Two-factor authentication
Enter an authenticator code or a recovery code to finish signing in.
Initial Setup
No users exist yet. Create the first administrator account to finish setup.
Minimum 12 characters.
Settings
Platform & tenant management
Manage tenants, modules, and DDNS mode via the inline controls below.
Tenant Controls Actions
Users
Scoped to the active tenant from the sidebar. Switch tenants via the sidebar to manage a different tenant's users.
Email Role Status Verified TOTP Actions
Pending Invites
Email Role Expires Actions
Manage the platform-wide DDNS service. Assign domains from the default (global) tenant as DDNS service domains. Subscribers create hosts under these domains.
Public DDNS URL
Select which assigned DDNS service domain is used as the public DDNS endpoint. All DDNS update URLs and client instructions will use this domain.

Global DDNS Service Domains
Select a domain from the default tenant to use as a DDNS service domain. The domain will be marked as consumed and cannot be used for other purposes.
Domain Status Actions
Tenant DDNS Domains
Per-tenant DDNS zone assignments. Controlled by the tenant's DDNS slider (off / entry-based / own domains).
Domain Enabled Actions
DNS Zone Template
Default DNS records applied to every newly created domain zone. Use variables: {{domain}}, {{server_ipv4}}, {{server_ipv6}}, {{hostname}} (ns1 FQDN). Records are applied on zone creation. Modified records in a zone will not be overwritten unless forced.
Name Type Content TTL
Accept Invite
You were invited to this DDNS instance. Set a password to create your account.
This invite is bound to an email address.
Minimum 8 characters.
Reset Password

Home (default)

This will be filled later.

Domains

Manage domains for the active tenant. Each domain can have DNS, Web, Mail, and Database modules.
Domain DNS Web Mail DB Status Actions

Domain

Modules
Status
Module toggles
DNS Records
.example.com.
Name Type Content TTL Actions
Web Hosting Configuration

SSL / TLS Certificates
Upload Certificate
A Let's Encrypt certificate will be requested automatically. The domain must resolve to this server.
Source Status Subject Expires Auto-renew Actions
Config History
Version Type Preset Active Created
Git Deployment
Deploy History
Commit Message Status Started Finished
No deployments yet.
Database Management
Database Engine User Size Status Actions
No databases configured for this domain.
Database Users
Manage database users and their privileges for this domain.
Username Engine Privileges Status Actions
No database users configured.

My Hosts

FQDN Last IP TTL Wildcard Updated Actions
No hosts yet.
DDNS client setup (quick start)
Use these values in routers and DDNS clients. Derived from the DDNS service URL (fallback: current origin).
Update URL
Example
Check IP URL

Recommended authentication
Create a per-host token in the UI (My Hosts → Token) and use it as the password where possible.
dyndns2-style request (example)
Many routers and clients call /nic/update. Some send myip, some don’t.
Copy/paste and replace USER, PASS, and hostname.

Use this for most router Dynamic DNS implementations (DynDNS2 / custom provider).
Update URL:
Hostname / Domain: your host FQDN (e.g. home.example.net)
Username: your email (or configured basic user)
Password: per-host token (recommended) or basic password

Use the Dynamic DNS client (Services → Dynamic DNS) and choose a DynDNS2-compatible type if available. OPNsense commonly expects the base host without https://.
Base host (no scheme):
Update path:
Check IP:
Tenant Users
Tenant-scoped user management (tenant admin only).
Email Name Role Status Actions

Invite tenant user
Create a link or send an invite email (SMTP required).
Email Role Expires Status

Admin

Unsaved changes
Changes are local until you press Save.
Used for UI branding and email templates via {{service_name}}.
Used for email links (verify, invites) and OIDC defaults. Example: https://ddns.example.com

Server IP Addresses
The server's public IP addresses. Used for DNS A/AAAA records pointing domains to this server (e.g. {{server_ipv4}}, {{server_ipv6}} in DNS templates).
Public IPv4 address of this server. Used for A records in DNS templates.
Public IPv6 address of this server. Used for AAAA records in DNS templates.

PowerDNS Topology
Configure whether local PowerDNS is master or slave and manage additional remote slave targets.
Used as the masters list when creating Slave zones (local slave mode and/or remote slave targets). Leave empty if not using slaves.
When set, the server will ensure ns1.<zone> has an A record. Leave empty if your nameservers are external.
When set, the server will ensure ns1.<zone> has an AAAA record for IPv6 nameserver propagation validation.
Fallback when a remote slave refuses NOTIFY. When enabled, the server will call each configured slave target's axfr-retrieve endpoint after zone changes.
This is used by docker compose port mapping (PDNS_DNS_BIND_IP). Changing it requires a container restart.
Remote slave targets
Name API URL Server ID Master IP override Actions
Removing a target will first delete all known zones from that target to avoid configuration leftovers.
Slave setup helper
Generates copy/paste commands to enable PowerDNS slave support on each remote slave server (based on your current settings). Secrets are shown as placeholders.

