Summary
Cloudflare IP rejection (REJECT_CLOUDFLARE_IPS) now defaults to true, protecting all users from incorrect DNS updates out of the box. When Cloudflare's published IP ranges can't be fetched, updates are skipped entirely rather than risking writing a Cloudflare anycast address to your DNS records.
What's changed
Breaking: REJECT_CLOUDFLARE_IPS defaults to true
Previously, you had to opt in to Cloudflare IP rejection by setting REJECT_CLOUDFLARE_IPS=true. Starting with this release, it is enabled by default in both environment variable mode and legacy config.json mode.
If you need the old behavior, set REJECT_CLOUDFLARE_IPS=false explicitly.
Safety: skip updates when Cloudflare ranges can't be fetched
When REJECT_CLOUDFLARE_IPS is enabled and the Cloudflare IP range lists cannot be downloaded, the updater now clears all detected IPs and skips the update cycle instead of proceeding without filtering. This prevents a scenario where a fetch failure could allow a Cloudflare anycast address to be written to your DNS records.
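The fail-closed behavior described above, sketched as an added example that is not the project's own code. The function names are hypothetical, the range fetch is modeled as a Result, and the sample CIDR lines are embedded so the example runs offline.

```rust
use std::net::IpAddr;

// Parse one CIDR line into (network as u128, prefix length, is_v6).
fn parse_cidr(s: &str) -> Option<(u128, u32, bool)> {
    let (addr, len) = s.trim().split_once('/')?;
    let len: u32 = len.parse().ok()?;
    match addr.parse::<IpAddr>().ok()? {
        IpAddr::V4(a) if len <= 32 => Some((u32::from(a) as u128, len, false)),
        IpAddr::V6(a) if len <= 128 => Some((u128::from(a), len, true)),
        _ => None, // prefix length out of bounds for the address family
    }
}

// True when `ip` is in the same family as the range and shares its prefix bits.
fn in_range(ip: IpAddr, cidr: (u128, u32, bool)) -> bool {
    let (net, len, v6) = cidr;
    let (val, bits) = match ip {
        IpAddr::V4(a) => (u32::from(a) as u128, 32u32),
        IpAddr::V6(a) => (u128::from(a), 128u32),
    };
    if v6 != (bits == 128) { return false; }
    if len == 0 { return true; } // avoids shifting a u128 by 128 bits
    let shift = bits - len;
    (val >> shift) == (net >> shift)
}

// Fail closed: `ranges` is Err when the range lists could not be downloaded.
// An empty result means "skip this update cycle", never "update unfiltered".
fn filter_detected(detected: Vec<IpAddr>, ranges: Result<Vec<String>, String>) -> Vec<IpAddr> {
    let lines = match ranges {
        Ok(l) => l,
        Err(_) => return Vec::new(), // fetch failed: clear all detected IPs
    };
    let cidrs: Vec<_> = lines.iter().filter_map(|l| parse_cidr(l)).collect();
    // Assumption of this example: a list with no parseable range counts as a failed fetch.
    if cidrs.is_empty() { return Vec::new(); }
    detected.into_iter().filter(|ip| !cidrs.iter().any(|c| in_range(*ip, *c))).collect()
}

fn main() {
    // Sample input embedded for this example; the real lists are fetched at runtime.
    let detected: Vec<IpAddr> = vec!["104.16.1.1".parse().unwrap(), "203.0.113.7".parse().unwrap()];
    let ranges = vec!["104.16.0.0/13".to_string(), "2606:4700::/32".to_string()];
    println!("ranges ok:   {:?}", filter_detected(detected.clone(), Ok(ranges)));
    println!("fetch error: {:?}", filter_detected(detected, Err("timeout".into())));
}
```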
Performance: concurrent Cloudflare range fetching
IPv4 and IPv6 Cloudflare ranges are now fetched concurrently using tokio::join!, reducing the time spent on range retrieval each update cycle.
Tests
Added comprehensive unit tests validating parsing and boundary checks against all current Cloudflare IPv4 and IPv6 ranges.
Docker
docker pull timothyjmiller/cloudflare-ddns:2.0.6
Multi-arch: linux/amd64, linux/arm64