Bump to 2.0.9

The split client previously bound to 0.0.0.0 / [::] to force
  IPv4/IPv6,
  but this only hinted at the address family — happy-eyeballs could
  still
  race and connect over the wrong protocol on dual-stack hosts.

  Introduce a FilteredResolver that strips wrong-family addresses from
  DNS
  results before the HTTP client sees them, matching the "split dialer"
  pattern from favonia/cloudflare-ddns. This guarantees the client can
  only
  establish connections over the desired protocol.

  Also switch Cloudflare trace URLs from literal resolver IPs
  (1.0.0.1 / [2606:4700:4700::1001]) to cloudflare.com with an
  api.cloudflare.com fallback — the DNS filter makes dual-stack
  hostnames
  safe, and literal IPs caused TLS SNI mismatches for some users.

  - reqwest 0.12 → 0.13 (adds dns_resolver API)
  - if-addrs 0.13 → 0.15
  - tokio: add "net" feature for tokio::net::lookup_host

.github/workflows/image.yml

@@ -9,6 +9,8 @@ on:
 
 jobs:
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

Cargo.lock

@@ -48,6 +48,28 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
+[[package]]
+name = "aws-lc-rs"
+version = "1.16.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
+dependencies = [
+ "aws-lc-sys",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
+dependencies = [
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
+
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -79,9 +101,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423"
 dependencies = [
  "find-msvc-tools",
+ "jobserver",
+ "libc",
  "shlex",
 ]
 
+[[package]]
+name = "cesu8"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
+
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
@@ -109,7 +139,7 @@ dependencies = [
 
 [[package]]
 name = "cloudflare-ddns"
-version = "2.0.5"
+version = "2.0.9"
 dependencies = [
  "chrono",
  "idna",
@@ -124,6 +154,35 @@ dependencies = [
  "wiremock",
 ]
 
+[[package]]
+name = "cmake"
+version = "0.1.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "combine"
+version = "4.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
+dependencies = [
+ "bytes",
+ "memchr",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -159,6 +218,12 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
 [[package]]
 name = "equivalent"
 version = "1.0.2"
@@ -208,6 +273,12 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "futures"
 version = "0.3.32"
@@ -464,7 +535,6 @@ dependencies = [
  "tokio",
  "tokio-rustls",
  "tower-service",
- "webpki-roots",
 ]
 
 [[package]]
@@ -624,12 +694,12 @@ dependencies = [
 
 [[package]]
 name = "if-addrs"
-version = "0.13.4"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69b2eeee38fef3aa9b4cc5f1beea8a2444fc00e7377cafae396de3f5c2065e24"
+checksum = "c0a05c691e1fae256cf7013d99dad472dc52d5543322761f83ec8d47eab40d2b"
 dependencies = [
  "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -652,9 +722,9 @@ checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
 
 [[package]]
 name = "iri-string"
-version = "0.7.10"
+version = "0.7.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
+checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
 dependencies = [
  "memchr",
  "serde",
@@ -662,9 +732,63 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+
+[[package]]
+name = "jni"
+version = "0.21.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97"
+dependencies = [
+ "cesu8",
+ "cfg-if",
+ "combine",
+ "jni-sys 0.3.1",
+ "log",
+ "thiserror 1.0.69",
+ "walkdir",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41a652e1f9b6e0275df1f15b32661cf0d4b78d4d87ddec5e0c3c20f097433258"
+dependencies = [
+ "jni-sys 0.4.1",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c6377a88cb3910bee9b0fa88d4f42e1d2da8e79915598f65fb0c7ee14c878af2"
+dependencies = [
+ "jni-sys-macros",
+]
+
+[[package]]
+name = "jni-sys-macros"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38c0b942f458fe50cdac086d2f946512305e5631e720728f2a61aabcd47a6264"
+dependencies = [
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "jobserver"
+version = "0.1.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
+dependencies = [
+ "getrandom 0.3.4",
+ "libc",
+]
 
 [[package]]
 name = "js-sys"
@@ -760,6 +884,12 @@ version = "1.21.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
 
+[[package]]
+name = "openssl-probe"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.2"
@@ -829,7 +959,7 @@ dependencies = [
  "rustc-hash",
  "rustls",
  "socket2",
- "thiserror",
+ "thiserror 2.0.18",
  "tokio",
  "tracing",
  "web-time",
@@ -841,6 +971,7 @@ version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
+ "aws-lc-rs",
  "bytes",
  "getrandom 0.3.4",
  "lru-slab",
@@ -850,7 +981,7 @@ dependencies = [
  "rustls",
  "rustls-pki-types",
  "slab",
- "thiserror",
+ "thiserror 2.0.18",
  "tinyvec",
  "tracing",
  "web-time",
@@ -951,9 +1082,9 @@ checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
 
 [[package]]
 name = "reqwest"
-version = "0.12.28"
+version = "0.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
+checksum = "ab3f43e3283ab1488b624b44b0e988d0acea0b3214e694730a055cb6b2efa801"
 dependencies = [
  "base64",
  "bytes",
@@ -971,6 +1102,7 @@ dependencies = [
  "quinn",
  "rustls",
  "rustls-pki-types",
+ "rustls-platform-verifier",
  "serde",
  "serde_json",
  "serde_urlencoded",
@@ -984,7 +1116,6 @@ dependencies = [
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "web-sys",
- "webpki-roots",
 ]
 
 [[package]]
@@ -1026,14 +1157,26 @@ version = "0.23.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
 dependencies = [
+ "aws-lc-rs",
  "once_cell",
- "ring",
  "rustls-pki-types",
  "rustls-webpki",
  "subtle",
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-native-certs"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
+dependencies = [
+ "openssl-probe",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
@@ -1045,11 +1188,39 @@ dependencies = [
 ]
 
 [[package]]
-name = "rustls-webpki"
+name = "rustls-platform-verifier"
-version = "0.103.9"
+version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
 dependencies = [
+ "core-foundation",
+ "core-foundation-sys",
+ "jni",
+ "log",
+ "once_cell",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-platform-verifier-android",
+ "rustls-webpki",
+ "security-framework",
+ "security-framework-sys",
+ "webpki-root-certs",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "rustls-platform-verifier-android"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
+
+[[package]]
+name = "rustls-webpki"
+version = "0.103.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+dependencies = [
+ "aws-lc-rs",
  "ring",
  "rustls-pki-types",
  "untrusted",
@@ -1067,6 +1238,47 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "schannel"
+version = "0.1.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "security-framework"
+version = "3.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "semver"
 version = "1.0.27"
@@ -1222,13 +1434,33 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
 [[package]]
 name = "thiserror"
 version = "2.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
 dependencies = [
- "thiserror-impl",
+ "thiserror-impl 2.0.18",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
 ]
 
 [[package]]
@@ -1423,6 +1655,16 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -1570,14 +1812,23 @@ dependencies = [
 ]
 
 [[package]]
-name = "webpki-roots"
+name = "webpki-root-certs"
 version = "1.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22cfaf3c063993ff62e73cb4311efde4db1efb31ab78a3e5c457939ad5cc0bed"
+checksum = "804f18a4ac2676ffb4e8b5b5fa9ae38af06df08162314f96a68d2a363e21a8ca"
 dependencies = [
  "rustls-pki-types",
 ]
 
+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "windows-core"
 version = "0.62.2"
@@ -1639,18 +1890,18 @@ dependencies = [
 
 [[package]]
 name = "windows-sys"
-version = "0.52.0"
+version = "0.45.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
 dependencies = [
- "windows-targets 0.52.6",
+ "windows-targets 0.42.2",
 ]
 
