I'm Daniel, network engineer in Sweden. Built DynIP because every DDNS service I tried was designed around 2010-era networks: proprietary HTTP-only update protocols, poor IPv6, no DNSSEC, little support for actuallymodern devices.
What's in it:
- RFC 2136 / TSIG updates as a first-class path. FortiGate genericDDNS and MikroTik's /tool dns-update work natively — no custom client needed. HTTP API is also available for everything else.
- IPv6 end-to-end. Authoritative nameservers reachable over IPv6 (with AAAA glue published at the parent .dev zone), customer zones publish A and AAAA, and the platform works for IPv6-only clients.
- DNSSEC available on selected zones. With a single toggle.
- Bring your own domain via subdomain delegation. Point subdomain.yourcompany.com at our nameservers, manage normally.
- Hidden primary architecture: two geographically distributed secondaries (Sweden + Switzerland) verify TSIG locally and forward updates to a primary that doesn't take public traffic.
- Private-APN-friendly: we accept RFC 1918 and CGNAT addresses in records, which means cellular fleets on private APNs can use public DNS for stable hostnames pointing at internal IPs. Described in the fleet ops guide.
- A small Docker container (ghcr.io/33k-org/dynip-updater) for any docker-compose / Kubernetes / Coolify / Dokploy setup.
Background: 25 years of managed networking. DDNS was the part that broke or required tricks. Wanted one that didn't.
Stack: PowerDNS 4.8 authoritative, FastAPI backend, Postgres, Postfix for transactional mail, Cloudflare for the external surface and as a
tunnel for the API. Live on dynip.dev. Paddle for billing. Free tier exists.
Happy to dig into architecture, the TSIG sync mechanism, per-zone DNSSEC handling, the hidden primary approach, or anything else.
Very minor UX nit. Clicking "change password" in the dashboard sends an email with a reset link, but the reset page only shows up in a logged-out session.
If you're logged in, the link just redirects to the dashboard homepage. Since users will typically still be logged in when the email arrives (they just clicked the change password button from inside the dashboard), they'll need to logout first.
Either a "log out first" line in the email, or having the link end the current session before serving the reset page, would smooth this over.
---
Thanks for building this, useful for some home projects.
This looks interesting, I run PTRDNS https://www.ptrdns.net/ and some of the features I offer overlap with DynIP's.
I decided to use MariaDB as backend and replicate the data with Galera, I also built a proxy that sits in front of PowerDNS and allows per-account API keys (and hopefully someday per-zone API keys).
I'm curious to understand the rationale behind your architecture choices.
Your stuff also looks interesting for sure, you have some things that I have on my backlog. regarding my API keys I use python for the per-account access in bearer style and the TSIG keys work as per zone directly to PowerDNS. I only use the powerdns api on the hidden primary setup so the secondaries can run individual zone cleanup, tsig replicatio, axfr meta data etc as sidecars and forward replication for dns updates.
was there anything in particular you were thinking?
I'm interested to know the rationale behind the choice of AXFR to replicate zones, as opposed to database replication. Has this been always reliable enough for you?
Also, is the AXFR latency an issue or it stays always within your acceptable parameters?
Would love to know what it is and what it is doing that others are doing wrong. I don't touch dns for anything other then pointing a domain to a server.
Bonus points for rfc 2136, works easily with [external-dns](https://github.com/kubernetes-sigs/external-dns). I've been using k8s+external-dns on-prem with a selfhosted minimal BIND server on a public host for years now.
Back again, "works easily" was a bit of an understatement :D at least when securiting the zones with TSIG sha256 and moving keys around in a secure maner (I had previously used md5 because of compability with fortigate) there is full support now to the extent that I can test with rfc 2136, there is a guide and docs available at https://dynip.dev/docs#integration-external-dns and https://dynip.dev/guides/external-dns and a complete snippet generator. Read the notes as there are a few considerations on policy and depending on mode.
Please have a go if you can and report back if you feel like it
Just as a warning however the vibe coded website doesn't inspire confidence this isn't low quality auto generated AI slop and/or AI managed infra.
Looking into it of course this seems to not be the case, but just wanted to say, don't use generic looking theming that is default of all LLM-generating websites :)
I have fond memories of playing with dyndns and having cool domains like <mynick>.homeunix.net … and having downtime because my home dns connection went down and came back up with a different ip address.
This will be great for my homelab. Currently I have some hacky scripts to update he.net records whenever my ISP sends me a new ipv6 prefix but I'd prefer to reuse existing tooling.
I usually set up a wireguard tunnel from my home box serving content on nginx to my linux server hosted on a virtual cloud server and have that virtual cloud server pass traffic via the wireguard tunnel back to my home box when people view my content.
I like the 2000 era HTTP(S) only updates. All you need is curl/wget/fetch and it works. Add a token if you like. I think duckdns can still do this. No client needed, works almost anywhere. --
Refreshing to see competition entering this space.
However, if you want to self-host, not caring for reliability or ease of use: bind9 supports RFC 2136 DNS UPDATE and DNSSEC, too (haven't figured that out yet, though). For my setup I also wrote a small Go executable that translates HTTP requests, because my home router does not talk DNS UPDATE.
Is it right that the free-tier auth tokens expire in 24 hours (saw the JWT exp claim)? I would like to know this before investing too much time in migrating, even just to try it out. Trying to answer: is the free tier sustainable?
My domain registrar also hosts DNS, and supports dynamic DNS entries. Ticking a box gives me an update URL and a username, which I can then enter into my UniFi router. How is this different?
