Dynamic DNS with ddclient on Raspberry Pi and Ubuntu

This tutorial will show you how to configure ddclient on Raspbian and Ubuntu. Many tutorials don't explain what to do if your server is behind a router, but this one will.

I recently set up a backup server on an internet connection that has a dynamic IP address. So far, I've been spoiled at home because my ISP (PlusNet) makes switching to a static IP address easy and cheap, so obviously I did that. This time though, I didn't have that option, and I didn't want to configure a dynamic dns client on that router either, so I had to set it up on the server itself.

Installation

Some DNS providers offer their own dynamic DNS clients, but most of them are proprietary. The one I am going to use is called ddclient; it's free, open source, and written in Perl. Use this command to install ddclient:

sudo apt-get install ddclient

Enable dynamic DNS with your DNS provider

If you're not using namecheap, then this section will be different, but the concept is the same regardless of DNS provider.

Log into namecheap and select the relevant domain, then choose "Dynamic DNS" under Miscellaneous settings.

Use the radio buttons to enable dynamic DNS, and then make a note of the password. It should go without saying, but be really careful what you do with this password - anyone with access to it could change any DNS record for your domain that they wanted to. Unfortunately, namecheap doesn't let you restrict the dynamic DNS to just one subdomain.

Next, navigate to "All host records" and add a DNS A record for your domain (use the @ symbol for this) or subdomain. Use the dummy IP address 127.0.0.1 for now; the first time we run ddclient, this will be updated to your actual Wide Area Network (WAN) IP address.

ddclient configuration

Now you have everything you need to configure ddclient.

The main configuration file for ddclient is at /etc/ddclient.conf, you can open this file to edit it with a text editor of your choice - this command will open it in nano:

sudo nano /etc/ddclient.conf

Here is a sample "normal" configuration file for ddclient:

protocol=namecheap
server=dynamicdns.park-your-domain.com
login=yourdomain.com
password='password'
subdomain
  • protocol is set by your dynamic DNS provider. For namecheap the value is "namecheap"
  • server is the hostname of the dynamic DNS server. The dynamic DNS servers used by namecheap are located at "dynamicdns.park-your-domain.com"
  • login is your domain name
  • password is the string we obtained earlier from the namecheap web interface. Leave the single quotation marks around the string.
  • The last line is the subdomain to be modified. In my case this was backup, for backup.samhobbs.co.uk. If you wanted to update your root domain, you would put an @ symbol on this line instead

WAN IP discovery

The above configuration would work fine if ddclient was installed on a router, since the router knows your WAN IP address. However, it doesn't work if your server is behind a router because the server only knows its Local Area Network (LAN) IP address.

There is a configuration parameter called use, which determines the method ddclient uses to find the WAN IP.

Important! - if you specify this parameter, it must go above the rest of the configuration in the file. If you specify it below, it won't work! This caused me quite a lot of grief.

The default value for use is if, which uses information from the network interface (think ifconfig). If you have multiple network interfaces, you can specify which one like use=if, if=eth0 for ethernet, if=lo for the loopback address, if=wlan0 for wireless LAN etc. However, none of these will work for us because none of them will give the WAN IP.

There are two more types of value you can set: web, and router firmware values like fw and linksys.

Getting your WAN IP from your router's status page

Although I haven't opted for the router firmware method, I think it's quite interesting and worth discussing. Router firmware settings look something like this:

use=fw, fw=192.168.1.1/status.htm, fw-login=admin, fw-password=admin, fw-skip='IP Address'

...where fw= sets the location of the status page for that particular router containing the WAN IP address. If the status page is not available to unauthenticated users, you must set the username and password to allow ddclient to authenticate with the router. fw-skip tells ddclient to ignore any IP address on the status page you specified before a certain string, in this case 'IP Address'.

Some popular router manufacturers have their own settings for ease of use, for example if you have a Linksys router you can use this line:

use=linksys, fw=linksys, fw-login=admin, fw-password=admin

Note that since a lot of routers won't let more than one user log in as admin at a time, you could potentially prevent ddclient from updating your dynamic IP address if you are logged in yourself at the same time.

Getting your WAN IP address from a web service

The web method involves ddclient querying one of the many "what is my ip" type web services on the internet, and extracting your IP address from the page returned. You can tell ddclient to use this method by using this line:

use=web

Similarly to other methods, you can also specify which website to use with the web parameter. Some options with preset values are dnspark, dyndns and loopia, although you can use any site you like. For example, you could use somedomain.com by setting use=web, web=somedomain.com, with an appropriate web-skip='foo' to ignore IP addresses before the string "foo" if necessary.

Secure submission

Remember how I said anyone with your dynamic dns password can change your DNS records? Sending your password via http (not https) is a bad idea. This parameter will force https:

ssl=yes

Again, this needs to go above the protocol parameter in your config file.

For this to work, you need a perl library that can use SSL. Install it with this command:

sudo apt-get install libio-socket-ssl-perl
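
The placement rules for use= and ssl=yes, together with a permission check on the file that stores the password, can be written as a small lint script. This is an added example, not part of the original tutorial or of ddclient; the function names, the owner-only permission target and the sample configs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of ddclient): lint a ddclient.conf for the rules above.
# Returns 0 when clean, 1 when it printed at least one finding.
check_ddclient_conf() {
    conf=$1
    rc=0

    # The file stores the dynamic DNS password. Assumption: only the owner
    # should have any access, so the last two mode digits must be 00.
    mode=$(stat -c '%a' "$conf") || return 2
    case $mode in
        *00) ;;
        *) echo "FAIL: mode $mode lets group/other read the password"; rc=1 ;;
    esac

    # Ordering rules: ssl=yes must already be in effect at each protocol=
    # line, and use= must appear above the first protocol= line.
    findings=$(awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            n = split($0, tok, /[ \t,]+/)        # settings may share a line
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^use=/ && !use_line) use_line = NR
                else if (tok[i] ~ /^ssl=/) ssl = substr(tok[i], 5)
                else if (tok[i] ~ /^protocol=/) {
                    if (!first_proto) first_proto = NR
                    if (ssl != "yes")
                        printf "FAIL: line %d: ssl=yes is not set above %s\n", NR, tok[i]
                }
            }
        }
        END {
            if (!first_proto) print "FAIL: no protocol= line found"
            else if (use_line > first_proto)
                printf "FAIL: line %d: use= is below protocol= (line %d)\n", use_line, first_proto
        }' "$conf")
    if [ -n "$findings" ]; then
        echo "$findings"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (placeholder domain and password).
write_samples() {
    dir=$1
    printf '%s\n' 'use=web' 'ssl=yes' 'protocol=namecheap' \
        'server=dynamicdns.park-your-domain.com' 'login=example.com' \
        "password='placeholder'" 'backup' > "$dir/good.conf"
    printf '%s\n' 'protocol=namecheap' \
        'server=dynamicdns.park-your-domain.com' 'login=example.com' \
        "password='placeholder'" 'use=web' 'ssl=yes' 'backup' > "$dir/bad.conf"
    chmod 600 "$dir/good.conf"
    chmod 644 "$dir/bad.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_ddclient_conf "$tmp/good.conf" && echo "good.conf: OK"
check_ddclient_conf "$tmp/bad.conf" || echo "bad.conf: needs fixing"
```
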

Testing your configuration

You can check if the pre-defined use values can detect your WAN IP by running this command:

sudo ddclient -query

If your server is connected with an ethernet cable, the output should look something like this:

use=if, if=lo address is 127.0.0.1
use=if, if=p2p1 address is 192.168.1.119
use=if, if=wlan0 address is NOT FOUND
use=web, web=dnspark address is 1.2.3.4
use=web, web=dyndns address is 1.2.3.4
use=web, web=loopia address is 1.2.3.4

To test your ddclient configuration with really verbose output, printing all possible configuration parameters and their values, you can use this command:

sudo ddclient -debug -verbose -noquiet

I won't print a sample output because it's too long, but somewhere near the bottom you should see a line like this:

SUCCESS:  updating backup: good: IP address set to 1.2.3.4

While we've got all this information, it's worth checking to make sure you are actually using SSL to connect to your dynamic DNS provider. Look for lines like this:

CONNECT:  dynamicdns.park-your-domain.com
CONNECTED:  using SSL
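
The same check can be scripted so that it only looks at the connection that carries the password, since the "what is my IP" lookup may legitimately use plain http. This is an added example, not part of the original tutorial or of ddclient; the function names and the sample excerpts are constructed, and "using HTTP" is assumed to be what a non-SSL connection prints.

```shell
#!/bin/sh
# Added example: audit `ddclient -debug -verbose -noquiet` output read from stdin.

# Print one "host transport" pair per connection found in the output.
list_connections() {
    awk '
        $1 == "CONNECT:"   { host = $2; sub(/:[0-9]+$/, "", host); next }
        $1 == "CONNECTED:" && host != "" {
            print host, ($0 ~ /using SSL/ ? "ssl" : "plain")
            host = ""
        }'
}

# Succeed only if SERVER was contacted at least once and never in plaintext.
update_used_ssl() {
    list_connections | awk -v server="$1" '
        $1 == server { seen++; if ($2 != "ssl") plain++ }
        END { exit !(seen > 0 && plain == 0) }'
}

# Constructed excerpts in the format shown above; "using HTTP" is assumed to
# be what a non-SSL connection prints.
sample_ok() {
    cat <<'EOF'
CONNECT:  checkip.dyndns.org
CONNECTED:  using HTTP
CONNECT:  dynamicdns.park-your-domain.com
CONNECTED:  using SSL
SUCCESS:  updating backup: good: IP address set to 1.2.3.4
EOF
}
sample_plain() {
    cat <<'EOF'
CONNECT:  dynamicdns.park-your-domain.com
CONNECTED:  using HTTP
SUCCESS:  updating backup: good: IP address set to 1.2.3.4
EOF
}

provider=dynamicdns.park-your-domain.com
sample_ok | update_used_ssl "$provider" && echo "update went over SSL"
sample_plain | update_used_ssl "$provider" || echo "update was sent in plaintext"
```
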

Run ddclient as a daemon

Since we don't just want the IP address to update once, we still need to set up ddclient to run as a daemon so it can check for a change of IP address periodically and notify the dynamic DNS provider if necessary.

To start the daemon we need to open another configuration file, /etc/default/ddclient and set:

run_daemon="true"

You will notice there is a daemon_interval parameter there too, I think the default value of 300 seconds (5 minutes) is reasonable, so I didn't change it.

Save and close the file, and then run:

sudo service ddclient start

to start the daemon, and:

sudo service ddclient status

to check its status.

ddclient keeps a cache of your IP address, and it will only update the record with your dynamic DNS provider if your IP address has changed. Since some ISPs seem to only allocate new IP addresses when the modem is power cycled, and some dynamic DNS providers will time out if you don't update the record in a while, there is one thing left to do - we need to add a cron job to force an update weekly, just in case.

Choose whether you want to force an update daily or weekly, and then create a file called ddclient in the relevant directory, e.g. /etc/cron.daily or /etc/cron.weekly:

sudo nano /etc/cron.daily/ddclient

Fill in this information:

#!/bin/sh
/usr/sbin/ddclient -force

Then make the script executable:

sudo chmod +x /etc/cron.daily/ddclient

Done :)

Comments

Sam,
I am new to the Raspberry. I have followed your excellent tutorial and setup DDNS with NameCheap using ddclient. My domain is annapolisbluebird.com which I have set up for my Raspberry on a sailboat in a marina so I can keep track of critical parameters on my boat. The Raspberry is connected to the Internet with a WiFi connection through a router. Using hcidata I come up with an IP address for that domain. I can ping to it. The problem when I try to make a Putty or VNC connection, I get the error message that the server has actively refused the connection. Not sure what the problem is.

I have used ssl=yes and use=web at the beginning of the configuration file. I assume these settings are for communications with NameCheap, but it appears there may be some kind of authentication problem with Putty.

John Poindexter

John,

Do you control the router the pi is connected to? If not, you will struggle because you need to forward certain ports on the router to the pi, or the firewall on the router will refuse the connection.

Sam

Sam,
Yes, I control the router and have set port forwarding for port 22 to the Raspberry. The router is Netgear WNDR4300. Are there other ports that need to be forwarded for Putty and VNC?
John

Putty connects using SSH, so that's fine. Not sure about VNC because I've never used it.

Check that the pi has a static IP address on the local network (to make sure the DHCP lease doesn't expire resulting in it being given a different IP address on the LAN from the one in your port forwarding rules).

Also worth checking that the dynamic DNS is working, i.e. does your DNS A record resolve to the WAN IP of your router (if you know the WAN IP of your router).

Sam

Sam,
I have it all working now. I changed ddclient.conf to the following:

use=web, web=dynamicdns.park-your-domain.com/getip
ssl=yes
protocol=namecheap
server=dynamicdns.park-your-domain.com
login=[my domain]
password=[my password]
@

This is what NameCheap specifies. On the port issues I added port 5902 to the port forwarding of the router. This was in addition to forwarding port 22. I do use a static IP there for the Raspberry. With VNC viewer I connect to the external DDNS IP using port 5902. Both Putty and VNC now work remotely. When I actually put my Raspberry and Interface Board on my boat in the marina (right now it is in my shop...smile), I will probably have more router problems.

As other people have said, thank you for an excellent tutorial and rapid response to questions

John

Sam,
One change I found from your tutorial is that NameCheap has apparently changed their server address to parkingpage.namecheap.com from dynamicdns.park-your-domain.com. I have used the new address in the ddclient.conf file.
John

I'm a total newbie but this guided me thru the dynamic dns setup with ease. Had the same issue as others with not using ssl, but cache clear sorted this out.

Thanks for making the guide!

Thanks a lot for this efficient tutorial, you save me so much time !

Hello Mr Hobbs,

Thanks for your magnificent guide. I was having a lot of trouble with PIA VPN and getting my DDNS to update to the correct public IP address. I switched from the no-ip script (noip2) to a ddclient and it just works. I did have some trouble with using ssl (https) instead of http but I kept changing my "if=web, web=******" to a suitable https://"ip look up site". The only problem I currently have is I have to wait 10 minutes for the ddclient to update to the correct public IP address on reboots (first ddns ip on reboot is the last cached one, second is just slightly wrong for some reason, third is corrected and stays updated). And on an unrelated note my router or computer is blocking forwarded ports so I can't test remote ssh connects.
If you have any ideas on getting the right ddns on reboot, that would be fantastic, otherwise thanks again!!!!

Also FYI, my config for those trying similar things, ddns: no-ip.com, vpn: PIA VPN, comp: Raspberry Pi, OS: Raspbian. comp use: headless remote server.

Hi,

Glad you found it useful!

Not sure if you've hit this problem, but it seems related: if you are trying to SSH to a box on the public internet that is running an openvpn client connection to another remote server, you will have problems because the client will connect to the SSH server on the public IP address, and then the server will reply using the VPN route, which means the reply will appear to come from your VPN provider's IP address instead of your server's IP address and the client won't accept it (and/or your firewall will block it because it's not a reply to an outgoing request). You don't get the same request if the box is on the LAN, because you connect using the LAN IP address (and for a normal VPN setup, LAN traffic is not sent over the VPN).

I've covered the solution in the always on VPN server part of my kodi box tutorial.

I can't think why you'd get the "wrong" answer to your first DDNS request though, sorry.

Sam

Hello Sam,

Thanks for your response, forgive me if I've misunderstood.
You're saying that I won't be able to connect to my box running an openvpn service because a public (external to lan) remote request will give me an incorrect public IP address to the box?
Wouldn't the ddclient getting the public ip from the web route give me my openvpn public ip? And from there my router will direct the forwarded port to the box?
i.e. outside web ssh request>openvpn public ip>router port>box on the inside.
Again sorry if I have misunderstood your previous comment.
Kind Regards,
Chrishan

Thanks once again Sam for all your stuff. I've been running the pi mail server for 2 years now with no issues. Arrived back here because of an issue with my internet connection and closed down my dynamic dns temporarily. But now they seem to have sorted out the connection so I needed to remind myself of the client config information...
Please keep your pages going, I keep thinking I should take hard copies in case you decide to delete them, but there's a lot there!
regards Michael

Hi Sam,

it's me again. You helped me a lot last year. Now I'm totally lost. Last year I was able to manage that the domain dns was setup to use duckdns for updating the ip for using raspi as mail server. But now I'm totally lost. Followed every step from your tutorial. So postfix and dovecot run fine so far. But the dns entries are killing me. What to set where? I can't figure it out.

The ddclient command gives me this out:

RECEIVE: Current IP CheckCurrent IP Address: 1.2.3.4
DEBUG: get_ip: using web, http://checkip.dyndns.org/ reports 1.2.3.4
WARNING: skipping update of thisismydomaintobeupdated.com from to 1.2.3.4.
WARNING: last updated but last attempt on Sun Dec 23 23:41:02 2018 failed.
WARNING: Wait at least 5 minutes between update attempts.

Don't know what. I added a txt entry so far in dns section for spf ptr, but the error happened before too. have an mx record set:


Type Host Value TTL
MX Record @ thisisthedomaintobeupdated.com. 10 Automatic

Thanks in advance for reading this.

Kind regards from germany
Roman

Hi Roman,

I may be reading that wrong, but I think it's saying that the IP address is already correct so it's skipping the update?

Have you checked your IP address with dig and is it currently correct?

Sam

Hi Sam,

happy new year to you and your beloved ones. Thanks for your support. My MX-entry was missing :o( - sorry.

I fixed it and all runs well now. The only problem I have is my IP-range (because dynamic) is in the bad list on spamhaus. So it will only be delivered to spam every time I send one (to myself atm). SPF setting throws errors in the mx-check on google dev tools. But the more important point is that all mail marketing tools I wanted to use are not running on raspi. Some dependencies or whatever are missing not fixable for a noob like me. I learned a lot and tried day in night out but now I'm at the point to make it easier for me and - so I think atm - to take things over to aws on amazon cloud services. And that's where my question begins and adds up.

Will all these steps to make the mailserver running be possible on aws cloud server? I stuck in thinking. Because I never used aws before and don't know what then have to be changed in the scripts. Do I have to use dynamic dns service (ddclient) again or does this work another way round? Do you have any experience with that?

Thanks and warm regards
Roman

Roman,

That's a shame but it sounds like you learned a lot which is the main aim!

You should be able to follow these steps on a Debian or Ubuntu VPS - my mail server is running on a VPS from Scaleway at the moment. You can configure the VPS to have a static IP if you pay for one, which I would recommend.

Sam

Hi Sam,

that sounds good so far. AWS offers elastic ip, I guess this is not the same like the static one? A static ip from my isp is not possible since I'm not a business at the moment. As a private I can't have one, german telekom :o(

I'm a bit confused now.

Read you soon.

Kind regards
Roman

I think "elastic ip" is just a marketing term, not a technical one. From the quick look I just had, I think it's a static IP that you can assign wherever you want ("elastically"). I have the equivalent on the scaleway server: I paid for a static IP with Scaleway and assigned it to my VPS (so the server is now accessible using that static IP address; by default it would only have a dynamic IP address).

Scaleway is a VPS (Virtual Private Server) provider, like Amazon AWS. They are not my residential ISP - nowadays I host my web server, mail server and chat server on the Scaleway VPS because I moved house to the middle of nowhere and the upload speed on my residential internet connection is very poor (definitely not suitable for a web server). On top of that, in the year we moved here we had fairly regular power cuts - not ideal in terms of uptime! I still have some other servers at home that I can connect to via the internet (like the Kodi server) but most of it is on the VPS.

Sam

Hi Sam,

thanks for your good reply. I assigned the elastic IP as the instance was running. But the elastic IP is not the Public IP mentioned in the instance entry. Don't know, but it's accessible through the public IP.

The mail server is up and running. At this very moment I ended to configure postfix for spamassassin from your tutorial. But now :) I can't login through the web panel "Authorization failed" rainloop is saying to me. And I don't get it, what happened. I don't think it has something to do with the other. But as I mentioned before. I'm not a UNIX/LINUX professional. I have to look up every problem in forums and other web sources.

Before the problem existed, I tried to send an email to the email from configured but it didn't arrive supervising the mail.log showed no response as if nothing was put through to em. The IP was renewed through ddclient. I thought this time it could be a little easier ... but "Hey, take this and that". I don't want to give this up, but I guess I'm too stupid to figure this out.

Nice to hear from you.
Roman

the "use=" part helped me a lot on my case which is "a local IP in NAT behind the router which has a public IP"
I was wondering how my server can DDNS update with ddclient.

Excellent thread!

Hi Sam,

This is like my go-to post to configure ddclient and has been for a few years! Cheers for that! :)

I was wondering if you can help me with what I think is a simple problem but perhaps isn't.

I'm trying to update my A+ records, for @ and www, so that `blah.tld` and `www.blah.tld` both point to my IP.

I can't seem to get the last line right in the .conf. Namecheap told me to put `blah.tld,www.blah.tld` but it didn't work that I could see (I set the IPs in namecheap advanced dns panel A+ records to 127.0.0.0 to see that they'd changed)
I've tried '@,wwww' but also no luck.

Have you any experience of this?

Hi Nathan,

I've never tried to do this, sorry. If you can't find a way to update multiple records with ddclient, you could consider using CNAME records, which basically just say "this domain name has the same details as this other record" so you could only update one and the other would change with it. I don't know if that could cause problems elsewhere, but it would be worth experimenting with.

Sam

Hi Nathan!

I have two different DNS providers. I have two websites with one provider and two different websites with the other. With one of the providers, I could update multiple hosts on one line (blah.tld, www.blah.tld). With the other, I had to have separate entries for each host:

Login=xxx
password=yyy
blah.tld

login=xxx
password=yyy
www.blah.tld

It took me a loooong time to figure this out as a single line worked perfectly with one of the providers.

Hope this helps!

Bye.... :-)
Charles

That's a very useful piece of information to share, Charles, thank you kindly! I did not know you could use/include multiple .conf files - this is what you are implying? I'll find out soon :)

Hi Nathan!

No, I was not trying to imply include files. All of the hosts are in a single .conf file. One mistake I did make, was not putting a "\" (backslash) after the login and the password lines. Also, I left off the protocol and server info.

What I was trying to show was the login, password and sub-domains had to be separate, complete entries for each sub-domain.

Here is a more complete example:

#The following is common to both DNS providers:
daemon=0
syslog=yes
quiet=no
verbose=no
debug=no
pid=/run/ddclient.pid
exec=yes
retry=no

#Get the public ip address of this machine. Note, the "https://" is needed, otherwise, the response will be too slow and will time out.
#This is unique to zoneedit. Other DNS providers don't require it. Also, setting SSL=yes, prior to this statement, does not solve
# the "https" problem. See my comment on 8 September 2016, for more detail.

use=web, web=https://dynamic.zoneedit.com/checkip.html

#Zoneedit specific parameters, all sub-domains may be on one line.
ssl=yes
protocol=zoneedit1
server=dynamic.zoneedit.com

login=xxx password=yyy blah1.tld, www.blah1.tld

#Hurricane Electric specific parameters, sub-domains must be on separate lines.
ssl=no
protocol=dyndns2
server=dyn.dns.he.net

login=xxx password=yyy blah.tld
login=xxx password=yyy www.blah.tld

Click here for my comment on 8 September 2016 regarding the use of "https://" to get the ip address.

Hope this helps!

Let me know if you have any questions.

Bye... :-)
Charles
