Dynamic DNS in pfSense - Automatic Record Updates
Dynamic DNS (DDNS) maintains a consistent hostname for services hosted behind an internet connection with a changing IP address. Whenever the WAN address changes, pfSense automatically updates the DNS record with the provider, keeping the domain name pointed at the current address. This is essential for remote VPN access, self-hosted web servers, surveillance systems, and any scenario requiring a stable domain name on a dynamic IP connection.
How Dynamic DNS Works
When pfSense connects to an ISP, it receives a WAN address via DHCP or PPPoE. This address may change on reconnection or lease expiration. The Dynamic DNS client monitors the current WAN address and sends an update request to the DNS provider API whenever a change is detected. The domain name therefore always resolves to the current IP address.
The update process follows these steps:
- pfSense periodically checks the IP address on the monitored interface
- When a change is detected, it sends an update request to the DNS provider API
- The provider updates the A record (or AAAA for IPv6) for the specified domain
- Resolvers that cached the old answer keep returning it until the record TTL expires, so DDNS records should carry a short TTL (a minute or two)
Supported Providers
pfSense supports a broad range of DNS providers for automatic record updates.
| Provider | Notes |
|---|---|
| Cloudflare | Free DNS hosting, proxy support, API token authentication |
| No-IP | Free tier with limitations, widely compatible |
| DynDNS | One of the oldest DDNS services, paid plans |
| Namecheap | Free DDNS for domains registered with Namecheap |
| Route 53 | AWS DNS service, requires Access Key and Zone ID |
| HE.net | Hurricane Electric, free DNS with DDNS support |
| FreeDNS | Free service at afraid.org |
| DNSimple | API-oriented DNS provider |
| GleSYS | Swedish hosting provider with DNS API |
| Custom | Any provider with an HTTP-based update API |
When selecting a provider, consider reliability requirements, how quickly updates take effect, additional features such as proxying or provider-side DNSSEC, and how narrowly the update credential can be scoped. The credential is stored in the pfSense configuration, so a compromise of the firewall (or of a configuration backup) exposes it; a token limited to one zone or one record limits the damage.
Configuring the DynDNS Client
Configuration is performed under Services > Dynamic DNS on the Dynamic DNS Clients tab.
Creating an Entry
Click Add to create a new client entry and populate the following fields.
| Field | Description | Example |
|---|---|---|
| Disable | Temporarily disable the entry without deleting it | Unchecked |
| Service Type | DDNS provider from the dropdown list | Cloudflare |
| Interface to Monitor | Interface whose IP address is tracked | WAN |
| Hostname | Fully qualified domain name (FQDN) | home.example.com |
| Domain Name | Domain name (separate field for Namecheap) | example.com |
| Username | Username or API key | Provider-dependent |
| Password | Password or API token | Provider-dependent |
| Description | Reference note for this entry | Home server DDNS |
Interface Selection
The Interface to Monitor field determines which IP address is sent to the provider.
| Option | When to Use |
|---|---|
| WAN | Standard single-WAN connection |
| OPTx | Additional WAN interfaces in a multi-WAN configuration |
| Gateway Group | Automatic failover between WAN connections |
Selecting a Gateway Group causes Dynamic DNS to automatically switch to the backup WAN address when the primary link fails, maintaining service availability.
IP Address Detection Method
pfSense can publish either the address configured on the interface or the address observed from outside.
Interface address - uses the IP address assigned to the selected WAN interface. This is correct when pfSense connects directly to the ISP and the interface holds a public address.
External IP check service - pfSense queries an external HTTP service that echoes back the address the request arrived from. This is required when pfSense sits behind an upstream NAT router and its WAN interface holds a private address. The services that may be queried are listed on the Check IP Services tab of the same page; choose one reachable over HTTPS and keep certificate verification enabled, because a spoofed answer would be published to DNS and would send VPN clients to an address of the attacker's choosing.
Warning:
If pfSense is behind another router or behind carrier-grade NAT (CGNAT), the WAN interface holds a private (RFC 1918) or shared (100.64.0.0/10) address that is unreachable from the internet, so the externally observed address must be used. CGNAT also blocks inbound connections altogether: Dynamic DNS can make the hostname resolve to the carrier's public address, but the ISP will not forward traffic to pfSense, so a tunnel or a public address from the ISP is still required for inbound access.
Additional Options
| Option | Description |
|---|---|
| MX | Mail Exchanger record for a mail server |
| Wildcard | Resolve all subdomains to the same IP address |
| Verbose Logging | Detailed logging for troubleshooting |
| SSL Peer Verification | Verify the provider's TLS certificate when contacting the API. Leave it enabled: with verification off, an on-path attacker can impersonate the provider, capture the credential and accept bogus updates |
Update Frequency
The Dynamic DNS client checks the IP address on every interface state change and also forces an update every 25 days even if the address has not changed. This prevents providers with inactivity policies from removing the record.
Provider-Specific Configuration
Cloudflare
Cloudflare is a popular choice due to its free DNS hosting and additional proxy features.
- Create an API token in the Cloudflare dashboard with the Zone > DNS > Edit permission, restricted to the single zone that holds the hostname, so that a leaked token cannot touch other zones
- In pfSense, set Service Type to Cloudflare
- Enter the Cloudflare account email address in the Username field
- Enter the API token (not the Global API Key, which grants full account access and cannot be scoped) in the Password field
- Enter the full hostname in the Hostname field
Namecheap
Free DDNS is available for domains registered with Namecheap.
- Enable Dynamic DNS in the Namecheap domain management panel
- Copy the generated Dynamic DNS password
- In pfSense, set Service Type to Namecheap
- Leave the Username field blank
- Enter the password from the Namecheap panel in the Password field
- Enter the host name (without the domain) in the Hostname field
- Enter the domain in the Domain Name field
Route 53 (AWS)
Using Route 53 requires an AWS account with a configured hosted zone.
- Create an IAM user (or access key) used only for this purpose, with a policy that permits route53:ChangeResourceRecordSets on the target hosted zone only (Resource set to that zone's ARN, arn:aws:route53:::hostedzone/ZONEID, rather than *)
- Enter the Access Key ID in the Username field
- Enter the Secret Access Key in the Password field
- Specify the Zone ID in the corresponding field
- Set the record TTL (60-300 seconds is recommended)
Custom Provider
The Custom service type allows updates through any HTTP-based API.
| Field | Description |
|---|---|
| Update URL | URL for the update request with %IP% substitution |
| Result Match | String expected in the response on successful update |
Example URL: https://dns.example.com/update?hostname=home.example.com&ip=%IP%&token=secret
pfSense substitutes the current IP address for %IP% and checks the server response for the Result Match string. Use an https URL so the request cannot be read or altered in transit, and prefer the Username and Password fields, which pfSense sends as HTTP Basic authentication for the Custom type, over a token in the query string: query strings end up in web server and proxy logs.
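The following script is an added example, not pfSense code and not from any provider. It mirrors the client-side contract of the Custom type together with the IP Address Detection and Update Frequency points above: it refuses to publish private, CGNAT, link-local or ULA addresses, substitutes %IP% only into an https template, applies the Result Match check, and re-sends an unchanged address once the 25-day interval has elapsed. The template URL, hostname, addresses and the fake provider are constructed placeholders.

```python
"""Client-side checks for the Custom DDNS contract: publishable address, %IP% substitution,
Result Match, and the forced-refresh interval.  Constructed example, not pfSense code;
the URL, hostname, addresses and fake provider below are placeholders."""
import ipaddress
import urllib.parse

FORCE_INTERVAL = 25 * 86400                    # seconds: re-send an unchanged address on this cadence
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space handed out by CGNAT
# Placeholder template.  The token is deliberately absent from the query string: pass the
# credential through the Username/Password fields (HTTP Basic) instead.
TEMPLATE = "https://dns.example.com/update?hostname=home.example.com&ip=%IP%"


def is_publishable(ip):
    """True only for a globally routable unicast address that belongs in a public A/AAAA record."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4 and addr in CGNAT:    # checked explicitly; is_private does not flag it
        return False
    return addr.is_global and not addr.is_multicast


def needs_update(cached_ip, cached_at, current_ip, now):
    """Send on address change, or when the forced-refresh interval has elapsed."""
    if cached_ip is None or cached_ip != current_ip:
        return True
    return now - cached_at >= FORCE_INTERVAL


def render_update_url(template, ip):
    """Substitute %IP%, refusing templates that expose the request or addresses that must not be published."""
    if "%IP%" not in template:
        raise ValueError("update URL has no %IP% placeholder")
    if urllib.parse.urlsplit(template).scheme != "https":
        raise ValueError("update URL must use https; otherwise the request is readable and alterable in transit")
    if not is_publishable(ip):
        raise ValueError(f"refusing to publish non-public address {ip}")
    return template.replace("%IP%", urllib.parse.quote(ip, safe=":"))


def update_succeeded(response_body, result_match):
    """Substring test on the provider's reply, mirroring the Result Match field."""
    return result_match in response_body


def run_update(template, result_match, current_ip, state, now, send):
    """One client cycle: decide, send through `send(url) -> body`, cache the address on success."""
    if not needs_update(state.get("ip"), state.get("at"), current_ip, now):
        return "nochange"
    body = send(render_update_url(template, current_ip))
    if not update_succeeded(body, result_match):
        return "error"
    state.update(ip=current_ip, at=now)
    return "updated"


if __name__ == "__main__":
    def fake_provider(url):                    # constructed stand-in for the provider's API
        ip = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["ip"][0]
        return "good " + ip
    state = {}
    for now, ip in ((0, "1.2.3.4"), (86400, "1.2.3.4"), (30 * 86400, "1.2.3.4"), (31 * 86400, "1.2.3.9")):
        print(now, ip, run_update(TEMPLATE, "good", ip, state, now, fake_provider))
    for bad in ("10.0.0.5", "100.64.1.1", "fd00::1"):
        print(bad, "publishable:", is_publishable(bad))
```

The `send` callable is injected so the decision logic can be exercised without network access; in a real client it would be the HTTPS request with certificate verification left on. The CGNAT range is tested explicitly rather than through `is_private`, which does not cover 100.64.0.0/10.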
RFC 2136 - Updating Your Own DNS Server
RFC 2136 defines a standard protocol for dynamic DNS record updates. This method allows pfSense to update records directly on a DNS server (BIND, PowerDNS, Windows Server DNS) without relying on a third-party provider.
When to Use RFC 2136
- The organization operates its own authoritative DNS server
- Full control over DNS infrastructure is required without external service dependencies
- The DNS server supports the dynamic update protocol (BIND 9, PowerDNS, Microsoft DNS)
RFC 2136 Configuration
Configuration is performed under Services > Dynamic DNS on the RFC 2136 tab.
| Field | Description | Example |
|---|---|---|
| Enable | Activate this entry | Checked |
| Interface | Interface whose IP address is registered | WAN |
| Hostname | Fully qualified domain name (FQDN) | fw.corp.example.com |
| Zone | DNS zone to update | corp.example.com |
| Server | IP address or hostname of the DNS server | 10.0.0.53 |
| Record Type | Record type: A, AAAA, or Both | A |
| TTL | Time to live in seconds | 60 |
| Key Name | TSIG key name | fw.corp.example.com |
| Key Algorithm | TSIG algorithm | HMAC-SHA256 |
| Key | TSIG secret key in Base64 format | (generated key) |
Generating a TSIG Key
TSIG (Transaction Signature, RFC 8945) authenticates each update request with an HMAC over the message, computed with a secret shared between pfSense and the DNS server. The key must be generated on the DNS server and entered in the pfSense configuration. Use HMAC-SHA256 or stronger; HMAC-MD5 is still offered for compatibility and should not be chosen for new keys.
For BIND, generate the key with the following command:
tsig-keygen -a hmac-sha256 fw.corp.example.com
The command prints a complete key statement for named.conf: the key name, the algorithm, and a Base64 secret. Copy only the secret value into the Key field in pfSense, include the key statement in the BIND configuration, and reference the key from the zone's update-policy so that it may change only its own hostname (an update-policy grant rather than a blanket allow-update). Treat the secret like a password: anyone holding it can rewrite whatever records the policy permits.
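The following script is an added example, not pfSense or BIND code. It builds the kind of message pfSense sends for an RFC 2136 entry, a DNS UPDATE that deletes all A records at the hostname and adds the current one, signs it with an HMAC-SHA256 TSIG record as RFC 8945 prescribes, and verifies it the way the server does: key name, algorithm, time window, original message ID and MAC. The key, zone and addresses are constructed placeholders; in practice the secret is the one tsig-keygen printed.

```python
"""RFC 2136 UPDATE signed with an HMAC-SHA256 TSIG (RFC 8945), built and verified with the
standard library only.  Constructed example, not pfSense or BIND code; key, zone and
addresses are placeholders."""
import base64
import hashlib
import hmac
import ipaddress
import os
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5 << 11              # opcode sits in bits 11-14 of the header flags word
ALGORITHM = "hmac-sha256."           # algorithm name in wire form
EXAMPLE_SECRET = base64.b64encode(b"\x01" * 32).decode()   # placeholder; use the tsig-keygen secret

def encode_name(name):
    """Uncompressed wire-format name, lower-cased as RFC 8945 requires for the MAC input."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def build_update(hostname, zone, ip, ttl, msg_id=None):
    """Unsigned UPDATE: delete every A RR at `hostname`, then add one for `ip` (nsupdate's delete/add)."""
    if msg_id is None:
        msg_id = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE, 1, 0, 2, 0)   # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_rr = encode_name(hostname) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = ipaddress.IPv4Address(ip).packed
    add_rr = encode_name(hostname) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_rr + add_rr

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC, in the order of RFC 8945 section 4.3.3."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(message, key_name, secret_b64, time_signed=None, fudge=300):
    """Append the TSIG RR and bump ADCOUNT; the MAC covers the unsigned message plus the variables."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(base64.b64decode(secret_b64),
                   message + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))          # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    adcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", adcount) + message[12:] + tsig_rr

def _skip_name(buf, pos):
    """Return the offset just past the uncompressed name starting at `pos`."""
    while buf[pos] != 0:
        pos += 1 + buf[pos]
    return pos + 1

def verify(packet, key_name, secret_b64, now=None):
    """Server-side check of the trailing TSIG: key name, algorithm, time window, original ID and MAC."""
    zo, pr, up, ad = struct.unpack("!HHHH", packet[4:12])
    if ad == 0:
        return False                                # unsigned update: refuse
    pos = 12
    for _ in range(zo):                             # zone entries: name + type + class
        pos = _skip_name(packet, pos) + 4
    for _ in range(pr + up + ad - 1):               # every RR ahead of the TSIG, which must be last
        pos = _skip_name(packet, pos)
        pos += 10 + struct.unpack("!H", packet[pos + 8:pos + 10])[0]
    tsig_start = pos
    pos = _skip_name(packet, pos)
    rtype, _, _, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
    rdata = packet[pos + 10:pos + 10 + rdlen]
    if rtype != TYPE_TSIG or packet[tsig_start:pos] != encode_name(key_name):
        return False
    alg_end = _skip_name(rdata, 0)
    if rdata[:alg_end] != encode_name(ALGORITHM):
        return False
    time_signed = int.from_bytes(rdata[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[alg_end + 6:alg_end + 10])
    mac = rdata[alg_end + 10:alg_end + 10 + mac_size]
    tail = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", rdata[tail:tail + 6])
    other = rdata[tail + 6:tail + 6 + other_len]
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge or orig_id != struct.unpack("!H", packet[:2])[0]:
        return False                                # stale (replayed) or mismatched message
    unsigned = packet[:10] + struct.pack("!H", ad - 1) + packet[12:tsig_start]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    msg = build_update("fw.corp.example.com", "corp.example.com", "203.0.113.10", 60)
    pkt = sign(msg, "fw.corp.example.com", EXAMPLE_SECRET)
    print(len(pkt), "bytes; verifies with the right key:", verify(pkt, "fw.corp.example.com", EXAMPLE_SECRET))
```

The time-signed and fudge fields are what make a captured update useless for replay later, which is why the pfSense clock (NTP) and the DNS server clock must agree to within the fudge window; a skewed clock shows up on the server as a BADTIME rejection rather than a key problem.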
Additional RFC 2136 Options
| Option | Description |
|---|---|
| Use Public IP | Detect the public IP through an external service (when behind NAT) |
| Update Source | Interface used to send update requests |
| Protocol | UDP (default) or TCP |
Warning:
When using TCP for updates, verify that firewall rules permit outbound TCP traffic on port 53 to the DNS server. Updates are sent over UDP by default.
Multi-WAN and Multiple DDNS Entries
pfSense supports any number of Dynamic DNS entries, enabling several configurations.
Multiple Providers for One Domain
For increased reliability, entries can be created with multiple providers for the same hostname. This only helps when the zone is actually served by both providers (both appear in the domain's NS delegation), so that a resolver can still get an answer if one of them is down; a second entry at a provider that does not host the zone achieves nothing. Where the zone lives at a single provider, register a second hostname at another provider and configure clients to fall back to it.
Separate Records per WAN
In a multi-WAN configuration, each WAN interface should have its own Dynamic DNS entry:
| Entry | Interface | Domain |
|---|---|---|
| Entry 1 | WAN | wan1.example.com |
| Entry 2 | WAN2 | wan2.example.com |
Gateway Group for Failover
When a Gateway Group is selected as the interface, Dynamic DNS automatically updates the record when the active WAN switches. This maintains reachability for inbound connections during a primary link failure.
Verifying Update Status
The status of all Dynamic DNS entries is displayed on the Status > Dynamic DNS page.
| Column | Description |
|---|---|
| Interface | Monitored interface |
| Service | Provider type |
| Hostname | Domain name being updated |
| Cached IP | Last registered IP address |
| Status | Result of the most recent update |
A status of Updated indicates a successful update. A status of Error signals a problem - details are available in the log.
Troubleshooting
Record Not Updating
- Check the status on Status > Dynamic DNS - the Status field should contain error information
- Enable Verbose Logging in the entry settings for detailed output
- Review the log: Status > System Logs > Dynamic DNS
- Verify that the WAN interface has an IP address and the default gateway is reachable
- Test DNS resolution on pfSense via Diagnostics > DNS Lookup
Incorrect IP Address Detected
- If pfSense is behind NAT, enable public IP detection through an external service
- Verify that the correct interface is selected in Interface to Monitor
- When using a Gateway Group, confirm that the group is configured properly
Authentication Failures
- Verify the credentials (API token, password) are correct
- For Cloudflare, ensure an API token with DNS zone edit permissions is used, not the Global API Key
- For Namecheap, confirm that Dynamic DNS is enabled in the domain management panel
- For Route 53, check the IAM user policy
RFC 2136 Not Updating
- Verify the DNS server is reachable from pfSense: Diagnostics > Ping
- Confirm the TSIG key matches on both pfSense and the DNS server
- Check that the zone on the DNS server allows dynamic updates
- Review the DNS server log for authentication errors
Integration with VPN and Port Forwarding
Dynamic DNS is commonly used alongside VPN and port forwarding configurations.
VPN with Dynamic DNS
When configuring remote VPN access (OpenVPN, IPsec), Dynamic DNS provides a stable server address:
- The VPN client configuration references a domain name instead of an IP address
- When the WAN address changes, the client automatically reconnects using the updated DNS record
- A record TTL of 60-120 seconds is recommended to minimize reconnection delay
Port Forwarding with Dynamic DNS
For accessing internal services through port forwarding, Dynamic DNS provides a stable domain name:
- Create a port forward rule under Firewall > NAT > Port Forward
- Create a Dynamic DNS entry for the WAN interface
- Access the service at hostname.example.com:port
Restrict the port forward's source addresses where the client population allows it, and prefer exposing a VPN endpoint rather than the service itself: a DDNS hostname is public, and it advertises that the port is open. Internal clients that resolve the DDNS name receive the WAN address; enable NAT reflection on the rule or add a host override in the DNS Resolver so that they reach the service directly.
Related Sections
- DNS (Resolver and Forwarder) - DNS resolution configuration and record overrides at the pfSense level
- Firewall Rules - controlling access to services when using Dynamic DNS
- Multi-WAN Failover - link failover with automatic DNS record updates