Enabling dynamic DNS is too convoluted, difficult


TL;DR See Step 9 for the actual request for this feature request

Needed to set up dynamic DNS, I was surprised that I hadn't previously made it work.

During setup I realized I had given up on it last time I tried it.

So I'm using freedns.afraid.org and here is what the setup looks like

Step 1

Go to System -> Software
Click on Updates lists, wait a little and then click dismiss
In the filter type "ddns"

Now choose among this list the appropriate software that needs to be installed

In my specific case that was


Click on each, click install, the dependencies are fine

Step 2 setup

Refresh interface a few times until

Services -> Dynamic DNS

appears, and click on it

Delete the two examples IPv4 and IPv6, they cannot help you

Step 3 get special URL

Go to freedns.afraid.org, the dynamic dns section, specifically

You must already have created your A and AAAA records, if not, do that first

For the relevant record get your "Direct URL", it will look something like this


Step 4 final setup

Now return to your router configuration page


Click "add new services..."

In Name, DON'T write your domain name, that will make an error that it already exists, maybe, just write something with no space or punctuation that isn't your domainname exactly

Next choose your "DDNS Service provider"

The list is not in alphanumeric order, select this one

Now click Create service, it will make an error, don't worry about it, it's an error of success

Dismiss the other error, it's fine, it means it works

Here you will need to read the docs


and specifically

There are four options for setup, the fourth option is the correct one ! The other will save plaintext password to your DNS on the device, don't use them, unless option four doesn't actually work

In Lookup Hostname write your actual dynamic domain name

DDNS Service provider should already be afraid.org-keyauth

In domain, write your actual dynamic domain name

In username, you don't have anything to write here, but you also HAVE to write something here, write any nonsense, for instance "BLABLBLABLBLABLA"

Next password, this isn't your password, this is your key

So remember the direct URL from before


Your key is everything after the ? character


Don't check "Use HTTP Secure", that will probably break it,

If you click it anyway you will have to answer the Sphinx's following riddle

Path to CA-Certificate

And it's a trick question, you don't have that, the answer is literally to write IGNORE in that textbox

Your settings panel should now look like something like this

Click Save

Step 5 Using it

Now it doesn't work, click restart

You should see this friendly error message

And the line of your service should look something like this

Step 6 testing it

Now everything looks like it should work, let's try to ping our domain


If you get this message it means you have followed my instructions perfectly !

Now your results might look different, something about receiving a ping reply
This is probably because when you created your A record, the DNS server automatically filled in your current IP address already. In this case, wait several weeks for your IP address to randomly change, then you should see the message from the above command line, at this point you can proceed to Step 7

Step 7 Give up

Find a dark secluded area and lie down, wait until your breathing ceases

Step 8 Ask for divine intervention from the machine

Step 9 Write feature request to make setup easier

Things that could be improved to make setting this up easier

  1. It should be easier to find what packages to install in software
  2. The DDNS service provider should be in alphanumeric sort order
  3. There should be a link to the openwrt wiki page for the chosen DDNS Service provider (https://openwrt.org/docs/guide-user/services/ddns/client#freednsafraidorg)
  4. If the user already has an update URL, there should be a very obvious place he can paste it in, this URL probably would have most of the required information to auto-fill the rest of the settings page,
  5. The Username, for DDNS Service provider where it does not matter, it should not be visible, if it has to be visible, it should be acceptable to leave it blank.
  6. If the setting HTTP Secure is checked then, it should be acceptable to leave Path to CA-Certificate blank or pre-fill the textbox with "IGNORE", or have a button that will download the appropriate certificate file, place it in the appropriate location and fill in the Path in this textbox. If the certificate is autodownloaded, the signature should be presented to the user with the message "We cannot verify the signature of this certificate, show signature, do you accept it ? Yes/No"
  7. HTTP Secure should probably be on by default, but it probably should "just work" by default, without requiring further user input or else the user will probably skip this security feature entirely while he is hunting for the solution for his other problems.
  8. Fixing, well I don't know what my current problem is, it's very weird but I'm out of ideas


And to anyone struggling with the exact same specific issue I was having

Which was that my WAN port is connected into another mandatory router from the GPON ISP with no bridge capability

Go to edit and check the "Log File Viewer" for clues

And then set for external URL IP checking

Of course now an IP change will translate into up to 10 minutes of downtime but I don't see a better option until I manage to reprogram my GPON SFP

Why not add all this to the Wiki, via Applying for OpenWrt wiki account?


I have a wiki account, but that wiki page is already 50 pages long and I have already spent my sunday evening figuring out and documenting my attempt. Sorry but I'm spent.

Also I believe that much of this documentation could be dispensed with, if the UI of luci-ddns could be made a bit more user friendly and resilient.

The points that need attention, I have highlighted near the end of my post and I would add, for my specific case, make ddns script parse the log file, and automatically (or ask user) switch to URL resolving of the external address when the WAN IP is an invalid or private address.
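The check requested in the post above, sketched as an added example (not ddns-scripts code; the function names are made up for illustration). It classifies the WAN IPv4 address and returns `network` or `web`, mirroring the `ip_source` values of ddns-scripts, so a router behind a private or carrier-grade NAT address falls back to asking an external URL:

```shell
#!/bin/sh
# Added example, not part of ddns-scripts; function names are illustrative.

# classify_ipv4 ADDR -> invalid|reserved|loopback|linklocal|private|cgnat|public
classify_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*.) echo invalid; return ;;  # digits and dots only, no trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                     # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        # reject empty fields ("1..2.3"), over-long fields and values above 255
        [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || { echo invalid; return; }
    done
    a=$1 b=$2
    if   [ "$a" -eq 0 ] || [ "$a" -ge 224 ];                      then echo reserved
    elif [ "$a" -eq 127 ];                                        then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ];                    then echo linklocal
    elif [ "$a" -eq 10 ];                                         then echo private
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ];  then echo private
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ];                    then echo private
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
    else echo public
    fi
}

# pick_ip_source WAN_ADDR -> "network" if the WAN address is itself public,
# "web" if the router sits behind another NAT and must query an external URL.
pick_ip_source() {
    case "$(classify_ipv4 "$1")" in
        public) echo network ;;
        *)      echo web ;;
    esac
}

# Constructed sample WAN addresses; 203.0.113.7 is a documentation address
# standing in for a real public one.
for ip in 192.168.1.2 100.64.10.1 203.0.113.7 10.0.0; do
    printf '%-14s %-9s ip_source=%s\n' "$ip" "$(classify_ipv4 "$ip")" "$(pick_ip_source "$ip")"
done
```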

This writeup will help many... in the meantime I added a spot for additional forum threads for configuration to the wiki: https://openwrt.org/docs/guide-user/services/ddns/client#additional_forum_threads_for_configuration

On another note I also use freedns and just have an hourly cron setup with the update URL that works fine without all of this. I don't need an immediate change so this works for me.

I think after installing the ca-certificates package first the answer should be: /etc/ssl/cert.pem

Well it requires certificates and needs to find them to work... on my system the certificates take >700 KB which is heavy enough to cause problems on routers with little free storage...

Your router will experience no downtime, even if the DDNS provider might take a while to reflect the new IP address...

Honestly, I feel your frustration, but I am not sure that this write-up is the documentation you wished to have found/pointed to/read when setting out to install DDNS.

Yes, I also only have 16MB of storage so 700kb is too much.

However in this case it is not the whole internet of certificates that is required but just the one with the ddns web interface.

I think there is a way to make an openssl query to download the full chain of certificates for just one address.

This would be less than 1kb of data total.

Ideally when you create the ddns service entry, it should download only this certificate and put it in a known location.

When this certificate reaches its date of expiration, the new certificate should be automatically accepted inside of a certain time delay and from the same IP address so as not to create an administrative burden of updating that certificate all the time.

What I meant by that is that when the IP address changes, whatever remote computer who depends on this dns entry to be up to date, will experience service downtime for the duration until the next update + the dns entry time to live in their dns cache.

Maybe there could be another way to determine our external IP address that does not depend on external services.

For instance maybe something related to doing a traceroute. Maybe doing a traceroute to openwrt.org and then sending a packet to each of the addresses, starting from the closest, until we get that packet back, indicating that this address is our own.

Back in the past on my 16 MB wnder3700v2 I accepted the cost as more secure DDNS was worth it for me, but I tended to run my routers relatively lean back then, so 700KB was no showstopper and since then I upgraded to a router with ample storage. But that is not universal... and if storage is tight then 700KB is quite a lot.

I am sure that the maintainer of the DDNS package is open for patches implementing something like that. Which is the beauty of open source, if you have an idea you can help to get this fixed not only for yourself but for many users. I would guess most maintainers prefer a tested implementation over a pure feature request, but even a decent feature request has value if directed to the right person.

I don't think that would work, coming from the inside you only see the LAN side address of the NAT router that causes your problems in the first place, and to perform this test from the outside you already need to know your public address.

Anyway, what I do is to use either X2Go or screen over mosh/ssh so if my sessions get affected by an address change, I can reconnect later and find my existing state... in my case, due to forced pppoe reconnects by my ISP every 24 hours, this strategy is needed even without the DDNS issue.

Thanks for your write-up.

I am coming from another third party firmware (DDWRT) and agree that there is room for improvement of the web interface.

I am a reasonably experienced user but it took me 30 minutes of reading, trying and tinkering before I got my freedns.afraid.org running.

I knew I had to do an "external" IP check as my router is a secondary router but it was not obvious at first that I could find that under URL.

I created an account here just to thank the OP for writing up this how to. I would say that I am experienced with all things DNS, routing, and this simple task of setting up DDNS is very difficult.

Thank you so much. Seriously, you rock!

One nit pick of a feedback. I don't believe you need the package ddns-scripts-freedns as I believe that's for another provider.

ddns-scripts-freedns - 2.8.2-25 - Dynamic DNS Client scripts extension for "freedns.42.pl".

I did not install that package, and things seem to be working.

Configurations for many services are included in ddns-scripts-services, which is a dependency of ddns-scripts. So installing only ddns-scripts will work much of the time. The service files are in /usr/share/ddns/default.

freedns.afraid.org is one of the default ones.

Thank you for the positive feedback

It is quite a convoluted process, I have to do it like once every two years and each time I have to go through the process of learning the process with all the many psychological "u-turns" that I depicted above.

Setting dynamic DNS and setting port forwarding are probably the two first things anyone using openwrt needs to do, it really should be more straightforward.

Next time I do openwrt stuff, I will try to create a mockup of "how it should be" rather than how it is now.

It should be something like

[ ] check "dynamic dns" to enable for your WAN interface
then type in the "special url"

and that should probably be it

From the special URL's domain name, you can determine which DDNS provider it is, the special URL contains your dynamic hostname and your credentials so

just pasting in the special URL should be all that's needed.

It should know on its own how to figure out the external IP address, all the defaults should be sane out of the box.

And unfortunately, it will need a second special URL for ipv6, but we can hope in the future that dynamic dns providers will offer a combined special URL that includes both your A and AAAA record in a single special URL.

Setting up dynamic dns is so extremely important to taking control of your internet, it really should be easier.

The problem is that once you set it up, it's not that complicated. It becomes very difficult to see how much of a hurdle this step is once you know how to do it.
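The "paste the special URL" idea from the post above, as an added sketch (not LuCI or ddns-scripts code; function names are illustrative). It derives the provider, the key and the HTTPS setting from a pasted URL and prints them under the ddns-scripts option names `service_name`, `password` and `use_https`; the sample URL and its key are constructed.

```shell
#!/bin/sh
# Added example, not LuCI or ddns-scripts code; names are illustrative.

# provider_for_host HOST -> service name for a known update host, else "unknown"
provider_for_host() {
    case "$1" in
        freedns.afraid.org) echo afraid.org-keyauth ;;  # name used in this thread
        *)                  echo unknown ;;
    esac
}

# settings_from_url URL -> key=value lines, or status 1 if the URL is unusable
settings_from_url() {
    url=$1
    case "$url" in
        https://*) https=1 ;;
        http://*)  https=0 ;;   # the key would cross the network unencrypted
        *)         return 1 ;;
    esac
    rest=${url#*://}
    case "$rest" in
        *\?*) ;;
        *)    return 1 ;;       # no '?', so there is no key to extract
    esac
    hostpath=${rest%%\?*}       # host and path, up to the first '?'
    host=${hostpath%%/*}
    key=${rest#*\?}             # "everything after the ? character"
    [ -n "$host" ] && [ -n "$key" ] || return 1
    printf 'service_name=%s\n' "$(provider_for_host "$host")"
    printf 'password=%s\n' "$key"
    printf 'use_https=%s\n' "$https"
}

# Constructed sample with a made-up key, never a real credential
sample='https://freedns.afraid.org/dynamic/update.php?EXAMPLEKEY0123456789'
# Print with the key masked, since the key is the account credential
settings_from_url "$sample" | sed 's/^\(password=\).*/\1********/'
```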

A lot of the first listed in this request confused me.

  • I only have to install 1 DDNS package, 2 for web GUI
  • It comes with sample configs
  • I can easily do URLs
  • I can also make variables in URLs for username, password, domain, account, etc. - it seems from your description that's confusing you. :bulb: BTW, it's not required to setup the variables in your URL
  • This allows for custom DDNS services
  • I thought these weren't mutually exclusive, but I assumed if you don't use CA and you're adding a certificate as root, I'm confused why and when agreeing to the certificate becomes necessary

I feel you and I'm the one who "perfectly followed" your steps. I'm using DDNS provided by noip.com and it worked perfectly on my Netgear R7000 under exactly the same network condition.

My question is if it is relevant to the firewall. The Netgear router doesn't have an active firewall, and it worked well with NoIP DDNS. But with the firewall activated on Openwrt, I can't use NoIP and I can't even access my local service via pure IP. I'm wondering if there is any configuration (especially default config) of the firewall that can lead to the failure of DDNS.

Your problem seems to be port forwarding related.
Dynamic DNS should have no impact on the firewall

Try setting up only port forwarding first


@RoManInv, welcome to the community.

Your inquiry seems unrelated to the Original Poster's topic/discussion here regarding changes to DDNS to make it less difficult and convoluted. If it's related, please feel free to clarify.

Otherwise, if you have questions about Port Forwarding and other firewall inquiries - feel free to create a thread in the "Installing and Using OpenWrt - Network and Wireless Configurations" section.

Usually no, assuming the <my-interent_ipv4-ip> is actually a global public address. This can usually be verified by ensuring the IP listed as WAN matches what's seen on a website such as whatismyip.com.

Thank you @shodanx and @lleachii for reminding me.

Maybe I didn't clarify my question clearly. I did want to ask if any configuration (especially the default config) in the firewall could lead to the failure of DDNS, especially the error XHR request timed out.

If that's not the case, as @shodanx has mentioned, then this error is not related to the firewall.

I will delete the last part of my reply so that it won't be misleading.

OK. That provides clarity.

Nonetheless, this is still a topic regarding Feature Additions to OpenWrt. As noted by @shodanx:

It seems like you have a few issues occurring. IMHO, it would be more appropriate to open a new topic for your own - list your device mode, version, configs, etc. - instead to segue (i.e. an online slang term is "hijack") @shodanx's topic in "Feature Requests" section.

You can get 100% attention to your issue, in your own topic - placed in the appropriate section.

I remember getting the XHR request timed out wire

However it has been too long and I don't remember how I fixed it

It was one of the obscure frustrations that motivated me to create this feature request

Better error messages certainly should be kept in mind when overhauling this component

Just FYI, the XHR message is not specifically related to DDNS.

Searching the forum will produce threads on that error message.

To minimize confusion, it may be best for the user to create a thread dedicated to their issue.