DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD

Recorded: May 26, 2026, 1:15 p.m.

Original

Summarized

DynIP — Dynamic DNS for homelabs and infrastructure

Dynamic DNS that actually works.

60-second updates. Generous free tier. RFC 2136 TSIG. Bring your own domain. DNSSEC. For homelabs, edge routers, and infrastructure teams.

See how it works

Updates in seconds, not minutes

Most DDNS providers cache for 30 minutes. DynIP propagates in under a minute end-to-end. Your router sends an update, your hostname resolves correctly worldwide within ~60 seconds.

60s TTL · NOTIFY-driven · Multi-region nameservers

Built on real DNS standards

RFC 2136 TSIG means your FortiGate, MikroTik, OPNsense, OpenWRT, or any router that speaks DNS UPDATE works out of the box. No proprietary clients. No vendor lock-in.

RFC 2136 TSIG · REST API · UDP/53 native

IPv6 done right

Modern ISPs increasingly give you native IPv6 alongside CGNATed IPv4. DynIP supports both: update A and AAAA records side-by-side, run IPv6-only zones, or both. Built for the network you have today and the network you'll have tomorrow.

AAAA records · Dual-stack · IPv6-only support · DNSSEC by default

dynip.dev
Set New Password
Password Recovery
Two-Factor Authentication
Access Control

Your account has been deleted. Thank you for using dynip.dev.

Enter New Password

At least 12 characters.

Back to Sign In

Email Address

Back to Sign In

{{ auth.twoFactorType === 'totp' ? '📱 Open Google Authenticator' : '✉️ Check your email' }}

{{ auth.twoFactorType === 'totp' ? 'Enter the 6-digit code from your app.' : 'We sent a 6-digit code to your inbox.' }}

Account temporarily locked
Too many incorrect attempts. Please try again in {{ lockoutDisplay }}.

Cancel

Email Address

Password
Forgot?

At least 12 characters.

Too many incorrect attempts. Please try again in {{ lockoutDisplay }}.

{{ loading ? 'Processing...' : (auth.isRegister ? 'Complete Sign Up' : 'Sign In') }}

Missed the email? Click here to resend.

{{ auth.isRegister ? 'Return to Sign In' : 'Create New Account' }}

Configuration Snippets
×

RFC 2136 / TSIG updates available in {{ tsigSecondsRemaining }} seconds

We're propagating this zone to our nameservers. FortiGate and MikroTik (RFC 2136 / TSIG) need to wait — they're disabled below until propagation completes. HTTP API updates (cURL, PowerShell, Python, MikroTik HTTP, etc.) work right now.

Device Type

Docker Compose (Container)
Generic cURL (HTTP API)
Windows PowerShell (HTTP API)
Python Script (HTTP API)

Arduino / ESP32 (C++)
Minimal C Script (libcurl)

FortiGate CLI (Native DNS){{ tsigPropagating ? ' (propagating)' : '' }}
Palo Alto PAN-OS (GUI)
Cisco IOS Router (CLI)
Cisco ASA Firewall (CLI)
MikroTik RouterOS (HTTP API)
MikroTik RouterOS (RFC 2136 / TSIG){{ tsigPropagating ? ' (propagating)' : '' }}

pfSense / OPNsense (GUI)
Ubiquiti UniFi (GUI)
OpenWrt CLI (ddns-scripts)
Teltonika CLI (Native DNS)
DD-WRT / Netgear / Linksys (GUI)
Synology DSM NAS (GUI)
Fritz!Box (GUI)

Target IP Address

Domain
{{ snippetData.domain }}

TSIG Key

{{ snippetData.key }}
Copy

Configuration Snippet

{{ generatedSnippet }}
Copy

{{ subscription.tier }} Plan

×

⚠ {{ subscription.locked_zones_count }} zone(s) locked
Your plan was downgraded. The oldest {{ subscription.max_domains }} zone(s) stay active; the rest are locked and can't receive IP updates. Subscribe again or delete excess zones to unlock.

