If you are using the FreePBX Distro, the built-in firewall will monitor dynamic DNS automatically. The instructions on the Networks tab say: “You may also enter hostnames here (including Dynamic DNS hosts), which will be automatically monitored and updated.”
However, DuckDNS or similar would be near the bottom of my list of solutions.
First, consider setting up a routed VPN at each branch that connects to headquarters. This is useful for file sharing, centralized back-end and many other things unrelated to phones. With luck, the existing routers/firewalls have this capability built in. Once set up, all phones are effectively on the HQ LAN and can connect to FreePBX directly.
Assuming that the branch has internet connectivity, just connect to a PC there with TeamViewer or similar, so you can access their router and fix the problem.
If branch-wide VPN is not feasible, try the Responsive Firewall, which will likely do the job automatically.
Next, if you need dynamic DNS, your domain registrar likely offers this service at no extra cost. Popular ones such as Google, GoDaddy and NameCheap all have dynamic DNS.
If you must use a separate dynamic DNS provider, choose a reputable paid one. You don’t want your business depending on a free service with no support.
When / how often do these addresses change? What kind of internet service (fiber, cable, DSL, 4G, etc.)? There may be ways to greatly reduce the frequency of changes, or force them to occur at night when the office is unoccupied.