Allow DDNS addresses in Cloudflare Access

In an age of work from home, setting up proper Zero-Trust is necessary and Access is a great tool for that; however, there’s one major problem.

Most home users have Dynamic IPs from their ISPs. This means if I want to set up Cloudflare Access rules to include restricting logins from approved IPs I have to continually update that list whenever someone’s home IP changes (which can be as frequently as every 6 hours for some ISPs).

I wish there was a way to have Access automatically allow whatever IP a DDNS domain resolves to. That way I could have users install some DDNS updater and then input their DDNS domain into Access.

Firewalls like pfSense have a feature that allows this in their firewall rules. Can we get something like this for Access?

Surely if you are locking down via IP address it is not Zero Trust in the true sense of the word, as you trust the home user's IP?

Asking users to install DDNS updaters as well has its risks, trusting the user only updates it from their home IP address. What happens if they work from a coffee shop? Will the DDNS updater on their laptop then update it to a public Wi-Fi and all associated users using the same connection?

Would it be better to find more modern ways of confirming the users are using the correct laptop (i.e. posture checks) to see a valid enterprise certificate, so it's trusting the device rather than the IP address or connection? Then an enterprise machine with Zero Trust enabled is much more likely to be more secure than trusting an updater or trusting IP addresses?

Zero trust is not a one and done thing. That’s what Zero Trust platforms like Access allow for: AND statements.

IP address AND Approved corporate domain account AND 2FA, etc.

Multi-faceted ways of confirming identification are what Zero-Trust wants. It also solves your hypothetical situation. Say a user does bring their laptop to Starbucks and the DDNS updater updates their IP to that. Without an approved corporate account it doesn’t really matter, because one of the checks has failed so the user is not allowed.

Would it be better to find more modern ways of confirming the users are using the correct laptop (i.e. posture checks) to see a valid enterprise certificate, so it's trusting the device rather than the IP address or connection?

The best option is to create as many transparent checks as possible. The user only sees one (the OAuth having them pick their corporate GSuite/O365 account), but in the background the Zero-Trust solution is checking multiple things like IP, geolocation, employee leave schedules, user agent strings, service token, etc.
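To make the two ideas in this thread concrete (an IP allowlist derived from what a DDNS name currently resolves to, and AND-combining that check with an account-domain check and 2FA, as the reply above argues), here is an added example policy evaluator. It is illustration code written for this post, not Cloudflare's or pfSense's implementation: the DDNS hostnames, addresses, corporate domain and the `table_resolver` stand-in for a live DNS lookup are all constructed so the example runs offline, and the check names are hypothetical. It also models the coffee-shop case raised above: once the updater has moved the DDNS name to a shared public IP, someone else on that Wi-Fi passes the IP check but still fails the account and 2FA checks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DDNS table standing in for live DNS answers so the example
# runs offline; hostnames and addresses are hypothetical (RFC 5737 ranges).
CONSTRUCTED_DDNS: Dict[str, str] = {
    "alice.ddns.example": "203.0.113.10",
    "bob.ddns.example": "198.51.100.7",
}

# A resolver maps a hostname to its current IPv4/IPv6 address, or None.
Resolver = Callable[[str], Optional[str]]


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Build a resolver that answers from a static table (DNS stand-in)."""
    return lambda host: table.get(host)


@dataclass
class Request:
    source_ip: str
    account_email: Optional[str]  # None if the user never completed login
    mfa_passed: bool


@dataclass
class Policy:
    ddns_hosts: List[str]        # DDNS names whose current IP is allowed
    corporate_domains: List[str]  # e-mail domains of approved accounts
    require_mfa: bool = True


def check_ddns_ip(req: Request, policy: Policy, resolver: Resolver) -> bool:
    """IP check: source address must equal what one of the DDNS names resolves to."""
    src = ipaddress.ip_address(req.source_ip)
    for host in policy.ddns_hosts:
        addr = resolver(host)
        if addr is not None and ipaddress.ip_address(addr) == src:
            return True
    return False


def check_corporate_account(req: Request, policy: Policy) -> bool:
    """Identity check: the signed-in account must belong to an approved domain."""
    if not req.account_email or "@" not in req.account_email:
        return False
    domain = req.account_email.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in policy.corporate_domains}


def check_mfa(req: Request, policy: Policy) -> bool:
    """2FA check: passes if the user completed MFA, or the policy does not require it."""
    return req.mfa_passed or not policy.require_mfa


def evaluate(req: Request, policy: Policy, resolver: Resolver) -> Tuple[bool, List[str]]:
    """AND every check together; return the decision plus the names of failed checks.

    The failed-check list is what you would want in an access log: it tells
    you which factor stopped a request without revealing anything else.
    """
    results = {
        "ddns_ip": check_ddns_ip(req, policy, resolver),
        "corporate_account": check_corporate_account(req, policy),
        "mfa": check_mfa(req, policy),
    }
    failed = [name for name, ok in results.items() if not ok]
    return (not failed, failed)


if __name__ == "__main__":
    policy = Policy(["alice.ddns.example", "bob.ddns.example"], ["corp.example"])
    home = table_resolver(CONSTRUCTED_DDNS)
    print(evaluate(Request("203.0.113.10", "alice@corp.example", True), policy, home))
    # Updater on Alice's laptop has moved her DDNS name to a shared coffee-shop IP:
    moved = table_resolver(dict(CONSTRUCTED_DDNS, **{"alice.ddns.example": "192.0.2.44"}))
    print(evaluate(Request("192.0.2.44", None, False), policy, moved))
```

Because the IP factor is evaluated by resolving the DDNS name at request time, the allowlist follows the updater with no manual rule edits; the identity and MFA factors are what keep a shared-NAT neighbour out once that name points at a public network.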