Free DDNS with Cloudflare and a cronjob

Very cool! For anyone interested in a bash script instead of installing a Python runtime, I made this tool some time ago for the same purpose: <a href="https:&#x2F;&#x2F;github.com&#x2F;ddries&#x2F;d2c.sh">https:&#x2F;&#x2F;github.com&#x2F;ddries&#x2F;d2c.sh</a>

I built the exact same thing 5 years ago and I&#x27;m using it daily since then. I never have any problems with it. You don&#x27;t need a config file for it, just a couple of CLI options and you are good to go. You can install it with pip, docker or downloading a binary:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;kissgyorgy&#x2F;cloudflare-dyndns">https:&#x2F;&#x2F;github.com&#x2F;kissgyorgy&#x2F;cloudflare-dyndns</a>

Instead of using DDNS, I have been using Cloudflare tunnels to expose my home services to the internet. The setup is much simpler and it seems like it&#x27;s more secure too<p>You specify a port and point it to a subdomain and it just immediately works, no maintenance necessary. The daemon only needs to be installed once with a simple terminal command

I would have thought that most people who need this today (e.g. those who were using Google Domains DDNS) already have ddclient installed.<p>ddclient already works with Cloudflare: <a href="https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;dns&#x2F;manage-dns-records&#x2F;how-to&#x2F;managing-dynamic-ip-addresses&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;dns&#x2F;manage-dns-records&#x2F;how...</a>

There&#x27;s one gotcha tho.<p>For Dynamic DNS you want minimal TTL, ideally less than 60 seconds, otherwise the DNS records will be cached and will not reflect the correct address during the short period of time window it changes.<p>Dedicated DDNS services usually have very short TTL (some offering as low as 5 seconds IIRC), but free Cloudflare accounts have a minimal TTL of 300 seconds (5 minutes), coupled with the crontab running every 5 minutes, your endpoint could be out of contact for 10 minutes if everything aligns right.

I used ddclient with Cloudflare for years with no issues.<p>Recently upgraded my home router and the manufacturer operates a free dynamic dns service enabled with a toggle button. I have a cname record in my domain’s dns records pointing to the dynamic dns entry. I actually don’t even need that anymore. All the services I run at home are only for immediate family so only available remotely via a Wireguard vpn connection. I migrated that to the router also because it can do 900Mbs of Wireguard traffic and has a great vpn server management implementation. By default the client configs it generates points to the dynamic dns name. No real need for the cname but I have it out of habit.

Nothing that afraid.org hasn&#x27;t been doing for years at this point....<p>Which got me into a 4-year exploration of FreeBSD! I&#x27;m still a bit sad I had to replace it with Proxmox on Debian to get what I wanted.

Seems to rely on <a href="https:&#x2F;&#x2F;api.ipify.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;api.ipify.org&#x2F;</a> to determine public IP.<p>Is there any Cloudflare service one can use to determine the IP instead? That way there’s not an extra company in addition to Cloudflare itself that you need to continue existing.

If you too are tired of relying on outdated software from paid services like NoIP and DynDNS, and are in need for a reliable way to manage your home server with your own domain name, try this simple script with a free Cloudflare account. It just gets the job done...

If for some reason your DDNS client supports dyndns but not Cloudflare (e.g. UniFi OS), you can use this Cloudflare Worker as an adapter:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;willswire&#x2F;unifi-ddns">https:&#x2F;&#x2F;github.com&#x2F;willswire&#x2F;unifi-ddns</a>

Some time ago, I built a similar project: <a href="https:&#x2F;&#x2F;github.com&#x2F;dethos&#x2F;worker-ddns">https:&#x2F;&#x2F;github.com&#x2F;dethos&#x2F;worker-ddns</a><p>The main difference is that, for security reasons, it uses a &quot;Cloudflare worker&quot; to change the DNS record.<p>&gt; Since Cloudflare API Token permissions aren&#x27;t granular enough to limit the token access to a single DNS record, we place a worker in front of it (this way the token with extra priviledges never leaves cloudflare&#x27;s servers).<p>It works very well, no complaints until now.

