I'm Daniel, network engineer in Sweden. Built DynIP because every DDNS service I tried was designed around 2010-era networks: proprietary HTTP-only update protocols, poor IPv6, no DNSSEC, little support for actuallymodern devices.
What's in it:
- RFC 2136 / TSIG updates as a first-class path. FortiGate genericDDNS and MikroTik's /tool dns-update work natively — no custom client needed. HTTP API is also available for everything else.
- IPv6 end-to-end. Authoritative nameservers reachable over IPv6 (with AAAA glue published at the parent .dev zone), customer zones publish A and AAAA, and the platform works for IPv6-only clients.
- DNSSEC available on selected zones. With a single toggle.
- Bring your own domain via subdomain delegation. Point subdomain.yourcompany.com at our nameservers, manage normally.
- Hidden primary architecture: two geographically distributed secondaries (Sweden + Switzerland) verify TSIG locally and forward updates to a primary that doesn't take public traffic.
- Private-APN-friendly: we accept RFC 1918 and CGNAT addresses in records, which means cellular fleets on private APNs can use public DNS for stable hostnames pointing at internal IPs. Described in the fleet ops guide.
- A small Docker container (ghcr.io/33k-org/dynip-updater) for any docker-compose / Kubernetes / Coolify / Dokploy setup.
Background: 25 years of managed networking. DDNS was the part that broke or required tricks. Wanted one that didn't.
Stack: PowerDNS 4.8 authoritative, FastAPI backend, Postgres, Postfix for transactional mail, Cloudflare for the external surface and as a
tunnel for the API. Live on dynip.dev. Paddle for billing. Free tier exists.
Happy to dig into architecture, the TSIG sync mechanism, per-zone DNSSEC handling, the hidden primary approach, or anything else.
> because every DDNS service I tried was designed around 2010-era networks
I am not an expert in the domain of DDNS. Wanted to bring your attention to desec.io, in case you didn't knew about them. They offer a similar feature set like you mentioned (IPv6, DNSSEC, BYOD, ...). It is an open source project and they offer a very reliable free hosted service. As you said, they originated from the 2010-era (2014). I've used them for several years now and they bring everything to the table that I need.
For inspiration:
They even have a feature that I use which I haven't spotted in your documentation (but maybe I just didn't looked close enough): Support for IPv6 prefix delegation. Routers that get assigned an IPv6 prefix from the ISP, can update the IPv6 prefix of arbitrary domains. In Europe this prefix is not static and rotated each time a new connection to the ISP is established. This feature allows the router to automatically update the IPv6 _prefix_ of selected domains. The host part of the IP is left untouched, but the network part is updated.
Hi, doing on mobile so short answer. To my knowledge they don't do RFC 2146 but rather base everything around a good api that they have. Like you say different types of records etc.
And really, dynip came to be from fortinet/fortigate that have excellent support via their genericDDNS setup and things keep of of grew from there to what you see today.
And the subnet ipv6 sounds really interesting. Will need to check that out, sounds like that could be a feature request
i can vouch for desec.io for having the option to have TXT, NS, CNAME, etc dns entries on their free tier! (limited to 1 domain, up to 50 entries)
i really had a bad time trying to get a letsencrypt certificate through the regular auth because it does require ports 80 and 443 tcp that by ISP blocks.
(you can get a letsencrypt cert through a TXT entry too, but most free DDNS´s providers dont seem to offer that)
Very minor UX nit. Clicking "change password" in the dashboard sends an email with a reset link, but the reset page only shows up in a logged-out session.
If you're logged in, the link just redirects to the dashboard homepage. Since users will typically still be logged in when the email arrives (they just clicked the change password button from inside the dashboard), they'll need to logout first.
Either a "log out first" line in the email, or having the link end the current session before serving the reset page, would smooth this over.
---
Thanks for building this, useful for some home projects.
Well done. Would be nice to remove a bit more five eyes tracking from your stack, e.g. remove includes from 3rd party domains such as unpkg / tailwindcss.com and of course get rid of cloudflare.
Yes, I have been thinking about that as well and have unpkg / tailwindcss.com in the backlog. good point, appreciated. Cloudflare is a bigger backlog item because of the current infrastructure build.
Its unfortunate you didn't go for a EU-native stack right away. Bunny.net offers similar compute/serverless on the edge, close to Cloudflares offerings.
you can scan your site with cloudflares tool https://isitagentready.com/ for all that new agent / web mcp type of goodness. love your service btw. I think im going to make the swap. there is one domain that I rely on for ddns and the service I use, while reliable, just really sucks for reasons you have already outlined
This looks interesting, I run PTRDNS https://www.ptrdns.net/ and some of the features I offer overlap with DynIP's.
I decided to use MariaDB as backend and replicate the data with Galera, I also built a proxy that sits in front of PowerDNS and allows per-account API keys (and hopefully someday per-zone API keys).
I'm curious to understand the rationale behind your architecture choices.
Your stuff also looks interesting for sure, you have some things that I have on my backlog. regarding my API keys I use python for the per-account access in bearer style and the TSIG keys work as per zone directly to PowerDNS. I only use the powerdns api on the hidden primary setup so the secondaries can run individual zone cleanup, tsig replicatio, axfr meta data etc as sidecars and forward replication for dns updates.
was there anything in particular you were thinking?