 [[package]]
 name = "windows-sys"
-version = "0.59.0"
+version = "0.52.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
 dependencies = [
  "windows-targets 0.52.6",
 ]
@@ -1673,6 +1924,21 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -1706,6 +1972,12 @@ dependencies = [
  "windows_x86_64_msvc 0.53.1",
 ]
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -1718,6 +1990,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -1730,6 +2008,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -1754,6 +2038,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -1766,6 +2056,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -1778,6 +2074,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -1790,6 +2092,12 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -1944,18 +2252,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
 dependencies = [
  "proc-macro2",
  "quote",

Cargo.toml

@@ -1,20 +1,20 @@
 [package]
 name = "cloudflare-ddns"
-version = "2.0.5"
+version = "2.0.9"
 edition = "2021"
 description = "Access your home network remotely via a custom domain name without a static IP"
 license = "GPL-3.0"
 
 [dependencies]
-reqwest = { version = "0.12", features = ["json", "rustls-tls"], default-features = false }
+reqwest = { version = "0.13", features = ["json", "form", "rustls"], default-features = false }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "signal"] }
+tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "signal", "net"] }
 regex = "1"
 chrono = { version = "0.4", features = ["clock"] }
 url = "2"
 idna = "1"
-if-addrs = "0.13"
+if-addrs = "0.15"
 
 [profile.release]
 opt-level = "s"

README.md

@@ -28,7 +28,7 @@ Configure everything with environment variables. Supports notifications, heartbe
 - 🎨 **Pretty output with emoji** — Configurable emoji and verbosity levels
 - 🔒 **Zero-log IP detection** — Uses Cloudflare's [cdn-cgi/trace](https://www.cloudflare.com/cdn-cgi/trace) by default
 - 🏠 **CGNAT-aware local detection** — Filters out shared address space (100.64.0.0/10) and private ranges
-- 🚫 **Cloudflare IP rejection** — Optionally reject Cloudflare anycast IPs to prevent incorrect DNS updates
+- 🚫 **Cloudflare IP rejection** — Automatically rejects Cloudflare anycast IPs to prevent incorrect DNS updates
 - 🤏 **Tiny static binary** — ~1.9 MB Docker image built from scratch, zero runtime dependencies
 
 ## 🚀 Quick Start
@@ -92,11 +92,13 @@ Available providers:
 
 | Variable | Default | Description |
 |----------|---------|-------------|
-| `REJECT_CLOUDFLARE_IPS` | `false` | Reject detected IPs that fall within Cloudflare's IP ranges |
+| `REJECT_CLOUDFLARE_IPS` | `true` | Reject detected IPs that fall within Cloudflare's IP ranges |
 
 Some IP detection providers occasionally return a Cloudflare anycast IP instead of your real public IP. When this happens, your DNS record gets updated to point at Cloudflare infrastructure rather than your actual address.
 
-Setting `REJECT_CLOUDFLARE_IPS=true` prevents this. Each update cycle fetches [Cloudflare's published IP ranges](https://www.cloudflare.com/ips/) and skips any detected IP that falls within them. A warning is logged for every rejected IP.
+By default, each update cycle fetches [Cloudflare's published IP ranges](https://www.cloudflare.com/ips/) and skips any detected IP that falls within them. A warning is logged for every rejected IP. If the ranges cannot be fetched, the update is skipped entirely to prevent writing a Cloudflare IP.
+
+To disable this protection, set `REJECT_CLOUDFLARE_IPS=false`.
 
 ## ⏱️ Scheduling
 
@@ -221,7 +223,7 @@ Heartbeats are sent after each update cycle. On failure, a fail signal is sent.
 | `MANAGED_WAF_LIST_ITEMS_COMMENT_REGEX` | — | 🎯 Managed WAF items regex |
 | `DETECTION_TIMEOUT` | `5s` | ⏳ IP detection timeout |
 | `UPDATE_TIMEOUT` | `30s` | ⏳ API request timeout |
-| `REJECT_CLOUDFLARE_IPS` | `false` | 🚫 Reject Cloudflare anycast IPs |
+| `REJECT_CLOUDFLARE_IPS` | `true` | 🚫 Reject Cloudflare anycast IPs |
 | `EMOJI` | `true` | 🎨 Enable emoji output |
 | `QUIET` | `false` | 🤫 Suppress info output |
 | `HEALTHCHECKS` | — | 💓 Healthchecks.io URL |
@@ -373,17 +375,17 @@ Some ISP provided modems only allow port forwarding over IPv4 or IPv6. Disable t
 
 ### 🚫 Cloudflare IP Rejection (Legacy Mode)
 
-The `REJECT_CLOUDFLARE_IPS` environment variable is supported in legacy config mode. Set it alongside your `config.json`:
+Cloudflare IP rejection is enabled by default in legacy mode too. To disable it, set `REJECT_CLOUDFLARE_IPS=false` alongside your `config.json`:
 
 ```bash
-REJECT_CLOUDFLARE_IPS=true cloudflare-ddns
+REJECT_CLOUDFLARE_IPS=false cloudflare-ddns
 ```
 
 Or in Docker Compose:
 
 ```yml
 environment:
-  - REJECT_CLOUDFLARE_IPS=true
+  - REJECT_CLOUDFLARE_IPS=false
 volumes:
   - ./config.json:/config.json
 ```

SECURITY.md

@@ -0,0 +1,78 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.0.x   | :white_check_mark: |
+| < 2.0   | :x:                |
+
+Only the latest release in the `2.0.x` series receives security updates. The legacy Python codebase and all `1.x` releases are **end-of-life** and will not be patched. Users on older versions should upgrade to the latest release immediately.
+
+## Reporting a Vulnerability
+
+**Please do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, report vulnerabilities privately using one of the following methods:
+
+1. **GitHub Private Vulnerability Reporting** — Use the [Security Advisories](https://github.com/timothymiller/cloudflare-ddns/security/advisories/new) page to submit a private report directly on GitHub.
+2. **Email** — Contact the maintainer directly at the email address listed on the [GitHub profile](https://github.com/timothymiller).
+
+### What to Include
+
+- A clear description of the vulnerability and its potential impact
+- Steps to reproduce or a proof-of-concept
+- Affected version(s)
+- Any suggested fix or mitigation, if applicable
+
+### What to Expect
+
+- **Acknowledgment** within 72 hours of your report
+- **Status updates** at least every 7 days while the issue is being investigated
+- A coordinated disclosure timeline — we aim to release a fix within 30 days of a confirmed vulnerability, and will credit reporters (unless anonymity is preferred) in the release notes
+
+If a report is declined (e.g., out of scope or not reproducible), you will receive an explanation.
+
+## Security Considerations
+
+This project handles **Cloudflare API tokens** that grant DNS editing privileges. Users should be aware of the following:
+
+### API Token Handling
+
+- **Never commit your API token** to version control or include it in Docker images.
+- Use `CLOUDFLARE_API_TOKEN_FILE` or Docker secrets to inject tokens at runtime rather than passing them as plain environment variables where possible.
+- Create a **scoped API token** with only "Edit DNS" permission on the specific zones you need — avoid using Global API Keys.
+
+### Container Security
+
+- The Docker image runs as a **static binary from scratch** with zero runtime dependencies, which minimizes the attack surface.
+- Use `security_opt: no-new-privileges:true` in Docker Compose deployments.
+- Pin image tags to a specific version (e.g., `timothyjmiller/cloudflare-ddns:v2.0.9`) rather than using `latest` in production.
+
+### Network Security
+
+- The default IP detection provider (`cloudflare.trace`) communicates directly with Cloudflare's infrastructure over HTTPS and does not log your IP.
+- All Cloudflare API calls are made over HTTPS/TLS.
+- `--network host` mode is required for IPv6 detection — be aware this gives the container access to the host's full network stack.
+
+### Supply Chain
+
+- The project is built with `cargo` and all dependencies are declared in `Cargo.lock` for reproducible builds.
+- Docker images are built via GitHub Actions and published to Docker Hub. Multi-arch builds cover `linux/amd64`, `linux/arm64`, and `linux/ppc64le`.
+
+## Scope
+
+The following are considered **in scope** for security reports:
+
+- Authentication or authorization flaws (e.g., token leakage, insufficient credential protection)
+- Injection vulnerabilities in configuration parsing
+- Vulnerabilities in DNS record handling that could lead to record hijacking or poisoning
+- Dependency vulnerabilities with a demonstrable exploit path
+- Container escape or privilege escalation
+
+The following are **out of scope**:
+
+- Denial of service against the user's own instance
+- Vulnerabilities in Cloudflare's API or infrastructure (report those to [Cloudflare](https://hackerone.com/cloudflare))
+- Social engineering attacks
+- Issues requiring physical access to the host machine

