Configuring Cloudflare in DNS-O-matic

Today I ran into an issue configuring DNS-O-Matic to update my Cloudflare DNS records (specifically, the record with the dynamic IP that points to my home IP address, and is automatically updated by the router in my home network). I entered all necessary settings in the DNS-O-Matic form, but when I sent an update to it, the update to the Cloudflare service always errored out with the message “err Invalid request headers (6003)”.

After a bit of trial and error, and going back and forth through documentation and tutorials, I finally figured out that the DNS-O-Matic field that says “API Token” does not expect what Cloudflare calls an API Token; it wants Cloudflare’s Global API Key.

This is actually clear in Cloudflare’s documentation on how to set up DNS-O-Matic, although I think it needs to be more explicitly stated that you’re not supposed to use the Cloudflare thing with the same name that the DNS-O-Matic form has. Maybe the documentation predates the implementation of API Tokens on Cloudflare’s side and that’s why the terminology isn’t the clearest.

Once I put my Global API key there, the updates started working as expected. Then I pinged OpenDNS on Twitter to see if they have any plans of supporting API Tokens instead of the global API key, which would allow for more granular control of what they can do and would be a good security practice. That way if the DNS-O-Matic databases ever got compromised, the attackers wouldn’t get complete control over our Cloudflare accounts.
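For comparison, here is an added example (not code from this post, from DNS-O-Matic or from Cloudflare) of how a client that talks to Cloudflare's v4 API directly can authenticate with a scoped API Token instead of the account-wide Global API Key. The zone ID, record ID, hostname, IP and token are constructed placeholders, and the token is assumed to carry only DNS edit permission on the one zone.

```python
import ipaddress
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def token_headers(api_token):
    """Scoped API Token: sent as a Bearer credential."""
    return {"Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json"}

def global_key_headers(email, global_key):
    """Legacy Global API Key: account-wide, sent with the account email."""
    return {"X-Auth-Email": email, "X-Auth-Key": global_key,
            "Content-Type": "application/json"}

def build_record_update(zone_id, record_id, name, new_ip, headers):
    """Build (not send) a PATCH that points `name` at `new_ip`."""
    ip = ipaddress.ip_address(new_ip)  # raises ValueError on junk input
    body = {"type": "A" if ip.version == 4 else "AAAA",
            "name": name, "content": str(ip)}
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/dns_records/{record_id}",
        data=json.dumps(body).encode(), headers=headers, method="PATCH")

def send(req):
    """Send the request and return Cloudflare's JSON reply (needs network)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed placeholders, not real identifiers or credentials.
    req = build_record_update("ZONE_ID_PLACEHOLDER", "RECORD_ID_PLACEHOLDER",
                              "home.example.com", "203.0.113.7",
                              token_headers("TOKEN_PLACEHOLDER"))
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

A token limited to one zone's DNS records can only change those records if it leaks, whereas the Global API Key grants everything the account can do.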

8 thoughts on “Configuring Cloudflare in DNS-O-matic”

  1. Lucent

    Using the global API key to update a DNS entry is absurd. Is there some permission we can generate that’ll allow a specific token to work?

  2. Robert Dole

    I’m confused with what to put in the hostname and domain.
    If I have blah.duckdns.com
    would the hostname be: blah and domain duckdns.com ?

    1. alexvy86 Post author

      Put the whole thing in hostname (blah.duckdns.com) and just duckdns.com in domain.

  3. Mike

    Hi Alex – thanks for the article – that helped exactly with my same problem!
    As Twitter suggested to write an email –> have you ever got an update from them?
    (Because it seems that the “problem” is still the same that we have to use the Global API Token..)
    Thanks

    1. alexvy86 Post author

      I just looked and I couldn’t find an email to them, so it might have fallen through the cracks. Feel free to send one, though 🙂

  4. duke999s

    Thanks everyone, this saved me after an afternoon of trying different configs using Marcs client updater, DNS-O-Matic and Cloudflare.

    Finally using

    a dnsomatic service for each subdomain (setting host as above!)
    the Marcs hostname of to reach each dnsomatic service and the legacy Cloudflare API key!

    1. Anonymous569

      dukes999s…. can you expand on your statement, I’m not sure I’m entirely clear what was done here? Trying to do the same for my subdomains.

      “the Marcs hostname of to reach each dnsomatic service and the legacy Cloudflare API key!”

      Thanks.
