bijavix blog

Cloudflare Dynamic DNS with ddclient

bijavix <[email protected]>

Set up ddclient as DDNS to update Cloudflare records automatically using an account API Token with the minimum required scopes. Reliable IPv4/IPv6 detection for multi-zone Dynamic DNS.

1. Cloudflare API authentication

  1. Create an Account API Token with these permissions:

    Zone.Zone.Read
    Zone.DNS.Edit

  2. In Cloudflare DNS, add the A and AAAA records that you want to update.

2. Install ddclient

apt update
apt install ddclient

3. Configure /etc/ddclient.conf for dual-stack updates

There are issues with usev4 and usev6: they won't accept inline commands in the current version, so we'll be using bash scripts for public IP detection.

nano /etc/ddclient.conf

############################################################
##  Global settings
############################################################
pid     = /run/ddclient.pid
daemon  = 300

ssl     = yes

protocol = cloudflare
server   = api.cloudflare.com/client/v4/

login    = token
password = "YOUR_CLOUDFLARE_API_TOKEN"

zone     = example.com

############################################################
##  IPv4 update (A record)
############################################################
usev4 = cmdv4, cmdv4 = "/usr/local/bin/getipv4.sh"
host  = www.example.com
ttl   = 1

############################################################
##  IPv6 update
############################################################
usev6 = cmdv6, cmdv6 = "/usr/local/bin/getipv6.sh"
host  = www.example.com
ttl   = 1

4. Public IP discovery scripts

nano /usr/local/bin/getipv4.sh

#!/usr/bin/env bash
/usr/bin/dig +short TXT CH whoami.cloudflare @1.1.1.1 | tr -d '"'

nano /usr/local/bin/getipv6.sh

#!/usr/bin/env bash
/usr/bin/dig -6 +short TXT CH whoami.cloudflare @2606:4700:4700::1111 | tr -d '"'

chmod +x /usr/local/bin/getipv4.sh /usr/local/bin/getipv6.sh
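
The two scripts above hand whatever dig prints straight to ddclient. The following is an added example, not part of the original post: a stricter variant that emits an address only when the answer is a single, publicly routable IPv4 or global-unicast IPv6 address, and otherwise prints nothing and exits non-zero. The function names are hypothetical, and the IPv6 check is deliberately conservative (a valid but unusual spelling such as a trailing "::" is refused).

```bash
#!/usr/bin/env bash
# Added example, not from the original post; function names are hypothetical.
# Install one copy as getipv4.sh and one as getipv6.sh: it dispatches on its name.
# Succeed only for a well-formed, publicly routable IPv4 address.
is_public_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # leading zero or over 3 digits
        [ "$o" -le 255 ] || return 1
    done
    # Refuse this-network, private, loopback, link-local and CGNAT ranges.
    case $1.$2 in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) return 1 ;;
    esac
    [ "$1" -lt 224 ]   # multicast and reserved space
}

# Succeed only for a plausible global-unicast (2000::/3) IPv6 address.
is_global_ipv6() {
    h='[0-9A-Fa-f]'
    case $1 in
        *[!0-9A-Fa-f:]*|*:::*|*::*::*|*:|*$h$h$h$h$h*) return 1 ;;
        [23]$h$h$h:*:*) ;;
        *) return 1 ;;
    esac
    colons=$(printf '%s' "$1" | tr -cd ':')
    case $1 in
        *::*) [ ${#colons} -le 7 ] ;;
        *)    [ ${#colons} -eq 7 ] ;;
    esac
}

# Print the address only if the lookup command ($2...) returned one valid line.
checked_ip() {
    family=$1; shift
    answer=$("$@" 2>/dev/null | tr -d '"') || return 1
    case $family in
        4) is_public_ipv4 "$answer" ;;
        6) is_global_ipv6 "$answer" ;;
        *) false ;;
    esac || return 1
    printf '%s\n' "$answer"
}

case ${0##*/} in
    getipv4.sh) checked_ip 4 /usr/bin/dig +short TXT CH whoami.cloudflare @1.1.1.1 ;;
    getipv6.sh) checked_ip 6 /usr/bin/dig -6 +short TXT CH whoami.cloudflare @2606:4700:4700::1111 ;;
esac
```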

5. Multi-zone configuration template

############################################################
##  Global settings
############################################################
pid      = /run/ddclient.pid
daemon   = 300
ssl      = yes
protocol = cloudflare
server   = api.cloudflare.com/client/v4/
login    = token
password = "YOUR_CLOUDFLARE_API_TOKEN"

############################################################
##  Public IP detection
############################################################
usev4 = cmdv4, cmdv4 = "/usr/local/bin/getipv4.sh"
usev6 = cmdv6, cmdv6 = "/usr/local/bin/getipv6.sh"

##############################################
# Zone: example.com
##############################################
zone = example.com
host = example.com
ttl  = 1

##############################################
# Zone: example2.com
##############################################
zone = example2.com
host = www.example2.com
ttl  = 1

6. Enable and test the service

systemctl enable --now ddclient

Run verbosely for debugging:

ddclient -daemon=0 -debug -verbose -noquiet -force