Status
Free tier
Active
Cancelled
Past Due
{{ subscription.status || '—' }}

{{ subscription.status === 'cancelled' ? 'Access ends' : 'Renews on' }}

Billing cycle
{{ subscription.cycle }}

Payment failed. Please update your payment method to keep access.

Zones
{{ subscription.zones_in_use }} of {{ subscription.max_domains }}

Upgrade →

Enable DNSSEC for this zone?
×

Issuing a Let's Encrypt certificate for
{{ dnssecPrompt.zone }}
requires DNSSEC to be active on this zone.

We'll automatically:

Generate signing keys
Publish them in the parent zone ({{ dnssecPrompt.parentZone }})
Sign all DNS records

This is a one-time setup. Your zone stays signed afterward, which is recommended anyway.

Estimated time: 30 seconds.

Enabling DNSSEC{{ dnssecPrompt.parentZone ? ' and publishing DS in ' + dnssecPrompt.parentZone : '' }}...

Cancel

{{ dnssecPrompt.busy ? 'Enabling…' : 'Enable DNSSEC and continue' }}

dynip.dev
Authoritative Control Plane

{{ activeUser.two_factor_enabled ? 'Email 2FA: ON' : 'Email 2FA: OFF' }}

⚠ {{ subscription.tier }}
{{ subscription.tier }}

Refresh
Admin
Logout

Security
Change Password

Quick Start Guide
{{ showHelp ? 'Hide' : 'Show' }}

1. Create a Zone: Type your device name, select your preferred base domain, and click Create Zone.
2. Get the Config: Click the Snippets button next to your new domain.
3. Deploy: Select your device type and copy the generated configuration block directly into your router's CLI.
Note: IPv4 and IPv6 (Dual-Stack) are detected and updated automatically based on the incoming connection.

{{ dom }}{{ deprecatedBaseDomains.includes(dom) ? ' ⚠ (deprecated)' : '' }}

Create Zone

Domain & Tools
Current IP
TSIG Secret
DNSSEC
SSL Cert

{{ zone.name }}
⚠

Locked

Snippets
Delete
Notify

Sync: {{ formatSyncTime(zone.last_sync) }}

Download

No domains registered. Create one above to get started.

Custom Namespaces (BYOD)
{{ showByod ? 'Hide' : 'Show' }}

Bring your own domain to DynIP. Once added, you can provision dynamic subdomains under your own namespace.

{{ dom.domain }}
Remove

{{ dom.verifyStatus === 'success' ? 'Delegation Active:' : 'Required Registrar Action:' }}

{{ dom.verifyStatus === 'success' ? 'Your namespace is successfully secured and routing traffic to DynIP.' : 'To activate this namespace, create BOTH NS (Name Server) records at your domain registrar. Single-NS delegation will be rejected:' }}

{{ dom.domain }}. IN NS ns1.dynip.dev.
{{ dom.domain }}. IN NS ns2.dynip.dev.

{{ dom.isVerifying ? 'Checking...' : (dom.verifyStatus === 'success' ? 'Re-Verify Setup' : 'Verify Setup') }}

✅ {{ dom.verifyMessage }}
❌ {{ dom.verifyMessage }}

Quick Sync
{{ showSync ? 'Hide' : 'Show' }}

Instantly update your selected zones to match this device's current external IP address.

📡

Detected Network IP
{{ mobileIp || 'Detecting...' }}

🔄

No zones available. Create one above.

API Automation
{{ showApi ? 'Hide' : 'Show' }}

Quick test (uses your session — expires when you log out)
Programmatically register new zones with your current session token. Send a POST request to the /register endpoint.

curl -X POST "{{ backendUrl }}/register?subdomain=my-new-router&base_domain={{ baseDomains[0] }}" \
-H "Authorization: Bearer {{ token }}"
Copy

Session tokens expire on logout — use an API token below for long-running automation.

API tokens (Pro+)
+ New Token

API tokens are a Pro feature
Long-lived tokens for automation: monitoring scripts, CI pipelines, MSP integrations. Tokens don't expire when you log out.
Upgrade to Pro →

Long-lived tokens for automation. Each token can be scoped read-only or full access, and revoked at any time.
Loading tokens…

No API tokens yet. Create one to get started.

