49 changes: 49 additions & 0 deletions ddns.rst
@@ -85,6 +85,41 @@ Additional notes:
- Consider enabling logging for the DDNS service to monitor updates and troubleshoot any issues.
- Some providers may offer advanced features like wildcards and subdomain updates. Explore these options based on your specific needs.

Example: DigitalOcean (DO)
^^^^^^^^^^^^^^^^^^^^^^^^^^

The following example uses the fictional ``firewall.example.net`` setup on NethSecurity.
The DigitalOcean API token is intentionally redacted; replace it with your own token. ::

uci set ddns.do=service
uci set ddns.do.service_name='digitalocean.com-v2'
uci set ddns.do.lookup_host='firewall.example.net'
uci set ddns.do.domain='example.net'
uci set ddns.do.username='firewall'
uci set ddns.do.password='REDACTED_DIGITALOCEAN_API_TOKEN'
uci set ddns.do.param_opt='21694203'
uci set ddns.do.enabled='1'
uci set ddns.do.interface='wan'
uci set ddns.do.ip_source='network'
uci set ddns.do.ip_network='wan'
uci commit ddns
/etc/init.d/ddns restart

The relevant DigitalOcean fields are:

- ``domain``: the domain managed in DigitalOcean
- ``username``: the hostname label to update
- ``password``: the personal access token
- ``param_opt``: the DNS record ID for that hostname

To list the records and find the ID, run::

curl -X GET -H 'Content-Type: application/json' \
-H "Authorization: Bearer TOKEN" \
"https://api.digitalocean.com/v2/domains/DOMAIN/records"

Replace ``TOKEN`` and ``DOMAIN`` with your own values.

Example: afraid.org (FreeDNS)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

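Review bot: The record-listing command passes the token as a literal argument (``-H "Authorization: Bearer TOKEN"``), so a reader who pastes a real token there leaves it in shell history and in the process list while curl runs. Suggest showing the token read from a shell variable or a file instead and saying so in the "Replace ``TOKEN`` and ``DOMAIN``" sentence. Two smaller points in the same hunk: the text says the token is redacted and the setup is fictional, but ``param_opt='21694203'`` reads like a real record ID, so a placeholder such as ``RECORD_ID`` with a pointer to the listing command would be consistent with ``REDACTED_DIGITALOCEAN_API_TOKEN``. The field list also describes ``password`` only as "the personal access token"; a sentence on which permissions the token needs would help, since it ends up stored in the ``ddns`` UCI configuration.
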
@@ -135,6 +170,20 @@ The domain is named "nstest1.freeddns.it" and the username and password are "nst
uci commit ddns
/etc/init.d/ddns restart

Split DNS
---------

Some deployments publish the same hostname inside the LAN and on the public internet.
If ``lookup_host`` resolves to a private address on the firewall itself, DDNS can compare the public WAN IP against the internal answer and keep retrying even when the provider update succeeded.

The recommended fix is to make DDNS query an external resolver for the lookup instead of the local split-DNS answer. For example::

uci set ddns.do.dns_server='1.1.1.1'
uci commit ddns
/etc/init.d/ddns restart

This keeps split DNS for LAN clients while the DDNS client validates the public record.

Using Luci
----------

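Review bot: The fix command ``uci set ddns.do.dns_server='1.1.1.1'`` assumes the ``do`` section from the DigitalOcean example, but the "Split DNS" section is a top-level heading that applies to every provider and never says that ``do`` must be replaced with the reader's own service section name. Suggest stating that explicitly, or using a neutral placeholder section name. It would also help to note that ``1.1.1.1`` is only one choice of external resolver and that the firewall itself must be able to reach whichever resolver is configured, otherwise the lookup fails and the retry loop described in the second paragraph is replaced by a different failure.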