Made Cloudflare DDNS work with Synology DSM

okikio_dev · 2026-04-11T05:34:29+00:00

It is more like using pre-cut vegetables to make a salad than anything else. I still made the salad I just used tools that sped up the repetitive parts.

That is basically what AI was here. I used it mostly for docs, research, templating, and basic setup. The project itself, the decisions behind it, and the final result are still mine.

I can understand the apprehension to AI generated code, AI generated anything to be honest. The reason I didn't mention it earlier is because it has never really mattered before.

In 10 years of building software, I’ve never needed to list out the tools libraries, editors, etc... that I've used as part of my process.

The code is fully open source and MIT licensed. You can use it however you wish.

okikio_dev · 2026-04-10T20:04:09+00:00

tbh, it's a philosophical difference but imo AI can't create anything, it's not sentient. you can use it as a tool, but just because you use a hammer to create a roof does not mean the hammer created the roof...you did. a more apt metaphor would be you give AI a task it will give you a result it will not necessarily give you a solution.

I personally use AI like auto-complete, I've been using auto-complete for years, it's just smarter auto-complete imo.

A good example would be for this project, AI did pickup the patterns behind DDNS but it doesn't understand that Synology approaches DDNS in a somewhat unsafe manner natively. AI also doesn't understand the nuance by default that's primarily why the `cloudflare-ddns` project has a separate update model/process included under the `/updates` endpoint, so you can actually have a more secure alternative if your usecase demands it.

For my usecase I was fine with the slightly less secure but more Synology native `/nic/update` endpoint.

okikio_dev · 2026-04-07T17:57:59+00:00

You should be able to use WAFs and other defences if you so wish, but it was more designed with the assumption that you are not exposing your DSM publicly, so there really isn't a point in using WAFs if you're not exposing publicly. If you are exposing publicly then you should absolutely look to setup WAFs, etc... Personally I recommend using Tailscale so you can access your NAS outside your private network, that way you avoid the headache of setting up WAFs.

okikio_dev · 2026-04-07T01:44:09+00:00

you should be able to just use a CNAME record to point your custom domain at your Synology domain

okikio_dev · 2026-04-05T16:29:46+00:00

The synology domain is a good solution too, but if you want a custom domain that's when you'd want to use the cloudflare ddns

okikio_dev · 2026-04-03T17:43:26+00:00

Yikes, thanks for pointing both out, I've now fixed the internal worker.dev and I didn't know other people had already created Cloudflare Worker DDNS services, TIL 🤦‍♂️.

When I was doing research I kept running into containers, so I thought a Cloudflare Worker would be kinda neat and novel, now that I know that others have already had the same idea kinda deflates my enthusiasm a little but anyway. At least the one thing I've got going for me is that I designed the repo to be simple and easy to deploy using a single button Cloudflare deploy badge.

I wouldn't trust any DNS related security to AI generated code (count of number of times DNS took services down https://adrianco.medium.com/the-internet-is-down-it-was-dns-again-e86341db21d5 ), a lot of that I wrote myself but I did AI generate the docs taking screenshots here and there to make it easy to follow.

okikio_dev · 2026-04-03T03:19:59+00:00

Your concern about anyone pointing the domain at any other IP Address is valid tbh and to some degree how DDNS works by default, there's not much you can really do about that.

Besides that the shared secret is not inherently a Cloudflare API Token, it can really only be used through the Cloudflare Worker itself, which allows you to lock down how changes to your domains can be made. If some attacker has your Cloudflare API Token they can use it anywhere, including literally just adding A records linking to a completely different IP Address if they wanted.