I also wrote my own pseudo-DDNS recently! With inspiration from a couple of similar projects on github<p>Mine is a golang executable that runs <i>directly</i> on my OpenWRT-based router on a 30 minute cron job. The beauty of running it on my router directly is that I can simply query the `eth0` interface for my public ip address - no need for a `curl` to determine my public IP.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;jackphilippi&#x2F;r53-ddns">https:&#x2F;&#x2F;github.com&#x2F;jackphilippi&#x2F;r53-ddns</a>

You can achieve the same on virtually any DNS hosting with RGAP[1]. The trick is to delegate name of your interest to server which runs RGAP DNS server and let it respond to queries for such domain name. Bonus: you can have more than one address running RGAP-agent and exporting its address to DNS.<p>[1]: <a href="https:&#x2F;&#x2F;github.com&#x2F;SenseUnit&#x2F;rgap">https:&#x2F;&#x2F;github.com&#x2F;SenseUnit&#x2F;rgap</a>

This kind of script should ideally run on your main router, and openwrt already has support for Cloudflare DDNS [1]<p>[1] - <a href="https:&#x2F;&#x2F;openwrt.org&#x2F;packages&#x2F;pkgdata&#x2F;ddns-scripts-cloudflare" rel="nofollow">https:&#x2F;&#x2F;openwrt.org&#x2F;packages&#x2F;pkgdata&#x2F;ddns-scripts-cloudflare</a>

A bit of a tangent, but something like PowerDNS authoritative server comes with an API[0] that can be leveraged for similar functionality to what Cloudflare provides.<p>Decentralization of the internet has to start with Authoritative DNS. I know it&#x27;s not free to host an authoritative server like this on a VPS, and there are DDoS considerations. But the flip side is that DNS is a metadata protocol and contains a wealth of information that anybody privacy focused should think twice about. It&#x27;s also an incredibly powerful and important protocol to understand.<p>[0] <a href="https:&#x2F;&#x2F;doc.powerdns.com&#x2F;authoritative&#x2F;http-api&#x2F;index.html" rel="nofollow">https:&#x2F;&#x2F;doc.powerdns.com&#x2F;authoritative&#x2F;http-api&#x2F;index.html</a>

I&#x27;m calling out the elephant in the room - you’re putting way too much faith in these IP lookup services without questioning their obvious ability to screw you over with giving the wrong IP. Is no-one in here able to see this is terrible security??

Did a very similar script with Deno&#x2F;TS with DigitalOcean&#x27;s DNS. I also setup a couple domains on a small Linux instance to deliver IP address responses. In order to facilitate IP lookups.<p><pre><code> ipv4.bbs.land ipv6.bbs.land</code></pre>

This is a pretty nice option for Cloudflare domains. An alternative I use is DomainConnect, which provides free DDNS but the main backer of it is GoDaddy so I had to leave the domain I use it with registered there.

I wrote one of these in C# years ago after seeing my friend write one in GoLang even more years ago.<p>GoLang: <a href="https:&#x2F;&#x2F;github.com&#x2F;wyattjoh&#x2F;cloudflare-ddns">https:&#x2F;&#x2F;github.com&#x2F;wyattjoh&#x2F;cloudflare-ddns</a><p>C#: <a href="https:&#x2F;&#x2F;github.com&#x2F;nick-funk&#x2F;dyn-dns">https:&#x2F;&#x2F;github.com&#x2F;nick-funk&#x2F;dyn-dns</a><p>Mine is more barebones since I threw it together quickly in an afternoon. I feel like many a HomeLab person fighting their ISP is taking advantage of this Cloudflare API trick

