Available on: Free (Redirect) Plus (Stealth) Pro (Stealth) Elite (Stealth)
1. What This Feature Does
Web Forwarding redirects HTTP traffic from a DDNS domain to a target URL. Two forwarding types are supported: Redirect and Stealth.
Redirect forwarding issues a standard HTTP redirect response (301, 302, 307, or 308) that instructs the browser to navigate to the target URL. The browser address bar updates to show the destination URL. Redirect forwarding is unlimited and available on all plans.
Stealth forwarding embeds the target URL in an iframe while keeping the original domain visible in the browser address bar. Stealth forwarding consumes a stealth flag resource and requires a Plus plan or higher. Stealth forwards support custom page titles, meta descriptions, and meta keywords for SEO purposes. Some websites block iframe embedding (frame-breaking), which will prevent stealth forwarding from working correctly.
When a forward is created, the domain's DNS records are automatically updated to point to CertaDNS web server IP addresses. When the forward is deleted, the original DNS records are restored.
2. When You Should Use It
- You want to redirect a DDNS domain to a web application hosted on a different URL or port (e.g.,
server.certadns.comredirects tohttps://example.com:8080). - You need to create a short, memorable alias for a longer URL or a URL with a complex port or path structure.
- You want to mask the destination URL in the browser address bar using stealth forwarding while displaying custom SEO metadata.
- You need to change the destination of a hostname without updating DNS records manually or reconfiguring client software.
3. When You Should Not Use It
- Pointing to an IP address directly: If you need a domain to resolve to an IP address, use Dynamic DNS Domains instead of web forwarding.
- Target site blocks iframes: Stealth forwarding will fail if the target website uses frame-breaking JavaScript or sets
X-Frame-OptionsorContent-Security-Policyheaders that block embedding. Major sites (Facebook, Google, YouTube, Twitter, Instagram, LinkedIn, PayPal, Stripe, GitHub, Amazon, Apple, Microsoft, Netflix) are blocked from stealth forwarding. - HTTPS on the source domain: Web forwarding operates on HTTP only. The forwarding service itself does not provide SSL/TLS certificates for the source domain.
- Complex routing or load balancing: Web forwarding is a simple redirect or iframe embed. For advanced traffic routing, use a reverse proxy or CDN configuration instead.
4. Prerequisites
- A registered CertaDNS account with a verified email address.
- An existing DDNS domain. You cannot create a web forward without first creating a domain. See Dynamic DNS Domains.
- For stealth forwarding: a Plus plan or higher and at least one available stealth flag.
- The target URL must not point to a CertaDNS domain (
certadns.com,eliteip.vip,premiumip.vip) to prevent recursive forwarding loops.
5. How It Works (Brief)
When you create a web forward, the system updates the domain's DNS A and AAAA records to point to the CertaDNS web server IP addresses (configured in the WEB_SERVER_IPS environment variable). When a browser requests the domain over HTTP, the CertaDNS web server checks the forwarding database for a matching forward configuration.
For redirect forwards, the server responds with an HTTP redirect status code (301, 302, 307, or 308) and a Location header pointing to the target URL. The browser follows the redirect and the address bar updates to the target URL.
For stealth forwards, the server responds with an HTML page containing an iframe that loads the target URL. The page includes a custom title, meta description, and meta keywords if configured. The browser address bar continues to display the original domain. Stealth forwards consume one stealth flag from your plan's allocation.
When a forward is deleted, the DNS records are restored to their previous values (either the original IP address or removed entirely if the domain had no prior IP). The forward configuration is removed from the database.
6. How to Use It
Creating a web forward
- Navigate to Dashboard > Web Forwarding.
- Click Add Forward in the top right.
- In the Add Forward modal:
- Select the domain from the dropdown. Only DDNS domains that do not already have a forward are listed.
- Enter the target URL. The system automatically adds
https://if no protocol is specified. - Select the forwarding type: Redirect or Stealth.
- If you selected Redirect, choose the HTTP status code: 301 (permanent redirect), 302 (temporary redirect), 307 (temporary, preserves HTTP method), or 308 (permanent, preserves HTTP method).
- If you selected Stealth, optionally enter a page title, meta description, and meta keywords for SEO.
- Click Create.
- The forward appears in the Active Forwards list with its type and status.
Editing a web forward
- In the Active Forwards list, find the forward you want to modify.
- Click the edit icon (pencil) in the Actions column.
- Modify the target URL, forwarding type, status code, or SEO fields as needed.
- Click Save.
- The updated configuration takes effect immediately.
Deleting a web forward
- In the Active Forwards list, click the trash icon in the Actions column for the forward.
- Confirm the deletion in the dialog.
