Dynamic DNS, or DDNS, is one of the most powerful features of a home Wi-Fi router. It’s the base for hosting many services within your home network.
Examples of these services are a VPN server or a remote desktop connection. At the very least, DDNS allows you to manage your router when you’re away from home using the familiar web interface.
This post will explain what DDNS is and how to set one up to enable remote access to your home router in layman’s terms. It’ll also talk about port forwarding, the most popular networking feature used in tandem with DDNS.
Though this is in the realm of advanced networking, DDNS is straightforward. Still, before continuing, make sure you’re familiar with IP addresses, especially the WAN IP.
Dong’s note: I first published this piece on April 24, 2019, and updated it on November 1, 2020, to include additional relevant information.
Dynamic DNS explained
To know what DDNS is, you first need to understand DNS — short for domain name system. You can find out more about DNS in this post, but, in a nutshell, DNS is a mechanism that associates a label — such as a domain name like dongknows.com — with an IP address.
DNS is helpful because it’s much easier for us to remember a label than a string of numbers. (This is similar to your phone’s Contacts, where you only need to remember your friends’ names and not their digits.)
Dynamic DNS is the same concept but applies to a periodically changing or “dynamic” WAN IP. The majority of home broadband plans don’t include a static WAN IP — it’s expensive to have a fixed WAN IP address that remains the same at all times.
You can easily find out your WAN IP right now. In a week, though, check again, and chances are you’ll get a new address.
In other words, even if you write down your current WAN IP address — or remember it by heart — you probably can’t rely on it to dial home. That address might have moved to somebody else’s home network when you do.
That’s where DDNS comes into play: It associates your current WAN IP address — no matter what it is at any given time — with a consistent domain name of your choice.
As a result, you can always use that label (domain name) to access your home network from anywhere in the world without even having to know its IP address.
Dynamic DNS requirements
To take advantage of DDNS, you need three things: A private WAN IP, a Dynamic DNS service, and a DDNS updater device.
1. A private WAN IP
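You need to have direct access to your home network’s WAN IP address if you want to dial home. So, you can’t use DDNS if you use somebody else’s IP. (“Private” here means a WAN IP that belongs to your connection alone, not a private-range address such as 192.168.x.x.)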
That said, your home network must have a WAN IP of its own. That’s the case of most residential Internet plans, where you have a modem (or gateway) or a fiber optical network terminal (ONT) unit.
But there are situations where you can access the Internet but have no WAN IP of your own — one that you have control over, that is.
Here are some examples of unusual situations where DDNS is a no go:
- You live in a condo (or hotel room) where the building’s central location provides everybody with the Internet. In this case, your local network has no WAN IP of its own. It just has access to the Internet.
- You have an Internet service that uses large-scale NAT (CGNAT).
- You need to keep your ISP-provided gateway and want to put another router on top of it. (In this case, check out this post on a double NAT setup.)
2. Dynamic DNS service
This service is the provider of the domain you want to use. There are many third-party DDNS services, like NoIP, FreeDNS, or Dyn. Some require a small annual fee, but most give you one domain for free. And you don’t need more than one.
Better yet, known networking vendors — Asus, Netgear, TP-Link, and so on — also include a DDNS domain with a router for free. It’s convenient to use the networking vendor’s DDNS, but that’s not necessary.
Extra: Asus routers and DDNS
For its DDNS feature, Asus also includes a secure certificate (SSL) with its routers.
This free SSL certificate is a bonus since a domain needs one — typically requiring an annual fee — to be recognized as “secure” or “private” by a browser. You can use this certificate with any third-party DDNS service, as seen in the screenshot at the top of this page.
Without this certificate, the browser might generically prompt that it’s “unsafe” to visit the domain, even though you know that’s not the case.
That said, considering many of Asus’s home Wi-Fi routers are among the best, if you want to dabble into the world of DDNS with ease, I’d recommend an Asus router. But any router with this feature will do.
3. Dynamic DNS updater device
A DDNS updater resides within your network and does the job of persistently binding a domain name with your WAN IP.
Specifically, this device updates the domain with the new WAN IP each time it changes. And this address doesn’t change that often — it generally does only when the modem restarts. But it’s generally a good idea to have this updater device run at all times.
Most routers and NAS servers have a built-in DDNS updating function. Since your router is the gateway to the Internet, it’s best to use it as the DDNS updater device.
(If a router doesn’t support DDNS, chances are it’s not a good router anyway. It’s not suitable for your needs, considering you’re reading this.)
But alternatively, you can use any device within your network that has a DDNS updating feature, such as a NAS server. Or you can also use a DDNS updater software client on a computer to turn it into an updater.
In this case, again, you only need to run the software each time the IP changes. Still, it’s a good idea to use a stationary and, better yet, always-on computer (like a server or a desktop).
If you use a laptop, make sure you run the software only when within the network you want to use with the DDNS domain. If you use the software when you travel, it will update your DDNS domain with the IP of a different location.
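The decision an updater makes on each check, including the situations from requirement #1 where DDNS can't work, can be sketched as follows. This is an added example, not code from any router or DDNS vendor; the function names, the `on_home_network` flag, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Ranges that mean the router's WAN port is NOT directly on the Internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # large-scale NAT (RFC 6598)
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918

def classify_wan(router_wan_ip, observed_public_ip):
    """Return 'public', 'cgnat', 'double-nat' or 'mismatch'.

    router_wan_ip: address shown on the router's WAN/Internet status page.
    observed_public_ip: address a remote "what is my IP" service reports.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in PRIVATE):
        return "double-nat"      # another router or a building network sits upstream
    if wan != ipaddress.ip_address(observed_public_ip):
        return "mismatch"        # something upstream rewrites the address
    return "public"

def updater_action(router_wan_ip, observed_public_ip, published_ip,
                   on_home_network=True):
    """Decide what a DDNS updater should do on one polling cycle.

    published_ip: the address the DDNS domain currently resolves to.
    on_home_network: False for a laptop client that is travelling.
    """
    if not on_home_network:
        return ("skip", "updating now would publish another location's IP")
    kind = classify_wan(router_wan_ip, observed_public_ip)
    if kind != "public":
        return ("unusable", kind)
    if ipaddress.ip_address(published_ip) == ipaddress.ip_address(observed_public_ip):
        return ("nochange", observed_public_ip)
    return ("update", observed_public_ip)

if __name__ == "__main__":
    # Constructed cases: modem restarted and handed out a new address, then CGNAT.
    print(updater_action("203.0.113.9", "203.0.113.9", "203.0.113.7"))
    print(updater_action("100.72.1.5", "198.51.100.20", "203.0.113.7"))
```
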
Dynamic DNS: Should I be concerned about security?
Yes, you should always be concerned about security. But that has little — if at all — to do with DDNS.
DDNS does not affect your home network’s security. It doesn’t make your system safer, nor does it make it more vulnerable. The WAN IP — all home networks have one — is all hackers would need to attempt to do bad deeds.
That said, though, a DDNS domain name does make accessing your home network easier — and consistent — since it remains the same even when the WAN IP changes.
(On top of that, keep in mind your DDNS domain provider can know your WAN IP — use one that you trust.)
So, for security reasons, it’s a good idea to keep your DDNS domain name secure. Don’t reveal it to anyone willy-nilly — in a way, it’s like your home address.
(And also like your home address, just because somebody knows it doesn’t necessarily mean you’re in danger.)
Still, follow these good practices to keep your router safe. At the very least, use a secure admin password for your router and avoid using default port numbers — more below.
Steps to set up Dynamic DNS
No matter what router you use — clearly, we’re talking about one that supports DDNS here — the steps to set up DDNS are mostly the same. The following are the general steps.
Setting up DDNS on any router
- Check to make sure your router has the WAN IP address. If it’s the only router (or gateway) you use then that’s always the case. On the other hand, if you use a router on top of another router, make sure you follow these steps to get the WAN IP to the router first.
- Check the router’s web interface to find out what DDNS services it supports — most routers support at least a few — and pick one for yourself. By the way, within a router’s web interface, the location of the DDNS feature varies from one networking vendor to another, but generally, it’s in the WAN (a.k.a. Internet), Advanced, Administration (Admin), or System section.
- Sign up for an account with the DDNS service and pick a domain of your liking. After signing up, you’ll get an account (username and password) and a domain name. Write down this information and keep it secure.
- Go back to your router’s interface and enter the information you have written down at the DDNS section. Apply the changes, and you’ll see a message that the association is successful.
From then on, the domain name is now the persistent address of your home router.
Extra: Setting up DDNS on an Asus router using Asus’ DDNS service
If you use an Asus router and want to use Asus’ built-in free DDNS service, here are the more specific steps:
1. Log in to your router’s web interface.
2. Under the Advanced Settings menu item, click on WAN and then on the DDNS tab.
3. Change the value of Enable the DDNS Client to Yes and Server to WWW.ASUS.COM.
4. Enter a Host Name value of your liking — your DDNS domain will be hostname.asuscomm.com with hostname being whichever you choose that’s not already taken by somebody else.
5. Pick the option to use a Free Certificate from Let’s Encrypt then click on Apply. If the hostname you picked is available, then your DDNS is now ready. If it’s not (already used by somebody else), you’ll get an error. Now repeat from step #4 to pick a new one.
And that’s it; now your DDNS domain name is ready and in effect. And you can use it for any remote access services hosted within your home network.
Understanding network ports
To set up most remote access services, you’ll need to know about network ports. These are identifying numbers at the destination side of a connection.
A router uses the port to determine which application or service on a client (which itself is identified by its local IP address) should receive a message from the remote party.
Calling a port
Back to the home analogy: if the DDNS domain name is your home address, then ports are like the doors of your house.
That said, a remote party generally needs to specify the port it wants to use by attaching it to the domain name in this format: DomainName:Port (note the colon). It’s like specifying a specific door to knock on.
For example, if the DDNS domain name is hostname.asuscomm.com and you want to use port 1000, then you use this address to send the message through (to a particular device that’s the target of the port number):
hostname.asuscomm.com:1000
There are a few exceptions where you don’t need to specify a port; one of them is port 80. This port is a well-known and default port for web hosting.
For this reason, when you type in a domain name in a web browser without specifying any port, it’s understood that you want to call port 80.
By the same token, if you deliberately specify this port with any website (like dongknows.com:80), the port will be omitted automatically. Try a different port number, and you’ll get an error or no result at all.
But the rule of thumb is you generally need to specify a port when you want to access a destination via the Internet.
Port forwarding (a.k.a Virtual Server)
Port forwarding is the job of the router at the destination. It’s a function that opens the called port and delivers messages to a specific device or service within the local network.
For example, if you want to host a website at home, forward port 80 to the computer’s IP address you use as the webserver.
For port forwarding to work consistently, the destination device’s local IP address (the server) needs to remain the same at all times. That is where the router’s IP reservation feature comes into play.
Some networking vendors call port forwarding a “Virtual Server.” Each virtual server is a port forwarding entry. Generally, a home router can handle a few dozen entries.
In a network, any port that’s not forwarded is generally closed. Consequently, any access requests to this port will return an error. (It’s like trying to get through a closed door.)
Some routers allow two values in port forwarding: external (or public) and internal (private). In this case, external is the port the remote party calls, i.e., the one attached to the domain name as mentioned above. Internal is the port at the device that hosts the service.
You can use the same number for both or use a different one for each. In the latter case, it’s like knocking on the window to get the front door open.
For security, when turning on port forwarding for sensitive services, make sure you do not use the known default port numbers, at least on the public (external) side.
For example, port numbers 3389 and 8080 are the known defaults for Windows remote desktop and a router’s web interface. They are being checked on all the time by no-good parties.
Specifically, for a remote desktop entry, you can specify the external port as 12345 and keep the 3389 as the internal side. In this case, to call the 3389 port, you can use DomainName:12345 and port 3389 is still hidden from the outside world.
This trick is also useful when, for some reason, you cannot change the port on your local server device.
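The external/internal mapping and the checks described in this section can be modeled in a few lines. This is an added example, not any router's firmware logic; the `Forward` record, the function names, and the sample table (constructed) are assumptions, while the two default ports are the ones named above.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Forward:
    name: str
    external_port: int   # port the remote party attaches to the domain name
    internal_ip: str     # LAN address of the device hosting the service
    internal_port: int   # port the service listens on at that device

# Known defaults named in the article.
WELL_KNOWN_DEFAULTS = {3389: "Windows remote desktop", 8080: "router web interface"}

def route(forwards, called_port):
    """Mimic the router: (ip, port) for a forwarded port, None if the port is closed."""
    for f in forwards:
        if f.external_port == called_port:
            return (f.internal_ip, f.internal_port)
    return None

def audit(forwards, lan_cidr, reserved_ips):
    """Return a sorted list of (rule name, finding) for risky or fragile entries."""
    lan = ipaddress.ip_network(lan_cidr)
    findings, seen = [], {}
    for f in forwards:
        if f.external_port in WELL_KNOWN_DEFAULTS:
            findings.append((f.name, "external port %d is the default for %s"
                             % (f.external_port, WELL_KNOWN_DEFAULTS[f.external_port])))
        if f.external_port in seen:
            findings.append((f.name, "external port %d already used by %s"
                             % (f.external_port, seen[f.external_port])))
        seen.setdefault(f.external_port, f.name)
        if ipaddress.ip_address(f.internal_ip) not in lan:
            findings.append((f.name, "target %s is outside the LAN %s"
                             % (f.internal_ip, lan)))
        elif f.internal_ip not in reserved_ips:
            findings.append((f.name, "target %s has no IP reservation" % f.internal_ip))
    return sorted(findings)

# Constructed sample table: one remapped RDP entry, one on the default port,
# and a web server whose LAN address was never reserved.
SAMPLE = [
    Forward("rdp-remapped", 12345, "192.168.1.50", 3389),
    Forward("rdp-default", 3389, "192.168.1.51", 3389),
    Forward("web", 80, "192.168.1.60", 80),
]
```

Moving a service to a non-default external port only takes it off the port that automated checks aim at; the service behind it still depends on its own authentication.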
How to enable remote access to your router’s interface
As mentioned above, DDNS opens up many applications. Using it to remotely access your router’s web interface from anywhere in the world is one of them. And it’s probably the most popular use of DDNS.
For security reasons, routers tend to have this remote access feature turned off by default. Here are the general steps to turn it on:
- Within the router’s interface, navigate to the Remote Management (or Remote Access, or Web Administration, or Web Access from WAN) section. The location varies depending on the router you use, but it’s generally in the Advanced or System area of the interface.
- Change the setting to enable the feature — it’s always turned off by default. Don’t specify a specific computer or IP for the remote party.
- Change the default port (8080) to a number of your liking, just not one already used for another service — this is a must-do step to keep the connection secure. Turn on https when applicable.
- Apply the changes.
And that’s it. Since you’ll access the router itself — and not a device within your home network — there’s no need to set up a port forwarding for remote management. In other words, the router already set that up for you.
After this, you can log in to your router’s interface from anywhere in the world via the DDNS domain name. Just make sure you use the correct address.
For example, if hostname.asuscomm.com is your DDNS domain name and 8910 is the port for remote management — again, you can use any other port number to your liking, just don’t use the default or one already used by another device/service — then the full web address to access your router remotely is:
http://hostname.asuscomm.com:8910
If you also have HTTPS turned on, then the address now is:
https://hostname.asuscomm.com:8910
Here’s an interesting fact: Using remote access this way is an excellent alternative to signing up for an account with the vendor.
When logging into a router’s or any local device’s web interface, you’ll likely run into a privacy/security error notice where the browser suggests the webpage is potentially unsafe, as shown in the screenshot below.
The reason is that the device’s built-in web server has no way to prove its identity over the now-required HTTPS protocol. For that, among other things, its certificate needs to be signed by an external party.
It’s safe to ignore this notice and proceed to the interface when using your local device.
Different browsers have slightly different warnings and ways to bypass them, but they all require clicking a few extra times. Pay a bit of attention, and you’ll find out.
Vendor-assisted remote access generally means you’ll have to sacrifice your privacy because your router will connect to the vendor at all times. Dynamic DNS allows you to stay independent, and that’s just one of its many benefits.
Again, Dynamic DNS is by far one of the most valuable features of a home router. It gives users control of their network for advanced applications.
The proper use of this feature and port forwarding is a significant part of turning you into an advanced user. Try them out!