Name
Token
Scope
Last used
Expires
Action

{{ t.last_used_at ? formatPlanDate(t.last_used_at) : 'Never' }}
{{ t.expires_at ? formatPlanDate(t.expires_at) : 'Never' }}

Revoke

New API Token
Tokens are shown once at creation — store them in a password manager or secrets vault.

Name

Scope

Read-only

Full access

Expires

Never
30 days
90 days
1 year

Cancel

⚠ Save this token now
This token won't be shown again. Store it somewhere secure (1Password, Bitwarden, your CI's secrets manager).

{{ apiTokenModal.created.token }}
Copy

I've Saved It

Account security

TOTP Enabled
This overrides email 2FA.

Remove App

Upgrade your account security by requiring a time-based code from Google Authenticator or another TOTP app when you sign in.

Setup Authenticator App

1. Scan the QR Code
Open Google Authenticator, Authy, or your preferred 2FA app and scan this code.

2. Verify & Save

Verify

Cancel Setup

Danger zone
{{ showDangerZone ? 'Hide' : 'Show' }}

Delete account

Permanently delete your account, all DNS zones you have created, and any TLS certificates issued to them. This cannot be undone or reversed by support.

Delete account

Permanently delete your account?

This action cannot be undone. Deletion will:

Remove all your DNS zones immediately
Cancel any active TLS certificates
Cannot be reversed by support
Your data will be deleted; billing records retained per Swedish law (7 years)

If you have an active paid subscription, please cancel it first via your account billing area.

Enter your password to confirm

Cancel

Documentation
Guides
Contact
Pricing

DynIP provides a solution for Dynamic DNS specifically designed for homelabs, edge routers, and infrastructure teams, focusing on reliable, rapid, and standards-compliant domain name resolution. The service emphasizes superior performance by offering updates in under one minute, contrasting with traditional DNS providers that often cache updates for up to thirty minutes, achieving propagation through a NOTIFY-driven mechanism with multi-region nameservers.

The platform is built upon established DNS standards, notably adhering to RFC 2136 TSIG, which allows routers from various vendors, such as FortiGate, MikroTik, OPNsense, and OpenWRT, to facilitate DNS UPDATE operations natively without proprietary clients or vendor lock-in. This framework integrates standard protocols like the REST API and utilizes native UDP/53 communication. Furthermore, DynIP addresses the complexities of modern networking by fully supporting IPv6, allowing users to manage A and AAAA records simultaneously, configure IPv6-only zones, and implement DNSSEC by default.

The system is engineered to accommodate diverse network topologies, supporting both traditional IPv4 and modern Dual-stack environments, as well as IPv6-only setups. This flexibility ensures compatibility with current network setups and future advancements, accommodating conditions like Carrier-Grade NATed IPv4.

For configuration and deployment, DynIP offers extensive configuration snippets tailored for various device types, including Docker Compose containers, generic cURL/HTTP API calls, Python scripts, Arduino/ESP32 platforms, and command-line interfaces for major routers like FortiGate, Cisco IOS, MikroTik RouterOS, pfSense, and OpenWrt. This means that users can automatically deploy dynamic DNS functionality directly onto their existing routing infrastructure.

The platform also supports advanced features for domain management, including the option to use Bring Your Own Domain (BYOD) namespaces, enabling users to provision dynamic subdomains under their own registered domains. To ensure security and long-term stability, the service incorporates features like Two-Factor Authentication using Time-based One-Time Passwords (TOTP) and the ability to manage API tokens for full automation of monitoring or integration tasks.

Security and accountability are maintained through tiered subscriptions, which govern the number of zones a user can actively manage, with policies dictating how excess zones are handled upon downgrades or subscription status changes. Additionally, the system provides granular control, allowing users to activate DNSSEC for zones, which involves an automated, one-time process of generating signing keys and publishing them in the parent zone to ensure authenticated DNS records. Data privacy is reinforced by providing an option for permanent account deletion, which removes all associated DNS zones and certificates.