Deals! 🛒
Dynamic DNS, or DDNS, is one of the most powerful features of a home Wi-Fi router. It’s the base for hosting many services within your home network.
Examples of these services are a VPN server or a remote desktop connection. At the very least, DDNS allows you to manage your router when you’re away from home using the familiar web interface.
This post will explain what DDNS is and how to set one up to enable remote access to your home router in layman’s terms. It’ll also talk about port forwarding, the most popular networking feature used in tandem with DDNS.
Though this is in the realm of advanced networking, DDNS is straightforward. Still, before continuing, make sure you’re familiar with IP addresses, especially the WAN IP.
Dong’s note: I first published this piece on April 24, 2019, and updated it on November 1, 2020, to include additional relevant information.
Table of Contents
Dynamic DNS explained
To know what DDNS is, you first need to understand DNS — short for domain name system. You can find out more about DNS in this post, but, in a nutshell, DNS is a mechanism that associates a label — such as a domain name like dongknows.com — with an IP address.
DNS is helpful because it’s much easier for us to remember a label than a string of numbers. (This is similar to your phone’s Contacts, where you only need to remember your friends’ names and not their digits.)
Dynamic DNS is the same concept but applies to a periodically changing or “dynamic” WAN IP. The majority of home broadband plans don’t include a static WAN IP — it’s expensive to have a fixed WAN IP address that remains the same at all times.
You can easily find out your WAN IP right now. In a week, though, check again, and chances are you’ll get a new address.
In other words, even if you write down your current WAN IP address — or remember it by heart — you probably can’t rely on it to dial home. That address might have moved to somebody else’s home network when you do.
That’s where DDNS comes into play: It associates your current WAN IP address — no matter what it is at any given time — with a consistent domain name of your choice.
As a result, you can always use that label (domain name) to access your home network from anywhere in the world without even having to know its IP address.
Dynamic DNS requirements
To take advantage of DDNS, you need three things: A private WAN IP, a Dynamic DNS service, and a DDNS updater device.
1. A private WAN IP
You need to have direct access to your home network’s WAN IP address if you want to dial home. So, you can’t use DDNS if you use somebody else’s IP.
That said, your home network must have a WAN IP of its own. That’s the case of most residential Internet plans, where you have a modem (or gateway) or a fiber optical network terminal (ONT) unit.
But there are situations where you can access the Internet but have no WAN IP of your own — one that you have control over, that is.
Here are some examples of unusual situations where DDNS is a no go:
- You live in a condo (or hotel room) where the building’s central location provides everybody with the Internet. In this case, your local network has no WAN IP of its own. It just has access to the Internet.
- You have an Internet service that uses large-scale NAT (CGNAT).
- You need to keep your ISP-provided gateway and want to put another router on top of it. (In this case, check out this post on a double NAT setup.)
2. Dynamic DNS service
This service is the provider of the domain you want to use. There are many third-party DDNS services, like NoIP, FreeDNS, or Dyn. Some require a small annual fee, but most give you one domain for free. And you don’t need more than one.
Better yet, known networking vendors — Asus, Netgear, TP-Link, and so on — also include a DDNS domain with a router for free. It’s convenient to use the networking vendor’s DDNS, but that’s not necessary.
Extra: Asus routers and DDNS
For its DDNS feature, Asus also includes a secure certificate (SSL) with its routers.
This free SSL certificate is a bonus since a domain needs one — typically requiring an annual fee — to be recognized as “secure” or “private” by a browser. You can use this certificate with any third-party DDNS service, as seen in the screenshot at the top of this page.
Without this certificate, the browser might generically prompt that it’s “unsafe” to visit the domain, even though you know that’s not the case.
That said, considering many of Asus’s home Wi-Fi routers are among the best, if you want to dabble into the world of DDNS with ease, I’d recommend an Asus router. But any router with this feature will do.
3. Dynamic DNS updater device
A DDNS updater resides within your network and does the job of persistently binding a domain name with your WAN IP.
Specifically, this device updates the domain with the new WAN IP each time it changes. And this address doesn’t change that often — it generally does only when the modem restarts. But it’s generally a good idea to have this updater device run at all times.
Most routers and NAS servers have a built-in DDNS updating function. Since your router is the gateway to the Internet, it’s best to use it as the DDNS updater device.
(If a router doesn’t support DDNS, chances are it’s not a good router anyway. It’s not suitable for your needs, considering you’re reading this.)
