Hi everyone
Thanks for all the advice on buying a domain. It's a big week for me. Getting on grapheneos, buying a domain, and I also recently started self hosting my contacts and calendar. I love this way of life.
My original plan was to buy one of the xyz 1.1111b domains for $1 a year but most of the feedback I got said just go with cloudflare. It's a lot more money than I had planned but all the security features are baked in and I feel that's worth the extra money.
Here are my questions. I use the latest version of truenas community.
- How do I connect my domain to my server apps? I've got a series of apps I'd love to be able to access without tailscale and solely use the domain.
- I have heard the term DNS a million times but don't really understand it. What do I need to know about DNS to keep security up and stay protected?
- I’d like to let family access my media server, are there any considerations I need to make?
- How can I use one domain to access multiple services on my server? Do I need to pay extra for subdomains?
Thank you for any advice


I kept all my certificates separate - have I been wasting time with 15 subdomains each with their own cert and A record? I have wondered. And then set in my reverse proxy a single domain.tld cert for each entry? TIA.
I wrote bash scripts to run via cron to keep my IPs updated, using the Cloudflare API. It's probably useful to other folk but as I used to need just v4 addresses I made one separate script for v4 IPs, v6 IPs and proxied, but it wouldn't take long to combine. Here's my v4:
```bash
#!/bin/bash
CLOUDFLARE_API_TOKEN="<api_here>"
ZONE_ID="<zone_id_here>"
DOMAINS=({subdomains.,www.}domain.tld)
log="/opt/ddns/log_$(date +%F).txt"
result=""
CURL="/usr/bin/curl"
JQ="/usr/bin/jq"
IP=$($CURL -s http://ipv4.icanhazip.com/)

echo "$(date +"%FT%T")" >>"$log"
echo "Performing v4 proxied domain IP address check..." >>"$log"

for DNS_RECORD in "${DOMAINS[@]}"; do
  # Get the ID of the A record for this name
  DNS_RECORD_ID=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=A&name=$DNS_RECORD" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" | $JQ -r '.result[0].id')
  # No record with that name: log it rather than PUT to ".../dns_records/null"
  if [[ -z "$DNS_RECORD_ID" || "$DNS_RECORD_ID" == "null" ]]; then
    echo "No A record found for $DNS_RECORD, skipping." >>"$log"
    continue
  fi

  # Get the record's current IP
  current_ip=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" | $JQ -r '.result.content')

  # Skip if unchanged, or if the public IP lookup returned nothing
  if [[ "$IP" == "$current_ip" ]] || [[ "$IP" == "" ]]; then
    continue
  fi

  echo "IP address for $DNS_RECORD has changed from $current_ip to $IP. Updating record..." >>"$log"
  result="$result${DNS_RECORD%%.*}, "

  # Set the new IP
  response=$($CURL -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data '{ "type": "A", "name": "'"$DNS_RECORD"'", "content": "'"$IP"'", "ttl": 120, "proxied": true }')
  if [[ $response == *"\"success\":true"* ]]; then
    echo "DNS record updated successfully" >>"$log"
  else
    echo "Failed to update DNS record for $DNS_RECORD. Response: $response" >>"$log"
    result="$result\nFailed. See log."
  fi
  unset DNS_RECORD_ID
done

# Send a summary to the webhook (delete this block if unwanted)
if [ -n "$result" ]; then
  $CURL -X POST -d '{"result": "'"$result"'\n'"$current_ip"' -> '"$IP"'"}' "<home_assistant_local_webhook-delete_this_block_if_unwanted>" -H "Content-Type:application/json"
fi

echo "$result" >>"$log"
echo $'Done.\n' >>"$log"
/opt/ddns/cloudflare_ddns_v4_direct.sh # This triggers the next script
```

A single wildcard CNAME that points to your domain's A record is easier to manage, I would say. This comes in handy when you add a new service to your stack, as you don't have to go and make a new subdomain record.
You already seem to manage all subdomain updates with that script, so it won’t help you much with dyndns. That is, unless you hit a rate limit when trying to update a very large amount of records at once.
Keeping separate TLS certificates is a separate topic from having a single wildcard CNAME record. Separate TLS certificates offer a slight security advantage over a wildcard cert, as a single leaked certificate secret won't compromise the rest of your sites.
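As an added example (my code, not the script posted above or anything from Cloudflare), here is the "wouldn't take long to combine" version in Python: one pass over the zone's records updates both A and AAAA, and it also shows why the wildcard-CNAME layout suggested in this reply needs no updating, since only the apex A/AAAA records carry addresses and CNAMEs are skipped. Request bodies are built with `json.dumps` rather than by splicing variables into a JSON string, and the token is read from the environment instead of living in the script. The environment variable names `CLOUDFLARE_ZONE_ID` and `DDNS_NAMES`, and `ipv6.icanhazip.com` as the v6 counterpart of the v4 endpoint in the script, are my assumptions; the HTTP transport is a parameter so the planning logic can be checked against constructed records without network access.

```python
"""Combined IPv4/IPv6 Cloudflare DDNS updater (added example, not the thread's script).

Compared with the per-family bash scripts above:
  * fetches the zone's record list once and handles A and AAAA in one pass
  * leaves CNAME records alone, so a wildcard CNAME at the apex never needs touching
  * builds request bodies with json.dumps instead of splicing strings into JSON
  * reads the API token from the environment rather than the script file
The HTTP transport is a parameter so the plan/apply logic can run offline.
Environment variable names and the ipv6.icanhazip.com endpoint are assumptions.
"""
import json
import os
import sys
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def urllib_transport(method, url, token, body=None):
    """Send one authenticated JSON request to the Cloudflare API and decode the reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def detect_public_ips():
    """Return {"A": ipv4, "AAAA": ipv6}; a family that cannot be reached is omitted."""
    ips = {}
    for rtype, url in (("A", "https://ipv4.icanhazip.com/"),
                       ("AAAA", "https://ipv6.icanhazip.com/")):  # v6 host assumed
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                ips[rtype] = resp.read().decode().strip()
        except OSError:
            pass  # no connectivity for this family this run; its records are left alone
    return ips


def plan_updates(records, managed_names, current_ips):
    """Pick the (record, new_ip) pairs whose content must change.

    records       -- Cloudflare record dicts with id, type, name, content[, proxied]
    managed_names -- names this host is allowed to rewrite
    current_ips   -- {"A": ..., "AAAA": ...}; an empty or missing address skips that family
    """
    plan = []
    for rec in records:
        if rec["type"] not in ("A", "AAAA") or rec["name"] not in managed_names:
            continue  # CNAMEs (including a wildcard) and unmanaged names are untouched
        new_ip = current_ips.get(rec["type"])
        if not new_ip or new_ip == rec["content"]:
            continue
        plan.append((rec, new_ip))
    return plan


def apply_plan(plan, zone_id, token, transport=urllib_transport):
    """Overwrite each planned record (PUT, as the bash script does); return names that failed."""
    failed = []
    for rec, new_ip in plan:
        body = {"type": rec["type"], "name": rec["name"], "content": new_ip,
                "ttl": 120, "proxied": rec.get("proxied", False)}
        url = f"{API}/zones/{zone_id}/dns_records/{rec['id']}"
        if not transport("PUT", url, token, body).get("success"):
            failed.append(rec["name"])
    return failed


def main():
    token = os.environ["CLOUDFLARE_API_TOKEN"]        # assumed env var names
    zone_id = os.environ["CLOUDFLARE_ZONE_ID"]
    names = set(os.environ["DDNS_NAMES"].split(","))  # e.g. "home.domain.tld,www.domain.tld"
    listing = urllib_transport("GET", f"{API}/zones/{zone_id}/dns_records?per_page=100", token)
    plan = plan_updates(listing["result"], names, detect_public_ips())
    failed = apply_plan(plan, zone_id, token)
    for rec, ip in plan:
        status = " FAILED" if rec["name"] in failed else ""
        print(f"{rec['name']} {rec['type']} -> {ip}{status}")
    sys.exit(1 if failed else 0)


if __name__ == "__main__":
    main()
```

Run it from cron with the three environment variables set; a non-zero exit on any failed update is what lets cron's mail or a wrapper notify you, replacing the webhook block in the bash version. Because `plan_updates` only ever touches A/AAAA records whose name is in the managed set, a `*.domain.tld` CNAME pointing at the apex rides along for free, and a scoped API token limited to DNS edit on that one zone is all the script needs.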