Configuring a Dynamic DNS Client

pfSense® software supports Dynamic DNS to automatically update DNS providers when an interface address changes. This allows remote clients to reference a constant hostname instead of a dynamic IP address which could change over time.

This service is located in the GUI at Services > Dynamic DNS.

Choosing a Dynamic DNS Provider

pfSense software allows registration with many different dynamic DNS providers. The available providers may be viewed by clicking the Service Type selector. More information about the providers may be found by searching for their name to find their web site. Several offer a basic level service at no cost, and some offer additional premium services at a cost. There is also a Custom option that allows for a custom URL to accommodate an unsupported provider.

Select a provider, visit their website, register for an account, and setup a hostname. The procedures for this vary with each provider, but they all have instructions on their websites. After configuring a hostname with a provider, configure the firewall with matching settings.

Dynamic DNS Settings

Most providers have the same, or similar options. There are a few types with custom options that will be covered later in this section.


Check to disable the entry, or leave unchecked so it will be active.

Service Type

Select the dynamic DNS provider here.

Interface to Monitor

Select the interface that has the IP address to keep updated, such as WAN, or an OPTx interface. Selecting a gateway group for the interface allows the Dynamic DNS entry to switch between WANs so it can allow inbound Multi-WAN failover of services on this hostname.


Enter the hostname created at the dynamic DNS provider. This is typically the complete fully qualified domain name, such as, except for Namecheap where this is only the host portion of the address.

Domain Name

For Namecheap hosts, this box must be set to the domain part of the full hostname.


An MX (Mail Exchanger) record is how Internet mail servers know where to deliver mail for a domain. Some dynamic DNS providers will let MX records be configured via the dynamic DNS client. If the chosen provider allows this, enter the host name of the mail server that will receive Internet mail for the dynamic DNS domain.


When wildcard DNS is enabled on a dynamic DNS name, all host name queries under the given domain will resolve to the IP address of the dynamic DNS host name. For example, if the host name is, enabling wildcard will make * (,, etc.) resolve the same as

Verbose Logging

Check this option to increase the logging for the Dynamic DNS update process, which is useful for troubleshooting update problems.

Verify SSL Peer

When checked, the SSL certificate of the DynDNS provider server will be validated. Some servers with self-signed certificates, or those using a less common CA, may require this to be set.


Enter the username for the dynamic DNS provider. Provider-specific requirements:

Namecheap, FreeDNS

Leave blank

Route 53

Enter the Access Key ID


Enter the API user


The username is used with basic HTTP authentication and may be left blank.


Enter the password for the dynamic DNS provider. Provider-specific requirements:

Namecheap, FreeDNS

This is the Authentication Token

Route 53

Enter the Secret Access Key


Enter the API Key


Enter the API Token


A text field for reference.

Providers with Extra or Different Settings

Some providers have special settings or certain fields that need to be set in a specific way that may not be obvious. The differences are outlined in this section.


As mentioned in the settings, Namecheap requires that the fully qualified domain name be split into the hostname part and domain name part in separate fields.

When setting up Dynamic DNS for a Namecheap domain, an authentication token is given by Namecheap. This goes in the Password field, and the Username field is left blank. Tunnelbroker

The Tunnelbroker choice updates an IPv6 tunnel endpoint IP address when the WAN IP changes. The Hostname in this case is the Tunnel ID from

Route 53

When using an Amazon Route 53 type, the Username is the Access Key ID provided by Amazon.

The following additional options are available when using Route 53:

Verify SSL Peer

Enable to verify the server certificate when using HTTPS.

Zone ID

Received when creating the domain in Route 53.

This field is required.


Time to Live for the DNS record.


The Custom Dynamic DNS type configures options that allow for updating otherwise unsupported services. When using the custom Dynamic DNS type, the Username and Password fields are sent using HTTP basic authentication.

The following additional options are available when using Custom:

Interface to send update from

Almost always the same as the Interface, but can be changed as needed.

Force IPv4 Resolving

When checked, the update host will only be resolved using IPv4

Verify SSL Peer

Enable to verify the server certificate when using HTTPS

Update URL

The URL given by the Dynamic DNS provider for updates. If the IP address must appear in the URL, enter it as %IP% and the real value will be substituted as needed.

Result Match

Defines expected output from the Dynamic DNS query. If it succeeds and matches the output given, then the firewall will know that the update was successful. If it does not match exactly, then it is assumed that the update failed. Leave empty to disable result checking.


Verify SSL Peer

Enable to verify the server certificate when using HTTPS.

Zone ID

Received when creating the domain.


Time to Live for the DNS record.

Configuring a Dynamic DNS Entry

To configure a Dynamic DNS client:

  • Navigate to Services > Dynamic DNS

  • Click fa-plus Add to add a new entry

  • Configure the Dynamic DNS entry with general and provider-specific settings

  • Click Save