But alternatively, you can use any device within your network that has a DDNS updating feature, such as a NAS server. Or you can also use a DDNS updater software client on a computer to turn it into an updater.
In this case, again, you only need to run the software each time the IP changes. Still, it’s a good idea to use a stationary and, better yet, always-on computer (like a server or a desktop).
If you use a laptop, make sure you run the software only when within the network you want to use with the DDNS domain. If you use the software when you travel, it will update your DDNS domain with the IP of a different location.
Dynamic DNS: Should I be concerned about security?
Yes, you should always be concerned about security. But that has little — if at all — to do with DDNS.
DDNS does not affect your home network’s security. It doesn’t make your system safer, nor does it make it more vulnerable. The WAN IP — all home networks have one — is all hackers would need to attempt to do bad deeds.
That said, though, a DDNS domain name does make accessing your home network easier — and consistent — since it remains the same even when the WAN IP changes.
(On top of that, keep in mind your DDNS domain provider can know your WAN IP — use one that you trust.)
So, for security reasons, it’s a good idea to keep your DDNS domain name secure. Don’t reveal it to anyone willy-nilly — in a way, it’s like your home address.
(And also like your home address, just because somebody knows it doesn’t necessarily mean you’re in danger.)
Still, follow these good practices to keep your router safe. At the very least, use a secure admin password for your router and avoid using default port numbers — more below.
Steps to set up Dynamic DNS
No matter what router you use — clearly, we’re talking about one that supports DDNS here — the steps to set up DDNS are mostly the same. The following are the general steps.
Setting up DDNS on any router
- Check to make sure your router has the WAN IP address. If it’s the only router (or gateway) you use then that’s always the case. On the other hand, if you use a router on top of another router, make sure you follow these steps to get the WAN IP to the router first.
- Check the router’s web interface to find out what DDNS services it supports — most routers support at least a few — and pick one for yourself. By the way, within a router’s web interface, the location of the DDNS feature varies from one networking vendor to another, but generally, it’s in the WAN (a.k.a Internet) or Advanced or Administration (Admin), or System part.
- Sign up for an account with the DDNS service and pick a domain of your liking. After signing up, you’ll get an account (username and password) and a domain name. Write down this information and keep it secure.
- Go back to your router’s interface and enter the information you have written down at the DDNS section. Apply the changes, and you’ll see a message that the association is successful.
From then on, the domain name is now the persistent address of your home router.
Extra: Setting up DDNS on an Asus router using Asus’ DDNS service
If you use an Asus router and want to use Asus’ built-in free DDNS service, here are the more specific steps:
- Log in to your router’s web interface.
- Under the Advanced Settings menu item, click on WAN and then on the DDNS tab.
- Change the value of Enable the DDNS Client to Yes and Server to WWW.ASUS.COM
- Enter a Host Name value of your liking — your DDNS domain will be hostname.asuscomm.com with hostname being whichever you choose that’s not already taken by somebody else.
- Pick the option to use a Free Certificate from Let’s Encrypt then click on Apply. If the hostname you picked is available, then your DDNS is now ready. If it’s not (already used by somebody else), you’ll get an error. Now repeat from step #4 to pick a new one.
And that’s it; now your DDNS domain name is ready and in effect. And you can use it for any remote access services hosted within your home network.
Understanding network ports
To set up most remote access services, you’ll need to know about network ports. These are identifying numbers at the destination side of a connection.
A router uses a port to determine which application/service on a client, which itself is identified by its IP local address, to deliver a message from the remote party.
Calling a port
Back to the home analogy: if the DDNS domain name is your home address, then ports are like the doors of your house.
That said, a remote party generally needs to specify the port it wants to use by attaching it to the domain name in this format: DomainName:Port (note the colon). It’s like specifying a specific door to knock on.
For example, if the DDNS domain name is hostname.asuscomm.com and you want to use port 1000, then you use this address to send the message through (to a particular device that’s the target of the port number):
hostname.asuscomm.com:1000
Default ports
There are a few exceptions where you don’t need to specify a port; one of them is port 80. This port is a well-known and default port for web hosting.
For this reason, when you type in a domain name in a web browser without specifying any port, it’s understood that you want to call port 80.
For the same token, if you deliberately specify this port with any website (like dongknows.com:80), the port will be omitted automatically. Try a different port number, and you’ll get an error or no result at all.
But the rule of thumb is you generally need to specify a port when you want to access a destination via the Internet.