src/cf_ip_filter.rs

@@ -1,7 +1,7 @@
 use crate::pp::{self, PP};
 use reqwest::Client;
 use std::net::IpAddr;
-use std::time::Duration;
+use std::time::{Duration, Instant};
 
 const CF_IPV4_URL: &str = "https://www.cloudflare.com/ips-v4";
 const CF_IPV6_URL: &str = "https://www.cloudflare.com/ips-v6";
@@ -59,8 +59,13 @@ impl CloudflareIpFilter {
     pub async fn fetch(client: &Client, timeout: Duration, ppfmt: &PP) -> Option<Self> {
         let mut ranges = Vec::new();
 
-        for url in [CF_IPV4_URL, CF_IPV6_URL] {
+        let (v4_result, v6_result) = tokio::join!(
-            match client.get(url).timeout(timeout).send().await {
+            client.get(CF_IPV4_URL).timeout(timeout).send(),
+            client.get(CF_IPV6_URL).timeout(timeout).send(),
+        );
+
+        for (url, result) in [(CF_IPV4_URL, v4_result), (CF_IPV6_URL, v6_result)] {
+            match result {
                 Ok(resp) if resp.status().is_success() => match resp.text().await {
                     Ok(body) => {
                         for line in body.lines() {
@@ -152,6 +157,62 @@ impl CloudflareIpFilter {
     }
 }
 
+/// Refresh interval for Cloudflare IP ranges (24 hours).
+const CF_RANGE_REFRESH: Duration = Duration::from_secs(24 * 60 * 60);
+
+/// Cached wrapper around [`CloudflareIpFilter`].
+///
+/// Fetches once, then re-uses the cached ranges for [`CF_RANGE_REFRESH`].
+/// If a refresh fails, the previously cached ranges are kept.
+pub struct CachedCloudflareFilter {
+    filter: Option<CloudflareIpFilter>,
+    fetched_at: Option<Instant>,
+}
+
+impl CachedCloudflareFilter {
+    pub fn new() -> Self {
+        Self {
+            filter: None,
+            fetched_at: None,
+        }
+    }
+
+    /// Return a reference to the current filter, refreshing if stale or absent.
+    pub async fn get(
+        &mut self,
+        client: &Client,
+        timeout: Duration,
+        ppfmt: &PP,
+    ) -> Option<&CloudflareIpFilter> {
+        let stale = match self.fetched_at {
+            Some(t) => t.elapsed() >= CF_RANGE_REFRESH,
+            None => true,
+        };
+
+        if stale {
+            match CloudflareIpFilter::fetch(client, timeout, ppfmt).await {
+                Some(new_filter) => {
+                    self.filter = Some(new_filter);
+                    self.fetched_at = Some(Instant::now());
+                }
+                None => {
+                    if self.filter.is_some() {
+                        ppfmt.warningf(
+                            pp::EMOJI_WARNING,
+                            "Failed to refresh Cloudflare IP ranges; using cached version",
+                        );
+                        // Keep using cached filter, but don't update fetched_at
+                        // so we retry next cycle.
+                    }
+                    // If no cached filter exists, return None (caller handles fail-safe).
+                }
+            }
+        }
+
+        self.filter.as_ref()
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -234,4 +295,127 @@ mod tests {
         let ip: IpAddr = IpAddr::V6(Ipv6Addr::new(0x2606, 0x4700, 0, 0, 0, 0, 0, 1));
         assert!(!filter.contains(&ip));
     }
+
+    /// All real Cloudflare ranges as of 2026-03. Verifies every range parses
+    /// and that the first and last IP in each range is matched while the
+    /// address just past the end is not.
+    const ALL_CF_RANGES: &str = "\
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+141.101.64.0/18
+108.162.192.0/18
+190.93.240.0/20
+188.114.96.0/20
+197.234.240.0/22
+198.41.128.0/17
+162.158.0.0/15
+104.16.0.0/13
+104.24.0.0/14
+172.64.0.0/13
+131.0.72.0/22
+2400:cb00::/32
+2606:4700::/32
+2803:f800::/32
+2405:b500::/32
+2405:8100::/32
+2a06:98c0::/29
+2c0f:f248::/32
+";
+
+    #[test]
+    fn test_all_real_ranges_parse() {
+        let filter = CloudflareIpFilter::from_lines(ALL_CF_RANGES).unwrap();
+        assert_eq!(filter.ranges.len(), 22);
+    }
+
+    /// For a /N IPv4 range starting at `base`, return (first, last, just_outside).
+    fn v4_range_bounds(a: u8, b: u8, c: u8, d: u8, prefix: u8) -> (Ipv4Addr, Ipv4Addr, Ipv4Addr) {
+        let base = u32::from(Ipv4Addr::new(a, b, c, d));
+        let size = 1u32 << (32 - prefix);
+        let first = Ipv4Addr::from(base);
+        let last = Ipv4Addr::from(base + size - 1);
+        let outside = Ipv4Addr::from(base + size);
+        (first, last, outside)
+    }
+
+    #[test]
+    fn test_all_real_ipv4_ranges_match() {
+        // Test each range individually so adjacent ranges (e.g. 104.16.0.0/13
+        // and 104.24.0.0/14) don't cause false failures on boundary checks.
+        let ranges: &[(u8, u8, u8, u8, u8)] = &[
+            (173, 245, 48, 0, 20),
+            (103, 21, 244, 0, 22),
+            (103, 22, 200, 0, 22),
+            (103, 31, 4, 0, 22),
+            (141, 101, 64, 0, 18),
+            (108, 162, 192, 0, 18),
+            (190, 93, 240, 0, 20),
+            (188, 114, 96, 0, 20),
+            (197, 234, 240, 0, 22),
+            (198, 41, 128, 0, 17),
+            (162, 158, 0, 0, 15),
+            (104, 16, 0, 0, 13),
+            (104, 24, 0, 0, 14),
+            (172, 64, 0, 0, 13),
+            (131, 0, 72, 0, 22),
+        ];
+
+        for &(a, b, c, d, prefix) in ranges {
+            let cidr = format!("{a}.{b}.{c}.{d}/{prefix}");
+            let filter = CloudflareIpFilter::from_lines(&cidr).unwrap();
+            let (first, last, outside) = v4_range_bounds(a, b, c, d, prefix);
+            assert!(
+                filter.contains(&IpAddr::V4(first)),
+                "First IP {first} should be in {cidr}"
+            );
+            assert!(
+                filter.contains(&IpAddr::V4(last)),
+                "Last IP {last} should be in {cidr}"
+            );
+            assert!(
+                !filter.contains(&IpAddr::V4(outside)),
+                "IP {outside} should NOT be in {cidr}"
+            );
+        }
+    }
+
+    #[test]
+    fn test_all_real_ipv6_ranges_match() {
+        let filter = CloudflareIpFilter::from_lines(ALL_CF_RANGES).unwrap();
+
+        // (base high 16-bit segment, prefix len)
+        let ranges: &[(u16, u16, u8)] = &[
+            (0x2400, 0xcb00, 32),
+            (0x2606, 0x4700, 32),
+            (0x2803, 0xf800, 32),
+            (0x2405, 0xb500, 32),
+            (0x2405, 0x8100, 32),
+            (0x2a06, 0x98c0, 29),
+            (0x2c0f, 0xf248, 32),
+        ];
+
+        for &(seg0, seg1, prefix) in ranges {
+            let base = u128::from(Ipv6Addr::new(seg0, seg1, 0, 0, 0, 0, 0, 0));
+            let size = 1u128 << (128 - prefix);
+
+            let first = Ipv6Addr::from(base);
+            let last = Ipv6Addr::from(base + size - 1);
+            let outside = Ipv6Addr::from(base + size);
+
+            assert!(
+                filter.contains(&IpAddr::V6(first)),
+                "First IP {first} should be in {seg0:x}:{seg1:x}::/{prefix}"
+            );
+            assert!(
+                filter.contains(&IpAddr::V6(last)),
+                "Last IP {last} should be in {seg0:x}:{seg1:x}::/{prefix}"
+            );
+            assert!(
+                !filter.contains(&IpAddr::V6(outside)),
+                "IP {outside} should NOT be in {seg0:x}:{seg1:x}::/{prefix}"
+            );
+        }
+    }
 }

