Add DNS query function

Add pragmas to SQLite DBs and add retry logic to BaseModel
Fix bug when responding with nochange or success
2026-02-01 17:03:33 +01:00 · 2026-02-01 17:01:35 +01:00 · 2026-02-01 05:09:09 +01:00 · 2026-02-01 04:57:22 +01:00 · 2026-02-01 04:25:21 +01:00 · 2026-02-01 01:36:52 +01:00
9 changed files with 537 additions and 274 deletions
--- a/README.md
+++ b/README.md
@@ -73,6 +73,7 @@ Example:
 ```toml
 [daemon]
 # host = "localhost"  # default: "localhost" (use reverse proxy for public access)
 #                     # Use "0.0.0.0" for IPv4-only, "::" for IPv6-only (dual-stack depends on OS)
 # port = 8443  # default: 8443
 # log_level = "INFO"  # default: "INFO"
 # log_target = "stdout"  # default: "stdout", or "syslog", "file"
@@ -87,10 +88,13 @@ ssl_cert_file = "/etc/ddns-service/cert.pem"  # required if ssl = true
 ssl_key_file = "/etc/ddns-service/key.pem"  # required if ssl = true
 # proxy_header = ""  # default: "" (disabled), e.g. "X-Forwarded-For"
 # trusted_proxies = []  # default: [], e.g. ["127.0.0.1", "10.0.0.0/8"]
 # thread_pool_size = 10  # default: 10
 # request_timeout = 10  # default: 10 (seconds)
 [database]
 # backend = "sqlite"  # default: "sqlite", or "mariadb"
 path = "/var/lib/ddns-service/ddns.db"  # required for sqlite
 # pool_size = 5  # default: 5 (MariaDB connection pool size)
 [dns_service]
 # dns_server = "127.0.0.1"  # default: "127.0.0.1" (must be IP address)
@@ -276,6 +280,16 @@ ddns-service --daemon
 ddns-service --daemon --debug
 ```
 ### Signals
 - **SIGHUP**: Reload configuration (all settings except database, host, port; SSL certs are reloaded)
 - **SIGTERM/SIGINT**: Graceful shutdown (waits up to 5 seconds for active requests)
 ```bash
 # Reload config
 kill -HUP $(pidof ddns-service)
 ```
 ## HTTP API
 ### Request
--- a/files/config.example.toml
+++ b/files/config.example.toml
@@ -1,5 +1,6 @@
 [daemon]
 # host = "localhost"  # default, use reverse proxy for public access!
 #                     # Use "0.0.0.0" for IPv4-only, "::" for IPv6-only (dual-stack depends on OS)
 # port = 8443  # default
 # log_level = "INFO"  # default
 # log_target = "stdout"  # default, "stdout", "syslog" or "file"
@@ -14,6 +15,8 @@ ssl_cert_file = "/etc/ddns-service/cert.pem"  # required if ssl = true
 ssl_key_file = "/etc/ddns-service/key.pem"  # required if ssl = true
 # proxy_header = ""  # default (disabled), header name e.g. "X-Forwarded-For"
 # trusted_proxies = []  # default, list of trusted proxy IPs/CIDRs
 # thread_pool_size = 10  # default, max concurrent request handlers
 # request_timeout = 10  # default, socket timeout in seconds
 [database]
 # backend = "sqlite"  # default, "sqlite", or "mariadb"
@@ -23,6 +26,7 @@ path = "/var/lib/ddns-service/ddns.db"  # required for sqlite
 # user = "ddns"  # required for mariadb
 # password = "secret"  # required for mariadb
 # database = "ddns"  # required for mariadb
 # pool_size = 5  # default, MariaDB connection pool size
 [dns_service]
 # dns_server = "127.0.0.1"  # default, must be IP address
--- a/files/ddns-service-openrc.initd
+++ b/files/ddns-service-openrc.initd
@@ -20,3 +20,9 @@ depend() {
 start_pre() {
 	checkpath --directory --owner ${USER}:${GROUP} --mode 0750 /var/lib/ddns-service
 }
 reload() {
 	ebegin "Reloading ${RC_SVCNAME}"
 	start-stop-daemon --signal HUP --pidfile "${pidfile}"
 	eend $?
 }
--- a/src/ddns_service/init.py
+++ b/src/ddns_service/init.py
@@ -10,26 +10,20 @@ import datetime
 __version__ = "1.0.0"
 __author__ = "Thomas Oettli <spacefreak@noop.ch>"
 # DynDNS-compatible response statuses
 STATUS_GOOD = "good"
 STATUS_NOCHG = "nochg"
 STATUS_BADAUTH = "badauth"
 STATUS_NOHOST = "nohost"
 STATUS_DNSERR = "dnserr"
 STATUS_ABUSE = "abuse"
 STATUS_BADIP = "badip"
 __all__ = [
    "app",
    "cleanup",
    "cli",
    "config",
    "datetime_aware_utc",
    "datetime_naive_utc",
    "datetime_str",
    "dns",
    "email",
    "logging",
    "main",
    "models",
    "now_utc"
    "ratelimit",
    "server",
    "STATUS_GOOD",
@@ -41,13 +35,75 @@ __all__ = [
    "STATUS_BADIP",
 ]
 # DynDNS-compatible response statuses
 STATUS_GOOD = "good"
 STATUS_NOCHG = "nochg"
 STATUS_BADAUTH = "badauth"
 STATUS_NOHOST = "nohost"
 STATUS_DNSERR = "dnserr"
 STATUS_ABUSE = "abuse"
 STATUS_BADIP = "badip"
 DATETIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"
 # Datetime convention:
-# All datetime objects in this codebase are naive UTC to match database storage.
