Hacker News

dynip today at 7:35 AM (12 replies)

I'm Daniel, network engineer in Sweden. Built DynIP because every DDNS service I tried was designed around 2010-era networks: proprietary HTTP-only update protocols, poor IPv6, no DNSSEC, little support for actually modern devices.

What's in it:

- RFC 2136 / TSIG updates as a first-class path. FortiGate genericDDNS and MikroTik's /tool dns-update work natively — no custom client needed. HTTP API is also available for everything else.

- IPv6 end-to-end. Authoritative nameservers reachable over IPv6 (with AAAA glue published at the parent .dev zone), customer zones publish A and AAAA, and the platform works for IPv6-only clients.

- DNSSEC available on selected zones. With a single toggle.

- Bring your own domain via subdomain delegation. Point subdomain.yourcompany.com at our nameservers, manage normally.

- Hidden primary architecture: two geographically distributed secondaries (Sweden + Switzerland) verify TSIG locally and forward updates to a primary that doesn't take public traffic.

- Private-APN-friendly: we accept RFC 1918 and CGNAT addresses in records, which means cellular fleets on private APNs can use public DNS for stable hostnames pointing at internal IPs. Described in the fleet ops guide.

- A small Docker container (ghcr.io/33k-org/dynip-updater) for any docker-compose / Kubernetes / Coolify / Dokploy setup.

Background: 25 years of managed networking. DDNS was the part that broke or required tricks. Wanted one that didn't.

Stack: PowerDNS 4.8 authoritative, FastAPI backend, Postgres, Postfix for transactional mail, Cloudflare for the external surface and as a tunnel for the API. Live on dynip.dev. Paddle for billing. Free tier exists.

Happy to dig into architecture, the TSIG sync mechanism, per-zone DNSSEC handling, the hidden primary approach, or anything else.


Replies

schanz today at 2:08 PM

> because every DDNS service I tried was designed around 2010-era networks

I am not an expert in the domain of DDNS. Wanted to bring your attention to desec.io, in case you didn't know about them. They offer a feature set similar to the one you mentioned (IPv6, DNSSEC, BYOD, ...). It is an open source project and they offer a very reliable free hosted service. As you said, they originated from the 2010-era (2014). I've used them for several years now and they bring everything to the table that I need.

For inspiration: They even have a feature that I use which I haven't spotted in your documentation (but maybe I just didn't look closely enough): Support for IPv6 prefix delegation. Routers that get assigned an IPv6 prefix from the ISP can update the IPv6 prefix of arbitrary domains. In Europe this prefix is not static and is rotated each time a new connection to the ISP is established. This feature allows the router to automatically update the IPv6 _prefix_ of selected domains. The host part of the IP is left untouched, but the network part is updated.

e.g.: /update?myipv6:nas.home.mydomain.tld=2003:e6:bee:affe::/56

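The prefix rewrite described in the comment above, as an added example that is not part of the thread or of either service's code: the network part of each AAAA record is replaced and the host bits are kept. The old addresses (documentation range), the second record name and the accepted prefix-length range are assumptions.

```python
import ipaddress

# Assumption: accept only delegated-prefix sizes an ISP plausibly hands out.
MIN_PREFIXLEN, MAX_PREFIXLEN = 48, 64


def apply_prefix(current: str, new_prefix: str) -> str:
    """Return `current` with its network part replaced by `new_prefix`."""
    # strict=False masks bits set beyond the prefix length, as in
    # 2003:e6:bee:affe::/56, whose low byte "fe" lies outside the /56.
    net = ipaddress.IPv6Network(new_prefix, strict=False)
    if not MIN_PREFIXLEN <= net.prefixlen <= MAX_PREFIXLEN:
        raise ValueError(f"refusing prefix length /{net.prefixlen}")
    # Everything below the prefix (subnet ID and interface ID) is kept.
    host_bits = int(ipaddress.IPv6Address(current)) & int(net.hostmask)
    return str(ipaddress.IPv6Address(int(net.network_address) | host_bits))


def rewrite_records(records: dict, new_prefix: str) -> dict:
    """Apply the new prefix to every AAAA value; names are left untouched."""
    return {name: apply_prefix(addr, new_prefix) for name, addr in records.items()}


# Constructed sample zone data: two hosts behind one delegated /56.
SAMPLE = {
    "nas.home.mydomain.tld": "2001:db8:aa:bb01:211:32ff:fe12:3456",
    "cam.home.mydomain.tld": "2001:db8:aa:bb02::10",
}

if __name__ == "__main__":
    for name, addr in rewrite_records(SAMPLE, "2003:e6:bee:affe::/56").items():
        print(name, addr)
```
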
tjoff today at 11:22 AM

FYI: Site does not work in Firefox Focus (Android) unless I turn off tracking protection (which is default on).

Which was a bit confusing when I clicked the confirm-your-email link. No confirmation or status or anything.

siwatanejo today at 4:27 PM

Do you mind supporting L402 so that agents can potentially purchase the service?

RyJones today at 3:58 PM

Trying to set it up with HOVER as a registrar - I get:

Nameserver [ns1.dynip.dev] doesn't exist at the registry (Code 480)

ghoshbishakh today at 10:03 AM

How do the geo distributed secondaries work? How do they sync?

Also, is there anycasting?

hfristedt today at 9:38 AM

Thanks for sharing!

How did you set up PowerDNS? Single/multiple instances? One DB shared by many or multiple authoritative with one hidden primary?

bflesch today at 10:07 AM

Well done. Would be nice to remove a bit more Five Eyes tracking from your stack, e.g. remove includes from 3rd party domains such as unpkg / tailwindcss.com and of course get rid of Cloudflare.

lmm today at 8:17 AM

> we accept RFC 1918 and CGNAT addresses in records

Doesn't that cause security issues by making it possible to put other people's private servers (that you want to do XSS-type attacks against) into your domains or something? I have a vague memory of it being a security no-no somehow.

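Public names that resolve to RFC 1918 or CGNAT space are what the DNS-rebinding filters in resolvers such as dnsmasq (`stop-dns-rebind`) and Unbound (`private-address`) drop, so the concern above and the private-APN use case meet at that check. An added example, not from the thread or from DynIP: a resolver-side filter with an allowlist for zones expected to hold internal addresses; the zone names and sample answers are constructed.

```python
import ipaddress

# Ranges a rebinding filter treats as internal. 100.64.0.0/10 is the
# CGNAT shared address space (RFC 6598); the rest are RFC 1918, loopback,
# link-local and IPv6 unique-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 answer (::ffff:10.0.0.5) must be judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def filter_answers(qname: str, answers: list, allowed_zones: set) -> list:
    """Drop internal addresses unless qname is under an allowlisted zone."""
    name = qname.rstrip(".").lower()
    # Match on label boundaries so "notfleet.example.com" is not trusted.
    trusted = any(name == z or name.endswith("." + z) for z in allowed_zones)
    return [a for a in answers if trusted or not is_internal(a)]


# Constructed sample: a zone expected to carry private-APN addresses.
ALLOWED = {"fleet.example.com"}

if __name__ == "__main__":
    print(filter_answers("router7.fleet.example.com.", ["100.64.12.9"], ALLOWED))
    print(filter_answers("ads.example.net", ["192.168.1.1", "203.0.113.5"], ALLOWED))
```
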
tapland today at 9:00 AM

Skål! Looks like a huge effort-reliever, excited to try it out.

100ms today at 10:39 AM

Even if you've otherwise put in a lot of effort, presenting it with slop on the home page really sends a bad signal. My eye caught "No proprietary clients. No vendor lock-in." as an AI pattern and I'm immediately drawn to wonder whether the service will still be around even just a few weeks from now.

sparkling today at 12:00 PM

My first impression was "oh no, not another generic, vibe-coded service clone". But this is actually really good stuff under the hood, and it's clearly coming from someone who has a deep understanding of networking.

Nice work, good luck.

imcritic today at 9:55 AM

[dead]