
Dynamic DNS and Port Forwarding Explained: How To Customize Your Router for Secure Remote Access


Dynamic DNS, or DDNS for short, is one of the most powerful features available in Wi-Fi routers. Though not router-exclusive, when coupled with port forwarding, DDNS is the base for hosting many services within your home network.

Examples of these services are VPN servers or remote desktop connections. At the very least, DDNS allows you to manage your standard router when you're away from home using the familiar web interface—provided it's not a Netgear.

This post will explain dynamic DNS and port forwarding in simple terms and how to use them to enable remote access to your home. Though this is in the realm of advanced networking, DDNS is straightforward. Still, before continuing, make sure you're familiar with IP addresses, especially the WAN IP.

The Dynamic DNS section on the web interface of an Asus router.

Dynamic DNS explained

To understand DDNS, you first need to understand DNS, which stands for domain name system. You can find out more about DNS in this post, but in a nutshell, DNS is a mechanism that associates a label—such as a domain name like dongknowstech.com—with an IP address.

A quick refresh: DNS is helpful because it's much easier for us to remember a label than a string of numbers.

DNS server in brief

In a nutshell, a DNS server is similar to a public directory. It points you to where you want to go among millions of online websites, applications, and services.

A DNS server is not to be confused with Dynamic DNS, which works somewhat the opposite way.

Here's a specific example of the role DNS plays:

Let's say you want to access this website directly and enter its domain name, DongKnowsTech.com, on your browser, such as Chrome, Firefox, or Edge. The following will happen:

  1. The browser queries the system's designated DNS server about the user-provided domain name.
  2. The DNS server looks up the domain to verify that it exists and is attached to a website. If so, it returns the website's unique IP address, which is a string of seemingly random numbers.
  3. The browser follows that IP address to load the page you're viewing.

This process is necessary because computers only understand numbers, while humans are bad at remembering them. In a way, the domain name is the vanity moniker of a website's IP address. "DongKnowsTech" is much easier to remember than 73.124.79.110 or any other random string of numbers.

Here's how your DNS server works to help you access this web page. (The IP address is only for demo purposes.)

And you're reading this page on your screen because such a process has worked. A similar procedure occurs whenever you want to reach an online party using any application.

In many ways, a DNS server is similar to the once-commonplace telephone directory service, where you only need to remember a person's name, not their phone number. It's the first thing that must happen before a connection can be established.

What is Dynamic DNS?

Dynamic DNS is the same concept as DNS but applies to a periodically varying, or "dynamic", WAN IP. Additionally, while a DNS server helps us reach a remote party, such as a website or a streaming service, Dynamic DNS is often used in the opposite direction—when we want to dial home while out and about.

The majority of home broadband plans don't include a static WAN IP—it's expensive to have a fixed WAN IP address that remains the same at all times—which makes DDNS a much-needed feature when you want to use your home as an online destination for outside parties, including you when traveling, to reach.

You can easily find out your WAN IP right now. In a week, though, check again, and chances are you'll get a new address. You often get a new WAN IP address when you restart your router or your terminal device, which is a cable modem or a Fiber-optic ONT.

In other words, even if you write down your current WAN IP address—or remember it by heart—you probably can't rely on it to dial home. That address might have already been moved to somebody else's home network when you do.

That's where DDNS comes into play: It associates your current WAN IP address—no matter what it is at any given time—with a consistent domain name of your choice. Now, instead of having to fumble with the IP itself, all you have to do is remember that domain name, and you know you can reach home when necessary.

Dynamic DNS requirements

To take advantage of DDNS, you need three things: A private WAN IP, a Dynamic DNS service, and a DDNS updater device.

1. A private WAN IP

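You need an exclusive WAN IP address if you want to set up an online service or dial home. ("Private" here means the address is yours alone and reachable from the Internet, not that it comes from a private address range such as 192.168.x.x.) While this IP might change from time to time, at any given time, it must be unique and assigned to your location by the Internet provider.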

Generally, that's the case for most residential Internet plans—the WAN IP is assigned to your terminal devices, such as your cable modem (or gateway) or fiber-optic ONT, and then given to your router.

But there are situations where you can access the Internet but have no WAN IP of your own—one that you control. Here are some examples of unusual situations where DDNS is a no-go:

  • You live in a condo (or hotel room) where the building's central location provides everybody with the Internet. In this case, your local network has no WAN IP of its own. It just has access to the Internet.
  • You have an Internet service that uses large-scale NAT (CGNAT).
  • You need to keep your ISP-provided gateway and want to put another router on top of it. (In this case, check out this post on a double NAT setup.)

In short, if you have a typical broadband service, chances are you have your own (dynamic) WAN IP address.

2. Dynamic DNS service

This service is the provider of the domain you want to use. Many third-party DDNS services exist, like NoIP, FreeDNS, or Dyn. Some require a small annual fee, but most give you one domain for free—and you don't need more than one.

Better yet, known networking vendors—such as Asus or TP-Link—also include a free DDNS domain with a router. While it's convenient to use the networking vendor's DDNS, it's not necessary. Use the service you can trust or are comfortable with.

3. Dynamic DNS updater device

A DDNS updater must reside within your network and does the job of persistently binding a domain name with your WAN IP.

Specifically, this device updates the domain with the new WAN IP each time it changes. While this address doesn't change that often—as mentioned above, your network is generally assigned a new WAN IP when the modems or router restart—it's a good idea to have this updater device running at all times.

Most routers and NAS servers have a built-in DDNS updating function. Since your router is the gateway to the Internet, it's best to use it as the DDNS updater device. If a router doesn't support DDNS, it's probably not a good router anyway.

Alternatively, you can use any device within your network that has a DDNS updating feature, such as a NAS server. You can also turn a computer into an updater by installing a DDNS updater software client. To be sure, you can use more than one updater within a network. However, in most cases, the router's Dynamic DNS feature is enough.

Important: Do not use a device that you often move out of your network, such as a laptop, as the DDNS updater. As you can imagine, that will cause your domain to be synced up with a foreign WAN IP address.

For the rest of this post, we'll use the router as the DDNS updater.
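The two requirements above (a WAN IP of your own, and an updater that keeps the domain pointed at it) can be checked before you rely on DDNS. The following is an added example, not part of the original post: it classifies the WAN address your router reports and tells you whether the DDNS name still matches it. All addresses in it are constructed documentation values, and the function names are made up for this illustration.

```python
import ipaddress
import socket

# Reference data: IPv4 ranges that are never reachable from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # shared space used by large-scale NAT
UNUSABLE = [ipaddress.ip_network(n) for n in
            ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]


def wan_kind(addr):
    """Classify the WAN address shown on the router's status page."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        return "double-nat"   # the router sits behind another router or gateway
    if ip in CGNAT:
        return "cgnat"        # the provider shares one public address among customers
    if any(ip in net for net in UNUSABLE):
        return "invalid"
    return "public"


def diagnose(router_wan, seen_from_internet, ddns_resolves_to):
    """Return (status, detail).

    router_wan         -- WAN IP from the router's status page
    seen_from_internet -- address an outside "what is my IP" page reports
    ddns_resolves_to   -- address the DDNS name currently resolves to, or None
    """
    kind = wan_kind(router_wan)
    if kind != "public":
        return "no-public-wan", f"router WAN {router_wan} is {kind}; DDNS cannot reach it"
    if ipaddress.IPv4Address(seen_from_internet) != ipaddress.IPv4Address(router_wan):
        return "no-public-wan", (f"the Internet sees {seen_from_internet}, not "
                                 f"{router_wan}: something upstream is doing NAT")
    if ddns_resolves_to is None:
        return "ddns-unset", "the DDNS name does not resolve yet"
    if ipaddress.IPv4Address(ddns_resolves_to) != ipaddress.IPv4Address(router_wan):
        return "ddns-stale", (f"the name points at {ddns_resolves_to}: the updater has not "
                              "run, or an updater on another network overwrote it")
    return "ok", f"the name resolves to this network's WAN IP {router_wan}"


def resolve_ddns(name):
    """Live lookup for ddns_resolves_to; returns None if the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed cases (documentation addresses, not real networks).
    cases = [
        ("203.0.113.7", "203.0.113.7", "203.0.113.7"),    # healthy setup
        ("192.168.0.2", "198.51.100.20", None),           # router on top of a gateway
        ("100.72.10.4", "198.51.100.20", None),           # CGNAT
        ("203.0.113.7", "203.0.113.7", "198.51.100.9"),   # laptop updater left home
    ]
    for case in cases:
        print(case, "->", diagnose(*case))
```

The "ddns-stale" result is what you would see after a laptop used as the updater has synced the domain from somewhere else.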

Extra: Should I be concerned about security when using Dynamic DNS?

You should always be concerned about security, but that has little—if anything—to do with DDNS.

DDNS does not affect your home network's security. It doesn't make your system safer or more vulnerable. The WAN IP—all home networks have one—is all hackers would need to attempt evil deeds.

That said, though, a DDNS domain name does make accessing your home network convenient and more consistent since it remains the same even when the WAN IP changes. Also, keep in mind your DDNS domain provider can know your WAN IP, so use one that you trust.

So, for security reasons, it's a good idea to keep your DDNS domain name secure. Don't reveal it to anyone willy-nilly—in a way, it's like your home address. If a party knows your WAN IP alone, that doesn't mean they can hack you immediately.

Your WAN IP (or DDNS domain) can be likened to your home address. Just because somebody knows it doesn't necessarily mean you're in danger, but it's generally a good idea to keep it private.

Follow these good practices to keep your router safe. At the very least, use a secure admin password and avoid using default port numbers for any remote access application. We'll come back to this soon.

Steps to set up Dynamic DNS on a router

No matter what router you use—clearly, we're talking about one that supports DDNS here—the steps to set up DDNS are mostly the same. The following are the general steps.

Setting up DDNS on any router

  1. Check to make sure your router has the WAN IP address. If it's the only router (or gateway) you use, then that's always the case. On the other hand, if you use a router on top of another router, make sure you follow these steps to get the WAN IP to the router first.
  2. Check the router's web interface to find out what DDNS services it supports—most routers support at least a few—and pick one for yourself. The location of the DDNS feature within a router's web interface varies from one networking vendor to another. Still, generally, it's in the WAN (a.k.a. Internet), Advanced, Administration (Admin), or System part.
  3. Sign up for an account with the DDNS service and pick a domain of your liking. After signing up, you'll get an account (username and password) and a domain name. Write down this information and keep it secure.
  4. Go back to your router's interface and enter the information you have written down in the DDNS section. Apply the changes, and you'll see a message that the association is successful.

From then on, the domain name will be the persistent address of your home router.

A specific example: Steps to set up DDNS using Asus’s DDNS service

The Dynamic DNS page of an Asus router—routers of other brands generally have a similar page. In this example, the DDNS domain is DongKnowsTech.asuscomm.com.

If you use an Asus router and want to use Asus' built-in free DDNS service, here are the more specific steps:

  1. Log in to your router's web interface, navigate to the Advanced Settings menu item, click on WAN, and then click on the DDNS tab.
  2. Change the value of Enable the DDNS Client to Yes and Server to WWW.ASUS.COM.
  3. Enter a Host Name value of your liking. Your DDNS domain will be in the hostname.asuscomm.com format, with the hostname being whichever you choose that has not already been taken by somebody else.

That's it. Your DDNS domain name is ready and in effect. You can use it for any remote access services hosted within your home network.

Understanding network ports

To set up most remote access services, you'll need to know about network ports, which are identifying numbers on the destination side of a connection.

A router uses the port number to determine which client within the local network, identified by its local IP address, should receive a given piece of incoming Internet traffic from a remote party.

Calling a port

Back to the home analogy: if the DDNS domain name is your home address, then ports are like the doors of your house. That said, a remote party generally needs to specify the port it wants to use by attaching it to the domain name in this format:

DomainName:Port

(Note the colon and the fact there are no spaces in the entire string.)

When you call a domain name in that format, such as by typing it into the address bar of a web browser, you're specifying a particular door of the house to knock on.

More specifically, if the DDNS domain name is DongKnowsTech.asuscomm.com as shown in the example above, and you want to use port 1000, then you use this address to send the message through (to a particular device that's the target of the port number—more below):

DongKnowsTech.asuscomm.com:1000

As a rule of thumb, you need to specify a port when you want to access a particular device or service within the destination local network via the Internet. That's almost always the case.

Default ports

There are a few exceptions where you don't need to specify a port; one of them is port 80. This port is a well-known and default port for web hosting.

For this reason, when you type in a domain name, such as dongknows.com, in a web browser without specifying any port, it's understood that you want to call port 80.

By the same token, if you deliberately specify this port with any website—such as http://dongknows.com:80—the website will load, and the port number will be removed automatically from the address. Try the same domain on a browser using a different port number—such as dongknows.com:123—and you'll get an error or no result at all.

Port forwarding (a.k.a Virtual Server)

Port forwarding is the job of the router at the destination. It opens the called port and delivers messages to a specific device or service within the local network. In other words, it makes the device or service the target of the port being called.

For example, if you want to host a website at home, forward port 80 to the local IP address of the computer you have set up as the webserver.

For port forwarding to work consistently, the destination device's local IP address (the server) needs to remain the same at all times. That is where the router's IP reservation feature comes into play.

Some networking vendors call port forwarding a "Virtual Server." Each virtual server is a port forwarding entry. Generally, a home router can handle a few dozen entries.

In a network, any port that's not forwarded is generally closed. Consequently, any access requests to this port will return an error. (It's like trying to get through a locked door.)

Here's an example of a port forwarding entry for a web server on a TP-Link Archer router. This particular case is for Remote Desktop, which uses the 3389 port by default. The entry allows a remote party to access a Windows computer with the shown IP address using the built-in Remote Desktop app.
Note the device's IP address and the ports. You can use the same or different port numbers for the External and Internal ports—only the former is exposed to the outside world.
The port determines the pre-programmed service (Microsoft's Remote Desktop in this case), and the IP address determines the device within the local network that handles that service (a Windows Pro computer.)

Some routers allow two values in port forwarding: external (or public) and internal (private). In this case, external is the port the remote party calls, i.e., the one attached to the domain name as mentioned above. Internal is the port at the device that hosts the service.

You can use the same number for both or a different one for each—only the external port is exposed to the outside world, and you should avoid using the default numbers for known services. Using one port number for the external side and another for the internal side is like knocking on the window to open the front door.

Tip

For security, when turning on port forwarding for sensitive services, do not use the known default port numbers, at least on the public (external) side.

For example, port numbers 3389 and 8080 are the known defaults for Microsoft Windows' Remote Desktop service and a router's web interface, respectively. Using these default ports will make it easy for no-good parties to attack.

Specifically, for a remote desktop entry, you can specify the external port as a random (unused) number, such as 12345, and keep the 3389 as the internal side. In this case, to call the 3389 port, you can use DomainName:12345, and port 3389 is still hidden from the outside world.

This trick is also useful when you cannot change the port on your local server device.
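The port forwarding rules above can be checked mechanically once you copy the entries out of the router. This is an added example, not part of the original post: it audits a list of entries against the guidance in this section (no well-known default on the external side, no external port used twice, target inside the LAN with an IP reservation) and picks an unused external port. The rule table, LAN range and reserved list are constructed; the 5000 entry is the Synology default mentioned in the comments on this page.

```python
import ipaddress
import secrets

# Defaults named on this page; extend the table for the services you host.
SENSITIVE_DEFAULTS = {
    3389: "Remote Desktop",
    8080: "router web interface",
    5000: "Synology NAS web interface",
}
DYNAMIC_PORTS = range(49152, 65536)   # IANA dynamic/private port range


def audit(rules, lan_cidr, reserved_ips):
    """Return a list of (rule name, code, message) findings."""
    lan = ipaddress.ip_network(lan_cidr)
    findings, seen = [], {}
    for r in rules:
        name, ext, ip, internal = r["name"], r["external"], r["ip"], r["internal"]
        for label, port in (("external", ext), ("internal", internal)):
            if not 1 <= port <= 65535:
                findings.append((name, "bad-port", f"{label} port {port} is out of range"))
        if ext in SENSITIVE_DEFAULTS:
            findings.append((name, "default-port",
                             f"external port {ext} is the known default for "
                             f"{SENSITIVE_DEFAULTS[ext]}"))
        if ext in seen:
            findings.append((name, "duplicate",
                             f"external port {ext} is already forwarded by '{seen[ext]}'"))
        else:
            seen[ext] = name
        if ipaddress.ip_address(ip) not in lan:
            findings.append((name, "outside-lan", f"target {ip} is not in {lan}"))
        elif ip not in reserved_ips:
            findings.append((name, "not-reserved",
                             f"target {ip} has no IP reservation; the entry breaks "
                             "when the device gets a new local address"))
    return findings


def suggest_external_port(used):
    """Pick a random external port that no existing entry uses."""
    free = [p for p in DYNAMIC_PORTS if p not in used]
    if not free:
        raise ValueError("no free port left in the dynamic range")
    return secrets.choice(free)


# Constructed router table for the demonstration.
SAMPLE_RULES = [
    {"name": "remote-desktop", "external": 3389, "ip": "192.168.1.50", "internal": 3389},
    {"name": "remote-desktop-alt", "external": 12345, "ip": "192.168.1.50", "internal": 3389},
    {"name": "nas", "external": 12345, "ip": "192.168.1.60", "internal": 5000},
    {"name": "camera", "external": 50100, "ip": "192.168.2.10", "internal": 8000},
]
SAMPLE_RESERVED = {"192.168.1.50"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "192.168.1.0/24", SAMPLE_RESERVED):
        print(finding)
    used = {r["external"] for r in SAMPLE_RULES}
    print("unused external port:", suggest_external_port(used))
```

A non-default external port only keeps the service away from scans of well-known ports; the login on the forwarded service still has to be strong.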

How to enable remote access to your router’s interface

As mentioned above, DDNS opens up many applications. Using it to remotely access your router's web interface from anywhere in the world is one of them. And it's probably the most popular use of DDNS.

For security reasons, routers tend to have this remote access feature turned off by default—as mentioned, Netgear has removed this feature from all of its routers. Here are the general steps to turn it on:

  1. Within the router's interface, navigate to the Remote Management (or Remote Access, or Web Administration, or Web Access from WAN) section. The location varies depending on the router you use, but it's generally in the Advanced or System area of the interface.
  2. Change the settings to enable the feature—it's always turned off by default. Don't specify a specific computer or IP for the remote party.
  3. Change the default port (8080) to a number of your liking, just not one already used for another service—this is a must-do step to keep the connection secure. Turn on HTTPS when applicable.
  4. Apply the changes.
Here's an actual Asus router with remote access turned on using Dynamic DNS.
Note that the port number has changed from the default, and the domain is blurred out for security reasons.

And that's it. Since you'll access the router itself—not a device within your home network—there's no need to set up port forwarding for remote management. In other words, the router has already set that up for you.

After this, you can log in to your router's interface from anywhere in the world via the DDNS domain name. Just make sure you use the correct address.

For example, if:

  1. DongKnowsTech.asuscomm.com is your DDNS domain name. (Yours has to be something else.) And
  2. 8910 is the port for remote management. (You can use this port or any other you like; just keep it private.)

then the web address to access your router remotely is:

DongKnowsTech.asuscomm.com:8910

If you also have HTTPS turned on, then the address now is:

https://DongKnowsTech.asuscomm.com:8910

Use that web address on a browser, such as Chrome, on an Internet-connected computer, and you'll be able to access your router's web user interface, no matter where you are in the world.

Using remote access this way is an excellent alternative to signing up for an account with the vendor. Vendor-assisted remote access generally means you'll have to sacrifice your privacy because your router will always connect to the vendor. Dynamic DNS allows you to stay independent and have lots of flexibility, and that's just one of its many benefits.

When logging into a router's or any local device's web interface, you'll likely encounter a privacy/security error notice in which the browser suggests the webpage is potentially unsafe, as shown in the screenshot below.

Wi-Fi router security: You can ignore this Privacy/Security notice when accessing your router's web interface. This one is on the Chrome browser.

The reason is that the device's built-in web server has no way to prove its identity to the browser over HTTPS: its certificate isn't signed by an external party the browser trusts. For the warning to go away, among other things, the certificate needs to be signed by such a party.

It's safe to ignore this notice and proceed to the interface when using your local device.

Different browsers have slightly different warnings and ways to bypass them, but they all require clicking a few extra times. Pay close attention, and you'll find out the way to proceed.
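Because the browser cannot verify the router's certificate, clicking through the warning tells you nothing about whether the certificate is the same one you saw last time. One way to get that check back is to record the certificate's fingerprint on first contact and compare it on every later visit. This is an added example, not part of the original post; the pin file name and the `myhome.example:8910` endpoint are hypothetical, and `fetch_cert_der` needs Python 3.10 or later for the `timeout` argument.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def cert_fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_cert_der(host, port, timeout=5.0):
    """Download the certificate the router presents, without validating it.

    Validation is skipped on purpose: the certificate is not signed by a CA,
    so the only thing to compare it against is the stored pin.
    """
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(pins, endpoint, der):
    """Trust on first use: returns 'first-seen', 'match' or 'changed'."""
    fp = cert_fingerprint(der)
    known = pins.get(endpoint)
    if known is None:
        pins[endpoint] = fp          # remember what we saw the first time
        return "first-seen"
    # A stored pin is never overwritten automatically.
    return "match" if hmac.compare_digest(known, fp) else "changed"


def load_pins(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_pins(path, pins):
    Path(path).write_text(json.dumps(pins, indent=2))


def verify_router(host, port, pin_file="router_pins.json"):
    """Fetch the live certificate and compare it with the stored pin."""
    pins = load_pins(pin_file)
    status = check_pin(pins, f"{host}:{port}", fetch_cert_der(host, port))
    if status == "first-seen":
        save_pins(pin_file, pins)    # do the first run from inside your home network
    return status


if __name__ == "__main__":
    # Hypothetical endpoint; replace with your own DDNS name and port.
    print(verify_router("myhome.example", 8910))
```

A "changed" result after a firmware update or factory reset is expected; at any other time, do not enter the admin password until you have confirmed the new certificate from inside your home network.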

The takeaway

Again, for advanced users, Dynamic DNS is a valuable feature a router has to offer. It allows users to control their network for advanced applications, even when they are out and about. The other way around is also true: knowing how to use DDNS and port forwarding properly is a significant threshold that separates advanced users from the uninitiated. Try them out!

Dong's note: I first published this piece on April 24, 2019, and updated it on March 19, 2024, to include additional relevant information.


35 thoughts on “Dynamic DNS and Port Forwarding Explained: How To Customize Your Router for Secure Remote Access”

  1. Doug,
    Thank you for this most comprehensive and informative summary. While I have used port forwarding for years, it was a great “refresher”. Doug, is DDNS still valuable if one has a static IP address?

    Reply
    • It is if you don’t want to remember the static IP, Albert, but it’s no longer necessary.

      The name is Dong, by the way. 🙂

      Reply
  2. I just tried ASUS Instant Guard on my Wifi-6 router. It does connect but yet to try it on a public wifi.

    Is it safe to use the ASUS DDNS address/name?

    I tried to turn off and on the ddns setting but the long –
    (EXAMPLE) EC298CH99C72YBC99328645.asuscomm.com Never changes, is it default to the router IP or something even if I do a factory reset? is there any risks with it being the same name all the time?

    Also when turning on the Instant Guard (macOS iPad app) I have to CMD-V the password each time, I cmd-v it into notes and the password is the same even after reinstalling the vpn configuration and reinstalling the app..

    I don’t really have any use for it, and would probably just buy a proper VPN sub if surfing random wifi on Starbucks etc. But wanted to try remote access for the router, if needed in the future.

    Reply
  3. If I am setting up remote access via a ddns I should not use default ports. Am I correct to conclude that I can use any Port within this range 49152-65535. Also how do I determine if a given Port in this range is already in use?

    Reply
  4. Hi, I have my own domain. The method that it uses to update the DDNS is Cpanel, webcall URL. I am looking for a cable modem ( Docsis 3.0) to which you can add a custom DDNS url. Not noip dyndns etc. Do you know of any ?

    Reply
    • What you talked about is not a modem, James, but a router. More here.

      As for your need, the best way is this:
      1. Set up a Dynamic DNS as described in this post, such as janes.DynamicDNS.domain
      2. On your custom domain, such as abc.com, map the CNAME to point to your DDNS domain. So abc.com -> janes.DynamicDNS.domain

      In short, unless you have a static IP address, you still need to use a Dynamic DNS account.

      Reply
  5. Hi Dong, read up on your post a few times. There’s one thing I’m not sure of. If I am just happy accessing my router from “outside the house”, no port forwarding/VPN/NAS etc. why should I configure this, as with the ASUS app (GT11000 + AX92’s) I can do that already?
    I’m asking because I had to grant permission for data collection to Alexa and IFTTT.
    Thanks in advance, Henk

    Reply
    • The Asus router app would turn on the router’s DDNS, Henk, using a randomly picked domain. That’s the only reason you don’t need a login account — like the case with all other vendors. (But there’s also an option to use an Asus account now which you shouldn’t use.)

      There’s no other way for any type of remote access. It’s not like your phone can magically find your home router among all others.

      By the way, if you change the DDNS domain to something you like, as I mentioned in this post, the app will automatically use that, too, instead of the one it created on its own.

      Reply
  6. Dong, many thanks for another excellent tech write-up. As I understand it, moving to a DDNS set up allows me to access my Asus XT8 AiMesh setup remotely from outside my private home network. Unfortunately, I seem to be missing something after following your steps because I am unable to access my Synology 220+ NAS running DSM 7.0.1 (even within my home network) after enabling my router’s DDNS feature. I know the NAS’s DSM has a port forwarding feature, but after looking through your discussion of port forwarding, it’s not clear to me what (if any) additional steps I need to take to resolve this issue. By any chance, would you have any plans to write an update to this article to explain how to integrate a Synology NAS into a DDNS-enabled Asus router environment? Asking for a friend.😁Thanks!

    Reply
    • If you haven’t messed up a lot, you need to add “:5000” (no quotes) to the DDNS domain and forward port 5000 to the server’s IP within the router, Tom. You need to understand the principles — just read the post closely again — there’s no way one can write you a 1-2-3 step guide for every port forwarding scenario. There are 10s of thousands of them.

      Reply
      • Thanks for the additional explanation. Also, FWIW, I’ve re-read your excellent article several times as you’ve suggested with the goal of sussing out the magic process. My hope is that when I apply your teachings later tomorrow I will be able to sort what is, from my liberal arts and non-tech perspective, a very difficult subject to grasp, much less implement. Perhaps in my next life I will be lucky enough to graduate cum laude with a technical degree.

        Reply
        • I hear you, Tom. But I’m sure you can do it. Just remember you have to do it 100% correctly, you can’t ballpark this. Here are some extra for you.

          1. Make sure you have your WAN IP at your router, meaning you’re not using a router on top of a gateway. In that case, deal with the double NAT first.
          2. Set up DDNS, you can do that either on the router or your NAS server. Assuming your domain is now tom.dongknows.com (it will be something else.)
          3. If you haven’t changed anything on your NAS server, here’s how to call it from outside your home (you have to do step #4 first): http://tom.dongknows.com:5000 That’s because 5000 is the default port for Synology NAS. If you want to change it, on your NAS go to Control Panel -> Login Portal and change the port to whatever you want. Just make sure you remember it.
          4. On your router, forward the port 5000 (or whatever you use) to the IP address of your NAS server.

          That’s it. Good luck! 🙂

          Reply
  7. I’m using a VPN to access my local network from abroad. I have enabled the Free Server Certificate in the Asus router. Do I need to configure/import this certificate to my device or VPN server to make it work?

    Reply
      • So is the DDNS certificate working with my vpn by just enabling “Free Certificate from Let’s Encrypt” on the router? Reason for asking is since I see an export button for the certificate assuming I need to import this file elsewhere to make it work.

        Reply
  8. Thanks Dong
    While setting up DDNS on my ZenWifi AX6600 Mesh system, it shows:
    1. The wireless router currently uses a private WAN IP address.
    2. This router may be in the multiple-NAT environment and DDNS service cannot work in this environment.

    My XT8 is connected to the ISP provided ONU with a PPPoE connection in router mode. Further I have other mesh nodes connected to this main node.
    I’m not able to setup DDNS henceforth

    Reply
  9. Um, actually, one correction: Netgear is screwing over its customers still with the nagware NoIP DDNS option only.
    Anyhow, one other question…. in the article above, it says something about DDNS not working with another router on top of your own ISP modem/router, yet that’s exactly what I have with my Cox ISP modem/router connected to my Asus router, which has an Asus DDNS account made for my webcams to communicate to. It works fine. Am I missing something?

    Reply
      • Oooohhh. Right. I just assumed everyone did that. Might want to clarify in the article above that DDNS is a no go with a router on top of the ISP router IF you don’t enable bridge mode.

        Why wouldn’t anyone enable bridge mode under those circumstances? It doesn’t make sense why someone would choose not to do that. Then again, I’m a neophyte. Also, as long as y’all are so quick to answer, Asus mesh systems don’t get great reviews (not the AiMesh thing… that’s too tricky for me), is there a reason for that? No way am I changing from Asus and their free DDNS service.

        Reply
        • Spend some more time on this website — use the site search — before asking further questions, JK. I don’t have comments on stuff you have learned elsewhere.

          Reply
  10. So, just to be clear. In a 2015 posting, someone asked about Netgear vs Asus for their DDNS service. Asus has provided a free DDNS service for me since I started with their routers in 2015 (they probably offered it before). It’s why I keep buying Asus. Netgear, from my understanding, only offers a ‘free’ DDNS through No-IP, which requires logging onto the NoIP site every month to renew it…. hardly free (from effort). Asus’s is truly free. Hence I refuse to buy Netgear. Does anyone know if Netgear got their act together, or for my new Mesh system, do I stick with Asus? I use webcams and want a DDNS to access them from the road.

    Reply
      • Thank you for this clarification. Do you have any idea how hard it was to get this answered? The NetGear forum sites have people complaining, but I’m stunned it’s not more clearly stated when people are reviewing routers. Is Asus the only company that provides a free DDNS with their routers? Why isn’t Netgear being slammed more for this gross deficiency?

        Reply
  11. Yup. Very nice, but doesn’t work. My provider uses CGNAT :-(. I didn’t know when I signed up. It is this with 500MBit or 30MBit ADSL.

    Reply