+# All datetime objects in this codebase are timezone-aware.
-# - utc_now(): returns naive UTC datetime
+# - now_utc(): returns timezone-aware UTC datetime
-# - datetime_str(): converts naive UTC to display string (adds tzinfo for formatting)
+# - datetime_str(): converts naive UTC (adds tzinfo for formatting)
 #   or timezone-aware datetime to display string
 # - Database stores/returns naive datetimes (always UTC by convention)
 # - Database models automatically convert between naive/timezone-aware datetimes
 def now_utc():
    """
    Get current date and time in UTC.
    Returns:
        Timezone-aware datetime object in UTC.
    """
    return datetime.datetime.now(datetime.UTC)
 def datetime_naive_utc(dt):
    """
    Convert datetime to naive UTC datetime.
    Args:
        dt: Datetime object (naive UTC or timezone-aware or None).
    Returns:
        Naive datetime object in UTC or None if dt is not a datetime.
    """
    if not isinstance(dt, datetime.datetime):
        return None
    if not dt.tzinfo:
        return dt
    return dt.astimezone(datetime.UTC).replace(tzinfo=None)
 def datetime_aware_utc(dt):
    """
    Convert datetime to UTC datetime.
    Args:
        dt: Datetime object (naive UTC or timezone-aware or None).
    Returns:
        Timzone-aware datetime object in UTC or None if dt is not a datetime.
    """
    if not isinstance(dt, datetime.datetime):
        return None
    if not dt.tzinfo:
        return dt.replace(tzinfo=datetime.UTC)
    if dt.tzinfo == datetime.UTC:
        return dt
    return dt.astimezone(datetime.UTC)
 def datetime_str(dt, utc=False):
@@ -72,13 +128,3 @@ def datetime_str(dt, utc=False):
        return aware_dt.strftime(DATETIME_FORMAT)
    else:
        return aware_dt.astimezone().strftime(DATETIME_FORMAT)
 def utc_now():
    """
    Get current time as naive UTC datetime.
    Returns naive datetime to match database storage behavior.
    All naive datetimes in this codebase are assumed to be UTC.
    """
    return datetime.datetime.now(datetime.UTC).replace(tzinfo=None)
--- a/src/ddns_service/cleanup.py
+++ b/src/ddns_service/cleanup.py
@@ -3,22 +3,23 @@
 import logging
 import threading
-from . import utc_now
+from . import now_utc
 from .models import Hostname, User
 from datetime import timedelta
-def cleanup_expired(app):
+def cleanup_expired(app, start_time=None):
    """
    Clean up expired hostnames and return count of cleaned entries.
    Args:
        app: Application instance with dns_service and email_service.
        start_time: Timezone aware datetime object containg the start time of the cleanup thread.
    Returns:
        Number of expired hostnames processed.
    """
-    now = utc_now()
+    now = now_utc()
    expired_count = 0
    for hostname in Hostname.select().join(User).where(
@@ -30,12 +31,14 @@ def cleanup_expired(app):
        ipv6_expired = False
        if hostname.last_ipv4:
-            expiry_time = hostname.last_ipv4_update + timedelta(seconds=hostname.expiry_ttl)
+            last_update = max(hostname.last_ipv4_update, start_time)
            expiry_time = last_update + timedelta(seconds=hostname.expiry_ttl)
            if now > expiry_time:
                ipv4_expired = True
        if hostname.last_ipv6:
-            expiry_time = hostname.last_ipv6_update + timedelta(seconds=hostname.expiry_ttl)
+            last_update = max(hostname.last_ipv6_update, start_time)
            expiry_time = last_update + timedelta(seconds=hostname.expiry_ttl)
            if now > expiry_time:
                ipv6_expired = True
@@ -48,38 +51,43 @@ def cleanup_expired(app):
        if app.dns_service:
            if ipv4_expired:
                logging.info(
-                    f"Host expired: hostname={hostname.hostname} zone={hostname.zone} "
+                    f"Cleanup: Host expired: hostname={hostname.hostname} zone={hostname.zone} "
-                    f"ip={hostname.last_ipv4}"
+                    f"ipv4={hostname.last_ipv4}"
                )
                try:
                    app.dns_service.delete_record(hostname.hostname, hostname.zone, "A")
                    ipv4_deleted = True
                except Exception as e:
                    logging.error(f"DNS error: {e}")
                    logging.error(
-                        f"DNS delete failed: hostname={hostname.hostname} "
+                        f"Cleanup failed: hostname={hostname.hostname} "
-                        f"zone={hostname.zone} type=A error={e}"
+                        f"zone={hostname.zone} type=A"
                    )
            if ipv6_expired:
                logging.info(
-                    f"Host expired: hostname={hostname.hostname} zone={hostname.zone} "
+                    f"Cleanup: Host expired: hostname={hostname.hostname} zone={hostname.zone} "
-                    f"ip={hostname.last_ipv6}"
+                    f"ipv6={hostname.last_ipv6}"
                )
                try:
                    app.dns_service.delete_record(hostname.hostname, hostname.zone, "AAAA")
                    ipv6_deleted = True
                except Exception as e:
                    logging.error(f"DNS error: {e}")
                    logging.error(
-                        f"DNS delete failed: hostname={hostname.hostname} "
+                        f"Cleanup failed: hostname={hostname.hostname} "
-                        f"zone={hostname.zone} type=AAAA error={e}"
+                        f"zone={hostname.zone} type=AAAA"
                    )
        if not (ipv4_deleted or ipv6_deleted):
            continue
        if app.email_service:
            app.email_service.send_expiry_notification(
                hostname.user.email,
                hostname,
-                ipv4_expired,
+                ipv4_deleted,
-                ipv6_expired
+                ipv6_deleted
            )
        # Clear IP addresses only if DNS delete succeeded
@@ -88,7 +96,6 @@ def cleanup_expired(app):
        if ipv6_deleted:
            hostname.last_ipv6 = None
        if ipv4_deleted or ipv6_deleted:
        hostname.save()
        expired_count += 1
@@ -113,10 +120,11 @@ class ExpiredRecordsCleanupThread(threading.Thread):
    def run(self):
        """Run the cleanup loop."""
