I'm Daniel, network engineer in Sweden. Built DynIP because every DDNS service I tried was designed around 2010-era networks: proprietary HTTP-only update protocols, poor IPv6, no DNSSEC, little support for actually modern devices.
What's in it:
- RFC 2136 / TSIG updates as a first-class path. FortiGate genericDDNS and MikroTik's /tool dns-update work natively — no custom client needed. HTTP API is also available for everything else.
- IPv6 end-to-end. Authoritative nameservers reachable over IPv6 (with AAAA glue published at the parent .dev zone), customer zones publish A and AAAA, and the platform works for IPv6-only clients.
- DNSSEC available on selected zones. With a single toggle.
- Bring your own domain via subdomain delegation. Point subdomain.yourcompany.com at our nameservers, manage normally.
- Hidden primary architecture: two geographically distributed secondaries (Sweden + Switzerland) verify TSIG locally and forward updates to a primary that doesn't take public traffic.
- Private-APN-friendly: we accept RFC 1918 and CGNAT addresses in records, which means cellular fleets on private APNs can use public DNS for stable hostnames pointing at internal IPs. Described in the fleet ops guide.
- A small Docker container (ghcr.io/33k-org/dynip-updater) for any docker-compose / Kubernetes / Coolify / Dokploy setup.
Background: 25 years of managed networking. DDNS was the part that broke or required tricks. Wanted one that didn't.
Stack: PowerDNS 4.8 authoritative, FastAPI backend, Postgres, Postfix for transactional mail, Cloudflare for the external surface and as a
tunnel for the API. Live on dynip.dev. Paddle for billing. Free tier exists.
Happy to dig into architecture, the TSIG sync mechanism, per-zone DNSSEC handling, the hidden primary approach, or anything else.
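The RFC 2136 + TSIG path the post describes (a client signs a DNS UPDATE with a per-zone key, and a secondary verifies the MAC locally before forwarding it to the hidden primary), shown as an added example, not DynIP's code: a standard-library Python builder, signer and verifier for the UPDATE wire format with an hmac-sha256 TSIG RR (RFC 8945). The zone, host, key name and secret are constructed; a real client would use nsupdate, FortiGate genericDDNS or MikroTik's /tool dns-update, and this deliberately skips name compression and request/response MAC chaining.

```python
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALG = "hmac-sha256."          # TSIG algorithm name (RFC 8945)
KEYNAME = "example.key."      # constructed key name; real key names will differ
SECRET = bytes(range(32))     # constructed 32-byte secret; use a random one in practice


def encode_name(name):
    """Wire-format a domain name as uncompressed labels ending in a zero octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf, off):
    """Inverse of encode_name; returns (name with trailing dot, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, host, ipv4, msg_id):
    """Unsigned UPDATE (opcode 5): zone section, then delete the A RRset at host and add one A."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 2, 0)   # ZOCOUNT=1, UPCOUNT=2
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_rrset = rr(host, TYPE_A, CLASS_ANY, 0, b"")            # class ANY + TTL 0 = delete RRset
    add = rr(host, TYPE_A, CLASS_IN, 60, bytes(int(o) for o in ipv4.split(".")))
    return header + zone_section + delete_rrset + add


def _tsig_digest_input(message, keyname, time_signed, fudge, error=0, other=b""):
    """Data the MAC covers: the message without the TSIG RR, then the TSIG variables."""
    return (message + encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def sign(message, keyname, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to the additional section carrying HMAC-SHA256 over the message."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, _tsig_digest_input(message, keyname, time_signed, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALG)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr(keyname, TYPE_TSIG, CLASS_ANY, 0, rdata)


def verify(signed, keys, now=None):
    """Secondary-side check: locate the trailing TSIG RR, recompute the MAC with the key it
    names, compare in constant time, and enforce the time window before accepting the update."""
    now = int(time.time()) if now is None else now
    msg_id, zocount, prcount, upcount, adcount = struct.unpack("!HHHHH", signed[:2] + signed[4:12])
    if adcount == 0:
        return False
    off = 12
    for _ in range(zocount):                       # zone entries: name, type, class
        _, off = read_name(signed, off)
        off += 4
    last = off
    for _ in range(prcount + upcount + adcount):   # walk RRs; the TSIG RR must be the last one
        last = off
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    keyname, p = read_name(signed, last)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return False
    alg, p = read_name(signed, p + 10)             # skip type, class, ttl, rdlen
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[p:p + 10])
    p += 10
    mac, p = signed[p:p + maclen], p + maclen
    original_id = struct.unpack("!H", signed[p:p + 2])[0]
    time_signed = (hi << 32) | lo
    secret = keys.get(keyname)
    if secret is None or alg != ALG or original_id != msg_id or abs(now - time_signed) > fudge:
        return False
    unsigned = signed[:10] + struct.pack("!H", adcount - 1) + signed[12:last]
    expected = hmac.new(secret, _tsig_digest_input(unsigned, keyname, time_signed, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo(now=1700000000):
    """Sign an update for a constructed zone and verify it with the matching key."""
    msg = build_update("example.dynip.dev.", "edge01.example.dynip.dev.", "100.64.10.7", msg_id=0x1234)
    signed = sign(msg, KEYNAME, SECRET, time_signed=now)
    return verify(signed, {KEYNAME: SECRET}, now)
```

The points a secondary has to get right are all in verify(): the MAC is recomputed over the message as it looked before the TSIG RR was appended (ARCOUNT decremented), the key is chosen by the name carried in the TSIG RR so one secondary can hold many per-zone keys, the comparison is constant-time, and an otherwise valid message outside the fudge window is rejected so a captured update cannot be replayed later.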
schanz 1 days ago [-]
> because every DDNS service I tried was designed around 2010-era networks
I am not an expert in the domain of DDNS. Wanted to bring your attention to desec.io, in case you didn't know about them. They offer a similar feature set to what you mentioned (IPv6, DNSSEC, BYOD, ...). It is an open source project and they offer a very reliable free hosted service. As you said, they originated from the 2010-era (2014). I've used them for several years now and they bring everything to the table that I need.
For inspiration:
They even have a feature that I use which I haven't spotted in your documentation (but maybe I just didn't look close enough): Support for IPv6 prefix delegation. Routers that get assigned an IPv6 prefix from the ISP can update the IPv6 prefix of arbitrary domains. In Europe this prefix is not static and is rotated each time a new connection to the ISP is established. This feature allows the router to automatically update the IPv6 _prefix_ of selected domains. The host part of the IP is left untouched, but the network part is updated.
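What the prefix-update feature above does, as an added example (not deSEC's or DynIP's code): given the newly delegated prefix, keep each record's host bits (the interface identifier) and replace only the network bits. The zone contents and prefixes are constructed; a router would feed in the prefix it just received via DHCPv6-PD. Records outside the old prefix (a static address elsewhere) are left alone, which is the edge case that matters when the zone mixes ISP-assigned and other addresses.

```python
import ipaddress


def rotate_prefix(current, new_prefix):
    """Move an IPv6 address into new_prefix, keeping the host bits (interface identifier)."""
    net = ipaddress.IPv6Network(new_prefix, strict=False)
    addr = ipaddress.IPv6Address(current)
    host_mask = (1 << (128 - net.prefixlen)) - 1
    return str(ipaddress.IPv6Address(int(net.network_address) | (int(addr) & host_mask)))


def rotate_aaaa(records, old_prefix, new_prefix):
    """For a {name: address} map of AAAA records, return only the records that must change:
    those inside old_prefix, rewritten into new_prefix. Addresses elsewhere are untouched."""
    old = ipaddress.IPv6Network(old_prefix, strict=False)
    changes = {}
    for name, addr in records.items():
        if ipaddress.IPv6Address(addr) in old:
            changes[name] = rotate_prefix(addr, new_prefix)
    return changes


# Constructed sample zone: two hosts in subnets 1 and 2 of an ISP-delegated /56,
# plus one record pointing somewhere the ISP prefix does not cover.
ZONE = {
    "nas.example.dynip.dev.": "2001:db8:1:1::10",
    "cam.example.dynip.dev.": "2001:db8:1:2:0:ff:fe00:1234",
    "vpn.example.dynip.dev.": "2001:db8:9999::1",
}

if __name__ == "__main__":
    # The ISP reconnects and hands out 2001:db8:abcd:100::/56 instead of 2001:db8:1::/56.
    for name, addr in rotate_aaaa(ZONE, "2001:db8:1::/56", "2001:db8:abcd:100::/56").items():
        print(name, "AAAA", addr)
```

With a /56 the subnet id (the low byte of the fourth hextet) counts as host bits from the delegation's point of view, so subnet 1 of the old prefix lands in subnet 1 of the new one; that is why the prefix length must come from the delegation, not be assumed to be /64.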
Hi, doing on mobile so short answer. To my knowledge they don't do RFC 2146 but rather base everything around a good api that they have. Like you say different types of records etc.
And really, dynip came to be from fortinet/fortigate that have excellent support via their genericDDNS setup, and things kind of grew from there to what you see today.
And the subnet ipv6 sounds really interesting. Will need to check that out, sounds like that could be a feature request
aruametello 1 days ago [-]
I can vouch for desec.io for having the option to have TXT, NS, CNAME, etc. DNS entries on their free tier! (limited to 1 domain, up to 50 entries)
I really had a bad time trying to get a Let's Encrypt certificate through the regular auth because it does require ports 80 and 443 TCP, which my ISP blocks.
(you can get a Let's Encrypt cert through a TXT entry too, but most free DDNS providers don't seem to offer that)
dynip 1 days ago [-]
Dynip.dev solves this with the DNS challenge, and you can download the full chain and key either via the API or the dashboard. Check /docs
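The DNS-01 challenge mentioned above is what lets a host behind an ISP that blocks 80/443 get a certificate: the CA never connects to the host, it only looks up a TXT record. As an added example (not DynIP's or Let's Encrypt's code), this is how the TXT value is derived under RFC 8555 §8.4 from the challenge token and the ACME account key's RFC 7638 thumbprint, standard library only. The JWK below is a constructed placeholder, not a real key, and the token is made up; a real client gets both from its ACME account and the challenge object.

```python
import base64
import hashlib
import json


def b64url(data):
    """base64url without padding, as ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 of the canonical JSON of the required members only,
    sorted lexicographically, no whitespace. Optional members (kid, use, ...) are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, jwk):
    """RFC 8555 §8.4: the TXT record holds base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record(name, token, jwk):
    """(owner name, TXT value) to publish, with the _acme-challenge label prepended."""
    return f"_acme-challenge.{name.rstrip('.')}.", dns01_txt_value(token, jwk)


# Constructed placeholder account key (not a real P-256 public key).
JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "x_coordinate_placeholder_base64url",
    "y": "y_coordinate_placeholder_base64url",
    "kid": "https://acme.example/acct/1",   # extra member: must not affect the thumbprint
}

if __name__ == "__main__":
    owner, value = challenge_record("home.example.dynip.dev", "constructed-token", JWK)
    print(f"{owner} 60 IN TXT \"{value}\"")
```

Two things this shows that the prose does not: the TXT value never contains the token or the account key, only a hash that commits to both, so publishing it reveals nothing reusable; and the thumbprint must be computed over the canonical required members only, so a JWK with a kid or a different member order still produces the same record.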
tjoff 1 days ago [-]
FYI: Site does not work in Firefox Focus (Android) unless I turn off tracking protection (which is on by default).
Which was a bit confusing when I clicked the confirm-your-email link. No confirmation or status or anything.
dynip 1 days ago [-]
Thanks, I will put it on my issues list to look into.
8cvor6j844qw_d6 23 hours ago [-]
Very minor UX nit. Clicking "change password" in the dashboard sends an email with a reset link, but the reset page only shows up in a logged-out session.
If you're logged in, the link just redirects to the dashboard homepage. Since users will typically still be logged in when the email arrives (they just clicked the change password button from inside the dashboard), they'll need to logout first.
Either a "log out first" line in the email, or having the link end the current session before serving the reset page, would smooth this over.
---
Thanks for building this, useful for some home projects.
dynip 23 hours ago [-]
Thanks, will look into what the best path would be. adding to the bugs list :)
dynip 22 hours ago [-]
Marking as fixed, was a prior html change that i overlooked
please have a go but right now it should not matter if you are logged in or not, the reset_token takes precedence.
Thanks for reporting!
siwatanejo 1 days ago [-]
Do you mind supporting L402 so that agents can potentially purchase the service?
dynip 1 days ago [-]
Wow, that sounds like a great idea. I wanted it to be easy with the paddle integration but even that was a pain. Will look into it for sure, thanks!
BorisMelnik 1 days ago [-]
you can scan your site with Cloudflare's tool https://isitagentready.com/ for all that new agent / web MCP type of goodness. love your service btw. I think I'm going to make the swap. there is one domain that I rely on for DDNS and the service I use, while reliable, just really sucks for reasons you have already outlined
lmm 1 days ago [-]
> we accept RFC 1918 and CGNAT addresses in records
Doesn't that cause security issues by making it possible to put other people's private servers (that you want to do XSS-type attacks against) into your domains or something? I have a vague memory of it being a security no-no somehow.
dynip 1 days ago [-]
There are a few things to think about, yes. I actually post parts of it in the fleet guide, that it should be considered before posting. The DNS rebind issue should be controlled by host header validation, CSRF, same-site cookies etc. Internal topology disclosure is real, but we don't post it. You can do the same in Cloudflare for example.
akerl_ 1 days ago [-]
Basically any DNS provider allows this (plus anybody can buy a domain and run their own DNS server).
The defense against this has to happen either on the resource you want to protect or in the browser.
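The "on the resource" defense the two replies above converge on, as an added example (not DynIP's code, not from the fleet guide): a rebinding attacker can make attacker.example resolve to your private address, but cannot control the Host header the victim's browser sends, which still says attacker.example. Validating Host against the names the service is meant to answer on turns the rebound request into a 421 before any handler runs. The allowlist and the sample requests are constructed.

```python
ALLOWED_HOSTS = {                       # constructed: names this service is legitimately reached by
    "nas.example.dynip.dev",            # the public DDNS name
    "nas.lan",                          # local name
    "192.168.1.20",                     # direct LAN access by address
}


def host_from_header(host_header):
    """Strip an optional :port from a Host value; handles [v6]:port and bare v6."""
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end > 0 else ""
    if host.count(":") == 1:            # name:port or v4:port; more colons means bare IPv6
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the request was addressed to a name we expect. A rebound request
    arrives with the attacker's origin in Host, never with one of ours."""
    if not host_header:
        return False
    return host_from_header(host_header) in allowed


def check_request(headers, allowed=ALLOWED_HOSTS):
    """Status to return before dispatch: 421 Misdirected Request for a Host we do not serve."""
    normalized = {k.lower(): v for k, v in headers.items()}
    return 200 if host_is_allowed(normalized.get("host"), allowed) else 421


# Constructed requests: a legitimate browser visit and a rebinding attempt.
SAMPLE_REQUESTS = [
    {"Host": "nas.example.dynip.dev", "Cookie": "session=abc"},       # normal
    {"Host": "nas.lan:8443"},                                         # local, with port
    {"host": "attacker.example", "Cookie": "session=abc"},            # DNS rebinding: wrong Host
    {},                                                               # HTTP/1.0 style, no Host
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.get("Host") or req.get("host") or "<no host>", "->", check_request(req))
```

This is the cheapest of the three controls dynip listed, and it is the one that actually stops rebinding: SameSite cookies and CSRF tokens protect state-changing requests, but only Host (or Origin) validation stops an attacker's page from reading responses from a service that has no authentication at all, which is exactly the case for a lot of home and fleet gear.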
ghoshbishakh 1 days ago [-]
How do the geo distributed secondaries work? How do they sync?
Also, is there anycasting?
dynip 1 days ago [-]
The geo sync updates are handled with distributed keys over internal api, here is the documentation for powerdns around it: https://doc.powerdns.com/authoritative/dnsupdate.html#dnsupd... so the updates are pushed and updated to primaries if the update is done over DNS and if done via API there is a normal replication function.
right now there is no anycast available, possible in the future
ghoshbishakh 1 days ago [-]
Thanks for the answer. I use DB replicas (so all dns servers have a common backend), but only one accepts writes.
I still can not figure out any economical way to roll out anycast.
tapland 1 days ago [-]
Skål! Looks like a huge effort-reliever, excited to try it out.
dynip 1 days ago [-]
Skål!
RyJones 1 days ago [-]
Trying to set it up with HOVER as a registrar - I get:
Nameserver [ns1.dynip.dev] doesn't exist at the registry (Code 480)
dynip 1 days ago [-]
Interesting, will do some digging on what sets them apart from the x amount of BYOD already present. Thanks for letting me know!
dynip 1 days ago [-]
It has to do with the .dev root zone that needs to have these as records, I am on it but it might take a few days to get those records up. Or it could be fast. Glad that you reported and I will report back when we expect it to work
RyJones 1 days ago [-]
thanks. shoot me an email ry@walledcity.org if you need a test subject
dynip 1 days ago [-]
For sure!
hfristedt 1 days ago [-]
Thanks for sharing!
How did you set up PowerDNS? Single/multiple instances? One DB shared by many or multiple authoritative with one hidden primary?
dynip 1 days ago [-]
There are multiple multiples :) both (hidden) primary and secondaries are multiple, snapshots every 20 minutes and forward-update functionality from the secondaries with replicated tsig over powerdns api every 120 seconds. since they are static they only need to replicate once.
if you register a zone and open the snippets quickly, there is a green notification saying tsig replication underway for x amount of seconds and until that happens RFC 2136 updates are not possible but the ones that use api are available right off the bat.
ericpauley 1 days ago [-]
Really cool stuff. Out of curiosity what made you select PowerDNS (and in general a commodity DNS server) vs. developing a custom DNS server integrating your logic (using https://github.com/miekg/dns for instance).
hfristedt 1 days ago [-]
Cool! How did you scale-out the hidden primary? Multiple instances communicating with a single postgres?
dynip 1 days ago [-]
The hidden primary has a passive node, so saying multiple multiple maybe is an overstatement :) and yes, using a single postgres container
bflesch 1 days ago [-]
Well done. Would be nice to remove a bit more five eyes tracking from your stack, e.g. remove includes from 3rd party domains such as unpkg / tailwindcss.com and of course get rid of cloudflare.
dynip 1 days ago [-]
Yes, I have been thinking about that as well and have unpkg / tailwindcss.com in the backlog. good point, appreciated. Cloudflare is a bigger backlog item because of the current infrastructure build.
sparkling 1 days ago [-]
Its unfortunate you didn't go for a EU-native stack right away. Bunny.net offers similar compute/serverless on the edge, close to Cloudflares offerings.
dynip 1 days ago [-]
Something to look into for sure. Thanks
100ms 1 days ago [-]
Even if you've otherwise put in a lot of effort, presenting it with slop on the home page really sends a bad signal. My eye caught "No proprietary clients. No vendor lock-in." as an AI pattern and I'm immediately drawn to wonder whether the service will still be around even just a few weeks from now.
dynip 1 days ago [-]
Thanks for that. My intentions are to stick around for sure. It is genuinely difficult to get a point across in a very short amount of time that people will actually recognize. It's like doom scrolling where you just get bored of it. Happy to take suggestions.
< is there anything else you would like me to answer or is that good enough - GenericAI answer>
But jokes aside, words are difficult and also not my first language
100ms 1 days ago [-]
I don't think any value would be lost in that case by simply deleting the text and not replacing it with anything. AI is particularly bad at inserting this kind of filler, it can sometimes be really hard to spot even though it's right in front of your eyes.
Just more hidden cost of AI.. it's sufficiently hard to avoid these kinds of structural smells that I've gone back to just writing my own copy everywhere.
smilespray 1 days ago [-]
I also write my own copy. (You're absolutely right!) But this trend on HN of calling out everything as AI slop is a bit tiring.
kay_o 1 days ago [-]
Reading so much of it on HN is presumably equally as tiring.
smilespray 1 days ago [-]
I think the problem is that half the time the callouts are incorrect (edgelords trying to be clever) or irrelevant (non-native speakers using AI to translate or clarify).
100ms 1 days ago [-]
Sustained pushback helps define how the tool is used, and if it only takes a few years of complaints to permanently establish good social norms around it, I think we're better for it. At least, I much prefer this than a world where everyone is too polite to complain about slop until slop is all that is left..
smilespray 1 days ago [-]
I agree. However, it's gotten so bad that people are calling out AI slop on things they just don't care for — or mistake human writing for AI — which paradoxically becomes its own red flag to ignore the comment, even if there are valid points within.
I just used the em dash twice, and have been doing so for 35 years. This is now supposedly a dead give-away for slop.
Call it slop when it's slop. When it's not total garbage, give it a rest.
nik282000 16 hours ago [-]
Honestly I would prefer to see text written in your own words, in your first language, and then translate it myself.
AI is a hot button topic and generally a good indicator of bad practice lately :/
Regardless, your project looks fantastic, good luck!
sparkling 1 days ago [-]
My first impression was "oh no, not another generic, vibe-coded service clone". But this is actually really good stuff under hood, and it's clearly coming from someone who has a deep understanding of networking.
Nice work, good luck.
Aransentin 1 days ago [-]
I mean, the comment you are replying to is absolutely AI-generated; I wouldn't say being able to prompt that is any direct evidence of deep understanding of networking.
The website is also vibecoded; at least partially - it has the exact same design choices like that purpleish blue colour scheme that Claude likes to spit out by default.
dynip 1 days ago [-]
Thanks, appreciate it!
basilikum 1 days ago [-]
Pitch sounds really good. I don't have the time to try it out right now.
However had I not read your comment pitching it here, I'd have closed the tab on the landing page immediately. Sorry to be so direct, but it just looks like any vibe sloped page out there. I'm not saying it is, I haven't tried yet and your description here sounds good, but you might consider setting your page apart by putting some personality in it.
On another note, please don't create project specific HackerNews accounts.
> Don't have your username be that of your company or project. It creates a feeling of using HN for promotion and of not really participating as a person. You don't have to use your real name, just something to indicate that you're here as a human, not a brand. If you'd like to change your username, email hn@ycombinator.com.
Good points, don't be sorry. At this point in time there are knowns and unknowns, hopes and dreams and a big chunk of tech knowledge. Not as big on the design part but I think it's ok for now
tngranados 21 hours ago [-]
I'm not sure if the copy is also AI generated but I felt the same as the other commenter when reading it, although maybe I was influenced by the looks.
Aransentin 1 days ago [-]
His large comment here is blatantly LLM slop as well. 100% on Pangram, but it's not like one need it to realize that. Just a bleak situation in general how few people here can tell.
jmusall 1 days ago [-]
Refreshing to see competition entering this space.
However, if you want to self-host, not caring for reliability or ease of use: bind9 supports RFC 2136 DNS UPDATE and DNSSEC, too (haven't figured that out yet, though). For my setup I also wrote a small Go executable that translates HTTP requests, because my home router does not talk DNS UPDATE.
dynip 1 days ago [-]
Thanks! Hope there is room for something fresh and flexible!
And yes, BIND allows for a lot of different things, RFC 2136 being one of them and I have been looking at multiple options before settling down on the current structure. I built a few test cases from my Fortigate (dynip came to be initially fortigate only with simple copy paste over dns internally)
And there are a few code examples that can be used internally on various hosts, Windows or Linux; there is even an Arduino example if you have any IoT devices lying around in your home lab. And writing a Go executable is a good idea, look out under /docs for updates :)
hbogert 1 days ago [-]
Bonus points for rfc 2136, works easily with [external-dns](https://github.com/kubernetes-sigs/external-dns). I've been using k8s+external-dns on-prem with a selfhosted minimal BIND server on a public host for years now.
dynip 1 days ago [-]
Thanks — external-dns + RFC 2136 is a great call. Honestly that's a guide we should write; we already have one for fleet operations and the k8s pattern is the natural extension.
yuvadam 1 days ago [-]
I used to set up my own OpenWrt DDNS scripts that update AWS Route 53 or Cloudflare DNS which solved enough of that problem for me.
Then Tailscale came out and I stopped caring about DDNS or CGNAT ever since.
dynip 1 days ago [-]
Tailscale is awesome, and Netbird is awesome, and Wireguard is awesome. It is a great time to be alive for sure. I have a guide that I wrote https://dynip.dev/guides/tailscale where I explain how and why they can exist
Agree that the OpenWrt DDNS scripts are a bit of a pain with keys/secrets, but the snippets function actually takes the guess / how-does-it-work work out of the equation, so I am pretty happy with that
Your guide sounds obviously written by an LLM. I think that's okay, and you might have directed the LLM's work, but don't say you wrote it; this misrepresents the guide as more carefully crafted and authoritative than it really is.
dynip 1 days ago [-]
point taken
silasdavis 1 days ago [-]
I would have been all over this a few months ago but I've recently been an enthusiastic convert to netbird. I had a look at your guide. I am using netbird reverse proxy to expose a few services and it's been pretty much flawless. It saves me from needing to set up port forwards or worry about a firewall.
Do you see an advantage or alternative benefits to also having a public dynamic DNS, because for me I am struggling to see any?
silasdavis 1 days ago [-]
Okay well I guess we are still dealing with someone else's proxy in the way (also providing TLS termination which was a big thing I was after). So you share fates with that service. It's not just a case of hole punching via a relay.
It would be nice to get something like that also with easy TLS setup.
silasdavis 1 days ago [-]
Okay you've convinced me. This is how I self host my own netbird instance and get a stable relay DNS and use the reverse proxy via that.
Procrasticus...
dynip 1 days ago [-]
So many self replies :) happy to dive in a bit more at a later time to get your take on how the services work together. hope you found the /guide helpful
smilespray 1 days ago [-]
I now use both. DynIP for public-facing services (yeah I still have a few), and Tailscale for what only I need to access. Drastically reduced my attack surface.
Luckily I don't have to deal with CGNAT.
dynip 1 days ago [-]
This makes me really happy, like really really. It is the exact part of the /guide where things work together and not against or replace, synergy and happiness.
smilespray 1 days ago [-]
Reminds me to put Tautulli on Tailscale now. Just reviewed my port openings.
defanor 15 hours ago [-]
Attempted to register, but the verification message does not arrive. I did not see anything resembling it in the mail server logs right after registration, and there is still nothing in the mailbox after 6-7 hours, with a few requests to resend it.
dynip 12 hours ago [-]
I triggered a resend on all emails that was not verified so possibly you have a new validation token available.
dynip 13 hours ago [-]
Give me your address and I will have a look
defanor 2 hours ago [-]
Thanks; it is the same login as here, at steady.mooo.com.
secret-noun 1 days ago [-]
Is it right that the free-tier auth tokens expire in 24 hours (saw the JWT exp claim)? I would like to know this before investing too much time in migrating, even just to try it out. Trying to answer: is the free tier sustainable?
dynip 1 days ago [-]
"Long-lived token" means API tokens for the management API (creating/
deleting zones, listing them, automating via Terraform-style flows),
not the TSIG keys for actual DNS updates. Every zone on every tier gets
its TSIG key — that's what powers the updates themselves. Free tier
manages zones via the dashboard; paid tiers add API tokens for
programmatic management.
So no. the auth token is just for the API and can be used as a bearer for the api, the TSIG are always valid unless the domain is deleted
the free tier allows for 5 zones and all get individual tsig keys and they are always active. no need to pay unless you start handling 100s of new zones, updates, delete etc. so there is a split between the two types of tokens. hope it is clear
SadTrombone 1 days ago [-]
I would maybe amend that to the pricing page, I also thought "long-lived API tokens" referred to the DNS updater functionality, not the management API.
dynip 1 days ago [-]
Thanks for looking out and letting me know!
dynip 1 days ago [-]
Thanks for all the excellent comments and questions, I will be bringing my daughter for swimming lessons for a few hours and will continue looking at the threads when I return.
Have not come in contact with Hickory DNS before, looks pretty solid
gskate11 1 days ago [-]
This does look interesting, I do use DDNS to host various services from my home server to remote clients, but I currently use NO-IP DDNS. They have a pretty generous free tier, but my current gripe is they don't support using Let's encrypt or anything like that. I am borderline about to buy a domain from cloudfare, but curious on what makes DynIP stand out specifically?
dynip 22 hours ago [-]
Well, if your current gripe is no Let's encrypt with NO-IP, then you have just found something that stands out for you :)
dizhn 1 days ago [-]
I like the 2000 era HTTP(S) only updates. All you need is curl/wget/fetch and it works. Add a token if you like. I think duckdns can still do this. No client needed, works almost anywhere. --
dynip 1 days ago [-]
Yep, this is also true for dyndns curl/wget/fetch, have a look at the /docs on other special things that we can do except those. there is a larger functionality base here that I try to cover and not only (but including) curl/wget/fetch.
dizhn 1 days ago [-]
You are dynip yes? Did you mean the old guard dyndns has it or dynip?
dynip 1 days ago [-]
I run dynip.dev, there are like dynip . com that is retired, then there is dyndns and 100 different players i am sure, I am looking out to see if this is good, can be better or useless to the general public.
arianvanp 1 days ago [-]
This will be great for my homelab. Currently I have some hacky scripts to update he.net records whenever my ISP sends me a new ipv6 prefix but I'd prefer to reuse existing tooling.
Looking into switching today :D
dynip 1 days ago [-]
Best use case!
Check the snippets after you create a zone, hopefully less hacky scripts :D
tracker1 1 days ago [-]
I have a few domains parked at freedns.afraid.org for dyndns usage by others, though I've been considering DIYing my own solution using DigitalOcean's DNS services.
Mostly around classic BBS usage, namely bbs.io ... I do hope that .io is officially extended beyond what would normally be end of life.
fcpk 1 days ago [-]
This is great! and an amazing idea.
Just as a warning however the vibe coded website doesn't inspire confidence this isn't low quality auto generated AI slop and/or AI managed infra.
Looking into it of course this seems to not be the case, but just wanted to say, don't use generic looking theming that is default of all LLM-generating websites :)
dynip 1 days ago [-]
One of my things is that I am an engineer and I build functionality for engineers, this has always been the case. I am bad with visualizing this so the Vue framework has helped tremendously with that.
With that said, I hope as well that it is a amazing idea, I am really happy with how it works and performs.
fcpk 1 days ago [-]
oh absolutely, but go with the simple look. ask the LLM to make the page simple and not decorated with "material designs"
alex_suzuki 1 days ago [-]
Even though I agree with other commenters that calling out websites as AI slop based on the copywriting and "generic LLM-generated look" is getting tiring, I can't deny that this was my immediate reaction to it as well.
On the other hand, you being on this comment thread and answering questions competently is a huge boost to the project's credibility in my eyes! But once the link disappears from the front page, only one of these things will remain. :-)
pelagicAustral 1 days ago [-]
It looks alright, I have no issue with it. People just like to hate on things that have zero relevance to the actual product.
It's not like pre-LLM you wouldnt go to Themeforest and see hundreds of designs that were all the same. Now they just call it AI slop, before it was just slop.
dynip 1 days ago [-]
I know right, and you would try different themes, go into the code, try to delete footer information that pointed back to the theme maker only to break the structure of everything.
justassimplex 1 days ago [-]
I usually set up a wireguard tunnel from my home box serving content on nginx to my linux server hosted on a virtual cloud server and have that virtual cloud server pass traffic via the wireguard tunnel back to my home box when people view my content.
dynip 1 days ago [-]
yep sounds valid, keeps the internet traffic nice and secure
tcfhgj 1 days ago [-]
Free tier says without long lived token - how would you use dyndns without one?
dynip 1 days ago [-]
"Long-lived token" means API tokens for the management API (creating/
deleting zones, listing them, automating via Terraform-style flows),
not the TSIG keys for actual DNS updates. Every zone on every tier gets
its TSIG key — that's what powers the updates themselves. Free tier
manages zones via the dashboard; paid tiers add API tokens for
programmatic management.
postepowanieadm 1 days ago [-]
That really needs clarification, llms do get that wrong.
dynip 23 hours ago [-]
Hi, just wanted to check in again to clarify this a bit. TSIG keys are used for both the api and the direct dns update, this is what authenticates the request and tied to a specific domain. the bearer (long and short) are for the account and is tied to you rather than a specific domain. https://dynip.dev/docs#api-register - you can also list current keys etc for the different domains.
TSIG Keys: Used strictly for updating DNS records (/update). These are 44-character Base64 encoded strings generated per-zone.
JWT Bearer Tokens: Used for account management and programmatic zone registration (/register). Generated upon user login.
Hope this helps to clear it up, I might link the documentation from the pricing section so that at least there is clarification on it.
ryanshrott 1 days ago [-]
You generate a short-lived token, update, then rotate it. For most home setups, a cron job every 5 minutes with a 10-minute token window is fine. The RFC 2136 path is the real reason to use this instead of the HTTP update protocols most DDNS services use.
alex_suzuki 1 days ago [-]
My domain registrar also hosts DNS, and supports dynamic DNS entries. Ticking a box gives me an update URL and a username, which I can then enter into my UniFi router. How is this different?
dynip 1 days ago [-]
It is not, the functionality is the same. I am trying to expand on the functionality to not only support a single setup. we support multiple update paths, validation, DNSSEC, Letsencrypt, byod domain etc. fleet management. It could be a battery powered esp node that you send to another country. there are multiple ways of doing the same thing and what I hope I am doing is making it accessible, easy and good looking.
Fortinet for example have a similar thing, you can within their web interface register a something.fortiddns.com or float-zone.com or others. but if you upgrade the fortigate with a newer model you need to get in touch with their support because the domain is locked to the old hardware.
Synology has their own, I mean there has never been more options. What I am doing is trying to bundle, connect and provide a platform for your own domains, that can support Let's Encrypt out of the box, that you can use multiple update paths with, IPv6 if needed.
long reply, I am genuinely happy for the "why" questions as it allows me to speak about the platform :)
alex_suzuki 1 days ago [-]
Thanks!
phil42 1 days ago [-]
What's the name of that registrar?
neals 1 days ago [-]
Would love to know what it is and what it is doing that others are doing wrong. I don't touch dns for anything other then pointing a domain to a server.
dynip 1 days ago [-]
But you do touch DNS :) and the idea here is to create as little friction or easy setup as possible with either fixed, dynamic or unknown ips.
One example I used it for just a few days ago was to set up dual IPsec tunnels for redundancy in FortiGate in a remote warehouse. With the snippets I can just add a BYOD domain and paste the config into the CLI and ship the devices. When they connect it dials up, updates the IP in the dashboard (with notification that it has changed) and the VPN tunnels come up automatically. It is available as road warriors as well, or dialup IPsec tunnels, but I want dual initiator functionality.
Maybe this reply isnt really what the site is for but rather a subset of what can be done.
I have fond memories of playing with dyndns and having cool domains like <mynick>.homeunix.net … and having downtime because my home dns connection went down and came back up with a different ip address.
Fun times :)
dynip 1 days ago [-]
I did the same! back when DNS was new and exciting and not a full on requirement for everything you touch nowadays. I have been thinking about that since then really and finally thought I would bring some of that back!
Thanks for being awesome!
cyberax 1 days ago [-]
Nice! Do you plan to provide secondaries? I would love to have a primary on my home IP and a secondary available from outside in case my connection is down.
tamimio 1 days ago [-]
What’s the use case of DDNS in 2026 when you can have vpn+reverse proxy? Or just vpn really and never expose anything
leohonexus 1 days ago [-]
Your public website / blog? Sometimes you want services that are accessible publicly, like your observability and logging servers (eliminates the VPN point of failure).
tamimio 1 days ago [-]
I have multiple public sites that are running through vpn+reverse proxy, for example, vaultwarden, and it’s more secure because in the reverse proxy I can have rules to pass the connection to specific end points so clients can access it securely but the actual webpage is locked behind SSO. I never encountered a VPN failure, if the connection is up it is up, and it’s an encrypted tunnel too. Another example, if you use something like coolify, you can pair it with another reverse proxy on top of the Traefik one built in, and if you browse that service in coolify, your packet is going through an encrypted link all the way to the docker image behind coolify.
Last time I used DDNS i think was around 2012 in an NVR where I needed to access some cameras publicly.
dynip 1 days ago [-]
I like to believe that there are different use cases that play with different needs, I don't know your exact needs on the topic but it sounds like you have figured out what needs you have on a technical basis.
The idea is not really to never expose anything, almost the opposite or at least understand where on the internet different things live and be able to address them globally
raisedbyninjas 1 days ago [-]
I use it for dev & testing services hosted at home.
bigstrat2003 1 days ago [-]
You could just as easily ask "what's the use case of a VPN when you can expose the service over the Internet?". Yes, publicly exposing a service and using a VPN cover similar use cases. But one isn't inherently better than the other, nor does one make the other obsolete.
sylware 1 days ago [-]
But you still need a registrar, and they are all gated with whatng cartel web engines (aka they broke noscript/basic HTML browser support).
jagged-chisel 1 days ago [-]
How's that related to a dynamic DNS service? I buy a domain name, I provide dynip.dev nameservers and ... what?
sylware 7 hours ago [-]
Because in many use cases, dynamic DNS is used by normal users who have random IPs and who want to be self-hosted; namely, they are trying to get some control and be independent.
The problem is, since DNS registrars are now gated with 'whatng cartel' web engines, that level of control is more than questionable, even pointless?
fuzzfactor 1 days ago [-]
Looks interesting.
dynip 1 days ago [-]
Thanks, I am very happy with it. Reading the /guides or /docs myself actually feels good. Inside the dashboard I have built a "snippets" JavaScript that creates the config for you. I mostly live in the CLI myself, so most is based on that.