- The forward is removed and the domain's DNS records are restored to their previous values. If the forward was using a stealth flag, the flag is released and becomes available again.
7. Inputs and Settings
| Field | Description | Constraints |
|---|---|---|
| Domain | The DDNS domain to forward. Must be an existing domain owned by the user. | Must not already have a forward configured. One forward per domain. |
| Target URL | The destination URL to which traffic is redirected or embedded. | Must be a valid URL. https:// is automatically added if no protocol is specified. Must not point to certadns.com, eliteip.vip, or premiumip.vip domains. Must not contain ".." in the domain portion. Domain must not have leading or trailing dots. |
| Forwarding Type | Redirect (HTTP redirect) or Stealth (iframe embedding). | Stealth requires a Plus plan or higher and consumes one stealth flag. |
| HTTP Status Code | For Redirect forwards: 301 (permanent), 302 (temporary), 307 (temporary, preserves method), 308 (permanent, preserves method). | Only applicable when Forwarding Type is Redirect. |
| Page Title | For Stealth forwards: the HTML <title> tag content displayed in the browser tab. |
Optional. Only applicable when Forwarding Type is Stealth. Maximum 200 characters. |
| Meta Description | For Stealth forwards: the <meta name="description"> tag content for SEO. |
Optional. Only applicable when Forwarding Type is Stealth. Maximum 500 characters. |
| Meta Keywords | For Stealth forwards: the <meta name="keywords"> tag content for SEO. |
Optional. Only applicable when Forwarding Type is Stealth. Maximum 500 characters. |
Forwarding type comparison
| Feature | Redirect | Stealth |
|---|---|---|
| Browser address bar | Updates to target URL | Remains on original domain |
| Plan requirement | All plans | Plus or higher |
| Stealth flag usage | None | One flag per forward |
| Quantity limit | Unlimited | Limited by stealth flag allocation |
| Custom SEO metadata | No | Yes (title, description, keywords) |
| Compatibility | Works with all websites | Blocked by frame-breaking sites |
| HTTP status codes | 301, 302, 307, 308 | 200 (with iframe embed) |
8. Outputs and Results
Usage dashboard
The Web Forwarding dashboard displays three summary cards:
| Card | Description |
|---|---|
| Total Forwards | Count of all active web forwards (redirect and stealth combined). |
| Stealth Flags Used / Max | Number of stealth forwards currently active out of the maximum allocation for your plan. Includes a progress bar indicating usage percentage. |
| Available Flags | Number of stealth flags remaining (Max - Used). |
Active forwards list columns
| Column | Description |
|---|---|
| Domain | Full FQDN of the forwarded domain in monospace font. |
| Target URL | Destination URL in monospace font. Long URLs are truncated with ellipsis. |
| Type | Badge showing forwarding type. Redirect forwards show the HTTP status code (e.g., "Redirect 301"). Stealth forwards show "Stealth". |
| Status | Green "Active" or red "Inactive" badge. |
| Using Flag | Purple badge displayed only for stealth forwards to indicate a stealth flag is in use. |
| Actions | Edit (pencil icon) and Delete (trash icon). |
Progress bar states
| Usage % | Color | Meaning |
|---|---|---|
| 0-70% | Green | Normal usage, flags available. |
| 71-89% | Yellow | High usage, few flags remaining. |
| 90-100% | Red | At or near capacity. No or very few flags available. |
9. How to Interpret Results
Normal
- Forward shows "Active" status. Visiting the domain over HTTP results in the expected redirect or iframe embed.
- For redirect forwards: the browser address bar updates to the target URL and the HTTP response includes the configured status code.
- For stealth forwards: the browser address bar remains on the original domain and the target URL content appears in an iframe. The page title, meta description, and meta keywords match the configured values.
- Stealth flags used count increases by one when a stealth forward is created and decreases by one when deleted.
Unexpected or worth investigating
- Stealth forward displays a blank page or error message: The target website is blocking iframe embedding through frame-breaking JavaScript or HTTP headers. Use a redirect forward instead or choose a different target URL.
- Forward is "Inactive": The forward configuration exists but DNS has not been updated or the domain is inactive. Verify the domain's status and DNS records.
- Available Flags shows negative number: This indicates a data inconsistency. Contact support for assistance.
- DNS does not point to forwarding servers: Verify that the domain's A and AAAA records match the web server IPs. If the forward was recently created, DNS propagation may still be in progress.
Common interpretation mistakes
- Expecting HTTPS on the source domain: Web forwarding operates on HTTP only. The CertaDNS forwarding service does not provide SSL/TLS certificates for the source domain. If HTTPS is required, the target URL can be HTTPS, but the initial request to the source domain must be HTTP.