I feel ripped off! (kidding, this is commonly &quot;reinvented&quot; by many. Here&#x27;s my Cloudflare and Google DNS ones: <a href="https:&#x2F;&#x2F;github.com&#x2F;zackoch&#x2F;easy_cloudflare_dns_updater&#x2F;tree&#x2F;master">https:&#x2F;&#x2F;github.com&#x2F;zackoch&#x2F;easy_cloudflare_dns_updater&#x2F;tree&#x2F;...</a><p><a href="https:&#x2F;&#x2F;github.com&#x2F;zackoch&#x2F;easy-dynamic-google-cloud-dns">https:&#x2F;&#x2F;github.com&#x2F;zackoch&#x2F;easy-dynamic-google-cloud-dns</a>

I use cloudflare with ddclient for a raspberry pi weather station on t-mobile (a regular line, not TMHI). This allows ms to view it anywhere.<p>It just sets the AAAA every 5 minutes via cloudflare&#x27;s API and their CDN proxies it automatically for the ipv4 only clients. I leave the A record blank.<p>EDIT: Has to he this way because ipv4 is behind CGNAT on their network where ipv6 is fully routed public addresses. The home internet product is setup differently and you can&#x27;t host stuff on it.

Since my IP hardly changes, I went from DDNS to an email notifying me when the IP changes with this cron:<p><pre><code> old_ip=`cat ~&#x2F;.prev_ip` my_ip=`ifconfig em0 | awk &#x27;&#x2F;inet&#x2F; {print $2}&#x27; 2&gt;&amp;1` my_email=me@example.com if [ &quot;$my_ip&quot; != &quot;$old_ip&quot; ]; then echo $my_ip &gt; ~&#x2F;.prev_ip echo $my_ip | mail -r $my_email -s &quot;New IP: $my_ip&quot; $my_email fi</code></pre>

I’ve been favoring Tailscale lately for establishing magical access to machines at home. Because it permits two-factor authentication based on Google and other systems, it seems more secure than just having things exposed via public IP. That being said I definitely appreciate that being really on the internet has its uses!

Did anyone here here set up a good rsyslogd configuration where the receiving syslog collector limits incoming logs to only known ddns machines ?<p>I think I may be able to stitch something together with periodically reconfigured packet filters, but I&#x27;d appreciate an existing solution.<p>Bonus points if running on freebsd.

I&#x27;ve used this project which provides a Docker container: <a href="https:&#x2F;&#x2F;github.com&#x2F;timothymiller&#x2F;cloudflare-ddns">https:&#x2F;&#x2F;github.com&#x2F;timothymiller&#x2F;cloudflare-ddns</a>

There are a lot of these on github. This one seems to be maintained well:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;zebradil&#x2F;cloudflare-dynamic-dns">https:&#x2F;&#x2F;github.com&#x2F;zebradil&#x2F;cloudflare-dynamic-dns</a>

This application would suit checking the external IP from multiple external sources before updating the Cloudflare API.<p>Also, if running a home server you’d want that 5min wait time brought down to something like 1 minute.

It&#x27;s better to do a script on your router, which knows exactly when the ISP&#x27;s DHCP changes. Mikrotik has an event to capture this, and *sense has built in scripts for various DDNS providers.

Similar project which runs in Docker:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;favonia&#x2F;cloudflare-ddns">https:&#x2F;&#x2F;github.com&#x2F;favonia&#x2F;cloudflare-ddns</a><p>It&#x27;s cache friendly and respectful of rate limits

This is the script I use for this: <a href="https:&#x2F;&#x2F;github.com&#x2F;g-rocket&#x2F;cloudflare-ddns-updater">https:&#x2F;&#x2F;github.com&#x2F;g-rocket&#x2F;cloudflare-ddns-updater</a>

I wanted to do this a long time ago but I wouldn&#x27;t trust my router with a Cloudflare API key. Paranoid or is there a way to limit that key to one domain or, even better, one DNS entry?

