Configuring Cloudflare in DNS-O-matic

Today I ran into an issue configuring DNS-O-Matic to update my Cloudflare DNS records (specifically, the record with the dynamic IP that points to my home IP address, and is automatically updated by the router in my home network). I entered all necessary settings in the DNS-O-Matic form, but when I sent an update to it, the update to the Cloudflare service always errored out with the message “err Invalid request headers (6003)”.

After a bit of trial and error, and going back and forth through documentation and tutorials, I finally figured out that the DNS-O-Matic field that says “API Token” does not expect what Cloudflare calls an API Token; it wants Cloudflare’s Global API Key.

This is actually clear in Cloudflare’s documentation on how to set up DNS-O-Matic, although I think it needs to be more explicitly stated that you’re not supposed to use the Cloudflare thing with the same name that the DNS-O-Matic form has. Maybe the documentation predates the implementation of API Tokens on Cloudflare’s side and that’s why the terminology isn’t the clearest.

Once I put my Global API key there, the updates started working as expected. Then I pinged OpenDNS on Twitter to see if they have any plans of supporting API Tokens instead of the global API key, which would allow for more granular control of what they can do and would be a good security practice. That way if the DNS-O-Matic databases ever got compromised, the attackers wouldn’t get complete control over our Cloudflare accounts.
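For comparison, this added example (not code from this post, DNS-O-Matic, or Cloudflare) builds the Cloudflare v4 API request a dynamic-DNS updater would send with each credential type. An API Token, which can be limited to Zone > DNS > Edit on a single zone, travels in an `Authorization: Bearer` header; the Global API Key travels in `X-Auth-Key` alongside the account email. The zone ID, record ID, hostname and secrets are constructed placeholders, and nothing is sent over the network.

```python
import ipaddress
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def auth_headers(cred):
    """Return the Cloudflare auth headers for one of the two credential kinds."""
    if cred["kind"] == "token":
        # Scoped API Token: a leak exposes only what the token was granted.
        return {"Authorization": "Bearer " + cred["secret"]}
    if cred["kind"] == "global_key":
        # Global API Key: account-wide, always paired with the account email.
        return {"X-Auth-Email": cred["email"], "X-Auth-Key": cred["secret"]}
    raise ValueError("unknown credential kind: %r" % cred["kind"])


def build_dns_update(zone_id, record_id, name, ip, cred):
    """Build (but do not send) the PATCH that repoints one DNS record at ip."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    body = {
        "type": "A" if addr.version == 4 else "AAAA",
        "name": name,
        "content": str(addr),
    }
    headers = {"Content-Type": "application/json"}
    headers.update(auth_headers(cred))
    url = "%s/zones/%s/dns_records/%s" % (API, zone_id, record_id)
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="PATCH")


if __name__ == "__main__":
    # Constructed placeholder credentials, not real secrets.
    creds = [
        {"kind": "token", "secret": "EXAMPLE_SCOPED_TOKEN"},
        {"kind": "global_key", "email": "user@example.com",
         "secret": "EXAMPLE_GLOBAL_KEY"},
    ]
    for cred in creds:
        req = build_dns_update("ZONE_ID", "RECORD_ID", "home.example.com",
                               "203.0.113.7", cred)
        print(cred["kind"], req.get_method(), req.full_url)
        print("  auth headers:", sorted(auth_headers(cred)))
```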

2 thoughts on “Configuring Cloudflare in DNS-O-matic”

  1. Lucent

    Using the global API key to update a DNS entry is absurd. Is there some permission we can generate that’ll allow a specific token to work?
