AWS with pfSense Part 2: Route53 DynDNS with pfSense

After a lot of talking about it, we dive right into setting up AWS Route53 DynDNS with pfSense. In this step-by-step tutorial, I will show you how to get Route53 DynDNS with pfSense working in no time!

If you missed the post about our Concept, check it out here.


What is Dynamic DNS?

DynDNS is a service that translates your external IP Address into a URL like

If you have a static IP from your provider, you will not necessarily need DynDNS. I have a static IP but will use DynDNS anyway, just to have an address I can remember off the top of my head instead of remembering an IP address.

Most of you, at least for private usage, will have an external IP Address that changes every 24 hours. So it would be impossible to reach your internal network after the change of your IP Address.

This is where DynDNS comes into play.

Each time you get your 24h disconnect, pfSense will tell your DynDNS provider your new IP Address automatically.

There are plenty of completely free services out there that do that. I recommend NO-IP.

But because we are talking about AWS here, I will utilize AWS's own DNS Service: Route53.

Now, Route53 can do A LOT more than just DynDNS. You can register domains, host websites and so on.

If you want to utilize Route53 for DynDNS, you HAVE TO use Route53 on that domain. You can register a new domain with AWS just for the purpose of using DynDNS, or transfer your own domain to them to use Route53 on it.

For example

In our case we will not use this homepage in any way; it is solely for the purpose of DynDNS. That's not bad, as the domain costs just around 9$ per year. There will be some very small fees for each DNS request, though, but they are minimal. Just be aware, there are fees. If in doubt, use NO-IP.

Ok, let’s do this. It is very important that you read carefully through ALL the steps!


Step 1 Logging in to your AWS Web Interface and creating a new User

Navigate to Route53 after logging in.

Register a domain you like or transfer your own, for example: and go through the registration process. The registration can take a few hours to be finished. A Hosted Zone will be automatically created in the process. After everything is registered and the Hosted Zone populated, continue.

Now we want to create a new user who is designated and has permission to update our DNS Records in the newly created Hosted Zone. We don’t want to use our root account for this. In the AWS Web Interface navigate to IAM and to Users.

Enter a User Name and for Access type choose: Programmatic access.

Click Next: Permissions.


Select: Attach existing policies directly. Type: Route53 in the search field. Tick AmazonRoute53FullAccess. Click Next: Review.


Check if all is set correctly and hit: Create User. You will be presented with your Access Key ID and your Secret Access Key. Note BOTH down for later; we need them in our pfSense. This will be the only time this key pair is shown to you, so if you do not note them, you need to create a new key pair later.
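
The key pair created here ends up stored in the pfSense configuration, so the policy attached to the user decides what a leaked key can do. The following Python check is an added example, not part of the original tutorial or of pfSense or AWS tooling: it flags Allow grants that reach beyond record updates in one hosted zone. It assumes the DynDNS client only needs route53:ChangeResourceRecordSets and route53:ListResourceRecordSets; both sample policies and the zone ID ZEXAMPLE12345 are constructed.

```python
# Added example: audit an IAM policy before attaching it to the DynDNS user.
# Assumption: the client only needs to change (and optionally list) records.
NEEDED_ACTIONS = {
    "route53:changeresourcerecordsets",
    "route53:listresourcerecordsets",
}

def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, zone_id):
    """Return (statement_index, problem, value) for every Allow grant that
    reaches beyond record updates in the single hosted zone zone_id."""
    zone_arn = f"arn:aws:route53:::hostedzone/{zone_id}"
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "negated-match", "NotAction/NotResource"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append((idx, "wildcard-action", action))
            elif action.lower() not in NEEDED_ACTIONS:
                findings.append((idx, "unneeded-action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != zone_arn:
                findings.append((idx, "resource-outside-zone", resource))
    return findings

# Constructed sample: a broad grant (not a copy of the AWS managed policy).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:*", "route53domains:*"], "Resource": "*"},
]}
# Constructed sample: scoped policy; ZEXAMPLE12345 is a placeholder zone ID.
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
    "Resource": "arn:aws:route53:::hostedzone/ZEXAMPLE12345",
}}

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit_policy(pol, "ZEXAMPLE12345") or "OK")
```

The check accepts "Statement" as a single object or a list, since IAM allows both forms.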


Step 2 Configuring pfSense

Good. Now we have our AWS side set up and ready to go. Let’s head over to our pfSense.

After logging in to the pfSense Web Interface head to: Services / Dynamic DNS / Dynamic DNS Clients and hit: +Add.

Now fill in the information as below:

Service Type: Route53.

Interface to Monitor: Your WAN Interface.

Hostname: The Name your DynDNS will update to, for example, if you registered write in the hostname field:

Route53 will automatically create that entry for you inside of your Hosted Zone.

Username: The Access Key ID of your Route53 Admin user you created earlier.

Password: The Secret Access Key of your Route53 Admin user.

ZoneID: You find your ZoneID in Route53 under Hosted Zones and on the right side of your Zone Name.

It is very important that you enter us-east-1/YOURZONEID. NO MATTER where you are located, it is always us-east-1.

TTL: 60

Description: MyWANDynDNSRoute53


Your Zone ID

pfSense DynDNS Settings


If all went well, a green IP shows up, confirming that the DNS record was updated. You can now reach your internal network over the dynamic DNS name you just created.


You can test it by pinging: from a computer outside of the network.

Also, if you go back to your Hosted Zone and click on the Zone, you will see that an entry with the name: and your IP Address was created.

Now every time your ISP changes your IP Address, pfSense will send an update to Route53 and update it to the new IP Address, meaning no matter how often your IP changes, your company network will always be reachable over

I hope this can help some of you. It took me quite a long time to find all the information on the internet, especially with pfSense and the use of us-east-1 as the only working zone for DynDNS.

8 thoughts on “AWS with pfSense Part 2: Route53 DynDNS with pfSense”

  • February 8, 2019 at 11:08 pm

    In the interest of security, I would recommend a much stricter policy on your IAM user than AmazonRoute53FullAccess.
    This is all you need to get it to work, restricting it to specific API calls on the specific zone you want to update.

    "Version": "2012-10-17",
    "Statement": {
    "Action": [
    "Resource": "arn:aws:route53:::hostedzone/your-zone-id",
    "Effect": "Allow"

  • July 5, 2018 at 2:27 pm

    @ceos3c great work with the article :) It seems like this has changed with 2.4.3. #ZoneID
    us-east-1/YOURZONEID is no longer valid. Just add YOURZONEID and you are good to go.

    • July 5, 2018 at 2:36 pm

      Amazing! Thanks for pointing that out!

  • November 23, 2017 at 3:43 am

    I’m running pfSense 2.4.0, and I couldn’t get it to work *with* the us-east-1 in the Zone ID. Once I deleted it, and just used the plain zone id as reported in Route 53, everything worked.

    Thanks for everything else. Much appreciated.

    • November 23, 2017 at 10:48 am

      Interesting! Thanks for letting me know. I am glad I was able to help!

    • January 19, 2018 at 11:50 am

      Odd.. It wasn’t working for me until I put in the US East 1.

      @ceos3c, thanks for posting this guide. It got me up and running with Route53

  • September 9, 2017 at 8:32 pm

    Thanks! The “us-east-1” part of the Zone ID threw me off too!

    • September 11, 2017 at 10:45 am

      No worries. Yeah, that’s a bit hard to grasp 🙂

