need to use a "dynamic DNS" provider specifically – you could use any DNS hosting service that provides any form of API. For example, if you own a domain and host its DNS data at Digital Ocean, then the DO API can be used to make the computer update its own DNS entries. (Just set the TTL to something short...)

macOS supports secure remote ddns via “RFC 3007” but I’m not sure if any (free?) ddns providers offer this.

That seems to be an aggregation of the "UPDATE" DNS operation described in RFC 2136 together with TSIG and/or SIG(0) authentication – there used to be providers which supported this, but more commonly the feature was named using RFC 2136 and/or TSIG keywords. DynDNS used to offer it before it stopped offering free services.

If you own a domain, you can set up an RFC 2136 capable DNS server using BIND or Knot.
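What an RFC 2136 update with TSIG looks like from the client side, as an added example (not code from the answer) using BIND's `nsupdate`. The server, zone, record name, TTL and key-file path are placeholders; the server's update-policy must grant this key the right to change that one name.

```sh
#!/bin/sh
# Added example, not code from the answer: an RFC 2136 dynamic update authenticated with
# TSIG, sent through BIND's nsupdate. Assumptions: the zone, record, server and key-file
# values below are placeholders, and the zone's update-policy grants this key the right
# to change only that one name (one key per host rather than a zone-wide key).
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.invalid}"
ZONE="${ZONE:-example.invalid}"
RECORD="${RECORD:-laptop.example.invalid}"
TTL="${TTL:-60}"
TSIG_KEY_FILE="${TSIG_KEY_FILE:-${HOME:-/tmp}/.config/ddns/tsig.key}"  # as written by tsig-keygen

# Build the nsupdate batch: delete any existing A record and add the new one in a single
# update message, so the name is never left without an address between the two steps.
build_update() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$DNS_SERVER" "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

# nsupdate reads the TSIG key from the file and signs the whole update with it.
send_update() {
    build_update "$1" | nsupdate -k "$TSIG_KEY_FILE"
}

# Ask the authoritative server directly whether the record now holds the new IP.
verify_update() {
    [ "$(dig +short "@$DNS_SERVER" "$RECORD" A)" = "$1" ]
}

# Usage: `sh rfc2136-update.sh run 192.0.2.10`
if [ "${1:-}" = "run" ]; then
    send_update "${2:?new IPv4 required}" && verify_update "$2"
fi
```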

1

The principle of your proposal is correct: your laptop is usually the only place where the information regarding the DHCP is available. So having it share this information makes sense.

The IP of your laptop is probably a private one (see RFC1918, 3. Private Address Space), starting with 192.168.X.X or 172.16-31.X.X. Such IPs are not reachable outside your local network, vpn included. The Internet is accessed through your firewall and uses translation or masquerading, changing the IP used to reach external services. This explains why such services will not provide you the correct information.

Some comments:

  • DHCP servers can be configured to always provide the same IP (permanent lease). In this case you have no problem to solve and can rely on this specific IP;
  • firewalls can be configured to allow incoming traffic. In this case you will not even need a vpn. This makes security teams nervous and is rarely possible in a corporate environment. In this case you will connect to a specific public IP:port provided by the firewall administrator;
  • rather than sharing the file, another option could be to use a dynamic DNS service like DynDNS. In that case you provide through an API call the IP address that will correspond to a fixed name like dansslaptop.dyndns.com; however such services MAY not work in the case of private IPs, and some DNS providers MAY NOT properly forward such answers;
  • other ways to share could be to have your own web server where you can put the name and retrieve it, but you simply replace your dependency on a file-sharing service with one on a web site provider.
