Free DDNS with Cloudflare and a cronjob

Existing DDNS Solutions & Alternatives

  • Many note the script duplicates long‑solved problems: ddclient, inadyn, multiple Cloudflare‑specific DDNS tools, and Docker images already exist.
  • Several people have built their own minimal scripts (bash, Go, Rust, Python, C#, Deno) for Cloudflare, DigitalOcean, Route53, etc.
  • Routers and firewalls (OpenWRT, OPNsense, Mikrotik, FritzBox, commercial routers) often ship with DDNS clients or vendor DDNS services.

Where to Run DDNS (Router vs Host)

  • Strong preference for running DDNS on the main router/firewall, which knows immediately when the WAN IP changes and avoids polling.
  • DHCP lease hooks or router events are cited as ideal, versus cron polling every few minutes on a random host.

Public IP Discovery Methods

  • Original script uses ipify; many prefer Cloudflare-based options: /cdn-cgi/trace, icanhazip.com (now CF-run), or DNS tricks like dig @1.1.1.1 ch txt whoami.cloudflare.
  • Debate over simply reading IPv6 from local interfaces vs using an external echo service; some argue NATed IPv6 still exists.
  • One commenter warns that “what’s my IP” services can sometimes return wrong IPs and suggests cross-checking multiple sources.

Security & Permissions Concerns

  • Concern about giving routers full Cloudflare API tokens; mitigations include scoped tokens (per zone), workers that proxy a narrowly defined API, or running the updater on a more trusted internal machine.
  • Some want finer-grained record-level permissions from Cloudflare, which currently aren’t possible.

Cloudflare Tunnels vs DDNS

  • Some prefer Cloudflare Tunnels over DDNS: simpler, no port-forwarding, integrated TLS and access control.
  • Others highlight downsides: mandatory TLS termination at Cloudflare (MITM by design), upload limits, disallowed video/media serving, and client software requirements for non-HTTP protocols like SSH.

Cloudflare Policies, Limits, and Costs

  • Discussion about whether Cloudflare’s generous free tier hides a “bait-and-switch”: concerns focus on high bandwidth use (especially video, large binaries) triggering sales pressure or enforcement.
  • Cloudflare’s stance (as relayed in-thread) is: normal web traffic on the free plan is safe; issues arise with streaming video or legally problematic content that gets IPs blocked.

Operational Details: TTL, Cron, CGNAT

  • For DDNS you want low TTL; free Cloudflare has a floor (300s for proxied, 60s for some unproxied), so combined with 5‑min cron, outages up to ~10 minutes are possible.
  • Some ISPs ignore low TTLs and cache for hours.
  • If behind CGNAT (common on IPv4, some mobile ISPs), updating DNS to the WAN IP doesn’t help with inbound connectivity; people instead rely on IPv6, tunnels, or VPNs (e.g., Tailscale/WireGuard).
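
The cross-checking suggestion under Public IP Discovery Methods and the CGNAT caveat above can be combined into one guard that runs before any record update. This is an added example, not code from the thread or from any tool mentioned in it; the function names, the quorum of 2, and the sample responses are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def parse_trace(body):
    """Pull the ip= field out of a /cdn-cgi/trace style key=value body."""
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ip":
            return value.strip()
    return None

def parse_plain(body):
    """Plain-text echo replies and quoted `dig +short` TXT answers."""
    return body.strip().strip('"') or None

def routable(candidate):
    """Parse a candidate; keep it only if it is globally routable.

    is_global is False for RFC 1918 space and for 100.64.0.0/10, so a
    router-reported WAN address from a CGNAT pool is rejected here.
    """
    try:
        addr = ipaddress.ip_address(candidate)
    except (ValueError, TypeError):
        return None
    return addr if addr.is_global else None

def agreed_wan_ip(candidates, quorum=2):
    """Return the address at least `quorum` sources agree on, else None."""
    valid = [a for a in map(routable, candidates) if a is not None]
    if not valid:
        return None
    addr, votes = Counter(valid).most_common(1)[0]
    return str(addr) if votes >= quorum else None

# Constructed sample responses (not captured from any real service).
TRACE = "fl=0f0\nh=example.com\nip=8.8.8.8\nts=1700000000.000\n"
DIG_TXT = '"8.8.8.8"\n'
ECHO_WRONG = "9.9.9.9\n"

if __name__ == "__main__":
    seen = [parse_trace(TRACE), parse_plain(DIG_TXT), parse_plain(ECHO_WRONG)]
    print(agreed_wan_ip(seen))  # update DNS only when this is not None
```

Addresses are compared as parsed objects, so two textual spellings of the same IPv6 address count as agreement. When the function returns None, the updater should leave the existing record untouched.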