Port forwarding (a.k.a Virtual Server)
Port forwarding is the job of the router at the destination. It’s a function that opens the called port and delivers messages to a specific device or service within the local network.
For example, if you want to host a website at home, forward port 80 to the computer’s IP address you use as the webserver.
For port forwarding to work consistently, the destination device’s local IP address (the server) needs to remain the same at all times. That is where the router’s IP reservation feature comes into play.
Some networking vendors call port forwarding a “Virtual Server.” Each virtual server is a port forwarding entry. Generally, a home router can handle a few dozen entries.
In a network, any port that’s not forwarded is generally closed. Consequently, any access requests to this port will return an error. (It’s like trying to get through a closed door.)
Note the external and internal sides — you can use the same or different port numbers on each — and the device’s IP address.
The port determines the service (web hosting in this case), and the IP address determines the device within the local network that handles the service (the server in this case.)
Some routers allow two values in port forwarding: external (or public) and internal (private). In this case, external is the port the remote party calls, i.e., the one attached to the domain name as mentioned above. Internal is the port at the device that hosts the service.
You can use the same number for both or use a different one for each. In the latter case, it’s like knocking on the window to get the front door open.
Pro tip
For security, when turning on port forwarding for sensitive services, make sure you do not use the default known default port numbers, at least on the public (external) side.
For example, port numbers 3389 and 8080 are the known defaults for Windows remote desktop and a router’s web interface. They are being checked on all the time by no-good parties.
Specifically, for a remote desktop entry, you can specify the external port as 12345 and keep the 3389 as the internal side. In this case, to call the 3389 port, you can use DomainName:12345 and port 3389 is still hidden from the outside world.
This trick is also useful when, for some reason, you cannot change the port on your local server device.
How to enable remote access to your router’s interface
As mentioned above, DDNS opens up many applications. Using it to remotely access your router’s web interface from anywhere in the world is one of them. And it’s probably the most popular use of DDNS.
For security reasons, routers tend to have this remote access feature turned off by default. Here are the general steps to turn it on:
- Within the router’s interface, navigate to the Remote Management (or Remote Access, or Web Administration, or Web Acess from WAN) section. The location varies depending on the router you use, but it’s generally in the Advanced or System area of the interface.
- Change the setting to enable the feature — it’s alwasy turned off by default. Don’t specify a specific computer or IP for the remote party.
- Change the default port (8080) to a number of your liking, just not one already used for another service — this is a must-do step to keep the connection secure. Turn on https when applicable.
- Apply the changes.
Note the port number.
And that’s it. Since you’ll access the router itself — and not a device within your home network — there’s no need to set up a port forwarding for remote management. In other words, the router already set that up for you.
After this, you can log in to your router’s interface from anywhere in the world via the DDNS domain name. Just make sure you use the correct address.
For example, if hostname.asuscomm.com is your DDNS domain name and 8910 is the port for remote management — again, you can use any other port number to your liking, just don’t use the default or one already used by another device/service –, then the full web address to access your router remotely is:
hostname.asuscomm.com:8910
If you also have HTTPS turned on, then the address now is:
https://hostname.asuscomm.com:8910
Here’s an interesting fact: Using remote access this way is an excellent alternative to signing up for an account with the vendor.
When logging into a router’s or any local device’s web interface, you’ll likely run into a privacy/security error notice where the browser suggests that the website you’re accessing is potentially not safe, like the screenshot below.
The reason is the device’s built-in web server doesn’t at the time have a mechanism to prove that it supports the now-required HTTPs protocol. For that, among other things, it needs to be signed with an external party.
This is similar to when you get a brand-new vehicle — you can’t prove that it’s legit the normal way since it has no license plate or registration. But you know that it’s safe to get in and drive, and if you choose to only use it within your property — like a ranch — you might not even need to register it.
The point is it’s generally safe to ignore this notice and proceed to the interface when using your device. Be concerned with this warning only when you use a third party’s website, especially one that asks you to enter sensitive information like a credit card number or a username/password.
Different browsers have slightly different warnings and ways to bypass, but they all require clicking a few extra times. Pay a bit of attention, and you’ll find out.
Vendor-assisted remote access generally means you’ll have to sacrifice your privacy because your router will connect to the vendor at all times. Dynamic DNS allows you to stay independent, and that’s just one of its many benefits.
