Recent firmware on the USG (I used 4.5.3dev, but recent 4.4x releases should also work) allows native configuration of CloudFlare DDNS without a third-party service such as the ever-popular DNS-O-Matic. The only catch, for now (as of Controller 5.9.4), is that you have to use config.gateway.json to do it. This file lives on the controller in the applicable site and has to be created there if it does not already exist. Below is the portion of config.gateway.json needed to make this work:
{
  "service": {
    "dns": {
      "dynamic": {
        "interface": {
          "<WAN interface eg eth0>": {
            "service": {
              "cloudflare": {
                "host-name": [
                  "<insert A record name here eg. usg.example.com>"
                ],
                "login": "<CloudFlare E-Mail>",
                "options": [
                  "zone=<DNS Zone eg. example.com>"
                ],
                "password": "<CloudFlare Global API Key>",
                "protocol": "cloudflare",
                "server": "www.cloudflare.com"
              }
            }
          }
        }
      }
    }
  }
}
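An added example, not part of the original page or of any Ubiquiti tooling: a Python check to run on the file before the controller provisions it, confirming that the JSON parses, that no template placeholder is left, and that each host-name falls under the zone= option. The function name, the host-within-zone rule and the sample values are assumptions made for this example; it reports key names only, because password holds the Global API Key in plain text.

```python
import json

REQUIRED = ("host-name", "login", "options", "password", "protocol", "server")

def check_cloudflare_ddns(text):
    """Return a list of problems in a config.gateway.json string (empty = OK)."""
    try:
        cfg = json.loads(text)
        ifaces = cfg["service"]["dns"]["dynamic"]["interface"]
        blocks = {n: b["service"]["cloudflare"] for n, b in ifaces.items()}
        if not all(isinstance(b, dict) for b in blocks.values()):
            raise TypeError("cloudflare block is not an object")
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    except (KeyError, TypeError, AttributeError):
        return ["expected service/dns/dynamic/interface/<if>/service/cloudflare"]
    problems = []
    for ifname, cf in blocks.items():
        if "<" in ifname or ">" in ifname:
            problems.append(f"{ifname}: interface name is still a placeholder")
        for key in REQUIRED:
            if key not in cf:
                problems.append(f"{ifname}: missing {key}")
        for key, value in cf.items():
            items = value if isinstance(value, list) else [value]
            # Report the key only, so the API key never lands in output.
            if any("<" in str(i) or ">" in str(i) for i in items):
                problems.append(f"{ifname}: {key} is still a placeholder")
        zones = [str(o)[5:] for o in cf.get("options", []) if str(o).startswith("zone=")]
        if len(zones) != 1:
            problems.append(f"{ifname}: options needs exactly one zone= entry")
        else:
            for host in cf.get("host-name", []):
                # Assumption: the A record must be the zone apex or below it.
                if host != zones[0] and not host.endswith("." + zones[0]):
                    problems.append(f"{ifname}: {host} is outside zone {zones[0]}")
        if cf.get("protocol") != "cloudflare":
            problems.append(f"{ifname}: protocol must be cloudflare")
    return problems

# Constructed sample: filled in, but host-name and zone disagree.
SAMPLE = json.dumps({"service": {"dns": {"dynamic": {"interface": {"eth0": {
    "service": {"cloudflare": {
        "host-name": ["usg.example.org"], "login": "admin@example.com",
        "options": ["zone=example.com"], "password": "0" * 37,
        "protocol": "cloudflare", "server": "www.cloudflare.com"}}}}}}}})

if __name__ == "__main__":
    print("\n".join(check_cloudflare_ddns(SAMPLE) or ["OK"]))
```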