Configuring a Dynamic DNS Client¶

pfSense® software supports Dynamic DNS to automatically update DNS providers when an interface address changes. This allows remote clients to reference a constant hostname instead of a dynamic IP address which could change over time.

This service is located in the GUI at Services > Dynamic DNS.

Choosing a Dynamic DNS Provider¶

pfSense software allows registration with many different dynamic DNS providers. The available providers may be viewed by clicking the Service Type selector. More information about the providers may be found by searching for their name to find their web site. Several offer a basic level service at no cost, and some offer additional premium services at a cost. There is also a Custom option that allows for a custom URL to accommodate an unsupported provider.

Select a provider, visit their website, register for an account, and setup a hostname. The procedures for this vary with each provider, but they all have instructions on their websites. After configuring a hostname with a provider, configure the firewall with matching settings.

Dynamic DNS Settings¶

Most providers have the same, or similar options. There are a few types with custom options that will be covered later in this section.

Disable

Check to disable the entry, or leave unchecked so it will be active.

Service Type

Select the dynamic DNS provider here.

Interface to Monitor

Select the interface that has the IP address to keep updated, such as WAN, or an OPTx interface. Selecting a gateway group for the interface allows the Dynamic DNS entry to switch between WANs so it can allow inbound Multi-WAN failover of services on this hostname.

Hostname

Enter the hostname created at the dynamic DNS provider. This is typically the complete fully qualified domain name, such as myhost.example.com, except for Namecheap where this is only the host portion of the address.

Domain Name

For Namecheap hosts, this box must be set to the domain part of the full hostname.

MX

An MX (Mail Exchanger) record is how Internet mail servers know where to deliver mail for a domain. Some dynamic DNS providers will let MX records be configured via the dynamic DNS client. If the chosen provider allows this, enter the host name of the mail server that will receive Internet mail for the dynamic DNS domain.

Wildcards

When wildcard DNS is enabled on a dynamic DNS name, all host name queries under the given domain will resolve to the IP address of the dynamic DNS host name. For example, if the host name is example.dyndns.org, enabling wildcard will make *.example.dyndns.org (a.example.dyndns.org, b.example.dyndns.org, etc.) resolve the same as example.dyndns.org.

Verbose Logging

Check this option to increase the logging for the Dynamic DNS update process, which is useful for troubleshooting update problems.

Verify SSL Peer

When checked, the SSL certificate of the DynDNS provider server will be validated. Some servers with self-signed certificates, or those using a less common CA, may require this to be set.

Username

Enter the username for the dynamic DNS provider. Provider-specific requirements:

Namecheap, FreeDNS: Leave blank
Route 53: Enter the Access Key ID
GleSYS: Enter the API user
Custom: The username is used with basic HTTP authentication and may be left blank.

Password

Enter the password for the dynamic DNS provider. Provider-specific requirements:

Namecheap, FreeDNS: This is the Authentication Token
Route 53: Enter the Secret Access Key
GleSYS: Enter the API Key
DNSimple: Enter the API Token

Description

A text field for reference.

Providers with Extra or Different Settings¶

Some providers have special settings or certain fields that need to be set in a specific way that may not be obvious. The differences are outlined in this section.

Namecheap¶

As mentioned in the settings, Namecheap requires that the fully qualified domain name be split into the hostname part and domain name part in separate fields.

When setting up Dynamic DNS for a Namecheap domain, an authentication token is given by Namecheap. This goes in the Password field, and the Username field is left blank.

HE.net Tunnelbroker¶

The HE.net Tunnelbroker choice updates an IPv6 tunnel endpoint IP address when the WAN IP changes. The Hostname in this case is the Tunnel ID from HE.net.

Route 53¶

When using an Amazon Route 53 type, the Username is the Access Key ID provided by Amazon.

The following additional options are available when using Route 53:

Verify SSL Peer

Enable to verify the server certificate when using HTTPS.

Zone ID

Received when creating the domain in Route 53.

This field is required.

TTL

Time to Live for the DNS record.

Custom¶

The Custom Dynamic DNS type configures options that allow for updating otherwise unsupported services. When using the custom Dynamic DNS type, the Username and Password fields are sent using HTTP basic authentication.

The following additional options are available when using Custom:

Interface to send update from: Almost always the same as the Interface, but can be changed as needed.
Force IPv4 Resolving: When checked, the update host will only be resolved using IPv4
Verify SSL Peer: Enable to verify the server certificate when using HTTPS
Update URL: The URL given by the Dynamic DNS provider for updates. If the IP address must appear in the URL, enter it as %IP% and the real value will be substituted as needed.
Result Match: Defines expected output from the Dynamic DNS query. If it succeeds and matches the output given, then the firewall will know that the update was successful. If it does not match exactly, then it is assumed that the update failed. Leave empty to disable result checking.

DNSSimple¶

Verify SSL Peer: Enable to verify the server certificate when using HTTPS.
Zone ID: Received when creating the domain.
TTL: Time to Live for the DNS record.

Configuring a Dynamic DNS Entry¶

To configure a Dynamic DNS client:

Navigate to Services > Dynamic DNS
Click Add to add a new entry
Configure the Dynamic DNS entry with general and provider-specific settings
Click Save