src/cloudflare.rs

@@ -467,7 +467,7 @@ impl CloudflareHandle {
                         self.update_record(zone_id, &record.id, &payload, ppfmt).await;
                     }
                 } else {
-                    ppfmt.infof(pp::EMOJI_SKIP, &format!("Record {fqdn} is up to date ({ip_str})"));
+                    // Caller handles "up to date" logging based on SetResult::Noop
                 }
             } else {
                 // Find an existing managed record to update, or create new
@@ -668,10 +668,7 @@ impl CloudflareHandle {
             .collect();
 
         if to_add.is_empty() && ids_to_delete.is_empty() {
-            ppfmt.infof(
+            // Caller handles "up to date" logging based on SetResult::Noop
-                pp::EMOJI_SKIP,
-                &format!("WAF list {} is up to date", waf_list.describe()),
-            );
             return SetResult::Noop;
         }
 

src/config.rs

@@ -458,7 +458,7 @@ fn legacy_to_app_config(legacy: LegacyConfig, dry_run: bool, repeat: bool) -> Re
         managed_waf_comment_regex: None,
         detection_timeout: Duration::from_secs(5),
         update_timeout: Duration::from_secs(30),
-        reject_cloudflare_ips: getenv_bool("REJECT_CLOUDFLARE_IPS", false),
+        reject_cloudflare_ips: getenv_bool("REJECT_CLOUDFLARE_IPS", true),
         dry_run,
         emoji: false,
         quiet: false,
@@ -529,7 +529,7 @@ pub fn load_env_config(ppfmt: &PP) -> Result<AppConfig, String> {
 
     let emoji = getenv_bool("EMOJI", true);
     let quiet = getenv_bool("QUIET", false);
-    let reject_cloudflare_ips = getenv_bool("REJECT_CLOUDFLARE_IPS", false);
+    let reject_cloudflare_ips = getenv_bool("REJECT_CLOUDFLARE_IPS", true);
 
     // Validate: must have at least one update target
     if domains.is_empty() && waf_lists.is_empty() {
@@ -681,8 +681,8 @@ pub fn print_config_summary(config: &AppConfig, ppfmt: &PP) {
         inner.infof("", "Delete on stop: enabled");
     }
 
-    if config.reject_cloudflare_ips {
+    if !config.reject_cloudflare_ips {
-        inner.infof("", "Reject Cloudflare IPs: enabled");
+        inner.warningf("", "Cloudflare IP rejection: DISABLED (REJECT_CLOUDFLARE_IPS=false)");
     }
 
     if let Some(ref comment) = config.record_comment {

src/main.rs

@@ -11,8 +11,10 @@ use crate::cloudflare::{Auth, CloudflareHandle};
 use crate::config::{AppConfig, CronSchedule};
 use crate::notifier::{CompositeNotifier, Heartbeat, Message};
 use crate::pp::PP;
+use std::collections::HashSet;
 use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::Arc;
+use reqwest::Client;
 use tokio::signal;
 use tokio::time::{sleep, Duration};
 
@@ -116,12 +118,18 @@ async fn main() {
     // Start heartbeat
     heartbeat.start().await;
 
+    let mut cf_cache = cf_ip_filter::CachedCloudflareFilter::new();
+    let detection_client = Client::builder()
+        .timeout(app_config.detection_timeout)
+        .build()
+        .unwrap_or_default();
+
     if app_config.legacy_mode {
         // --- Legacy mode (original cloudflare-ddns behavior) ---
-        run_legacy_mode(&app_config, &handle, &notifier, &heartbeat, &ppfmt, running).await;
+        run_legacy_mode(&app_config, &handle, &notifier, &heartbeat, &ppfmt, running, &mut cf_cache, &detection_client).await;
     } else {
         // --- Env var mode (cf-ddns behavior) ---
-        run_env_mode(&app_config, &handle, &notifier, &heartbeat, &ppfmt, running).await;
+        run_env_mode(&app_config, &handle, &notifier, &heartbeat, &ppfmt, running, &mut cf_cache, &detection_client).await;
     }
 
     // On shutdown: delete records if configured
@@ -143,12 +151,16 @@ async fn run_legacy_mode(
     heartbeat: &Heartbeat,
     ppfmt: &PP,
     running: Arc<AtomicBool>,
+    cf_cache: &mut cf_ip_filter::CachedCloudflareFilter,
+    detection_client: &Client,
 ) {
     let legacy = match &config.legacy_config {
         Some(l) => l,
         None => return,
     };
 
+    let mut noop_reported = HashSet::new();
+
     if config.repeat {
         match (legacy.a, legacy.aaaa) {
             (true, true) => println!(
@@ -165,7 +177,7 @@ async fn run_legacy_mode(
         }
 
         while running.load(Ordering::SeqCst) {
-            updater::update_once(config, handle, notifier, heartbeat, ppfmt).await;
+            updater::update_once(config, handle, notifier, heartbeat, cf_cache, ppfmt, &mut noop_reported, detection_client).await;
 
             for _ in 0..legacy.ttl {
                 if !running.load(Ordering::SeqCst) {
@@ -175,7 +187,7 @@ async fn run_legacy_mode(
             }
         }
     } else {
-        updater::update_once(config, handle, notifier, heartbeat, ppfmt).await;
+        updater::update_once(config, handle, notifier, heartbeat, cf_cache, ppfmt, &mut noop_reported, detection_client).await;
     }
 }
 
@@ -186,11 +198,15 @@ async fn run_env_mode(
     heartbeat: &Heartbeat,
     ppfmt: &PP,
     running: Arc<AtomicBool>,
+    cf_cache: &mut cf_ip_filter::CachedCloudflareFilter,
+    detection_client: &Client,
 ) {
+    let mut noop_reported = HashSet::new();
+
     match &config.update_cron {
         CronSchedule::Once => {
             if config.update_on_start {
-                updater::update_once(config, handle, notifier, heartbeat, ppfmt).await;
+                updater::update_once(config, handle, notifier, heartbeat, cf_cache, ppfmt, &mut noop_reported, detection_client).await;
             }
         }
         schedule => {
@@ -206,7 +222,7 @@ async fn run_env_mode(
 
