Hi everyone
Thanks for all the advice on buying a domain. Its a big week for me. Getting on grapheneos, buying a domain, and I also recently started self hosting my contacts and calendar. I love this way of life.
My original plan was to one of the xyz 1.1111b domains for $1 a year but most of the feedback I got said just go with cloudflare. Its a lot more money than I had planned but all the security features are baked in and I feel that’s worth the extra money.
Here are my questions. I use the latest version of truenas community
- How do I connect my domain to my server apps? I’ve got a series of apps I’d love to he able to access without tailscale and solely use the domain.
- I have heard the term DNS a million times but don’t really understand it. What do.I need to know about DNS to keep security up and stay protected
- I’d like to let family access my media server, are there any considerations I need to make?
- How can I use one domain to access multiple services on my server? Do I need to pay extra for subdomains?
Thank you for any advice


I recommend you make A and AAAA records for the top level domain you own, and then set the needed subdomains as CNAME entries.
example.com points to your IP addresses, and the subdomains point then to your top level name.
This avoids you having to point a new IP at multiple places (be it manually or by dyndns) when/if your public IP changes.
Then you can set up a reverse proxy (caddy for example, it comes with automatic TLS), bind ports 80 and 443 to it, and route the traffic based on the domain name a client is trying to connect to.
So jellyfin.example.com would lead to your reverse proxy which would forward it somewhere internally, say 192.168.1.10:8096 for example.
This way you can use one top level domain for multiple services, and not have to specify ports when connecting externally
I kept all my certificates separate - have I been wasting time with 15 subdomains each with their own cert and A record? I have wondered. And then set in my reverse proxy a single domain.tld cert for each entry? TIA.
I wrote bash scripts to run via cron to keep my IPs updated, using Cloudflare API. It’s probably useful to other folk but as I used to need just v4 addresses I made one separate script for v4 IPs, v6 IPs and proxied, but it wouldn’t take long to combine. Here’s my v4:
#!/bin/bash CLOUDFLARE_API_TOKEN="<api_here>" ZONE_ID="<zone_id_here" DOMAINS=({subdomains.,www.}domain.tld) log="/opt/ddns/log_$(date +%F).txt" result="" CURL="/usr/bin/curl" JQ="/usr/bin/jq" IP=$($CURL -s http://ipv4.icanhazip.com/) echo $(date +"%FT%T")>>$log echo "Performing v4 proxied domain IP address check...">>$log # Get v4 records for DNS_RECORD in ${DOMAINS[@]}; do DNS_RECORD_ID=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=A&name=$DNS_RECORD" \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -H "Content-Type: application/json" | $JQ -r '{"result"}[] | .[0] | .id') # Get each record's IP current_ip=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -H "Content-Type: application/json" | $JQ -r '.result.content') # Check if the IP addresses are different if [[ "$IP" == "$current_ip" ]] || [[ "$IP" == "" ]]; then continue fi echo "IP address for $DNS_RECORD has changed from $current_ip to $IP. Updating record...">>$log result="$result${DNS_RECORD%%.*}, " # Sets the new IP if different response=$($CURL -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -H "Content-Type: application/json" \ --data '{ "type": "'"A"'", "name": "'"$DNS_RECORD"'", "content": "'"$IP"'", "ttl": 120, "proxied": true }') if [[ $response == *"\"success\":true"* ]]; then echo "DNS record updated successfully">>$log else echo "Failed to update DNS record for $DNS_RECORD. Response: $response">>$log result="$result\nFailed. See log." fi # Sends information to webhook unset DNS_RECORD_ID done if [ -n "$result" ]; then $CURL -X POST -d '{"result": "'"$result"'\n'"$current_ip"' -> '"$IP"'"}' "<home_assistant_local_webhook-delete_this_block_if_unwanted>" -H "Content-Type:application/json" fi echo $result>>$log echo $'Done.\n'>>$log /opt/ddns/cloudflare_ddns_v4_direct.sh # This triggers the next scriptA single wildcard CNAME that points to your domains A record is easier to manage I would say. This comes handy when you add a new service to your stack, as you dont have to go and make a new subdomain record.
You already seem to manage all subdomain updates with that script, so it won’t help you much with dyndns. That is, unless you hit a rate limit when trying to update a very large amount of records at once.
Keeping separate TLS certificates is a separate topic from having a single wildcard CNAME record. Separate TLS certificates offer a slight security advantage over a wildcard cert, as a single leaked certificate secret wont compromize the rest of your sites.