        logging.info(f"Expired records cleanup thread started: interval={self.interval}s")
        start_time = now_utc()
        while not self.stop_event.wait(self.interval):
            try:
-                count = cleanup_expired(self.app)
+                count = cleanup_expired(self.app, start_time)
                if count > 0:
                    logging.info(f"Expired records cleanup completed: count={count}")
            except Exception as e:
--- a/src/ddns_service/cli.py
+++ b/src/ddns_service/cli.py
@@ -1,18 +1,19 @@
 """CLI commands for user and hostname management."""
 import getpass
 import logging
 from . import datetime_str
 from .cleanup import cleanup_expired
 from .dns import encode_dnsname
 from .models import (
    DatabaseError,
    DoesNotExist,
    EncodingError,
    get_hostname,
    get_user,
    Hostname,
    User,
 )
 from .dns import encode_dnsname, EncodingError
 def cmd_user_list(args, app):
@@ -166,24 +167,8 @@ def cmd_hostname_list(args, app):
 def cmd_hostname_add(args, app):
    """Add a hostname."""
    username = args.username
    config = app.config
    # Validate and encode hostname/zone
    try:
        hostname_str = encode_dnsname(args.hostname)
        zone = encode_dnsname(args.zone)
    except EncodingError as e:
        print(f"Error: {e}")
        return 1
    # Get TTLs from args or config defaults
    dns_ttl = args.dns_ttl
    if dns_ttl is None:
        dns_ttl = config["defaults"]["dns_ttl"]
    expiry_ttl = args.expiry_ttl
    if expiry_ttl is None:
        expiry_ttl = config["defaults"]["expiry_ttl"]
        # Get user
        try:
            user = get_user(username)
@@ -192,40 +177,59 @@ def cmd_hostname_add(args, app):
            return 1
        # Check if hostname+zone exists
-    if Hostname.select().where(
+        try:
-        (Hostname.hostname == hostname_str) & (Hostname.zone == zone)
+            hostname = get_hostname(args.hostname, args.zone)
-    ).exists():
+            print(f"Error: Hostname '{hostname.hostname}' in zone '{hostname.zone}' exists.")
        print(f"Error: Hostname '{hostname_str}' in zone '{zone}' exists.")
            return 1
        except EncodingError as e:
            print(f"Error: {e}")
            return 1
        except DoesNotExist:
            pass
        # Get TTLs from args or config defaults
        config = app.config
        dns_ttl = args.dns_ttl
        if dns_ttl is None:
            dns_ttl = config["defaults"]["dns_ttl"]
        expiry_ttl = args.expiry_ttl
        if expiry_ttl is None:
            expiry_ttl = config["defaults"]["expiry_ttl"]
        # Create hostname
-    Hostname.create(
+        hostname = Hostname.create(
            user=user,
-        hostname=hostname_str,
+            hostname=args.hostname,
-        zone=zone,
+            zone=args.zone,
            dns_ttl=dns_ttl,
            expiry_ttl=expiry_ttl
        )
-    print(f"Hostname '{hostname_str}' added for user '{username}'.")
+        print(
            f"Hostname '{hostname.hostname}' in zone '{hostname.zone}' added "
            f"for user '{username}'."
        )
    except DatabaseError as e:
        print(f"Database error: {e}")
        return 1
    return 0
 def cmd_hostname_delete(args, app):
    """Delete a hostname."""