             // Update on start if configured
             if config.update_on_start {
-                updater::update_once(config, handle, notifier, heartbeat, ppfmt).await;
+                updater::update_once(config, handle, notifier, heartbeat, cf_cache, ppfmt, &mut noop_reported, detection_client).await;
             }
 
             // Main loop
@@ -233,7 +249,7 @@ async fn run_env_mode(
                     return;
                 }
 
-                updater::update_once(config, handle, notifier, heartbeat, ppfmt).await;
+                updater::update_once(config, handle, notifier, heartbeat, cf_cache, ppfmt, &mut noop_reported, detection_client).await;
             }
         }
     }
@@ -382,6 +398,7 @@ mod tests {
             config: &[LegacyCloudflareEntry],
             ttl: i64,
             purge_unknown_records: bool,
+            noop_reported: &mut std::collections::HashSet<String>,
         ) {
             for entry in config {
                 #[derive(serde::Deserialize)]
@@ -483,8 +500,10 @@ mod tests {
                         }
                     }
 
+                    let noop_key = format!("{fqdn}:{record_type}");
                     if let Some(ref id) = identifier {
                         if modified {
+                            noop_reported.remove(&noop_key);
                             if self.dry_run {
                                 println!("[DRY RUN] Would update record {fqdn} -> {ip}");
                             } else {
@@ -500,10 +519,16 @@ mod tests {
                                     )
                                     .await;
                             }
-                        } else if self.dry_run {
+                        } else if noop_reported.insert(noop_key) {
-                            println!("[DRY RUN] Record {fqdn} is up to date ({ip})");
+                            if self.dry_run {
+                                println!("[DRY RUN] Record {fqdn} is up to date");
+                            } else {
+                                println!("Record {fqdn} is up to date");
                             }
-                    } else if self.dry_run {
+                        }
+                    } else {
+                        noop_reported.remove(&noop_key);
+                        if self.dry_run {
                             println!("[DRY RUN] Would add new record {fqdn} -> {ip}");
                         } else {
                             println!("Adding new record {fqdn} -> {ip}");
@@ -518,6 +543,7 @@ mod tests {
                                 )
                                 .await;
                         }
+                    }
 
                     if purge_unknown_records {
                         for dup_id in &duplicate_ids {
@@ -636,7 +662,7 @@ mod tests {
 
         let ddns = TestDdnsClient::new(&mock_server.uri());
         let config = test_config(zone_id);
-        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false)
+        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false, &mut std::collections::HashSet::new())
             .await;
     }
 
@@ -685,7 +711,7 @@ mod tests {
 
         let ddns = TestDdnsClient::new(&mock_server.uri());
         let config = test_config(zone_id);
-        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false)
+        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false, &mut std::collections::HashSet::new())
             .await;
     }
 
@@ -728,7 +754,7 @@ mod tests {
 
         let ddns = TestDdnsClient::new(&mock_server.uri());
         let config = test_config(zone_id);
-        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false)
+        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false, &mut std::collections::HashSet::new())
             .await;
     }
 
@@ -762,7 +788,7 @@ mod tests {
 
         let ddns = TestDdnsClient::new(&mock_server.uri()).dry_run();
         let config = test_config(zone_id);
-        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false)
+        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, false, &mut std::collections::HashSet::new())
             .await;
     }
 
@@ -819,7 +845,7 @@ mod tests {
             ip4_provider: None,
             ip6_provider: None,
         };
-        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, true)
+        ddns.commit_record("198.51.100.7", "A", &config.cloudflare, 300, true, &mut std::collections::HashSet::new())
             .await;
     }
 
@@ -921,7 +947,7 @@ mod tests {
             ip6_provider: None,
         };
 
-        ddns.commit_record("203.0.113.99", "A", &config.cloudflare, 300, false)
+        ddns.commit_record("203.0.113.99", "A", &config.cloudflare, 300, false, &mut std::collections::HashSet::new())
             .await;
     }
 }

src/notifier.rs

@@ -406,7 +406,7 @@ fn parse_shoutrrr_url(url_str: &str) -> Result<ShoutrrrService, String> {
                 service_type: ShoutrrrServiceType::Pushover,
                 webhook_url: format!(
                     "https://api.pushover.net/1/messages.json?token={}&user={}",
-                    parts[1], parts[0]
+                    parts[0], parts[1]
                 ),
             });
         }
@@ -868,7 +868,7 @@ mod tests {
 
     #[test]
     fn test_parse_pushover() {
-        let result = parse_shoutrrr_url("pushover://userkey@apitoken").unwrap();
+        let result = parse_shoutrrr_url("pushover://apitoken@userkey").unwrap();
         assert_eq!(
             result.webhook_url,
             "https://api.pushover.net/1/messages.json?token=apitoken&user=userkey"
@@ -1307,7 +1307,8 @@ mod tests {
     #[test]
     fn test_pushover_url_query_parsing() {
         // Verify that the pushover webhook URL format contains the right params
-        let service = parse_shoutrrr_url("pushover://myuser@mytoken").unwrap();
+        // shoutrrr format: pushover://token@user
+        let service = parse_shoutrrr_url("pushover://mytoken@myuser").unwrap();
         let parsed = url::Url::parse(&service.webhook_url).unwrap();
         let params: std::collections::HashMap<_, _> = parsed.query_pairs().collect();
         assert_eq!(params.get("token").unwrap().as_ref(), "mytoken");

src/provider.rs

@@ -1,6 +1,7 @@
 use crate::pp::{self, PP};
+use reqwest::dns::{Addrs, Name, Resolve, Resolving};
 use reqwest::Client;
-use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, UdpSocket};
+use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, UdpSocket};
 use std::time::Duration;
 
 /// IP type: IPv4 or IPv6
@@ -145,14 +146,14 @@ impl ProviderType {
 
 // --- Cloudflare Trace ---
 
-/// Primary trace URLs use literal IPs to guarantee the correct address family.
+/// Primary trace URL uses cloudflare.com (the CDN endpoint, not the DNS
-/// api.cloudflare.com is dual-stack, so on dual-stack hosts (e.g. Docker
+/// resolver).  The `build_split_client` forces the correct address family by
-/// --net=host with IPv6) the connection may go via IPv6 even when detecting
+/// filtering DNS results, so a dual-stack hostname is safe.
-/// IPv4, causing the trace endpoint to return the wrong address family.
+/// Using literal DNS-resolver IPs (1.0.0.1 / [2606:4700:4700::1001]) caused
-const CF_TRACE_V4_PRIMARY: &str = "https://1.0.0.1/cdn-cgi/trace";
+/// TLS SNI mismatches and returned Cloudflare proxy IPs for some users.
-const CF_TRACE_V6_PRIMARY: &str = "https://[2606:4700:4700::1001]/cdn-cgi/trace";
+const CF_TRACE_PRIMARY: &str = "https://cloudflare.com/cdn-cgi/trace";
-/// Fallback uses a hostname, which works when literal IPs are intercepted
+/// Fallback uses api.cloudflare.com, which works when cloudflare.com is
-/// (e.g. Cloudflare WARP/Zero Trust).
+/// intercepted (e.g. Cloudflare WARP/Zero Trust).
 const CF_TRACE_FALLBACK: &str = "https://api.cloudflare.com/cdn-cgi/trace";
 
 pub fn parse_trace_ip(body: &str) -> Option<String> {
@@ -180,16 +181,45 @@ async fn fetch_trace_ip(
     ip_str.parse::<IpAddr>().ok()
 }
 
