When I had a static IP address I just added the various hostnames to the Fasthosts (domain registrar) DNS configuration. However, when changing to an ISP that doesn't offer a fixed IP address I needed a way of automating the DNS update whenever my address changed. Initially I was using ydns, with ddclient updating the IP addresses as required.
Automating the DNS updates was fairly simple and only involved changing the ddclient settings so that it updated Cloudflare instead of ydns, but I then ran into an issue where my Let's Encrypt certificates wouldn't renew, and I realised that this was because of the proxying that Cloudflare turns on by default for new records. The easy solution would have been to just turn off the proxying (and this is what I did at first), but I figured that I may as well carry on using the CDN where possible, and after spending so much time getting things working I'm not reverting back!!
Initial DNS configuration
- Go to the Cloudflare Dashboard and note the Cloudflare DNS servers
- Go to your domain registrar and add these servers as the Name servers for your domain
- Back to the Cloudflare Dashboard
- Click on your domain
- Click on DNS
- Add the domain and IP address and click on OK
- Repeat for any subdomains
Update IP addresses automatically
Before I started using Docker I used ddclient on one of the VMs that was providing a service. Once I started using Docker I changed to having a container update the IP addresses using the Cloudflare API.
ddclient config
Config file for updating DNS when using Cloudflare for DNS. The Global API Key can be found in your Cloudflare dashboard: My Profile → API Tokens → click on View and enter your password to view the key. Bear in mind that the Global API Key gives full access to everything in your Cloudflare account, not just DNS for this zone, so treat it like your account password (keep the config file readable only by the ddclient user and don't commit it anywhere). A scoped API token, as used for the container below, is the better choice where your ddclient version supports it.
The last line lists the domains (and subdomains) to be updated.
use=web, web=checkip.dyndns.org/, web-skip='IP Address'
daemon=600
syslog=yes
ssl=yes
protocol=cloudflare,
zone=example.com, ttl=1,
login=admin@example.com,
password=*global API key*
example.com,www.example.com,plex.example.com
Using docker container
There are at least two choices for this: the first is to run a container that runs ddclient with the config above, and the second is to use one that talks to the Cloudflare API directly. I'm using the API on the basis that the maintainer of ddclient has announced that he's stopping development…
docker-compose config for Cloudflare API container
services:
  cloudflareddns:
    container_name: cloudflareddns
    image: hotio/cloudflareddns
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=Europe/London
      - INTERVAL=300
      - DETECTION_MODE=curl-wtfismyip.com
      - LOG_LEVEL=3
      - CF_APITOKEN=DNS-EDIT-TOKEN
      - CF_HOSTS=www.example.com;media.example.com;service1.example.com;service2.example.com
      - CF_ZONES=cloudflare zone ID
      - CF_RECORDTYPES=A
    volumes:
      - /var/lib/docker/volumes/config/cloudflareddns:/config
    restart: unless-stopped
CF_HOSTS is the list of domains and subdomains (separated by semicolons) that you wish to update. As I've moved a couple of subdomains out to the cloud I don't want them being rewritten when my home IP address changes, so I've left them out of the list.
The CF_ZONES variable is your zone ID, which is shown on the front page of the dashboard after clicking on your domain.
The CF_APITOKEN is a scoped API token generated from the Cloudflare website (see below); don't put the Global API Key here. It's passed in as an environment variable, so anyone who can read the compose file or run docker inspect on the container can read it too.
CF_RECORDTYPES can also cover IPv6 by adding AAAA.
The API token is created from the Cloudflare dashboard.
- Click on “My Profile” and then on API Tokens and create a new token.
- Click on the Edit Zone DNS template and ensure the permissions section reads Zone, DNS, Edit
- For the zone resources I've selected Include, Specific zone, raglits.co.uk, so the token can only touch that one zone
- There's no need to set client IP address filtering, as the whole point of dynamic DNS is that you won't know which address you'll be updating from
- You can also set how long the token is valid for. I've left this on the default of no time limit, but if you're security conscious you could set an expiry and rotate the token every month or so. Either way, revoke it from the same page straight away if the machine running the container is ever compromised, since the token can rewrite any DNS record in the zone
- Click on continue to summary
- Click on create token
Now you can copy the API token that has permission to edit the DNS zone, and when the IP check runs (every 5 minutes in this example) it will update the records if your ISP has changed your IP address.
Note: You cannot view the token again, so ensure it's saved somewhere (a password manager is the obvious place) otherwise you will need to create another one in future. Obviously, if you always have access to the stack then you won't lose it, but if you don't have a copy and the disk gets trashed, for example, you will lose the token if it isn't saved elsewhere.
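To make it clear what the container is doing with that token every 5 minutes, here is a small updater written for this page as an added example; it is not the hotio image's own script. It assumes the same environment as the compose file above (CF_APITOKEN holding a token scoped to Zone, DNS, Edit on one zone; CF_ZONES holding that zone's ID; CF_HOSTS a semicolon-separated host list) plus a PUBLIC_IP variable standing in for whatever external IP check you use. It goes one step beyond the text: the record is only rewritten when the address has actually changed, the existing proxied (orange cloud) and TTL settings are re-sent unchanged so the updater never silently disables the CDN, and a host with no existing record is reported rather than created, since creating records is a separate decision. The FakeCloudflare class is constructed sample data so the logic can be run offline.

```python
"""Cloudflare dynamic-DNS updater (added example; assumptions noted inline)."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def http_json(method, url, token, body=None):
    """Real transport: one authenticated JSON request to the Cloudflare v4 API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",  # scoped API token, never the Global API Key
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def sync_record(zone_id, host, new_ip, token, transport=http_json, rtype="A"):
    """Point HOST's RTYPE record at NEW_IP, keeping its proxied/TTL settings.

    Returns 'unchanged', 'updated' or 'missing'; raises on an API error so a
    bad or revoked token shows up in the container log instead of being ignored.
    """
    url = f"{API}/zones/{zone_id}/dns_records?type={rtype}&name={host}"
    found = transport("GET", url, token)
    if not found.get("success"):
        raise RuntimeError(f"lookup failed for {host}: {found.get('errors')}")
    records = found["result"]
    if not records:
        return "missing"  # deliberately never create records; that is a separate decision
    rec = records[0]
    if rec["content"] == new_ip:
        return "unchanged"
    # Re-send proxied and ttl exactly as they are so the CDN setting survives the update.
    body = {"type": rtype, "name": host, "content": new_ip,
            "proxied": rec.get("proxied", False), "ttl": rec.get("ttl", 1)}
    res = transport("PATCH", f"{API}/zones/{zone_id}/dns_records/{rec['id']}", token, body)
    if not res.get("success"):
        raise RuntimeError(f"update failed for {host}: {res.get('errors')}")
    return "updated"


def sync_all(zone_id, hosts, new_ip, token, transport=http_json):
    """Run sync_record for every host in CF_HOSTS order; returns {host: outcome}."""
    return {h: sync_record(zone_id, h, new_ip, token, transport) for h in hosts}


class FakeCloudflare:
    """Constructed stand-in for the API (made-up records, not a real account).

    Accepts only the token 'test-token' and supports the two calls above, so the
    updater can be exercised offline with the same code path as the real transport.
    """

    def __init__(self):
        self.records = {
            "rec1": {"id": "rec1", "name": "www.example.com", "type": "A",
                     "content": "203.0.113.10", "proxied": True, "ttl": 1},
            "rec2": {"id": "rec2", "name": "plex.example.com", "type": "A",
                     "content": "203.0.113.10", "proxied": False, "ttl": 1},
        }

    def __call__(self, method, url, token, body=None):
        if token != "test-token":
            return {"success": False, "errors": [{"code": 10000, "message": "Authentication error"}]}
        if method == "GET":
            qs = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
            hits = [r for r in self.records.values()
                    if r["name"] == qs["name"] and r["type"] == qs["type"]]
            return {"success": True, "result": hits}
        if method == "PATCH":
            rec = self.records[url.rsplit("/", 1)[1]]
            rec.update(body)
            return {"success": True, "result": rec}
        return {"success": False, "errors": [{"message": "unsupported"}]}


if __name__ == "__main__":
    # Assumption: PUBLIC_IP is supplied by an external check (e.g. the
    # DETECTION_MODE lookup); the other names mirror the compose environment.
    token = os.environ["CF_APITOKEN"]
    zone = os.environ["CF_ZONES"]
    hosts = os.environ["CF_HOSTS"].split(";")
    print(sync_all(zone, hosts, os.environ["PUBLIC_IP"], token))
```

Because the token is read from the environment at run time, the same script works whether the secret comes from the compose file, an env_file, or a Docker secret mounted and exported by an entrypoint; what matters is that the value never ends up in a log line, which is why the code prints outcomes rather than requests.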