For those who depend on Cloudflare extensively and have some traffic, I have a question:<p>I was researching whether it&#x27;s worth it to switch my pet project to Cloudflare&#x27;s various offerings (D2, Workers) instead of AWS&#x2F;GCP, since Cloudflare has a very generous free tier.<p>But from quick googling (I think it&#x27;s Reddit), some people said Cloudflare uses bait-and-switch where at some point you will need certain features that are only available in enterprise plan or something, basically significant cost increase.<p>Should I be concerned?<p>EDIT: I want to make it clear that I&#x27;m talking about <i>significant</i> cost increase, something that will catch many people by surprise.

If only this didn&#x27;t require an API token with write access to the entire domain. Please Cloudflare, let us grant access to specific (or regexp!) records

66 comments and no mention of inadyn?<p><a href="https:&#x2F;&#x2F;github.com&#x2F;troglobit&#x2F;inadyn">https:&#x2F;&#x2F;github.com&#x2F;troglobit&#x2F;inadyn</a>

I did something similar with `curl` and `sh` about a year ago, when the version of `ddclient` on OpenBSD didn&#x27;t properly support Cloudflare.

My internet router (Fritzbox) has DDNS built-in, so I just use the domain provided by the Fritzbox &#x2F; AVM combined with DNAME records.

If you’re behind a CGNAT then this won’t help you much. For many residential installs that is the case unfortunately

Nice. Consider adding fallback services to api.ipify.org, such as ifconfig.me or icanhazip.com

I used duckdns and have for years

Psa: <a href="https:&#x2F;&#x2F;freedns.afraid.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;freedns.afraid.org&#x2F;</a> still works and it’s free.

A dhcp lease hook is also useful to keep up with changes instantly.

I&#x27;ve using afraid.org for forever now. Works great

Huh, I ignored this article because it sounded like such a solved problem, but it stayed on the home page long enough that I thought I might be missing something.<p>Not only was it exactly what I expected from the title, there were 3 obvious but unimportant flaws in the &quot;Ubuntu&#x2F;Debian&quot; setup section:<p>- a cron line that runs every 60 minutes is commented as running every 5<p>- unnecessary crond restart. Not just reload, which would already be redundant, but a full restart<p>- unnecessarily restrictive heading. There&#x27;s nothing specific to Ubuntu&#x2F;Debian in those instructions<p>I mean, it&#x27;s a fine solution, like the 100s of others out there. I&#x27;m not trying to throw shade on the author; they&#x27;ve made something a little more flexible than most one-offs, without going overboard like the ones that handle dozens of different services. But... why the front page? Why the upvotes? Can&#x27;t you kids just stay off of the damn lawn?!

Nice idea, to note Cloudflare supports tunneling.

do they rate limit dns resolution and force you to enable JavaScript and click a captcha for the full cloudflare experience?

I did the same, with Linode dns and their api

It feels like this trick would violate the terms of service...? Caveat: I don&#x27;t use Cloudflare.

Noip isn&#x27;t free?<p>I have 3 domains there for years and I haven&#x27;t paid them once.<p>Some time ago they started requiring that I mark the domains active each month. I wrote a script that intercepts that email and logs into their site to reup the domains. Recently that script broke and I haven&#x27;t bothered to fix it because logging in once a month is a nothing burger.

&quot;Yeah, but&quot;; do I want to be putting up impossible-to-solve captcha loops in people&#x27;s faces? Can you do this in a way that people who know your domain can go directly to your actual IP address, rather than a Cloudfare proxy?

Weird, this project is very similar to this one <a href="https:&#x2F;&#x2F;github.com&#x2F;zackoch&#x2F;easy_cloudflare_dns_updater&#x2F;tree&#x2F;master">https:&#x2F;&#x2F;github.com&#x2F;zackoch&#x2F;easy_cloudflare_dns_updater&#x2F;tree&#x2F;...</a> Did OP kang my project?