    # Validate and encode hostname and zone
    try:
-        hostname_str = encode_dnsname(args.hostname)
+        try:
            hostname = get_hostname(args.hostname, args.zone)
        except DoesNotExist:
            hostname = encode_dnsname(args.hostname)
            zone = encode_dnsname(args.zone)
            print(f"Error: Hostname '{hostname}' in zone '{zone}' not found.")
            return 1
        except EncodingError as e:
            print(f"Error: {e}")
            return 1
    try:
        hostname = get_hostname(hostname_str, zone)
    except DoesNotExist:
        print(f"Error: Hostname '{hostname_str}' in zone '{zone}' not found.")
        return 1
        # Delete DNS records if active
        if hostname.last_ipv4 or hostname.last_ipv6:
            # Initialize DNS service if not already
@@ -233,45 +237,50 @@ def cmd_hostname_delete(args, app):
                try:
                    app.init_dns()
                except Exception as e:
-                logging.warning(f"DNS init failed: {e}")
+                    print(f"DNS init failed: {e}")
                    return 1
        if app.dns_service:
            if hostname.last_ipv4:
                try:
                    app.dns_service.delete_record(
                        hostname.hostname, hostname.zone, "A"
                    )
                except Exception as e:
-                    logging.warning(f"DNS delete failed: type=A error={e}")
+                    print(f"DNS delete failed: type=A error={e}")
                    return 1
            if hostname.last_ipv6:
                try:
                    app.dns_service.delete_record(
                        hostname.hostname, hostname.zone, "AAAA"
                    )
                except Exception as e:
-                    logging.warning(f"DNS delete failed: type=AAAA error={e}")
+                    print(f"DNS delete failed: type=AAAA error={e}")
                    return 1
        hostname.delete_instance()
-    print(f"Hostname '{hostname_str}' in zone '{zone}' deleted.")
+        print(f"Hostname '{hostname.hostname}' in zone '{hostname.zone}' deleted.")
    except DatabaseError as e:
        print(f"Database error: {e}")
        return 1
    return 0
 def cmd_hostname_modify(args, app):
    """Modify hostname settings."""
    # Validate and encode hostname and zone
    try:
-        hostname_str = encode_dnsname(args.hostname)
+        try:
            hostname = get_hostname(args.hostname, args.zone)
        except DoesNotExist:
            hostname = encode_dnsname(args.hostname)
            zone = encode_dnsname(args.zone)
            print(f"Error: Hostname '{hostname}' in zone '{zone}' not found.")
            return 1
        except EncodingError as e:
            print(f"Error: {e}")
            return 1
    try:
        hostname = get_hostname(hostname_str, zone)
    except DoesNotExist:
        print(f"Error: Hostname '{hostname_str}' in zone '{zone}' not found.")
        return 1
        # Get new TTLs
        dns_ttl = args.dns_ttl if args.dns_ttl is not None else hostname.dns_ttl
        expiry_ttl = args.expiry_ttl if args.expiry_ttl is not None else hostname.expiry_ttl
@@ -280,9 +289,13 @@ def cmd_hostname_modify(args, app):
        hostname.expiry_ttl = expiry_ttl
        hostname.save()
        print(
-        f"Hostname '{hostname_str}' updated: "
+            f"Hostname '{hostname.hostname}' in zone '{hostname.zone}' updated: "
            f"dns_ttl={dns_ttl}, expiry_ttl={expiry_ttl}"
        )
    except DatabaseError as e:
        print(f"Database error: {e}")
        return 1
    return 0
@@ -293,11 +306,20 @@ def cmd_cleanup(args, app):
        try:
            app.init_dns()
        except Exception as e:
-            logging.warning(f"DNS init failed: {e}")
+            print(f"DNS init failed: {e}")
            return 1
    if app.email_service is None:
        app.init_email()
    try:
        count = cleanup_expired(app)
        print(f"Cleanup complete: {count} expired hostname(s) processed.")
    except DatabaseError as e:
        print(f"Database error: {e}")
        return 1
    except Exception as e:
        print(f"Error: {e}")
        return 1
    return 0
--- a/src/ddns_service/dns.py
+++ b/src/ddns_service/dns.py
@@ -10,6 +10,7 @@ import dns.name
 import dns.query
 import dns.rcode
 import dns.rdatatype
 import dns.resolver
 import dns.tsigkeyring
 import dns.update
@@ -353,6 +354,38 @@ class DNSService:
            return hostname[:-len(zone_suffix)]
        return hostname
    def query_record(self, hostname, zone, record_type):
        """
        Check if DNS record exists.
        Args:
            hostname: Hostname (without zone suffix).
            zone: DNS zone name.
            record_type: Record type string (A or AAAA).
        Returns:
            IP address string if record exists, None otherwise.
        """
        fqdn = f"{self._get_relative_name(hostname, zone)}.{zone}"
        if not fqdn.endswith("."):
            fqdn += "."
        try:
            resolver = dns.resolver.Resolver()
            resolver.nameservers = [self.server]
            resolver.port = self.port
            resolver.lifetime = self.timeout
            answers = resolver.resolve(fqdn, record_type)
            return str(answers[0]) if answers else None
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
                dns.resolver.NoNameservers):
            return None
        except Exception as e:
            logging.warning(
                f"DNS query failed: hostname={hostname} zone={zone} "
                f"type={record_type}: {e}"
            )
            return None
    def update_record(self, hostname, zone, ip, ttl):
        """
        Update a DNS record for the given hostname.