+/// A DNS resolver that filters lookup results to a single address family.
+/// This is the Rust equivalent of favonia/cloudflare-ddns's "split dialer"
+/// pattern: by removing addresses of the wrong family *before* the HTTP
+/// client sees them, we guarantee it can only establish connections over the
+/// desired protocol — no happy-eyeballs race, no fallback to the wrong family.
+struct FilteredResolver {
+    ip_type: IpType,
+}
+
+impl Resolve for FilteredResolver {
+    fn resolve(&self, name: Name) -> Resolving {
+        let ip_type = self.ip_type;
+        Box::pin(async move {
+            let addrs: Vec<SocketAddr> = tokio::net::lookup_host((name.as_str(), 0))
+                .await
+                .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { Box::new(e) })?
+                .filter(|addr| match ip_type {
+                    IpType::V4 => addr.is_ipv4(),
+                    IpType::V6 => addr.is_ipv6(),
+                })
+                .collect();
+            if addrs.is_empty() {
+                return Err(Box::new(std::io::Error::new(
+                    std::io::ErrorKind::AddrNotAvailable,
+                    format!("no {} addresses found", ip_type.describe()),
+                )) as Box<dyn std::error::Error + Send + Sync>);
+            }
+            Ok(Box::new(addrs.into_iter()) as Addrs)
+        })
+    }
+}
+
 /// Build an HTTP client that only connects via the given IP family.
-/// Binding to 0.0.0.0 forces IPv4-only; binding to [::] forces IPv6-only.
+/// Uses a DNS-level filter to strip addresses of the wrong family from
-/// This ensures the trace endpoint sees the correct address family.
+/// resolution results, ensuring the client never attempts a connection
+/// over the wrong protocol.
 pub fn build_split_client(ip_type: IpType, timeout: Duration) -> Client {
-    let local_addr: IpAddr = match ip_type {
-        IpType::V4 => Ipv4Addr::UNSPECIFIED.into(),
-        IpType::V6 => Ipv6Addr::UNSPECIFIED.into(),
-    };
     Client::builder()
-        .local_address(local_addr)
+        .dns_resolver(FilteredResolver { ip_type })
         .timeout(timeout)
         .build()
         .unwrap_or_default()
@@ -218,13 +248,8 @@ async fn detect_cloudflare_trace(
         return Vec::new();
     }
 
-    let primary = match ip_type {
+    // Try primary (cloudflare.com — the CDN trace endpoint)
-        IpType::V4 => CF_TRACE_V4_PRIMARY,
+    if let Some(ip) = fetch_trace_ip(&client, CF_TRACE_PRIMARY, timeout, None).await {
-        IpType::V6 => CF_TRACE_V6_PRIMARY,
-    };
-
-    // Try primary (literal IP — guarantees correct address family)
-    if let Some(ip) = fetch_trace_ip(&client, primary, timeout, Some("one.one.one.one")).await {
         if validate_detected_ip(&ip, ip_type, ppfmt) {
             return vec![ip];
         }
@@ -926,21 +951,46 @@ mod tests {
 
     #[test]
     fn test_trace_urls() {
-        // Primary URLs use literal IPs to guarantee correct address family.
+        // Primary uses cloudflare.com CDN endpoint (not DNS resolver IPs).
-        assert!(CF_TRACE_V4_PRIMARY.contains("1.0.0.1"));
+        assert_eq!(CF_TRACE_PRIMARY, "https://cloudflare.com/cdn-cgi/trace");
-        assert!(CF_TRACE_V6_PRIMARY.contains("2606:4700:4700::1001"));
+        // Fallback uses api.cloudflare.com for when cloudflare.com is intercepted (WARP/Zero Trust).
-        // Fallback uses a hostname for when literal IPs are intercepted (WARP/Zero Trust).
         assert_eq!(CF_TRACE_FALLBACK, "https://api.cloudflare.com/cdn-cgi/trace");
-        assert!(CF_TRACE_FALLBACK.contains("api.cloudflare.com"));
     }
 
-    // ---- build_split_client ----
+    // ---- FilteredResolver + build_split_client ----
+
+    #[tokio::test]
+    async fn test_filtered_resolver_v4() {
+        let resolver = FilteredResolver { ip_type: IpType::V4 };
+        let name: Name = "cloudflare.com".parse().unwrap();
+        let addrs: Vec<SocketAddr> = resolver
+            .resolve(name)
+            .await
+            .expect("DNS lookup failed")
+            .collect();
+        assert!(!addrs.is_empty(), "should resolve at least one address");
+        for addr in &addrs {
+            assert!(addr.is_ipv4(), "all addresses should be IPv4, got {addr}");
+        }
+    }
+
+    #[tokio::test]
+    async fn test_filtered_resolver_v6() {
+        let resolver = FilteredResolver { ip_type: IpType::V6 };
+        let name: Name = "cloudflare.com".parse().unwrap();
+        // IPv6 may not be available in all test environments, so we just
+        // verify the resolver doesn't panic and returns only v6 if any.
+        if let Ok(addrs) = resolver.resolve(name).await {
+            for addr in addrs {
+                assert!(addr.is_ipv6(), "all addresses should be IPv6, got {addr}");
+            }
+        }
+    }
 
     #[test]
     fn test_build_split_client_v4() {
         let client = build_split_client(IpType::V4, Duration::from_secs(5));
-        // Client should build successfully — we can't inspect local_address,
+        // Client should build successfully with filtered resolver.
-        // but we verify it doesn't panic.
         drop(client);
     }
 

src/updater.rs

@@ -1,4 +1,4 @@
-use crate::cf_ip_filter::CloudflareIpFilter;
+use crate::cf_ip_filter::CachedCloudflareFilter;
 use crate::cloudflare::{CloudflareHandle, SetResult};
 use crate::config::{AppConfig, LegacyCloudflareEntry, LegacySubdomainEntry};
 use crate::domain::make_fqdn;
@@ -6,7 +6,7 @@ use crate::notifier::{CompositeNotifier, Heartbeat, Message};
 use crate::pp::{self, PP};
 use crate::provider::IpType;
 use reqwest::Client;
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::net::IpAddr;
 use std::time::Duration;
 
@@ -16,19 +16,17 @@ pub async fn update_once(
     handle: &CloudflareHandle,
     notifier: &CompositeNotifier,
     heartbeat: &Heartbeat,
+    cf_cache: &mut CachedCloudflareFilter,
     ppfmt: &PP,
+    noop_reported: &mut HashSet<String>,
+    detection_client: &Client,
 ) -> bool {
-    let detection_client = Client::builder()
-        .timeout(config.detection_timeout)
-        .build()
-        .unwrap_or_default();
-
     let mut all_ok = true;
     let mut messages = Vec::new();
     let mut notify = false; // NEW: track meaningful events
 
     if config.legacy_mode {
-        all_ok = update_legacy(config, ppfmt).await;
+        all_ok = update_legacy(config, cf_cache, ppfmt, noop_reported, detection_client).await;
     } else {
         // Detect IPs for each provider
         let mut detected_ips: HashMap<IpType, Vec<IpAddr>> = HashMap::new();
@@ -69,7 +67,7 @@ pub async fn update_once(
         // Filter out Cloudflare IPs if enabled
         if config.reject_cloudflare_ips {
             if let Some(cf_filter) =
-                CloudflareIpFilter::fetch(&detection_client, config.detection_timeout, ppfmt).await
+                cf_cache.get(&detection_client, config.detection_timeout, ppfmt).await
             {
                 for (ip_type, ips) in detected_ips.iter_mut() {
                     let before_count = ips.len();
@@ -101,11 +99,12 @@ pub async fn update_once(
                         )));
                     }
                 }
-            } else {
+            } else if !detected_ips.is_empty() {
                 ppfmt.warningf(
                     pp::EMOJI_WARNING,
-                    "Could not fetch Cloudflare IP ranges; skipping filter",
+                    "Could not fetch Cloudflare IP ranges; skipping update to avoid writing Cloudflare IPs",
                 );
+                detected_ips.clear();
             }
         }
 