- Confusing stealth flag limits with forward limits: Redirect forwards are unlimited. Only stealth forwards consume stealth flags. The "Total Forwards" count includes both redirect and stealth forwards.
- Expecting stealth forwarding to work with all sites: Many major websites block iframe embedding. The system blocks known frame-breaking domains from stealth forwarding at creation time, but additional sites may still fail at runtime.
10. Common Issues and Explanations
"Stealth forwarding requires Pro or Elite plan" error (HTTP 403)
Stealth forwarding requires a Plus plan or higher. Free plan users can only create redirect forwards. Upgrade to Plus, Pro, or Elite to access stealth forwarding.
"No stealth flags remaining" error (HTTP 403)
You have used all allocated stealth flags for your plan. Delete an existing stealth forward to release a flag, convert a stealth forward to a redirect forward, or upgrade to a higher plan with more stealth flags. Limits: Free=0, Plus=5, Pro=10, Elite=50, Admin=999.
"Domain not found or not owned" error (HTTP 404)
The domain specified does not exist or is not owned by your account. Verify that the domain appears in your DDNS domains list and that you have spelled the FQDN correctly.
"Domain already has forwarding configured" error (HTTP 400)
Each domain can have only one web forward. Delete the existing forward before creating a new one, or edit the existing forward to change its configuration.
"Invalid URL format" error (HTTP 400)
The target URL does not meet validation requirements. Ensure the URL does not contain ".." in the domain portion and that the domain does not have leading or trailing dots. URLs with missing protocols are automatically normalized to https://, so this error indicates a more fundamental format issue.
"Recursive forwarding detected" error (HTTP 400)
The target URL points to a CertaDNS domain (certadns.com, eliteip.vip, or premiumip.vip). Recursive forwarding is blocked to prevent infinite redirect loops. Change the target URL to a non-CertaDNS domain.
"Failed to update DNS" error (HTTP 500)
The forward was created in the database but the DNS records could not be updated. This is a server-side error. Retry the operation. If the error persists, contact support.
Stealth forward displays "This content cannot be displayed in a frame"
The target website is blocking iframe embedding. Common causes: the site sets X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'none' headers, or the site uses frame-breaking JavaScript. Use a redirect forward instead or choose a target URL that permits iframe embedding.
Domain dropdown is empty when creating a forward
No eligible domains are available. This occurs when all your DDNS domains already have forwards configured or you have no DDNS domains. Create a new DDNS domain first, or delete an existing forward to make a domain eligible again.
Visiting the domain returns a DNS error or timeout
The DNS records may not have propagated yet or the domain's DNS is not pointing to the CertaDNS web server IPs. Wait a few minutes for DNS propagation. Verify the domain's A and AAAA records using a DNS lookup tool. The records should point to the IPs configured in WEB_SERVER_IPS.
11. Limits and Constraints
Stealth flag allocation
| Plan | Stealth Flags | Redirect Forwards |
|---|---|---|
| Free | 0 | Unlimited |
| Plus | 5 | Unlimited |
| Pro | 10 | Unlimited |
| Elite | 50 | Unlimited |
| Admin | 999 | Unlimited |
Other constraints
- One web forward per domain. A domain cannot have both a forward and a standard DNS A/AAAA record pointing to an IP at the same time.
- Target URL must not point to
certadns.com,eliteip.vip, orpremiumip.vipdomains. - Target URL domain must not contain ".." and must not have leading or trailing dots.
- Page title maximum length: 200 characters.
- Meta description maximum length: 500 characters.
- Meta keywords maximum length: 500 characters.
- Stealth forwarding is blocked for the following frame-breaking domains: Facebook, Twitter, Google, YouTube, Instagram, LinkedIn, PayPal, Stripe, GitHub, Amazon, Apple, Microsoft, Netflix.
12. Related Features
- Dynamic DNS Domains — Create a DDNS domain before configuring a web forward. Domains can either point to an IP or have a web forward, but not both simultaneously.
- Managed DNS Zones (BYOD) — Domains created under imported zones can also be forwarded. The forwarding system supports both CertaDNS public zones and user-imported zones.
- DNS Record Management — For full DNS control over a domain, use DNS record management on an imported zone instead of web forwarding.
13. Updates and Behavior Changes
- Stealth forwarding SEO fields (page title, meta description, meta keywords) were added to improve search engine indexing of stealth-forwarded domains.
- HTTP 307 and 308 status codes were added as redirect options to provide HTTP method preservation for POST and PUT requests.
- Frame-breaking domain blocklist was expanded to include additional major platforms that do not permit iframe embedding.
- DNS restoration on forward deletion was improved to handle cases where the original IP address was no longer valid or the domain had no prior IP.