DynDNS client on PANOS 9.0




I'm trying to set up DynDNS based on the instructions found at https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-dynamic-dns-for-firew...


I'm using DuckDNS, but I'm stuck at the 'certificate profile' portion. If I understand it correctly, I have to import the (public) SSL certificate of DuckDNS, but this is not provided by them.

I don't understand why this is needed since their certificate is signed by Starfield CA, which is already in the list of 'Default Trusted Certificate Authorities' on the Palo Alto firewall.


Also, other DynDNS providers such as DYN don't seem to provide their public certificates for download.


Thank you @StevenEerdekens!!! Worked like a charm!!! Appreciate your help! 

Glad to hear!



Thank you very much for taking the time to post this. I feel like the biggest "rock" in the world right now. I have been trying for two days to download the right files to get this to work. I thought I had them, but it continues to fail according to system logs. Is there any chance you could export the files that worked for you and let me know what order you have listed in the profile? I would be more than grateful and would add you to next year's Christmas card list 🙂 Seriously, any help would be much appreciated. Thanks, Rick

I have been working this for days. I'm thinking it is something else. Can anyone please tell me why I would get a Timeout message? Could it be policy related? 


( description contains 'Interface ethernet1/1 DDNS update to DuckDNS v1 unsuccessful for host mybighost with Server response: Timeout was reached' )


*Note I changed host and IP for privacy purposes. 

Figured it out. I had to change the service route configuration under /Device/Services/ServiceRouteConfiguration so the traffic would go out the WAN and not the default MGMNT interface. 

Hey Rick.


I've been having a similar problem for a while. I solved it by making the URL filtering categories of 'high-risk' and 'dynamic-dns' to alert or allow. Then I imported the certificates I got from a packet capture to that IP. Those certificates were different than what Firefox provided me with. You can find them here:

Starfield Class 2 Certification Authority Root Certificate

Starfield Secure Server Certificate (Cross Intermediate Certificate)

Starfield Secure Server Certificate (Intermediate Certificate) - G2

and finally DuckDNS's certificate (note: you will need to save that as a .pem file)


Then I selected all three Starfield certificates in my certificate profile.

After committing I went to the CLI and ran these commands:

test dns-proxy ddns update interface name ethernet1/1

show dns-proxy ddns interface name ethernet1/1


The return code was good.


Hope this helps


I tried all of the recommendations that were described here. None of them worked. I am currently with a setup and recommendation from MPipes and ddns is not working with DuckDNS service. 

Error I am getting: 'Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host #####.duckdns.org with 10.xx.xx.4 Server response: Couldn\'t connect to server'



Certificates imported:



Certificate profile setup:



In my setup I am using a VLAN that has internet access, and the setup is as follows:

vlan.10 == PA220 == eth1/1 == NAT router = ISP  (no security profiles are used in security policy allowing traffic to internet)



Anyone with an idea what to do, what to troubleshoot? 


I tried all of the previous recommendations and combinations with certificates and i am out of ideas. Any help more than welcome. 

Make sure you imported the certificates as Trusted Root CA Certificates. I also imported DuckDNS's certificate.

Updated certificates as Trusted CA and imported DuckDNS cert too.


DuckDNS cert cannot be imported under cert profile since it is not a CA certificate.

I am still getting the same error: "Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host ####.duckdns.org with 10.XX.XX.4 Server response: Couldn't connect to server."



After I checked the traffic logs and URL logs: whenever I run "test dns-proxy ddns update interface name vlan.10", it only generates logs under system logs, no traffic logs for the source.

Also, debug dataplane shows no logs:


duckdns.org is resolved to 


Having in mind that the vlan.10 interface is a local firewall interface that has to match FW policy and NAT policy in order to reach the internet, I ran packet-diag:


admin@PAFW> debug dataplane packet-diag show setting

Packet diagnosis setting:
Packet filter
Enabled: yes
Match pre-parsed packet: yes
Index 1: 10.xx.xx.4/32[0]->[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2:[0]->10.xx.xx.4/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Enabled: yes
Log-throttle: no
Sync-log-by-ticks: yes
flow : basic ager np arp receive ha nd mcast log track cluster pred
ctd : basic
ssl : basic
Packet capture
Enabled: yes
Snaplen: 0
Stage receive : file duck-receive
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage firewall : file duck-firewall
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage transmit : file duck-transmit
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage drop : file duck-drop
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0


Perhaps I might be wrong, but I do think that the PA220 is not making requests to duckdns when I run test dns-proxy ddns update interface name vlan.10, and there is no SSL session for that matter to use certificate profiles.


Based on my previous update and further digging, the PA was not initiating traffic due to incorrect (default) service route configuration. After changing the setting and placing vlan.10 instead of the default value, DuckDNS started to update properly.
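
Added example, not part of any post in this thread: a small triage script for the DDNS failure messages quoted above. It parses the two message shapes seen here and flags connection-level failures, which in both reported cases were fixed by the service route rather than the certificate profile. The sample lines are constructed from those quotes; the host name and IP are placeholders.

```python
import re

# Constructed sample lines, modelled on the system-log descriptions quoted in the thread.
SAMPLE_LOGS = [
    "( description contains 'Interface ethernet1/1 DDNS update to DuckDNS v1 "
    "unsuccessful for host mybighost with Server response: Timeout was reached' )",
    "Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host "
    "myhost.duckdns.org with 10.0.0.4 Server response: Couldn\\'t connect to server.",
    "Interface ethernet1/1 link state changed",  # unrelated line, must be ignored
]

# Both shapes: "... with Server response: X" and "... with <ip> Server response: X".
DDNS_FAIL = re.compile(
    r"Interface (?P<interface>\S+) DDNS (?P<action>update|registration) to "
    r"(?P<vendor>.+?) unsuccessful for host (?P<host>\S+) with "
    r"(?:(?P<ip>\S+) )?Server response: (?P<response>.+)"
)

# These responses mean no connection was established, so no TLS handshake
# happened and the certificate profile was never consulted.
TRANSPORT_FAILURES = {"timeout was reached", "couldn't connect to server"}


def triage(line):
    """Return the parsed DDNS failure with a 'check_first' hint, or None."""
    m = DDNS_FAIL.search(line.replace("\\'", "'"))  # undo the escaped apostrophe
    if not m:
        return None
    event = m.groupdict()
    # Drop trailing punctuation left over from log-filter quoting.
    event["response"] = event["response"].strip(" .'\")")
    if event["response"].lower() in TRANSPORT_FAILURES:
        event["check_first"] = "service route"
    else:
        event["check_first"] = "server response"
    return event


def summarize(lines):
    """Map each interface to the list of hints for its failed DDNS attempts."""
    out = {}
    for event in filter(None, map(triage, lines)):
        out.setdefault(event["interface"], []).append(event["check_first"])
    return out


if __name__ == "__main__":
    for iface, hints in summarize(SAMPLE_LOGS).items():
        print(iface, hints)
```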

