Dynamic DNS with Cloudflare
Access your local home automations on the go by assigning a static domain name to your dynamic home IP address.
Until recently, I had been using Google Domains to manage all of my registered domain names — which also supported DDNS or Dynamic DNS. In 2023, Google announced that Squarespace would take over operation of Google Domains — and most notably, features like DDNS would not be supported by Squarespace. Enter Cloudflare as a solution!
While there are several well-established free and paid Dynamic DNS services — some of which require technical knowledge or complicated setup — Cloudflare supports dynamic DNS natively and easily (and for free) using either a dedicated API or standards-based integration with open tools like ddclient or in-a-dyn.
Objective
In this article, you will learn how to set up dynamic DNS on any device in your home network using ddclient and Cloudflare.
Configure Cloudflare
We’ll assume that you’ve already registered a domain name that is hosted using Cloudflare. Otherwise, see Part 1 of this series for instructions on how to transfer your domain name from Google Domains or Squarespace to Cloudflare.
We’ll start by creating a Synthetic Record for the domain name that we’ll assign our device and then configure the record to accept input when the public IP Address of our device changes.
Create a Synthetic Record
Sign in to the Cloudflare dashboard and click on the domain that you’d like to edit in the Home pane. In the left menu, select DNS then Records. Scroll down to DNS Management and click the blue Add Record button.
Create a new record with the following attributes:
Type: A
Name: dyn-test
IPv4 address: 1.2.3.4
Proxy status: OFF
TTL: 5 min
Then click Save
Create an API Token
In order to be able to update DNS records remotely, we’ll need a way to authenticate the DDNS update requests. Let’s start by creating an API token that we’ll use to authorize our DDNS client.
At the top right of the Cloudflare dashboard, click the Profile icon dropdown, then My Profile. In the left navigation menu, click API Tokens.
To create a new API Token that will allow DDNS updates, click the blue Create Token button. Scroll down and select Create Custom Token.
Create a custom token with the following values:
Token name: dyn-test — token
Permissions (+add more):
— Zone — DNS — Edit
— Zone — Zone — Read
Zone Resources: Include — Specific Zone — <<select your zone>>
Click Continue to Summary then Create Token. Copy the newly created token and paste it into a temporary text file until we need it later.
Install and Configure ddclient
Start by selecting an always-on device on your network where you will install ddclient to process updates to your Dynamic DNS record. In my case, I will be using a Raspberry Pi that also serves as my VPN gateway which allows me to access my home network remotely.
Install ddclient
In this example, we will install ddclient on a Raspberry Pi running Raspberry Pi OS (previously called Raspbian). You can run ddclient on a number of different devices and operating systems, but for this example we’ll provide instructions for Raspberry Pi OS.
Issue the following command to update your package repos and install ddclient (if it’s not already installed).
sudo apt update && sudo apt install ddclient
Configure ddclient
Configuring ddclient is super simple and only requires copy/paste of a few lines. Let’s start with the default cloudflare configuration and apply our edits. Using your favorite text editor, we’ll edit /etc/ddclient.conf:
cloudflare protocol
##
## CloudFlare (www.cloudflare.com)
##
ssl=yes
use=web
protocol=cloudflare
zone=rewindbekind.org
ttl=1
login='your.cloudflare.email@provider.com'
# New token for specific domain
password='put-your-token-here'
dyn-test.rewindbekind.org
Line 3 (protocol) remains unchanged from the sample configuration and specifies that we’ll use the ddclient cloudflare protocol.
Line 4 (zone) should be replaced by the name of the DNS zone where we configured our synthetic record above.
Line 5 (ttl) should be a low number.
Line 6 (login) should be set to the email address that you used to create your Cloudflare account.
Line 7 (password) should be the content of the API Token that we created and copied earlier.
Line 8 should include the full domain name of the synthetic record that we created above.
Pro Tip: Don’t forget the single quotes around the login and password.
The resulting ddclient.conf file looks like this for me (never share your login or password values):
protocol=cloudflare
zone=rewindbekind.org
ttl=1
login='your.cloudflare.email@provider.com'
password='put-your-token-here'
dyn-test.rewindbekind.org
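Because /etc/ddclient.conf now holds a token that can edit DNS records in your zone, it is worth checking the file before restarting the service. The script below is an added example, not part of the original article or of ddclient: it checks owner-only permissions, the single quotes from the Pro Tip, the placeholder token, and that the host sits inside the zone. It assumes GNU stat and the one-host-per-line layout shown above; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit a ddclient.conf laid out like the one above.
# Assumes GNU stat (Raspberry Pi OS) and a bare host line without options.

# Print the value of the last "key=value" line, quotes and spaces stripped.
conf_value() {  # $1=file $2=key
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "'\"[:space:]"
}

# Return 0 when every check passes, 1 on a finding, 2 if unreadable.
audit_ddclient_conf() {
  local conf=$1 rc=0 mode zone host
  [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

  # The token can edit DNS records in the zone: owner-only access.
  mode=$(stat -c '%a' "$conf")
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: mode is $mode, run: chmod 600 $conf"; rc=1 ;;
  esac

  [ "$(conf_value "$conf" protocol)" = cloudflare ] ||
    { echo "FAIL: protocol is not cloudflare"; rc=1; }

  # The password must be single-quoted and no longer the placeholder.
  grep -Eq "^[[:space:]]*password='[^']+'[[:space:]]*\$" "$conf" ||
    { echo "FAIL: password is missing or not single-quoted"; rc=1; }
  [ "$(conf_value "$conf" password)" != put-your-token-here ] ||
    { echo "FAIL: password is still the placeholder"; rc=1; }

  # The record to update must sit inside the configured zone.
  zone=$(conf_value "$conf" zone)
  host=$(grep -Ev '^[[:space:]]*(#|$)|=' "$conf" | tail -n 1 | tr -d '[:space:]')
  case "${zone:+$host}" in      # empty when no zone is set, so it fails
    ?*."$zone") ;;
    *) echo "FAIL: host '$host' is not inside zone '$zone'"; rc=1 ;;
  esac
  return "$rc"
}

# Stand-alone use: sudo ./audit-ddclient.sh /etc/ddclient.conf
if [ "$#" -gt 0 ]; then audit_ddclient_conf "$1"; fi
```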
Restart ddclient
Save the file and restart ddclient. To restart ddclient on Raspberry Pi OS, issue the following command:
sudo service ddclient restart
Confirm that everything is working
To confirm that everything is working correctly, we’ll perform the following steps:
1 — Check ddclient logs
2 — Perform DNS query
3 — Verify Cloudflare Dashboard
ddclient logs
From the command prompt of the system where ddclient is installed, cat the system log file that captures ddclient logs by issuing the following command:
cat /var/log/syslog | grep ddclient
The output will produce all lines with the text “ddclient”. A successful startup and ddns update will look like the following:
Mar 6 21:29:47 raspberrypi systemd[1]: Starting Update dynamic domain name service entries...
Mar 6 21:29:47 raspberrypi systemd[1]: Started Update dynamic domain name service entries.
Mar 7 09:16:26 raspberrypi ddclient[9312]: INFO: forcing updating dyn-test.rewindbekind.org because no cached entry exists.
Mar 7 09:16:26 raspberrypi ddclient[9312]: INFO: setting IP address to 72.69.101.233 for dyn-test.rewindbekind.org
Mar 7 09:16:26 raspberrypi ddclient[9312]: UPDATE: updating dyn-test.rewindbekind.org
DNS query
In the same console, we can verify if our DDNS record updated successfully. Submit the following command:
dig @8.8.8.8 dyn-test.rewindbekind.org
Replace the domain dyn-test.rewindbekind.org with your domain name from ddclient.conf.
The output should return an A record:
; <<>> DiG 9.16.48-Raspbian <<>> @8.8.8.8 dyn-test.rewindbekind.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18626
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dyn-test.rewindbekind.org. IN A
;; ANSWER SECTION:
dyn-test.rewindbekind.org. 60 IN A 72.69.101.233
;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 08 21:37:03 EST 2024
;; MSG SIZE rcvd: 70
Note the A record in the ANSWER SECTION. The A record points to a new IP address, which means ddclient has been able to successfully update a DNS record hosted on Cloudflare.
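The log check and the DNS query can be combined into one script, so that a stale record (the name still pointing at an address your ISP has since reassigned) is caught automatically. This is an added example, not from the original article; the function names are hypothetical and it assumes the ddclient log format shown above.

```bash
#!/usr/bin/env bash
# Added example: compare ddclient's last logged update with the DNS answer.

# Read syslog lines on stdin; print the last IP ddclient set for host $1.
last_logged_ip() {
  local re
  re=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots literally
  sed -n "s/.* ddclient\[[0-9]*]: INFO: *setting IP address to \([0-9a-fA-F.:]*\) for $re\$/\1/p" |
    tail -n 1
}

# Read dig output on stdin; print the A record address for host $1.
answer_ip() {
  awk -v h="$1." '$1 == h && $3 == "IN" && $4 == "A" { ip = $5 }
                  END { if (ip) print ip }'
}

# 0 = DNS matches the log, 1 = mismatch (stale record), 2 = data missing.
check_ddns() {  # $1=host $2=logged IP $3=resolved IP
  if [ -z "$2" ] || [ -z "$3" ]; then
    echo "MISSING: logged='$2' resolved='$3'"; return 2
  fi
  if [ "$2" != "$3" ]; then
    echo "MISMATCH: ddclient set $2 but DNS answers $3"; return 1
  fi
  echo "OK: $1 resolves to $3"
}

# Stand-alone use: ./check-ddns.sh dyn-test.example.org
if [ "$#" -eq 1 ]; then
  check_ddns "$1" \
    "$(last_logged_ip "$1" < /var/log/syslog)" \
    "$(dig @8.8.8.8 "$1" | answer_ip "$1")"
fi
```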
Cloudflare Dashboard
In the Cloudflare dashboard, refresh or navigate to the DNS → Records page. Identify the A record for your DDNS domain name. Has the record changed and does it show the IP address from the last step? If so, you have a working Dynamic DNS system using Cloudflare DDNS. Congratulations!