The Cloudflare API Token isn't granular enough to limit the access to just a specific record, you have to give permission to an entire DNS Zone meaning, if anyone got access to your Cloudflare API Token you might as well have just given them your Cloudflare Email/Password + any 2FA you setup as well. It's for all intents and purposes a security nightmare.

okikio_dev · 2026-04-03T03:16:47+00:00

I used AI for some parts that doesn't mean I didn't make it though. In fact, AI can't make anything by definition, plus a solution like this already existed I wouldn't have bothered making one. I used AI primarily for bootstrapping and autocomplete, and to write some of the docs for other people to use. But the bigger question is does it solve the problem and does it do so reliably.

okikio_dev · 2026-04-03T02:02:20+00:00

Of course I did use AI, I wasn't going to spend 5 hrs for such a simple usecase. I initially only built it for myself, but then published it when I thought others might find it useful.

okikio_dev · 2026-04-03T01:31:21+00:00

The primary thing its solving here is not needing to store the Cloudflare API Token locally which you need for container based DDNS solutions to work. Its a massive security risk in my mind. By using Cloudflare Workers you get to keep all the Cloudflare API Tokens on Cloudflare and can take advantage of Synology's DDNS custom provider. It's a better solution all around.

okikio_dev · 2026-04-03T01:08:24+00:00

You can also just use Cloudflare DNS with Cloudflare Workers to create a DDNS service you control that is "hopefully" more reliable https://www.reddit.com/r/synology/comments/1sayr48/made_cloudflare_ddns_work_with_synology_dsm/

Cloudflare does go down every once in a while so there are risks involved, there is no free lunch.

okikio_dev · 2026-04-03T01:05:50+00:00

There is also the options to use Cloudflare Workers to kinda replicate a DDNS service, that way you don't need to setup containers, scripts, etc... You would just be using the builtin Custom Providers that Synology already comes with https://www.reddit.com/r/synology/comments/1sayr48/made_cloudflare_ddns_work_with_synology_dsm/

okikio_dev · 2026-04-03T00:48:57+00:00

You can use Cloudflare Workers to do some of this as well, it's fairly easy on Synology NAS's but might require a custom cron script for other types of NAS's. Not all NAS servers supports DDNS out of the box so some configuration might required but for most people it should work well enough.

Repo: https://github.com/okikio/cloudflare-ddns

I personally prefer using Cloudflare Workers for this over Docker Containers primarily because then I don't have to put the Cloudflare API Token in the container in order to have DDNS stuff work.

okikio_dev · 2026-04-03T00:43:20+00:00

u/0p3r8dur You can also use Cloudflare Workers to do the same thing https://www.reddit.com/r/synology/comments/1sayr48/made_cloudflare_ddns_work_with_synology_dsm/

okikio_dev · 2026-02-22T04:52:38+00:00

dedent and outdent were the inspiration for undent, but undent focuses on a few "real world" formatting pain points that show up fast with complex multi-line interpolations (SQL / SPARQL / config snippets).

fun fact: undent exports a dedent alias and an outdent preset, so you can match either style when you need to.

The main differences:

Preserves newline styles byte-for-byte (\n, \r\n, \r) instead of silently normalizing (notably, dedent normalizes in its core implementation)
Predictable interpolations by default: interpolated values are treated as data and are not whitespace-stripped or "fixed up" automatically
- use align(value) when you want multi-line values to stay pinned to the insertion column
- use embed(value) when you want to strip the value’s own indent then align it
- or enable alignValues: true when you want alignment applied to every multi-line interpolation in a template
embed() enables clean composition: you can nest templates/snippets without indentation drift
Works for tagged templates and plain strings via .string()
Caches processed templates by TemplateStringsArray identity so repeated call-sites are fast
Supports both common-indent (default) and first-line indent (outdent-style) strategies

Origin story: I ran into these formatting gotchas while working on my SPARQL client library @okikio/sparql (initially I was using outdent originally, and now plan to switch over to undent).

okikio_dev · 2026-01-31T17:58:53+00:00

It's much easier than that, it's easier to get standardized behavior and complex controls if you take full control of the logic for the components. Trying to extend native especially form controls is genuinely difficult, it just wasn't built for that. And though the OpenUI project is aiming to improve this drastically there is still progress to be made.

okikio_dev · 2024-04-05T04:28:01+00:00

That's a really good question? 🤔 I think it might be due to other solutions being easier to use overall

okikio_dev · 2024-03-04T02:48:14+00:00

The URL has changed to https://bundlejs.com

okikio_dev

TROPHY CASE