Technical People who say "This is dumb"

I get it

Before I go further, let’s discuss the key scope of what I want Synclias to do:

Provide a method where my home network automatically adjusts and routes some sites over a VPN with minimal steps for me

It most definitely does not:

  • Guarantee that traffic never misses the VPN tunnel and reaches the version of the site served to your own country
  • Provide any way of routing torrent clients and the like; if you want that, dedicate an IP to the client and use it as the source address in a dedicated firewall rule.

Misses and What Causes Them

Let’s call a site that doesn’t get routed over the VPN a “miss”. There are several scenarios that can realistically cause misses:

  1. The big one: a site moves IP, and Synclias doesn’t catch it before a client gets there
  2. Round-robin load balancing using IP addresses
  3. CDNs that hand clients off to numbered hostnames (e.g. cdn34343.cdn.local, cdn343536.cdn.local) don’t really work with discovery
  4. Short TTLs make the captured IP irrelevant after 5 minutes

Essentially, these boil down to two things:

  • Scenario 1: Discovery. This is a problem because we only have the information in the DNS response we get back, and a different view may come back in the near future.

  • Scenario 2: Changes. Clients and browsers will (correctly) follow the spec and move to the new IPs once the TTL expires, and Synclias won’t catch up until the next sync.

Whilst these are different scenarios, they essentially come down to the same thing: the upstream DNS answer can change within a shorter period than the interval between Synclias syncs.
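To make the two scenarios concrete, here is a small simulation I have added for this write-up; it is not Synclias code and it does not claim to reproduce how Synclias fills its alias. It models a firewall alias that is refilled wholesale at every sync (an assumption), an upstream server whose answer changes at a fixed moment or rotates round-robin, and a spec-following client that caches each answer for its TTL. Hostnames, addresses and timings are constructed; `simulate` and `miss_count` are names chosen here.

```python
"""Toy model of a Synclias-style "miss": an alias of IPs to route over the
VPN is refilled only at each sync, while upstream DNS may change in between
and clients follow the TTL they were handed.  All addresses and timings are
constructed; replacing the whole alias at every sync is an assumption made
for this example, not a statement about Synclias itself."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    ips: frozenset   # A records carried by one DNS response
    ttl: int         # seconds a client may cache them


class Upstream:
    """Constructed authoritative server.  Timeline entries are
    (from_time, ip_pool, ttl, per_response); the pool is rotated on every
    query so per_response < len(pool) behaves like round-robin DNS."""

    def __init__(self, timeline):
        self.timeline = sorted(timeline, key=lambda e: e[0])
        self.queries = 0

    def query(self, t):
        pool, ttl, n = [], 0, 0
        for start, p, tt, k in self.timeline:
            if start <= t:              # latest entry in force at time t wins
                pool, ttl, n = list(p), tt, k
        if not pool:
            raise LookupError("name does not exist at t=%d" % t)
        offset = self.queries % len(pool)
        self.queries += 1
        rotated = pool[offset:] + pool[:offset]
        return Answer(frozenset(rotated[:n]), ttl)


class CachingClient:
    """A resolver that behaves to spec: reuse the answer until its TTL expires."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cached = None
        self.expires = -1

    def resolve(self, t):
        if self.cached is None or t >= self.expires:
            self.cached = self.upstream.query(t)
            self.expires = t + self.cached.ttl
        return self.cached


def simulate(timeline, sync_interval, lookup_times):
    """Sync the alias every sync_interval seconds from t=0 and classify each
    client lookup: 'vpn' if every IP in the client's answer is in the alias
    at that moment, else 'miss'.  Returns a list of (t, verdict)."""
    upstream = Upstream(timeline)
    client = CachingClient(upstream)
    alias = frozenset()              # assumption: replaced wholesale at each sync
    next_sync = 0
    verdicts = []
    for t in sorted(lookup_times):
        while next_sync <= t:        # run every sync that was due before this lookup
            alias = upstream.query(next_sync).ips
            next_sync += sync_interval
        answer = client.resolve(t)
        routed = answer.ips <= alias  # subset test: all answered IPs are aliased
        verdicts.append((t, "vpn" if routed else "miss"))
    return verdicts


def miss_count(timeline, sync_interval, lookup_times):
    return sum(1 for _, v in simulate(timeline, sync_interval, lookup_times)
               if v == "miss")


# Scenario 1 from the post: the site moves IP between two syncs (constructed).
MOVE = [
    (0,    ["203.0.113.10"], 3600, 1),
    (5000, ["203.0.113.20"], 300, 1),   # migration at t=5000, now with a short TTL
]

# Scenario 2: a round-robin pool of three addresses, one per response (constructed).
ROUND_ROBIN = [
    (0, ["198.51.100.1", "198.51.100.2", "198.51.100.3"], 60, 1),
]


if __name__ == "__main__":
    lookups = [100, 5050, 5400, 7300]
    for interval in (3600, 300):
        print("sync every %4ds:" % interval, simulate(MOVE, interval, lookups))
    print("round robin:     ", simulate(ROUND_ROBIN, 300, [10, 80, 150]))
```

Run with an hourly sync the migration causes two misses; with a five-minute sync only the lookup that lands inside the gap between the move and the next sync misses, which is the window the post describes. The round-robin case shows a different failure: the alias only ever holds the single address the sync happened to be given, so two of three client answers point at addresses the alias has never seen.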

Follow the specs, but let’s apply the real world

Having said that, let’s look at some real-world data. My working theory, from having done web hosting for years, is that sites don’t move IP that often, mainly because there are far easier alternatives to doing so (mainly because TTLs and caching exist, which is a blessing to me and a curse to quick migrations).

Let’s look at some data

Using - DNS History

Here are some records:

  • discord.gg - has had the same 5 A records since 2022
  • i.imgur.com - has moved IP once in 2025, and before that moved once in 2024
  • The big “p….hub” site has had the same IP since 2022

I fully understand that migrations do happen and there will be misses, but for most sites, migrations of IP addresses are relatively rare these days, and I’m willing to take a few misses every year.

That said, this isn’t designed for someone to run a business over. No promises, best effort.

Why do I think IPs are pretty stable?

With things like:

  • Blue/green deployments
  • Anycast
  • Elastic IPs etc

It’s far more common these days for your external IP to stay the same and for a device behind it to handle the traffic migration, rather than doing it through DNS, because:

  1. There’s far more granular control options than DNS provides
  2. DNS propagation exists
  3. TTLs generally don’t come into it (which is essentially 2, but slightly different)

So it’s far easier to migrate a site these days without using DNS to do so, and the cost of a DNS screw-up isn’t just that you need to roll it back: you also need to wait for propagation, which means your site is unreliable for longer than necessary.

Let’s be honest, with Elastic IPs AWS charge per hour for an IP that doesn’t change, and people are happy to pay it.

As such, the only real time anyone changes IP address is when the easier options aren’t available.

IPv6

This is going to be an interesting one: companies have a lot more IPs available to choose from, so we might see more movement. Originally I set this up as IPv4 only and thought IPv6 would be a nightmare, but frankly it’s been fine, as long as people have a VPN that matches their single or dual stack.

Sticking to the specs

Back to DNS: my preference will always be what I do with Technitium if possible, kick out the DNS entry and refresh it, because I want the promise that a TTL gives. But we work with normal DNS as well, because the Venn diagram of OPNsense/VPN/Technitium users who might find it helpful is probably a circle around me.

With regard to the assumption some have made that I’m trying to do something outside the DNS specs: I’m not, I promise. No pinning, no hosts file entries, etc. It’s better that a site works with a miss than that I do something stupid and start breaking people’s connectivity.

Obviously long TTLs work better for Synclias, but a shorter TTL and a DNS change just mean that the user gets routed through their normal connection. I’m not breaking sites in any way; I’m not extending TTLs or fixing IPs at all.

So yeah, misses happen, but I’m happy to accept them a couple of times a year. The VPN client still works when you need it, or go click Sync.

A note on Kill-Switches

Sadly, as you can imagine, this isn’t really compatible with them network-wide: I’m happy to accept the miss for browsing, and since we follow rather than lead on IP addressing, I can’t predict where a site is going to move to.

I can see the use for a kill switch in certain cases: anything where you need to make sure it has no chance of going out over the normal internet.

But outside of that, my question is: do you really need a kill switch for your main desktop? I think a lot of people see the cool term and want it, but for my use case it’s just not necessary. If I was running most things that would need one, it’d be on a dedicated host with its own kill switch.

Wrapping it up…

If you decide it’s not for you, that’s fine. I appreciate that you took the time to read this; it’s a lot longer than I thought it would be.