I'm interested to know the rationale behind the choice of AXFR to replicate zones, as opposed to database replication. Has this been always reliable enough for you?
Also, is the AXFR latency an issue or it stays always within your acceptable parameters?
There are multiple multiples :) both (hidden) primary and secondaries are multiple, snapshots every 20 minutes and forward-update functionality from the secondaries with replicated tsig over powerdns api every 120 seconds. since they are static they only need to replicate once.
if you register a zone and open the snippets quickly, there is a green notification saying tsig replication underway for x amount of seconds and until that happens RFC 2136 updates are not possible but the ones that use api are available right off the bat.
Really cool stuff. Out of curiosity what made you select PowerDNS (and in general a commodity DNS server) vs. developing a custom DNS server integrating your logic (using https://github.com/miekg/dns for instance).
> we accept RFC 1918 and CGNAT addresses in records
Doesn't that cause security issues by making it possible to put other people's private servers (that you want to do XSS-type attacks against) into your domains or something? I have a vague memory of it being a security no-no somehow.
There are a few things to think about yes, I actually post in the fleet guide parts of it that it should be considered before posting. the dns rebind issue but that should be controlled by host header validation, CSRF, same-site cookies etc. Internal topology disclosure — real. but we dont post it. You can do the same in Cloudflare for example.
The geo sync updates are handled with distributed keys over internal api, here is the documentation for powerdns around it: https://doc.powerdns.com/authoritative/dnsupdate.html#dnsupd... so the updates are pushed and updated to primaries if the update is done over DNS and if done via API there is a normal replication function.
right now there is no anycast available, possible in the future
It has to do with the .dev root zone that needs to have these as records, I am on it but it might take a few days to get those records up. Or it could be fast. Glad that you reported and I will report back when we expect it to work
Even if you've otherwise put in a lot of effort, presenting it with slop on the home page really sends a bad signal. My eye caught "No proprietary clients. No vendor lock-in." as an AI pattern and I'm immediately drawn to wonder whether the service will still be around even just a few weeks from now.
Thanks for that, My intentions are to stick around for sure. It is genuinely difficult to get a point across in a very short amount of time that people that people will actually recognize. its like doom scrolling where you just get boored of it. Happy to take suggestions.
< is there anything else you would like me to answer or is that good enough - GenericAI answer>
But jokes aside, words are difficult and also not my first language
I don't think any value would be lost in that case by simply deleting the text and not replacing it with anything. AI is particularly bad at inserting this kind of filler, it can sometimes be really hard to spot even though it's right in front of your eyes.
Just more hidden cost of AI.. it's sufficiently hard to avoid these kinds of structural smells that I've gone back to just writing my own copy everywhere.
I think the problem is that half the time the callouts are incorrect (edgelords trying to be clever) or irrelevant (non-native speakers using AI to translate or clarify).
Sustained pushback helps define how the tool is used, and if it only takes a few years of complaints to permanently establish good social norms around it, I think we're better for it. At least, I much prefer this than a world where everyone is too polite to complain about slop until slop is all that is left..
I agree. However, it's gotten so bad that people are calling out AI slop on things they just don't care for — or mistake human writing for AI — which paradoxically becomes its own red flag to ignore the comment, even if there are valid points within.
I just used the em dash twice, and have been doing so for 35 years. This is now supposedly a dead give-away for slop.
Call it slop when it's slop. When it's not total garbage, give it a rest.
My first impression was "oh no, not another generic, vibe-coded service clone". But this is actually really good stuff under hood, and it's clearly coming from someone who has a deep understanding of networking.
I mean, the comment you are replying to is absolutely AI-generated; I wouldn't say being able to prompt that is any direct evidence of deep understanding of networking.
The website is also vibecoded; at least partially - it has the exact same design choices like that purpleish blue colour scheme that Claude likes to spit out by default.
What's in it:
- RFC 2136 / TSIG updates as a first-class path. FortiGate genericDDNS and MikroTik's /tool dns-update work natively — no custom client needed. HTTP API is also available for everything else.
- IPv6 end-to-end. Authoritative nameservers reachable over IPv6 (with AAAA glue published at the parent .dev zone), customer zones publish A and AAAA, and the platform works for IPv6-only clients.
- DNSSEC available on selected zones. With a single toggle.
- Bring your own domain via subdomain delegation. Point subdomain.yourcompany.com at our nameservers, manage normally.
- Hidden primary architecture: two geographically distributed secondaries (Sweden + Switzerland) verify TSIG locally and forward updates to a primary that doesn't take public traffic.
- Private-APN-friendly: we accept RFC 1918 and CGNAT addresses in records, which means cellular fleets on private APNs can use public DNS for stable hostnames pointing at internal IPs. Described in the fleet ops guide.
- A small Docker container (ghcr.io/33k-org/dynip-updater) for any docker-compose / Kubernetes / Coolify / Dokploy setup.
Background: 25 years of managed networking. DDNS was the part that broke or required tricks. Wanted one that didn't.
Stack: PowerDNS 4.8 authoritative, FastAPI backend, Postgres, Postfix for transactional mail, Cloudflare for the external surface and as a tunnel for the API. Live on dynip.dev. Paddle for billing. Free tier exists.
Happy to dig into architecture, the TSIG sync mechanism, per-zone DNSSEC handling, the hidden primary approach, or anything else.