You could just as easily ask "what's the use case of a VPN when you can expose the service over the Internet?". Yes, publicly exposing a service and using a VPN cover similar use cases. But one isn't inherently better than the other, nor does one make the other obsolete.
Thanks for all the excellent comments and questions, I will be bringing my daughter for swimming lessons for a few hours and will continue looking at the threads when I return.
Pitch sounds really good. I don't have the time to try it out right now.
However had I not read your comment pitching it here, I'd have closed the tab on the landing page immediately. Sorry to be so direct, but it just looks like any vibe sloped page out there. I'm not saying it is, I haven't tried yet and your description here sounds good, but you might consider setting your page apart by putting some personality in it.
On another note, please don't create project specific HackerNews accounts.
> Don't have your username be that of your company or project. It creates a feeling of using HN for promotion and of not really participating as a person. You don't have to use your real name, just something to indicate that you're here as a human, not a brand. If you'd like to change your username, email hn@ycombinator.com.
Good points, don't be sorry. At this point in time there are knowns and unknowns, hopes and dreams and a big chunk of tech knowledge. Not as big on the design part but I think its ok for now
I have a few domains parked at freedns.afraid.org for dyndns usage by others, though I've been considering DIYing my own solution using DigitalOcean's DNS services.
Mostly around classic BBS usage, namely bbs.io ... I do hope that .io is officially extended beyond what would normally be end of life.
Nice! Do you plan to provide secondaries? I would love to have a primary on my home IP and a secondary available from outside in case my connection is down.
37 comments
[ 4.5 ms ] story [ 69.4 ms ] threadWhat's in it:
- RFC 2136 / TSIG updates as a first-class path. FortiGate genericDDNS and MikroTik's /tool dns-update work natively — no custom client needed. HTTP API is also available for everything else.
- IPv6 end-to-end. Authoritative nameservers reachable over IPv6 (with AAAA glue published at the parent .dev zone), customer zones publish A and AAAA, and the platform works for IPv6-only clients.
- DNSSEC available on selected zones. With a single toggle.
- Bring your own domain via subdomain delegation. Point subdomain.yourcompany.com at our nameservers, manage normally.
- Hidden primary architecture: two geographically distributed secondaries (Sweden + Switzerland) verify TSIG locally and forward updates to a primary that doesn't take public traffic.
- Private-APN-friendly: we accept RFC 1918 and CGNAT addresses in records, which means cellular fleets on private APNs can use public DNS for stable hostnames pointing at internal IPs. Described in the fleet ops guide.
- A small Docker container (ghcr.io/33k-org/dynip-updater) for any docker-compose / Kubernetes / Coolify / Dokploy setup.
Background: 25 years of managed networking. DDNS was the part that broke or required tricks. Wanted one that didn't.
Stack: PowerDNS 4.8 authoritative, FastAPI backend, Postgres, Postfix for transactional mail, Cloudflare for the external surface and as a tunnel for the API. Live on dynip.dev. Paddle for billing. Free tier exists.
Happy to dig into architecture, the TSIG sync mechanism, per-zone DNSSEC handling, the hidden primary approach, or anything else.
Nameserver [ns1.dynip.dev] doesn't exist at the registry (Code 480)
If you're logged in, the link just redirects to the dashboard homepage. Since users will typically still be logged in when the email arrives (they just clicked the change password button from inside the dashboard), they'll need to logout first.
Either a "log out first" line in the email, or having the link end the current session before serving the reset page, would smooth this over.
---
Thanks for building this, useful for some home projects.
I decided to use MariaDB as backend and replicate the data with Galera, I also built a proxy that sits in front of PowerDNS and allows per-account API keys (and hopefully someday per-zone API keys).
I'm curious to understand the rationale behind your architecture choices.
was there anything in particular you were thinking?
Also, is the AXFR latency an issue or it stays always within your acceptable parameters?
Please have a go if you can and report back if you feel like it
Thanks!
Just as a warning however the vibe coded website doesn't inspire confidence this isn't low quality auto generated AI slop and/or AI managed infra.
Looking into it of course this seems to not be the case, but just wanted to say, don't use generic looking theming that is default of all LLM-generating websites :)
Fun times :)
Looking into switching today :D
However, if you want to self-host, not caring for reliability or ease of use: bind9 supports RFC 2136 DNS UPDATE and DNSSEC, too (haven't figured that out yet, though). For my setup I also wrote a small Go executable that translates HTTP requests, because my home router does not talk DNS UPDATE.
Then Tailscale came out and I stopped caring about DDNS or CGNAT ever since.
Again, this guy <- happy
Have you considered something like https://github.com/hickory-dns/hickory-dns? Not that everything has to be built in Rust.
However had I not read your comment pitching it here, I'd have closed the tab on the landing page immediately. Sorry to be so direct, but it just looks like any vibe sloped page out there. I'm not saying it is, I haven't tried yet and your description here sounds good, but you might consider setting your page apart by putting some personality in it.
On another note, please don't create project specific HackerNews accounts.
> Don't have your username be that of your company or project. It creates a feeling of using HN for promotion and of not really participating as a person. You don't have to use your real name, just something to indicate that you're here as a human, not a brand. If you'd like to change your username, email hn@ycombinator.com.
https://news.ycombinator.com/item?id=22336638
See also https://news.ycombinator.com/showhn.html
Mostly around classic BBS usage, namely bbs.io ... I do hope that .io is officially extended beyond what would normally be end of life.