Dynamic DNS and Port Forwarding 101: Solid Remote Access Tips | Dong Knows Tech (2024)

Dynamic DNS, or DDNS for short, is one of the most powerful features available in Wi-Fi routers. Though not router-exclusive, when coupled with port forwarding, DDNS is the base for hosting many services within your home network.

Examples of these services are VPN servers or remote desktop connections. At the very least, DDNS allows you to manage your standard router when you’re away from home using the familiar web interface—provided it’s not a Netgear.

This post will explain dynamic DNS and port forwarding in simple terms and how to use them to enable remote access to your home. Though this is in the realm of advanced networking, DDNS is straightforward. Still, before continuing, make sure you’re familiar with IP addresses, especially the WAN IP.


Dynamic DNS explained

To understand DDNS, you first need to understand DNS, which stands for domain name system. You can find out more about DNS in this post, but in a nutshell, DNS is a mechanism that associates a label—such as a domain name like dongknowstech.com—with an IP address.

A quick refresh: DNS is helpful because it’s much easier for us to remember a label than a string of numbers. Here are some highlights.

DNS server in brief

In a nutshell, a DNS server is similar to a public directory. It points you to where you want to go among millions of online websites, applications, and services.

A DNS server is not to be confused with Dynamic DNS, which works somewhat the opposite way.

Here’s a specific example of the role DNS plays:

Let’s say you want to access this website directly and enter its domain name, DongKnowsTech.com, on your browser, such as Chrome, Firefox, or Edge. The following will happen:

  1. The browser queries the system’s designated DNS server about the user-provided domain name.
  2. The DNS server looks up the domain to verify that it exists and is attached to a website. If so, it returns the website’s unique IP address, which is a string of seemingly random numbers.
  3. The browser follows that IP address to load the page you’re viewing.

This process is necessary because computers only understand numbers, while humans are bad at remembering them. In a way, the domain name is the vanity moniker of a website’s IP address. “DongKnowsTech” is much easier to remember than 73.124.79.110 or any other random string of numbers.


And you’re reading this page on your screen because such a process has worked. A similar procedure occurs whenever you want to reach an online party using any application.

In many ways, a DNS server is similar to the once-commonplace telephone directory service, where you only need to remember a person’s name, not their phone number. It’s the first thing that must happen before a connection can be established.

What is Dynamic DNS?

Dynamic DNS is the same concept as DNS but applies to a periodically varying, or “dynamic”, WAN IP. Additionally, while a DNS server helps us reach a remote party, such as a website or a streaming service, Dynamic DNS is often used in the opposite direction—when we want to dial home while out and about.

The majority of home broadband plans don’t include a static WAN IP—it’s expensive to have a fixed WAN IP address that remains the same at all times—which makes DDNS a much-needed feature when you want to use your home as an online destination for outside parties, including you when traveling, to reach.

You can easily find out your WAN IP right now. In a week, though, check again, and chances are you’ll get a new address. You often get a new WAN IP address when you restart your router or your terminal device, which is a cable modem or a Fiber-optic ONT.

In other words, even if you write down your current WAN IP address—or remember it by heart—you probably can’t rely on it to dial home. That address might have already been moved to somebody else’s home network when you do.

That’s where DDNS comes into play: It associates your current WAN IP address—no matter what it is at any given time—with a consistent domain name of your choice. Now, instead of having to fumble with the IP itself, all you have to do is remember that domain name, and you know you can reach home when necessary.

Dynamic DNS requirements

To take advantage of DDNS, you need three things: A private WAN IP, a Dynamic DNS service, and a DDNS updater device.

1. A private WAN IP

You need an exclusive WAN IP address if you want to set up an online service or dial home. While this IP might change from time to time, at any given time, it must be unique and assigned to your location by the Internet provider.

Generally, that’s the case for most residential Internet plans—the WAN IP is assigned to your terminal devices, such as your cable modem (or gateway) or fiber-optic ONT, and then given to your router.

But there are situations where you can access the Internet but have no WAN IP of your own—one that you control. Here are some examples of unusual situations where DDNS is a no-go:

  • You live in a condo (or hotel room) where the building’s central location provides everybody with the Internet. In this case, your local network has no WAN IP of its own. It just has access to the Internet.
  • You have an Internet service that uses large-scale NAT (CGNAT).
  • You need to keep your ISP-provided gateway and want to put another router on top of it. (In this case, check out this post on a double NAT setup.)

In short, if you have a typical broadband service, chances are you have your own (dynamic) WAN IP address.
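One way to check which of these situations you are in, as an added example that is not from the original post: compare the address on the router's WAN status page with the address an outside "what is my IP" page reports. The function name, verdict labels and sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges that mean the router's WAN side is not a public address of its own.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space (RFC 6598)
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918


def classify_wan(router_wan_ip, observed_public_ip):
    """Decide whether DDNS can point at this router (IPv4).

    router_wan_ip      -- address on the router's WAN/Internet status page
    observed_public_ip -- address an outside "what is my IP" page reports
    Returns (verdict, reason).
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)

    if wan.is_unspecified or wan.is_loopback or wan.is_link_local:
        return "unusable", f"{wan} is not an address assigned by the ISP"
    if wan in CGNAT:
        return "cgnat", f"{wan} is in 100.64.0.0/10, so the ISP shares one public IP"
    if any(wan in net for net in PRIVATE):
        return "double-nat", f"{wan} is private, so an upstream gateway holds the WAN IP"
    if wan != seen:
        return "upstream-nat", f"router has {wan} but the Internet sees {seen}"
    return "ok", f"{wan} is public and matches what the Internet sees"


# Constructed samples; the "public" addresses are documentation ranges (RFC 5737).
SAMPLES = [
    ("203.0.113.25", "203.0.113.25"),   # typical broadband: own WAN IP
    ("100.72.14.9", "198.51.100.7"),    # ISP uses large-scale NAT
    ("192.168.1.2", "198.51.100.7"),    # router sits behind the ISP gateway
    ("203.0.113.25", "198.51.100.7"),   # another device translates upstream
]

if __name__ == "__main__":
    for wan_ip, seen_ip in SAMPLES:
        verdict, reason = classify_wan(wan_ip, seen_ip)
        print(f"{wan_ip:>15}  {verdict:<12} {reason}")
```

Only the `ok` verdict means a DDNS name will lead to a router whose port forwarding you control.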

2. Dynamic DNS service

This service is the provider of the domain you want to use. Many third-party DDNS services exist, like NoIP, FreeDNS, or Dyn. Some require a small annual fee, but most give you one domain for free—and you don’t need more than one.

Better yet, known networking vendors—such as Asus or TP-Link—also include a free DDNS domain with a router. While it’s convenient to use the networking vendor’s DDNS, it’s not necessary. Use the service you can trust or are comfortable with.

3. Dynamic DNS updater device

A DDNS updater must reside within your network and does the job of persistently binding a domain name with your WAN IP.

Specifically, this device updates the domain with the new WAN IP each time it changes. While this address doesn’t change that often—as mentioned above, your network is generally assigned a new WAN IP when the modems or router restart—it’s a good idea to have this updater device running at all times.

Most routers and NAS servers have a built-in DDNS updating function. Since your router is the gateway to the Internet, it’s best to use it as the DDNS updater device. If a router doesn’t support DDNS, it’s probably not a good router anyway.

Alternatively, you can use any device within your network that has a DDNS updating feature, such as a NAS server. You can also turn a computer into an updater by installing a DDNS updater software client. To be sure, you can use more than one updater within a network. However, in most cases, the router’s Dynamic DNS feature is enough.

Important: Do not use a device that you often move out of your network, such as a laptop, as the DDNS updater. As you can imagine, that will cause your domain to be synced up with a foreign WAN IP address.

For the rest of this post, we’ll use the router as the DDNS updater.
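What an updater does on each check, as an added example that is not from the original post or any vendor's firmware. It assumes a service that speaks the widely used dyndns2-style update protocol (`/nic/update` with one-word replies); the hostname `myhome.example.invalid` and the injected `send` function are placeholders so the logic runs offline.

```python
from urllib.parse import urlencode

# Reply words of dyndns2-style services (assumed protocol, not from the post).
SUCCESS = {"good", "nochg"}          # record now points at the address we sent
FATAL = {"badauth", "nohost", "notfqdn", "badagent", "abuse", "numhost"}


def plan_update(hostname, last_sent_ip, current_wan_ip):
    """Return the update request path, or None when the WAN IP is unchanged."""
    if current_wan_ip == last_sent_ip:
        return None  # resending an unchanged address can get an account blocked
    return "/nic/update?" + urlencode(
        {"hostname": hostname, "myip": current_wan_ip})


def classify_reply(body):
    """Map the service's reply to 'ok', 'stop' (needs a human) or 'retry'."""
    word = body.strip().split(" ", 1)[0]
    if word in SUCCESS:
        return "ok"
    if word in FATAL:
        return "stop"    # wrong password or hostname: retrying will not help
    return "retry"       # e.g. "911" or "dnserr": provider-side trouble


def run_cycle(state, hostname, current_wan_ip, send):
    """One pass of the updater loop.

    state -- dict kept between passes (last_sent_ip, halted)
    send  -- callable that performs the authenticated HTTPS GET and returns
             the reply body; injected here so the example needs no network
    """
    if state.get("halted"):
        return "stop"
    path = plan_update(hostname, state.get("last_sent_ip"), current_wan_ip)
    if path is None:
        return "unchanged"
    outcome = classify_reply(send(path))
    if outcome == "ok":
        state["last_sent_ip"] = current_wan_ip
    elif outcome == "stop":
        state["halted"] = True
    return outcome


if __name__ == "__main__":
    state = {}
    fake = lambda path: "good 203.0.113.25"   # constructed reply
    for ip in ("203.0.113.25", "203.0.113.25", "198.51.100.7"):
        print(ip, run_cycle(state, "myhome.example.invalid", ip, fake))
```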

Extra: Should I be concerned about security when using Dynamic DNS?

You should always be concerned about security, but that has little—if anything—to do with DDNS.

DDNS does not affect your home network’s security. It doesn’t make your system safer or more vulnerable. The WAN IP—all home networks have one—is all hackers would need to attempt evil deeds.

That said, though, a DDNS domain name does make accessing your home network convenient and more consistent since it remains the same even when the WAN IP changes. Also, keep in mind your DDNS domain provider can know your WAN IP, so use one that you trust.

So, for security reasons, it’s a good idea to keep your DDNS domain name secure. Don’t reveal it to anyone willy-nilly—in a way, it’s like your home address. If a party knows your WAN IP alone, that doesn’t mean they can hack you immediately.

Your WAN IP (or DDNS domain) can be likened to your home address. Just because somebody knows it doesn’t necessarily mean you’re in danger, but it’s generally a good idea to keep it private.

Follow these good practices to keep your router safe. At the very least, use a secure admin password and avoid using default port numbers for any remote access application. We’ll come back to this soon.

Steps to set up Dynamic DNS on a router

No matter what router you use—clearly, we’re talking about one that supports DDNS here—the steps to set up DDNS are mostly the same. The following are the general steps.

Setting up DDNS on any router

  1. Check to make sure your router has the WAN IP address. If it’s the only router (or gateway) you use, then that’s always the case. On the other hand, if you use a router on top of another router, make sure you follow these steps to get the WAN IP to the router first.
  2. Check the router’s web interface to find out what DDNS services it supports—most routers support at least a few—and pick one for yourself. The location of the DDNS feature within a router’s web interface varies from one networking vendor to another. Still, generally, it’s in the WAN (a.k.a. Internet), Advanced, Administration (Admin), or System part.
  3. Sign up for an account with the DDNS service and pick a domain of your liking. After signing up, you’ll get an account (username and password) and a domain name. Write down this information and keep it secure.
  4. Go back to your router’s interface and enter the information you have written down in the DDNS section. Apply the changes, and you’ll see a message that the association is successful.

From then on, the domain name will be the persistent address of your home router.

A specific example: Steps to set up DDNS using Asus’s DDNS service


If you use an Asus router and want to use Asus’ built-in free DDNS service, here are the more specific steps:

  1. Log in to your router’s web interface, navigate to the Advanced Settings menu item, click on WAN, and then click on the DDNS tab.
  2. Change the value of Enable the DDNS Client to Yes and Server to WWW.ASUS.COM.
  3. Enter a Host Name value of your liking. Your DDNS domain will be in the hostname.asuscomm.com format, with the hostname being whichever you choose that has not already been taken by somebody else.

That’s it. Your DDNS domain name is ready and in effect. You can use it for any remote access services hosted within your home network.

Understanding network ports

To set up most remote access services, you’ll need to know about network ports, which are identifying numbers on the destination side of a connection.

A router uses a port to determine which application or service on a client, which itself is identified by its local IP address, should receive a message from the remote party.

Calling a port

Back to the home analogy: if the DDNS domain name is your home address, then ports are like the doors of your house. That said, a remote party generally needs to specify the port it wants to use by attaching it to the domain name in this format:

DomainName:Port

(Note the colon and the fact there are no spaces in the entire string.)

When you call a domain name in that format, such as by typing it into the address bar of a web browser, you’re specifying a particular door of the house to knock on.

More specifically, if the DDNS domain name is DongKnowsTech.asuscomm.com, as in the example above, and you want to use port 1000, then you use this address to send the message through (to a particular device that’s the target of the port number):

DongKnowsTech.asuscomm.com:1000

The rule of thumb is you generally need to specify a port when you want to access a destination via the Internet.

Default ports

There are a few exceptions where you don’t need to specify a port; one of them is port 80. This port is a well-known and default port for web hosting.

For this reason, when you type in a domain name in a web browser without specifying any port, it’s understood that you want to call port 80.

By the same token, if you deliberately specify this port with any website—such as dongknows.com:80—the website will load, and the port number will be removed automatically. Try the same domain on a browser using a different port number—such as dongknows.com:123—and you’ll get an error or no result at all.

Port forwarding (a.k.a Virtual Server)

Port forwarding is the job of the router at the destination. It opens the called port and delivers messages to a specific device or service within the local network.

For example, if you want to host a website at home, forward port 80 to the computer’s IP address you use as the webserver.

For port forwarding to work consistently, the destination device’s local IP address (the server) needs to remain the same at all times. That is where the router’s IP reservation feature comes into play.

Some networking vendors call port forwarding a “Virtual Server.” Each virtual server is a port forwarding entry. Generally, a home router can handle a few dozen entries.

In a network, any port that’s not forwarded is generally closed. Consequently, any access requests to this port will return an error. (It’s like trying to get through a closed door.)


Some routers allow two values in port forwarding: external (or public) and internal (private). In this case, external is the port the remote party calls, i.e., the one attached to the domain name as mentioned above. Internal is the port at the device that hosts the service.

You can use the same number for both or a different one for each—only the external port is exposed to the outside world, and you should avoid using the default numbers for known services. Using one port number for the external side and another for the internal side is like knocking on the window to open the front door.

Tip

For security, when turning on port forwarding for sensitive services, do not use the known default port numbers, at least on the public (external) side.

For example, port numbers 3389 and 8080 are the known defaults for Microsoft Windows’ Remote Desktop service and a router’s web interface, respectively. Using these default ports will make it easy for no-good parties to attack.

Specifically, for a remote desktop entry, you can specify the external port as a random (unused) number, such as 12345, and keep 3389 on the internal side. In this case, to call the 3389 port, you can use DomainName:12345, and port 3389 is still hidden from the outside world.

This trick is also useful when you cannot change the port on your local server device.
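A check of a port forwarding table against the rules in this section, as an added example that is not from the original post: it flags external ports left on the defaults named above, external ports used twice, and targets without an IP reservation. The rule format, names and addresses are constructed; copy the real entries from your router's Virtual Server page.

```python
import ipaddress

# The defaults this post names; extend with other sensitive services you host.
KNOWN_DEFAULTS = {3389: "Windows Remote Desktop", 8080: "router web interface"}


def audit_forwards(rules, reserved_ips, lan="192.168.1.0/24"):
    """Return (rule name, finding) pairs for a port forwarding table.

    rules        -- dicts with name, external, internal, target (constructed schema)
    reserved_ips -- LAN addresses that have an IP reservation on the router
    """
    findings = []
    seen_external = {}
    network = ipaddress.ip_network(lan)
    for rule in rules:
        name, ext, target = rule["name"], rule["external"], rule["target"]
        if not (1 <= ext <= 65535 and 1 <= rule["internal"] <= 65535):
            findings.append((name, "port outside 1-65535"))
            continue
        if ext in KNOWN_DEFAULTS:
            findings.append(
                (name, f"external port {ext} is the default for {KNOWN_DEFAULTS[ext]}"))
        if ext in seen_external:
            findings.append(
                (name, f"external port {ext} already used by {seen_external[ext]}"))
        else:
            seen_external[ext] = name
        if ipaddress.ip_address(target) not in network:
            findings.append((name, f"target {target} is outside the LAN {lan}"))
        elif target not in reserved_ips:
            findings.append((name, f"target {target} has no IP reservation"))
    return findings


# Constructed sample table and reservation list.
RULES = [
    {"name": "rdp-desktop", "external": 12345, "internal": 3389, "target": "192.168.1.50"},
    {"name": "rdp-laptop", "external": 3389, "internal": 3389, "target": "192.168.1.77"},
    {"name": "nas-web", "external": 12345, "internal": 5000, "target": "192.168.1.60"},
]
RESERVED = {"192.168.1.50", "192.168.1.60"}

if __name__ == "__main__":
    for name, finding in audit_forwards(RULES, RESERVED):
        print(f"{name}: {finding}")
```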

How to enable remote access to your router’s interface

As mentioned above, DDNS opens up many applications. Using it to remotely access your router’s web interface from anywhere in the world is one of them. And it’s probably the most popular use of DDNS.

For security reasons, routers tend to have this remote access feature turned off by default—as mentioned, Netgear has removed this feature from all of its routers. Here are the general steps to turn it on:

  1. Within the router’s interface, navigate to the Remote Management (or Remote Access, or Web Administration, or Web Access from WAN) section. The location varies depending on the router you use, but it’s generally in the Advanced or System area of the interface.
  2. Change the settings to enable the feature—it’s always turned off by default. Don’t specify a specific computer or IP for the remote party.
  3. Change the default port (8080) to a number of your liking, just not one already used for another service—this is a must-do step to keep the connection secure. Turn on HTTPS when applicable.
  4. Apply the changes.

And that’s it. Since you’ll access the router itself—not a device within your home network—there’s no need to set up port forwarding for remote management. In other words, the router has already set that up for you.

After this, you can log in to your router’s interface from anywhere in the world via the DDNS domain name. Just make sure you use the correct address.

For example, if:

  1. DongKnowsTech.asuscomm.com is your DDNS domain name. (Yours has to be something else.) And
  2. 8910 is the port for remote management. (You can use this port or any other you like; just keep it private.)

then the web address to access your router remotely is:

DongKnowsTech.asuscomm.com:8910

If you also have HTTPS turned on, then the address now is:

https://DongKnowsTech.asuscomm.com:8910

Use that web address on a browser, such as Chrome, on an Internet-connected computer, and you’ll be able to access your router’s web user interface, no matter where you are in the world.

Using remote access this way is an excellent alternative to signing up for an account with the vendor. Vendor-assisted remote access generally means you’ll have to sacrifice your privacy because your router will always connect to the vendor. Dynamic DNS allows you to stay independent and have lots of flexibility, and that’s just one of its many benefits.

When logging into a router’s or any local device’s web interface, you’ll likely encounter a privacy/security error notice in which the browser suggests the webpage is potentially unsafe.

The reason is that the device’s built-in web server has no way to prove its identity to the browser over the now-required HTTPS protocol. For that, among other things, its certificate needs to be signed by an external party.

It’s safe to ignore this notice and proceed to the interface when using your local device.

Different browsers have slightly different warnings and ways to bypass them, but they all require clicking a few extra times. Pay attention, and you’ll find out.

The takeaway

Again, for advanced users, Dynamic DNS is a valuable feature a router has to offer. It allows users to control their network for advanced applications, even when they are out and about. The other way around is also true: knowing how to use DDNS and port forwarding properly is a significant threshold that separates advanced users from the uninitiated. Try them out!


Dong’s note: I first published this piece on April 24, 2019, and updated it on March 19, 2024, to include additional relevant information.