@@ -151,9 +150,11 @@ pub async fn update_once(
                     )
                     .await;
 
+                let noop_key = format!("{domain_str}:{record_type}");
                 match result {
                     SetResult::Updated => {
-                        notify = true;            // NEW
+                        noop_reported.remove(&noop_key);
+                        notify = true;
                         let ip_strs: Vec<String> = ips.iter().map(|ip| ip.to_string()).collect();
                         messages.push(Message::new_ok(&format!(
                             "Updated {domain_str} -> {}",
@@ -161,13 +162,18 @@ pub async fn update_once(
                         )));
                     }
                     SetResult::Failed => {
-                        notify = true;            // NEW
+                        noop_reported.remove(&noop_key);
+                        notify = true;
                         all_ok = false;
                         messages.push(Message::new_fail(&format!(
                             "Failed to update {domain_str}"
                         )));
                     }
-                    SetResult::Noop => {}
+                    SetResult::Noop => {
+                        if noop_reported.insert(noop_key) {
+                            ppfmt.infof(pp::EMOJI_SKIP, &format!("Record {domain_str} is up to date"));
+                        }
+                    }
                 }
             }
         }
@@ -192,32 +198,37 @@ pub async fn update_once(
                 )
                 .await;
 
+            let noop_key = format!("waf:{}", waf_list.describe());
             match result {
                 SetResult::Updated => {
-                    notify = true;            // NEW                    
+                    noop_reported.remove(&noop_key);
+                    notify = true;
                     messages.push(Message::new_ok(&format!(
                         "Updated WAF list {}",
                         waf_list.describe()
                     )));
                 }
                 SetResult::Failed => {
-                    notify = true;            // NEW
+                    noop_reported.remove(&noop_key);
+                    notify = true;
                     all_ok = false;
                     messages.push(Message::new_fail(&format!(
                         "Failed to update WAF list {}",
                         waf_list.describe()
                     )));
                 }
-                SetResult::Noop => {}
+                SetResult::Noop => {
+                    if noop_reported.insert(noop_key) {
+                        ppfmt.infof(pp::EMOJI_SKIP, &format!("WAF list {} is up to date", waf_list.describe()));
+                    }
+                }
             }
         }
     }
 
-    // Send heartbeat ONLY if something meaningful happened
+    // Always ping heartbeat so monitors know the updater is alive
-    if notify {
     let heartbeat_msg = Message::merge(messages.clone());
     heartbeat.ping(&heartbeat_msg).await;
-    }
 
     // Send notifications ONLY when IP changed or failed
     if notify {
@@ -234,29 +245,27 @@ pub async fn update_once(
 /// IP-family-bound clients (0.0.0.0 for IPv4, [::] for IPv6). This prevents the old
 /// wrong-family warning on dual-stack hosts and honours `ip4_provider`/`ip6_provider`
 /// overrides from config.json.
-async fn update_legacy(config: &AppConfig, ppfmt: &PP) -> bool {
+async fn update_legacy(
+    config: &AppConfig,
+    cf_cache: &mut CachedCloudflareFilter,
+    ppfmt: &PP,
+    noop_reported: &mut HashSet<String>,
+    detection_client: &Client,
+) -> bool {
     let legacy = match &config.legacy_config {
         Some(l) => l,
         None => return false,
     };
 
-    let client = Client::builder()
+    let ddns = LegacyDdnsClient {
+        client: Client::builder()
             .timeout(config.update_timeout)
             .build()
-        .unwrap_or_default();
+            .unwrap_or_default(),
-
-    let ddns = LegacyDdnsClient {
-        client,
         cf_api_base: "https://api.cloudflare.com/client/v4".to_string(),
         dry_run: config.dry_run,
     };
 
-    // Detect IPs using the shared provider abstraction
-    let detection_client = Client::builder()
-        .timeout(config.detection_timeout)
-        .build()
-        .unwrap_or_default();
-
     let mut ips = HashMap::new();
 
     for (ip_type, provider) in &config.providers {
@@ -298,8 +307,9 @@ async fn update_legacy(config: &AppConfig, ppfmt: &PP) -> bool {
 
     // Filter out Cloudflare IPs if enabled
     if config.reject_cloudflare_ips {
+        let before_count = ips.len();
         if let Some(cf_filter) =
-            CloudflareIpFilter::fetch(&detection_client, config.detection_timeout, ppfmt).await
+            cf_cache.get(&detection_client, config.detection_timeout, ppfmt).await
         {
             ips.retain(|key, ip_info| {
                 if let Ok(addr) = ip_info.ip.parse::<std::net::IpAddr>() {
@@ -316,12 +326,19 @@ async fn update_legacy(config: &AppConfig, ppfmt: &PP) -> bool {
                 }
                 true
             });
-        } else {
+            if ips.is_empty() && before_count > 0 {
                 ppfmt.warningf(
                     pp::EMOJI_WARNING,
-                "Could not fetch Cloudflare IP ranges; skipping filter",
+                    "All detected addresses were Cloudflare IPs; skipping updates",
                 );
             }
+        } else if !ips.is_empty() {
+            ppfmt.warningf(
+                pp::EMOJI_WARNING,
+                "Could not fetch Cloudflare IP ranges; skipping update to avoid writing Cloudflare IPs",
+            );
+            ips.clear();
+        }
     }
 
     ddns.update_ips(
@@ -329,6 +346,7 @@ async fn update_legacy(config: &AppConfig, ppfmt: &PP) -> bool {
         &legacy.cloudflare,
         legacy.ttl,
         legacy.purge_unknown_records,
+        noop_reported,
     )
     .await;
 
@@ -480,9 +498,10 @@ impl LegacyDdnsClient {
         config: &[LegacyCloudflareEntry],
         ttl: i64,
         purge_unknown_records: bool,
+        noop_reported: &mut HashSet<String>,
     ) {
         for ip in ips.values() {
-            self.commit_record(ip, config, ttl, purge_unknown_records)
+            self.commit_record(ip, config, ttl, purge_unknown_records, noop_reported)
                 .await;
         }
     }
@@ -493,6 +512,7 @@ impl LegacyDdnsClient {
         config: &[LegacyCloudflareEntry],
         ttl: i64,
         purge_unknown_records: bool,
+        noop_reported: &mut HashSet<String>,
     ) {
         for entry in config {
             let zone_resp: Option<LegacyCfResponse<LegacyZoneResult>> = self
@@ -568,8 +588,10 @@ impl LegacyDdnsClient {
                     }
                 }
 
+                let noop_key = format!("{fqdn}:{}", ip.record_type);
                 if let Some(ref id) = identifier {
                     if modified {
+                        noop_reported.remove(&noop_key);
                         if self.dry_run {
                             println!("[DRY RUN] Would update record {fqdn} -> {}", ip.ip);
                         } else {
@@ -580,10 +602,16 @@ impl LegacyDdnsClient {
                                 .cf_api(&update_endpoint, "PUT", entry, Some(&record))
                                 .await;
                         }
-                    } else if self.dry_run {
+                    } else if noop_reported.insert(noop_key) {
-                        println!("[DRY RUN] Record {fqdn} is up to date ({})", ip.ip);
+                        if self.dry_run {
+                            println!("[DRY RUN] Record {fqdn} is up to date");
+                        } else {
+                            println!("Record {fqdn} is up to date");
                         }
-                } else if self.dry_run {
+                    }
+                } else {
+                    noop_reported.remove(&noop_key);
+                    if self.dry_run {
                         println!("[DRY RUN] Would add new record {fqdn} -> {}", ip.ip);
                     } else {
                         println!("Adding new record {fqdn} -> {}", ip.ip);
@@ -592,6 +620,7 @@ impl LegacyDdnsClient {
                             .cf_api(&create_endpoint, "POST", entry, Some(&record))
                             .await;
                     }
+                }
 
                 if purge_unknown_records {
                     for dup_id in &duplicate_ids {
@@ -793,11 +822,13 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(ok);
     }
 