--- a/src/ddns_service/models.py
+++ b/src/ddns_service/models.py
@@ -2,24 +2,28 @@
 import logging
 import os
 import time
-from . import utc_now
+from . import datetime_naive_utc, datetime_aware_utc, now_utc
 from .dns import encode_dnsname, EncodingError
 from peewee import (
    AutoField,
    CharField,
    DatabaseProxy,
    Model,
    DateTimeField,
    DoesNotExist,
    fn,
    ForeignKeyField,
    IntegerField,
    Model,
    SqliteDatabase,
    PeeweeException as DatabaseError,
 )
 from playhouse.pool import PooledMySQLDatabase
-# Re-export DoesNotExist and EncodingError for convenience
+
 # Re-export PeeweeException as DatabseException, DoesNotExist and
 # EncodingError for convenience
 __all__ = [
    'db',
    'DATABASE_VERSION',
@@ -33,6 +37,7 @@ __all__ = [
    'get_hostname_for_user',
    'DoesNotExist',
    'EncodingError',
    'DatabaseError',
 ]
 # Database proxy (initialized later with actual backend)
@@ -61,12 +66,34 @@ MIGRATION_COLUMN_MAPS = {
 }
 class DateTimeFieldUTC(DateTimeField):
    def db_value(self, value):
        if value:
            value = datetime_naive_utc(value)
        return super().db_value(value)
    def python_value(self, value):
        value = super().python_value(value)
        if value:
            return datetime_aware_utc(value)
 class BaseModel(Model):
-    """Base model with database binding."""
+    """Base model with database binding and save retry."""
    class Meta:
        database = db
    def save(self, *args, max_retries=3, retry_delay=0.1, **kwargs):
        """Save with retry on DatabaseError (exponential backoff)."""
        for attempt in range(max_retries):
            try:
                return super().save(*args, **kwargs)
            except DatabaseError:
                if attempt == max_retries - 1:
                    raise
                time.sleep(retry_delay * (2 ** attempt))
 class User(BaseModel):
    """User model for authentication."""
@@ -75,7 +102,7 @@ class User(BaseModel):
    username = CharField(max_length=64, unique=True)
    password_hash = CharField(max_length=128)
    email = CharField(max_length=255)
-    created_at = DateTimeField(default=utc_now)
+    created_at = DateTimeFieldUTC(default=now_utc)
    class Meta:
        table_name = "users"
@@ -91,9 +118,9 @@ class Hostname(BaseModel):
    dns_ttl = IntegerField()
    expiry_ttl = IntegerField()
    last_ipv4 = CharField(max_length=15, null=True)
-    last_ipv4_update = DateTimeField(null=True)
+    last_ipv4_update = DateTimeFieldUTC(null=True)
    last_ipv6 = CharField(max_length=45, null=True)
-    last_ipv6_update = DateTimeField(null=True)
+    last_ipv6_update = DateTimeFieldUTC(null=True)
    class Meta:
        table_name = "hostnames"
@@ -101,14 +128,6 @@ class Hostname(BaseModel):
            (('hostname', 'zone'), True),
        )
    def save(self, *args, **kwargs):
        """Validate and encode hostname/zone before saving."""
        if self.hostname:
            self.hostname = encode_dnsname(self.hostname)
        if self.zone:
            self.zone = encode_dnsname(self.zone)
        return super().save(*args, **kwargs)
 class Version(BaseModel):
    """Database schema version for migrations."""
@@ -144,7 +163,10 @@ def init_database(config: dict):
        db_dir = os.path.dirname(db_path)
        if db_dir:
            os.makedirs(db_dir, exist_ok=True)
-        actual_db = SqliteDatabase(db_path)
+        actual_db = SqliteDatabase(db_path, pragmas={
            'journal_mode': 'wal',
            'busy_timeout': 5000,
        })
        db.initialize(actual_db)
        logging.debug(f"Database backend: SQLite path={db_path}")
@@ -273,7 +295,7 @@ def create_tables():
    logging.debug("Database tables created")
-def get_user(username: str):
+def get_user(username: str) -> User:
    """
    Get user by username.
@@ -294,7 +316,7 @@ def get_user(username: str):
    return User.get(User.username == username)
-def get_hostname(hostname, zone):
+def get_hostname(hostname: str, zone: str) -> Hostname:
    """
    Get hostname by name and zone.
@@ -307,6 +329,7 @@ def get_hostname(hostname, zone):
    Raises:
        DoesNotExist: If hostname not found.
        EncodingError: If hostname or zone is invalid.
    Example:
        >>> host = get_hostname("myhost", "example.com")
@@ -314,7 +337,8 @@ def get_hostname(hostname, zone):
        '192.168.1.1'
    """
    return Hostname.get(
-        (Hostname.hostname == hostname) & (Hostname.zone == zone)
+        (Hostname.hostname == encode_dnsname(hostname)) &
        (Hostname.zone == encode_dnsname(zone))
    )
@@ -331,10 +355,14 @@ def get_hostname_for_user(hostname: str, user: User):
    Raises:
        DoesNotExist: If hostname not found or not owned by user.
        EncodingError: If hostname is invalid.