The takeaway
Again, Dynamic DNS is by far one of the most valuable features of a home router. It gives users control of their network for advanced applications.
The proper use of this feature and port forwarding is a significant part of turning you into an advanced user. Try them out!
I just tried ASUS Instant Guard on my Wifi-6 router. It does connect but yet to try it on a public wifi.
Is it safe to use the ASUS DDNS address/name?
I tried to turn of an on the ddns setting but the long –
(EXAMPLE) EC298CH99C72YBC99328645.asuscomm.com Never changes, is it default to the router IP or something even if I do a factory reset? is there any risks with it being the same name all the time?
Also when turning on the Instant Guard (macOS iPad app) I have to CMD-V the password each time, I cmd-v it into notes and the password is the same even after reinstalling the vpn configuration and reinstalling the app..
I don’t really have any use for it, and would probably just buy a proper VPN sub if surfing random wifi on Starbucks etc. But wanted to try remote access for the router, if needed in the future.
You can change the DDNS domain via the router’s web user interface. Give this post another good read! After that check out this post on VPN. If you don’t have use for VPN then don’t use it. Paying attention is the key.
If I am setting up remote access via a ddns I should not use default ports. Am I correct to conclude that I can use any Port within this range 49152-65535. Also how do I determine if a given Port in this range is already in use.?
You can use ports as low as two digits, Ryan. Generally, the router will tell you if a port is used for something else already, or not applicable.
Great so any of the ports I mentioned will work Thanks
Hi, I have my own domain. The method that it uses to update the DDNS is Cpanel, webcall URL. I am looking for a cable modem ( Docsis 3.0) to which you can add a custom DDNS url. Not noip dyndns etc. Do you know of any ?
What you talked about is not a modem, James, but a router. More here.
As for your need, the best way is this:
1. Set up a Dynamic DNS as described in this post, such as janes.DynamicDNS.domain
2. On your customize domain, such as abc.com, maps the CNAME to point to your DDNS domain. So abc.com -> janes.DynamicDNS.domain
In short, unless you have a static IP address, you still need to use a Dynamic DNS account.
Hi Dong, read up on your post a few times. There’s one thing I’m not sure of. If I am just happy accessing my router from ‘outside the house”, no port forwarding/VPN/NAS etc. why should I configure this, as with the ASUS app (GT11000 + AX92’s) I can do that already?
I’m asking because I had to grant permission for data collection to Alexa and IFTTT.
Thanks in advance, Henk
The Asus router app would turn on the router’s DDNS, Henk, using a randomly picked domain. That’s the only reason you don’t need a login account — like the case with all other vendors. (But there’s also an option to use an Asus account now which you shouldn’t use.)
There’s no other way for any type of remote access. It’s not like your phone can magically find your home router among all others.
By the way, if you change the DDNS domain to something you like, as I mentioned in this post, the app will automatically use that, too, instead of the one it created on its own.
👍🏻
Dong, many thanks for another excellent tech write-up. As I understand it, moving to a DDNS set up allows me to access my Asus XT8 AiMesh setup remotely from outside my private home network. Unfortunately, I seem to be missing something after following your steps because I am unable to access my Synology 220+ NAS running DSM 7.0.1 (even within my home network) after enabling my router’s DDNS feature. I know the NAS’s DSM has a port forwarding feature, but after looking through your discussion of port forwarding, it’s not clear to me what (if any) additional steps I need to take to resolve this issue. By any chance, would you have any plans to write an update to this article to explain how to integrate a Synology NAS into a DDNS-enabled Asus router environment? Asking for a friend.😁Thanks!
If you haven’t messed up a lot, you need to add “:5000” (no quotes) to the DDNS domain and forward port 5000 to the server’s IP within the router, Tom. You need to understand the principles — just read the post closely again — there’s no way one can write you a 1-2-3 step guide for every port forwarding scenario. There are 10s of thousands of them.
Thanks for the additional explanation. Also, FWIW, I’ve re-read your excellent article several times as you’ve suggested with the goal of sussing out the magic process. My hope is that when I apply your teachings later tomorrow I will be able to sort what is, from my liberal arts and non-tech perspective, a very difficult subject to grasp, much less implement. Perhaps in my next life I will be lucky enough to graduate cum laude with a technical degree.
I hear you, Tom. But I’m sure you can do it. Just remember you have to do it 100% correctly, you can’t ballpark this. Here are some extra for you.