-    /// update_once returns true (all_ok) when IP is already correct (Noop).
+    /// update_once returns true (all_ok) when IP is already correct (Noop),
+    /// and populates noop_reported so subsequent calls suppress the message.
     #[tokio::test]
     async fn test_update_once_noop_when_record_up_to_date() {
         let server = MockServer::start().await;
@@ -841,8 +872,91 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let mut noop_reported = HashSet::new();
+
+        // First call: noop_reported is empty, so "up to date" is reported and key is inserted
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut noop_reported, &Client::new()).await;
         assert!(ok);
+        assert!(noop_reported.contains("home.example.com:A"), "noop_reported should contain the domain key after first noop");
+
+        // Second call: noop_reported already has the key, so the message is suppressed
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut noop_reported, &Client::new()).await;
+        assert!(ok);
+        assert_eq!(noop_reported.len(), 1, "noop_reported should still have exactly one entry");
+    }
+
+    /// noop_reported is cleared when a record is updated, so "up to date" prints again
+    /// on the next noop cycle.
+    #[tokio::test]
+    async fn test_update_once_noop_reported_cleared_on_change() {
+        let server = MockServer::start().await;
+        let zone_id = "zone-abc";
+        let domain = "home.example.com";
+        let old_ip = "198.51.100.42";
+        let new_ip = "198.51.100.99";
+
+        // Zone lookup
+        Mock::given(method("GET"))
+            .and(path("/zones"))
+            .and(query_param("name", domain))
+            .respond_with(
+                ResponseTemplate::new(200).set_body_json(zones_response(zone_id, "example.com")),
+            )
+            .mount(&server)
+            .await;
+
+        // List existing records - record has old IP, will be updated
+        Mock::given(method("GET"))
+            .and(path_regex(format!("/zones/{zone_id}/dns_records")))
+            .respond_with(
+                ResponseTemplate::new(200)
+                    .set_body_json(dns_records_one("rec-1", domain, old_ip)),
+            )
+            .mount(&server)
+            .await;
+
+        // Create record (new IP doesn't match existing, so it creates + deletes stale)
+        Mock::given(method("POST"))
+            .and(path(format!("/zones/{zone_id}/dns_records")))
+            .respond_with(
+                ResponseTemplate::new(200)
+                    .set_body_json(dns_record_created("rec-2", domain, new_ip)),
+            )
+            .mount(&server)
+            .await;
+
+        // Delete stale record
+        Mock::given(method("DELETE"))
+            .and(path(format!("/zones/{zone_id}/dns_records/rec-1")))
+            .respond_with(ResponseTemplate::new(200).set_body_json(serde_json::json!({"result": {}})))
+            .mount(&server)
+            .await;
+
+        let mut providers = HashMap::new();
+        providers.insert(
+            IpType::V4,
+            ProviderType::Literal {
+                ips: vec![new_ip.parse::<IpAddr>().unwrap()],
+            },
+        );
+        let mut domains = HashMap::new();
+        domains.insert(IpType::V4, vec![domain.to_string()]);
+
+        let config = make_config(providers, domains, vec![], false);
+        let cf = handle(&server.uri());
+        let notifier = empty_notifier();
+        let heartbeat = empty_heartbeat();
+        let ppfmt = pp();
+
+        // Pre-populate noop_reported as if a previous cycle reported it
+        let mut noop_reported = HashSet::new();
+        noop_reported.insert("home.example.com:A".to_string());
+
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut noop_reported, &Client::new()).await;
+        assert!(ok);
+        assert!(!noop_reported.contains("home.example.com:A"), "noop_reported should be cleared after an update");
     }
 
     /// update_once returns true even when IP detection yields empty (no providers configured),
@@ -885,7 +999,8 @@ mod tests {
         let ppfmt = pp();
 
         // all_ok = true because no zone-level errors occurred (empty ips just noop or warn)
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         // Providers with None are not inserted in loop, so no IP detection warning is emitted,
         // no detected_ips entry is created, and set_ips is called with empty slice -> Noop.
         assert!(ok);
@@ -934,7 +1049,8 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(!ok, "Expected false when zone is not found");
     }
 
@@ -983,7 +1099,8 @@ mod tests {
         let ppfmt = pp();
 
         // dry_run returns Updated from set_ips (it signals intent), all_ok should be true
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(ok);
     }
 
@@ -1048,7 +1165,8 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(ok);
     }
 
@@ -1101,7 +1219,8 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(ok);
     }
 
@@ -1140,7 +1259,8 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(!ok, "Expected false when WAF list is not found");
     }
 
@@ -1224,7 +1344,8 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(ok);
     }
 
@@ -1240,7 +1361,8 @@ mod tests {
         let heartbeat = empty_heartbeat();
         let ppfmt = pp();
 
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(ok);
     }
 
@@ -1624,7 +1746,8 @@ mod tests {
         let ppfmt = pp();
 
         // set_ips with empty ips and no existing records = Noop; all_ok = true
-        let ok = update_once(&config, &cf, &notifier, &heartbeat, &ppfmt).await;
+        let mut cf_cache = CachedCloudflareFilter::new();
+        let ok = update_once(&config, &cf, &notifier, &heartbeat, &mut cf_cache, &ppfmt, &mut HashSet::new(), &Client::new()).await;
         assert!(ok);
     }
     // -------------------------------------------------------
@@ -1829,7 +1952,7 @@ mod tests {
             subdomains: vec![LegacySubdomainEntry::Simple("@".to_string())],
             proxied: false,
         }];
-        ddns.commit_record(&ip, &config, 300, false).await;
+        ddns.commit_record(&ip, &config, 300, false, &mut HashSet::new()).await;
     }
 
     #[tokio::test]
@@ -1885,7 +2008,7 @@ mod tests {
             subdomains: vec![LegacySubdomainEntry::Simple("@".to_string())],
             proxied: false,
         }];
-        ddns.commit_record(&ip, &config, 300, false).await;
+        ddns.commit_record(&ip, &config, 300, false, &mut HashSet::new()).await;
     }
 
     #[tokio::test]
@@ -1928,7 +2051,7 @@ mod tests {
             proxied: false,
         }];
         // Should not POST
-        ddns.commit_record(&ip, &config, 300, false).await;
+        ddns.commit_record(&ip, &config, 300, false, &mut HashSet::new()).await;
     }
 
     #[tokio::test]
@@ -1981,7 +2104,7 @@ mod tests {
             }],
             proxied: false,
         }];
-        ddns.commit_record(&ip, &config, 300, false).await;
+        ddns.commit_record(&ip, &config, 300, false, &mut HashSet::new()).await;
     }
 
     #[tokio::test]
@@ -2033,7 +2156,7 @@ mod tests {
             subdomains: vec![LegacySubdomainEntry::Simple("@".to_string())],
             proxied: false,
         }];
-        ddns.commit_record(&ip, &config, 300, true).await;
+        ddns.commit_record(&ip, &config, 300, true, &mut HashSet::new()).await;
     }
 
     #[tokio::test]
@@ -2083,7 +2206,7 @@ mod tests {
             subdomains: vec![LegacySubdomainEntry::Simple("@".to_string())],
             proxied: false,
         }];
-        ddns.update_ips(&ips, &config, 300, false).await;
+        ddns.update_ips(&ips, &config, 300, false, &mut HashSet::new()).await;
     }
 
     #[tokio::test]