    Example:
        >>> user = get_user("alice")
        >>> host = get_hostname_for_user("myhost.example.com", user)
    """
    fqdn = fn.Concat(Hostname.hostname, '.', Hostname.zone)
-    return Hostname.get((fqdn == hostname) & (Hostname.user == user))
+    return Hostname.get(
        (fqdn == encode_dnsname(hostname)) &
        (Hostname.user == user)
    )
--- a/src/ddns_service/server.py
+++ b/src/ddns_service/server.py
@@ -9,15 +9,10 @@ import logging
 import signal
 import ssl
 import threading
 from concurrent.futures import ThreadPoolExecutor
 from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 from urllib.parse import parse_qs, urlparse
 import argon2
 from . import (
    now_utc,
    datetime_str,
    utc_now,
    STATUS_GOOD,
    STATUS_NOCHG,
    STATUS_BADAUTH,
@@ -27,9 +22,19 @@ from . import (
    STATUS_BADIP,
 )
 from .cleanup import ExpiredRecordsCleanupThread, RateLimitCleanupThread
 from .dns import detect_ip_type
 from .logging import clear_txn_id, set_txn_id
-from .models import DoesNotExist, get_hostname_for_user, get_user
+from .models import (
-from .dns import detect_ip_type, encode_dnsname, EncodingError
+    DatabaseError,
    DoesNotExist,
    EncodingError,
    get_hostname_for_user,
    get_user
 )
 from argon2.exceptions import VerifyMismatchError
 from concurrent.futures import ThreadPoolExecutor
 from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 from urllib.parse import parse_qs, urlparse
 def extract_param(params, aliases):
@@ -123,7 +128,9 @@ class DDNSServer(ThreadingHTTPServer):
                logging.info(f"Waiting for {self.active_requests} active request(s)")
                self.requests_done.wait(timeout=timeout)
                if self.active_requests > 0:
-                    logging.warning(f"Shutdown timeout, {self.active_requests} request(s) still active")
+                    logging.warning(
                        f"Shutdown timeout, {self.active_requests} request(s) still active"
                    )
    def server_close(self):
        """Shutdown thread pool and close server."""
@@ -131,6 +138,30 @@ class DDNSServer(ThreadingHTTPServer):
        super().server_close()
 class DDNSError(Exception):
    def __init__(self, message, status, **kwargs):
        super().__init__(self, message)
        self.message = message
        self.status = status
        self.kwargs = kwargs
    def __str__(self):
        if not self.kwargs:
            return self.message
        string = f"{self.message}:"
        for key, value in self.kwargs.items():
            string += f" {key}={value}"
        return string
 class DDNSClientError(DDNSError):
    def __init__(self, message, code, status, **kwargs):
        super().__init__(message, status, **kwargs)
        self.code = code
 class DDNSRequestHandler(BaseHTTPRequestHandler):
    """HTTP request handler for DDNS updates."""
@@ -210,39 +241,55 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        """Handle GET requests."""
        set_txn_id()
        try:
            self._handle_get_request()
        finally:
            clear_txn_id()
    def _handle_get_request(self):
        """Handle GET request logic."""
        try:
            client_ip = self.get_client_ip()
        except ProxyHeaderError as e:
            logging.error(f"Proxy header error: {e}")
-            self.send_response_body(400, "Bad Request")
+            self.respond(400, "Bad Request")
            return
-        # Bad rate limit check
+        try:
            self._handle_get_request(client_ip)
        except DDNSClientError as e:
            if self.app.bad_limiter:
-            blocked, retry_at = self.app.bad_limiter.is_blocked(client_ip)
+                self.app.bad_limiter.record(client_ip)
-            if blocked:
+            logging.warning(e)
-                logging.warning(
+            self.respond(e.code, e.status)
-                    f"Rate limited (bad): client={client_ip}, "
+        except DDNSError as e:
-                    f"retry_at={datetime_str(retry_at)}")
+            logging.error(e)
-                self.respond(429, STATUS_ABUSE)
+            self.respond(500, e.status)
-                return
+        except DatabaseError as e:
            logging.error(f"Database error: {e}")
            self.respond(500, "Internal Server Error")
        except Exception as e:
            logging.exception(f"Uncaught exception: {e}")
            self.respond(500, "Internal Server Error")
        finally:
            clear_txn_id()
    def _handle_get_request(self, client_ip):
        """Handle GET request logic."""