1. Make sure you have your WAN IP at your router, meaning you’re not using a router on top of a gateway. In that case, deal with the double NAT first.
2. Set up DDNS, you can do that either on the router or your NAS server. Assuming your domain is now tom.dongknows.com (it will be something else.)
3. If you haven’t changed anything on your NAS server, here’s how to call it from outside your home (you have to do step #4 first): http://tom.dongknows.com:5000 That’s because 5000 is the default port for Synology NAS. If you want to change it, on your NAS go to Control Panel -> Login Portal and change the port to whatever you want. Just make sure you remember it.
4. On your router, forward the port 5000 (or whatever you use) to the IP address of your NAS server.
That’s it. Good luck! 🙂
Got it! Many thanks!! Your site is the best for “stuggling non-STEM guys” like me.😁
Sure, Tom. 🙂
I’m using a VPN to access my local network from abroad. I have enabled the Free Server Certificate in the Asus router. Do I need to configure/import this certificate to my device or VPN server to make it work?
No, Donny, and you can’t anyway. The cert is only on the server side.
So is the DDNS certificate working with my vpn by just enabling “Free Certificate from Let’s Encrypt” on the router? Reason for asking is since I see an export button for the certificate assuming I need to import this file elsewhere to make it work.
Yes, Donny. The import option is for when you have one of your own.
Thanks Dong
While setting up DDNS on my ZenWifi AX6600 Mesh sytem, it shows:
1. The wireless router currently uses a private WAN IP address.
2. This router may be in the multiple-NAT environment and DDNS service cannot work in this environment.
My XT8 is connected to the ISP provided ONU with a PPoE connection in router mode. Further I have other mesh nodes connected to this main node.
I’m not able to setup DDNS henceforth
I mentioned that in the post, Parth. Also, check out this one for your situation. Make sure you read closely.
Um, actually, one correction: Netgear is screwing over its customers still with the nagware NoIP DDNS option only.
Anyhow, one other question…. in the article above, it says something about DDNS not working with another router on top of your own ISP modem/router, yet that’s exactly what I have with my Cox ISP modem/router connected to my Asus router, which has an Asus DDNS account made for my webcams to communicate to. It works fine. Am I missing something?
That’s correct, you need to turn your ISP gateway into the bridge mode. More in this post about how to use a router on top of another. And by way, if you go wth NoIP, it’ll nag you every 30 days to pay or “confirm” the account. If you miss confirming, it’ll disable the DDNS domain. Quite horrible.
Oooohhh. Right. I just assumed everyone did that. Might want to clarify in the article above that DDNS is a no go with a router on top of the ISP router IF you don’t enable bridge mode.
Why wouldn’t anyone enable bridge mode under those circumstances? It doesn’t make sense why someone would choose not to do that. Then again, I’m a neophyte. Also, as long as y’all are so quick to answer, Asus mesh systems don’t get great reviews (not the AiMesh thing… that’s too tricky for me), is there a reason for that? No way am I changing from Asus and their free DDNS service.
Spend some more time on this website — use the site search — before asking further questions, JK. I don’t have comments on stuff you have learned elsewhere.
So, just to be clear. In a 2015 posting, someone asked about Netgear vs Asus for their DDNS service. Asus has provided a free DDNS service for me since I started with their routers in 2015 (they probably offered it before). It’s why I keep buying Asus. Netgear, from my understanding, only offers a ‘free’ DDNS through No-IP, which requires logging onto the NoIP site every month to renew it…. hardly free (from effort). Asus’s is truly free. Hence I refuse to buy Netgear. Does anyone know if Netgear got their act together, or for my new Mesh system, do I stick with Asus? I use webcams and want a DDNS to access them from the road.
You should stick with Asus, especially on the DDNS front. Netgear has gone the vendor-assisted route with a login account etc.
Thank you for this clarification. Do you have any idea how hard it was to get this answered? The NetGear forum sites have people complaining, but I’m stunned it’s not more clearly stated when people are reviewing routers. Is Asus the only company that provides a free DDNS with their routers? Why isn’t Netgear being slammed more for this gross deficiency?
Your technical notes are very helpful and very well written. Thank you.
You’re very kind, Wilf. And you’re welcome. 🙂
Yup. Very nice, but doesn’t work. My provider uses CGNAT :-(. I didn’t know when I signed up. It is this with 500MBit or 30MBit ADSL.
Yeap, Sven, unfortunately, that’s a form of double NAT. You’re in a pickle there.