SMTP / Email
Optional. Required for sending verification and invite emails.
Optional. Used to format emails as "Display Name" <from@example.com>.

Registration & Recovery
Controls public self-registration and the guarded admin recovery flow.
Controls whether the Register tab is available. Endpoint: POST /v1/auth/register.
Used by /v1/public/admin-recover. Only works when there are 0 admins. Store a long random token here.
Rates / protection
Global defaults and system-wide limits for abuse and brute-force protection.
Applies only to non-admin users. Admins are always unlimited.
Recommended: 1/minute per host; bursting allowed.
Email verification / password reset protection
Throttles to protect verification and recovery flows from abuse.
Rate limit for /v1/public/resend-verification per email per window.
Rate limit for /v1/public/resend-verification per IP per window.
Rate limit window in seconds.
Brute-force protection (login)
Limits repeated password attempts to reduce credential stuffing.
Maximum login attempts per email per window.
Maximum login attempts per IP per window.
Rate limit window in seconds.
Sessions
Session timeout controls how long a session stays active without activity.
Session cookie/Redis TTL. Rolling refresh on activity.
DNS
DNS policy and zone transfer (AXFR) controls.
Comma or whitespace separated list of IPs/CIDRs allowed to AXFR the zone. Empty denies all transfers.
TOTP
Global two-factor authentication defaults (apply to enrollment and verification).
Store a 32-byte base64 key. Without this, users cannot enroll in 2FA.
Allowed drift in steps (±window).
Diagnostics
Operational history and troubleshooting settings.
How many health issue entries to retain (min 10, max 500).
Delete consumed/expired invites older than this many days.
Delete unverified non-admin users older than this many days. Set to 0 to delete immediately.
Delete consumed/expired email change tokens older than this many days. Set to 0 to delete immediately.
Email templates
Templates are stored in the database. Supported variables: {{public_base_url}}, {{email}}, and the action URL: {{verify_url}} / {{accept_url}} / {{confirm_url}}.

Verification email

Invite email

Email change confirmation
Health Overview
Live status plus a short history window for operational troubleshooting.
Current status
Not checked yet.
Recent issues
Only shown when a component was unhealthy (newest first).
Time Overall DB PowerDNS Actions
Domains
Multiple DDNS domains are supported. Hosts can be created under any configured domain.
New domain
Domain Created Actions
No domains yet.
Keycloak setup guide (client + groups)
Hidden by default. Use when configuring a new realm/client.
This guide assumes Keycloak and standard OIDC. The values below are derived from public.base_url.
Client setup hints (copy/paste)
Root URL
Home URL
Admin URL
Web Origins
Valid Redirect URI
1) Create the client
  1. Realm: choose your realm.
  2. Clients → Create client.
  3. Client type: OpenID Connect.
  4. Client ID: set to the value in Client ID below.
  5. Root URL / Home URL / Redirect URI / Web Origins: use the values in Client setup hints above.
2) Create admin group (optional)
  1. Groups → Create group:
All Keycloak users can use dyndns by default (when Auto-create users is enabled). Only users in the admin group get admin privileges.
3) Ensure group claim is present
  1. Client scopes → groups (or create a new scope).
  2. Mappers → Add mapper → Group Membership.
  3. Token claim name: groups
  4. Full group path: off (recommended) or adjust your Group claim setting accordingly.
  5. Add the scope to your client (Default or Optional scopes).
dyndns maps admin privileges when the configured group claim contains the configured admin group (default: groups contains admin).
4) Assign users
  1. Users → select user → Groups → Join: admin (only if they should be admin in dyndns)
Default redirect URI is shown above in Client setup hints. Use override only if you need a non-standard callback URL.
If discovery works but token exchange fails, set this to match your IdP client configuration.
Only enable for self-signed / internal IdP TLS certificates. Prefer fixing CA trust.
User Management
UID Email Role Status Verified Created 2FA Limits Actions
Invites
Create invite links for controlled onboarding. Invites can be emailed (if SMTP is configured) or copied manually.
Email Role Status Expires Consumed Created Actions
No invites yet.
Hosts
FQDN IP TTL Wildcard Owner Created Actions
No hosts yet.
Logs
Time Level Message
No logs yet.