        # Parse URL
        parsed = urlparse(self.path)
        # Find matching endpoint
        endpoint = self.app.config["_endpoint_map"].get(parsed.path)
        if endpoint is None:
-            self.send_response_body(404, "Not Found")
+            self.respond(404, "Not Found")
            return
        # Bad rate limit check
        if self.app.bad_limiter:
            blocked, retry_at = self.app.bad_limiter.is_blocked(client_ip)
            if blocked:
                raise DDNSClientError(
                    "Rate limited (bad requests)",
                    429,
                    STATUS_ABUSE,
                    client=client_ip,
                    retry_at=datetime_str(retry_at)
                )
        # Parse query parameters
        params = parse_qs(parsed.query)
@@ -253,82 +300,33 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
            password = extract_param(params, endpoint["params"]["password"])
        if not username or not password:
-            logging.warning(f"Auth failed: client={client_ip} user=anonymous")
+            raise DDNSClientError(
-            self._handle_bad_request(client_ip, 401, STATUS_BADAUTH)
+                "Auth failed",
-            return
+                401,
-
+                STATUS_BADAUTH,
-        # Validate credentials
+                client_ip
-        try:
+            )
            user = get_user(username)
            self.app.password_hasher.verify(user.password_hash, password)
        except (DoesNotExist, argon2.exceptions.VerifyMismatchError):
            logging.warning(f"Auth failed: client={client_ip} user={username}")
            self._handle_bad_request(client_ip, 401, STATUS_BADAUTH)
            return
        # Get hostname parameter
        hostname_param = extract_param(params, endpoint["params"]["hostname"])
        if not hostname_param:
-            logging.warning(f"Missing hostname: client={client_ip} user={username}")
+            raise DDNSClientError(
-            self._handle_bad_request(client_ip, 400, STATUS_NOHOST)
+                "Missing hostname",
-            return
+                400,
                STATUS_NOHOST,
                client=client_ip,
                username=username
            )
-        # Validate and encode hostname
+        # Validate credentials
-        try:
+        user = self._authenticate(client_ip, username, password)
            hostname_param = encode_dnsname(hostname_param)
        except EncodingError:
            logging.warning(
                f"Invalid hostname: client={client_ip}, "
                f"hostname={hostname_param}")
            self._handle_bad_request(client_ip, 400, STATUS_NOHOST)
            return
        # Check hostname ownership
-        try:
+        hostname = self._check_permissions(client_ip, user, hostname_param)
            hostname = get_hostname_for_user(hostname_param, user)
        except DoesNotExist:
            logging.warning(
                f"Access denied: client={client_ip} user={username} "
                f"hostname={hostname_param}"
            )
            self._handle_bad_request(client_ip, 403, STATUS_NOHOST)
            return
        # Good rate limit check
        if self.app.good_limiter:
            blocked, retry_at = self.app.good_limiter.is_blocked(client_ip)
            if blocked:
                logging.warning(
                    f"Rate limited: client={client_ip}, "
                    f"retry_at={datetime_str(retry_at)}")
                self.respond(429, STATUS_ABUSE)
                return
        # Record good request
        if self.app.good_limiter:
            self.app.good_limiter.record(client_ip)
        # Determine IPs to update
        result = self._process_ip_update(hostname, params, endpoint, client_ip)
        if result:
            code, status, kwargs = result
            self.respond(code, status, **kwargs)
    def _handle_bad_request(self, client_ip, code, status):
        """Handle bad request and record in rate limiter."""
        if self.app.bad_limiter:
            self.app.bad_limiter.record(client_ip)
        self.respond(code, status)
    def _process_ip_update(self, hostname, params, endpoint, client_ip):
        """Process IP update for hostname."""
        myip = extract_param(params, endpoint["params"]["ipv4"])
        myip6 = extract_param(params, endpoint["params"]["ipv6"])
        ipv4 = None
        ipv6 = None
        # Process myip parameter
        ipv4 = None
        myip = extract_param(params, endpoint["params"]["ipv4"])
        if myip:
            try:
                rtype, myip = detect_ip_type(myip)
@@ -337,31 +335,126 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                else:
                    ipv6 = myip
            except ValueError:
-                return (400, STATUS_BADIP, {})
+                raise DDNSClientError(
                    "Bad IP address",
                    400,
                    STATUS_BADIP,
                    client=client_ip,
                    username=username,
                    hostname=hostname.hostname,
                    zone=hostname.zone,
                    ip=myip
                )
        # Process myip6 parameter
        ipv6 = None
        myip6 = extract_param(params, endpoint["params"]["ipv6"])
        if myip6:
            try:
                rtype, myip6 = detect_ip_type(myip6)
                if rtype == "AAAA":
                    ipv6 = myip6
                else:
-                    return (400, STATUS_BADIP, {})
+                    raise ValueError
            except ValueError:
-                return (400, STATUS_BADIP, {})
+                raise DDNSClientError(
                    "Bad IP address",
                    400,
                    STATUS_BADIP,
                    client=client_ip,
                    username=username,
                    hostname=hostname.hostname,
                    zone=hostname.zone,
                    ipv6=myip6
                )
        # Auto-detect from client IP if no params
        if ipv4 is None and ipv6 is None:
            try:
            rtype, ip = detect_ip_type(client_ip)
            if rtype == "A":
                ipv4 = ip
            else:
                ipv6 = ip
            except ValueError:
                return (400, STATUS_BADIP, {})
-        now = utc_now()
+        # Process notify_change parameter
        notify_change = extract_param(params, endpoint["params"]["notify_change"])
        notify_change = notify_change.lower() in ["1", "y", "yes", "on", "true"] \
            if notify_change else False
        # Good rate limit check
        if self.app.good_limiter:
            blocked, retry_at = self.app.good_limiter.is_blocked(client_ip)
            if blocked:
                raise DDNSClientError(
                    "Rate limited (good requests)",
                    429,
                    STATUS_ABUSE,
                    client=client_ip,
                    username=username,
                    retry_at=datetime_str(retry_at)
                )
        # Record good request
        if self.app.good_limiter:
            self.app.good_limiter.record(client_ip)
        # Process update request
        self._process_ip_update(
            client_ip,
            user,
            hostname,
            ipv4,
            ipv6,
            notify_change
        )
    def _authenticate(self, client_ip, username, password):
        try:
            try:
                user = get_user(username)
            except DoesNotExist:
                # User does not exist, Hash fake password to prevent time-based attacks
                self.app.password_hasher.hash("FAKE-PASSWORD")
                raise DoesNotExist
            self.app.password_hasher.verify(user.password_hash, password)
        except (DoesNotExist, VerifyMismatchError):
            raise DDNSClientError(
                "Auth failed",
                401,
                STATUS_BADAUTH,
                client=client_ip,
                username=username
            )
        return user
    def _check_permissions(self, client_ip, user, hostname_param):
        # Check hostname ownership
        code = None
        try:
            hostname = get_hostname_for_user(hostname_param, user)
        except DoesNotExist:
            code = 403
        except EncodingError:
            code = 400
        if code:
            raise DDNSClientError(
                "Access denied",
                code,
                STATUS_NOHOST,
                client=client_ip,
                username=user.username,
                hostname=hostname_param
            )
        return hostname
    def _process_ip_update(self, client_ip, user, hostname, ipv4, ipv6, notify_change):
        """Process IP update for hostname."""
        now = now_utc()
        ipv4_changed = False
        ipv6_changed = False
@@ -380,11 +473,15 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                    ipv4_changed = True
                except Exception as e:
                    hostname.save()
-                    logging.error(
+                    logging.error(f"DNS error: {e}")
-                        f"DNS update failed: client={client_ip} hostname={hostname.hostname} "
+                    raise DDNSError(
-                        f"zone={hostname.zone} ipv4={ipv4} error={e}"
+                        "Update failed",
                        STATUS_DNSERR,
                        client=client_ip,
                        hostname=hostname.hostname,
                        zone=hostname.zone,
                        ipv4=ipv4
                    )
                    return (500, STATUS_DNSERR, {})
        if ipv6:
            hostname.last_ipv6_update = now
@@ -401,19 +498,19 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                    ipv6_changed = True
                except Exception as e:
                    hostname.save()
-                    logging.error(
+                    logging.error(f"DNS error: {e}")
-                        f"DNS update failed: client={client_ip} hostname={hostname.hostname} "
+                    raise DDNSError(
-                        f"zone={hostname.zone} ipv6={ipv6} error={e}"
+                        "Update failed",
                        STATUS_DNSERR,
                        client=client_ip,
                        hostname=hostname.hostname,
                        zone=hostname.zone,
                        ipv6=ipv6
                    )
                    return (500, STATUS_DNSERR, {})
        # Update database
        hostname.save()
        notify_change_val = extract_param(params, endpoint["params"]["notify_change"])
        notify_change = notify_change_val.lower() not in ["0", "n", "no", "off"] \
            if notify_change_val else False
        changed_addrs = ""
        if ipv4_changed:
            changed_addrs += f" ipv4={ipv4}"
@@ -425,10 +522,13 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                f"No change: client={client_ip} hostname={hostname.hostname} "
                f"zone={hostname.zone}{changed_addrs} notify_change={str(notify_change).lower()}"
            )
-            return (
+            self.respond(
-                200, STATUS_NOCHG,
+                200,
-                {"ipv4": hostname.last_ipv4, "ipv6": hostname.last_ipv6}
+                STATUS_NOCHG,
                ipv4=hostname.last_ipv4,
                ipv6=hostname.last_ipv6
            )
            return
        logging.info(
            f"Updated: client={client_ip} hostname={hostname.hostname} "
@@ -446,9 +546,11 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
            except Exception as e:
                logging.error(f"Sending change notification error: {e}")
-        return (
+        self.respond(
-            200, STATUS_GOOD,
+            200,
-            {"ipv4": hostname.last_ipv4, "ipv6": hostname.last_ipv6}
+            STATUS_GOOD,
            ipv4=hostname.last_ipv4,
            ipv6=hostname.last_ipv6
        )
Author	SHA1	Message	Date
Thomas Oettli	2d61ad11b3	Add DNS query function	2026-02-01 17:03:33 +01:00
Thomas Oettli	e37a9e84a6	Add pragmas to SQLite DBs and add retry logic to BaseModel	2026-02-01 17:01:35 +01:00
Thomas Oettli	21b5a4c553	Fix bug when responding with nochange or success	2026-02-01 05:09:09 +01:00
Thomas Oettli	5d2b9c3ffb	Cleanup: use max of last update and start time to determine expiry time	2026-02-01 04:57:22 +01:00
Thomas Oettli	cd5979556c	Refactor and further improve error handling / logging	2026-02-01 04:25:21 +01:00
Thomas Oettli	60ebf4b387	Improve cleanup logic	2026-02-01 01:36:52 +01:00
Thomas Oettli	105a9d4253	Handle naive datetime in database with custom database field	2026-02-01 01:27:48 +01:00
Thomas Oettli	870a1b9f00	Improve error handling and logging	2026-02-01 00:31:16 +01:00
Thomas Oettli	89e63858a0	Add reload function to OpenRC init script	2026-01-24 04:03:51 +01:00
Thomas Oettli	e365fa7d77	Change README.md and config.example.toml	2026-01-24 04:03:26 +01:00
Thomas Oettli	b97eb0404c	Improve timezone handling, db models convert naive/timezone-aware	2026-01-24 02:27:57 +01:00
Thomas Oettli	07e37e525c	Use db model hostname validation in cli and improve exception handling	2026-01-24 00:46:48 +01:00