Required when Two-factor authentication (TOTP) is enabled.
Loading…
Initial Setup
No users exist yet. Create the first administrator account to finish setup.
Minimum 12 characters.
Accept Invite
You were invited to this DDNS instance. Set a password to create your account.
This invite is bound to an email address.
Minimum 8 characters.
Reset Password

My Hosts

FQDN Last IP TTL Wildcard Updated Actions
No hosts yet.
DDNS client setup (quick start)
Use these values in routers and DDNS clients. Derived from public.base_url (fallback: current origin).
Update URL
Check IP URL

Recommended authentication
Create a per-host token in the UI (My Hosts → Token) and use it as the password where possible.
dyndns2-style request (example)
Many routers and clients call /nic/update. Some send myip, some don’t.
Copy/paste and replace USER, PASS, and hostname.

Use this for most router Dynamic DNS implementations (DynDNS2 / custom provider).
Update URL:
Hostname / Domain: your host FQDN (e.g. home.example.net)
Username: your email (or configured basic user)
Password: per-host token (recommended) or basic password

Use the Dynamic DNS client (Services → Dynamic DNS) and choose a DynDNS2-compatible type if available. OPNsense commonly expects the base host without https://.
Base host (no scheme):
Update path:
Check IP:

Admin

Unsaved changes
Changes are local until you press Save.
Used for email links (verify, invites) and OIDC defaults. Example: https://ddns.example.com
PowerDNS Topology
Configure whether local PowerDNS is master or slave and manage additional remote slave targets.
Used as the masters list when creating Slave zones (local slave mode and/or remote slave targets). Leave empty if not using slaves.
When set, the server will ensure ns1.<zone> has an A record. Leave empty if your nameservers are external.
When set, the server will ensure ns1.<zone> has an AAAA record for IPv6 nameserver propagation validation.
Fallback when a remote slave refuses NOTIFY. When enabled, the server will call each configured slave target's axfr-retrieve endpoint after zone changes.
This is used by docker compose port mapping (PDNS_DNS_BIND_IP). Changing it requires a container restart.
Remote slave targets
Name API URL Server ID Master IP override Actions
Removing a target will first delete all known zones from that target to avoid configuration leftovers.
Slave setup helper
Generates copy/paste commands to enable PowerDNS slave support on each remote slave server (based on your current settings). Secrets are shown as placeholders.
SMTP / Email
Optional. Required for sending verification and invite emails.
Optional. Used to format emails as "Display Name" <from@example.com>.
Registration & Recovery
Controls public self-registration and the guarded admin recovery flow.
Controls whether the Register tab is available. Endpoint: POST /v1/auth/register.
Used by /v1/public/admin-recover. Only works when there are 0 admins. Store a long random token here.
Rates
Global defaults and system-wide throttles.
Applies only to non-admin users. Admins are always unlimited.
Recommended: 1/minute per host; bursting allowed.
TOTP
Global Two-factor authentication defaults (applies to enrollment and verification).
Allowed drift in steps (±window).
How many health issue entries to retain (min 10, max 500).
Delete consumed/expired invites older than this many days.
Delete unverified non-admin users older than this many days. Set to 0 to delete immediately.
Delete consumed/expired email change tokens older than this many days. Set to 0 to delete immediately.
Comma or whitespace separated list of IPs/CIDRs allowed to AXFR the zone. Empty denies all transfers.
Health Overview
Live status plus a short history window for operational troubleshooting.
Current status
Not checked yet.
Recent issues
Only shown when a component was unhealthy (newest first).
Time Overall DB PowerDNS Actions
Domains
Multiple DDNS domains are supported. Hosts can be created under any configured domain.
New domain
Selected: 0
Domain Created Actions
No domains yet.
Keycloak setup guide (client + groups)
Hidden by default. Use when configuring a new realm/client.
This guide assumes Keycloak and standard OIDC. The values below are derived from public.base_url.
Client setup hints (copy/paste)
Root URL
Home URL
Admin URL
Web Origins
Valid Redirect URI
1) Create the client
  1. Realm: choose your realm.
  2. Clients → Create client.
  3. Client type: OpenID Connect.
  4. Client ID: set to the value in Client ID below.
  5. Root URL / Home URL / Redirect URI / Web Origins: use the values in Client setup hints above.
2) Create admin group (optional)
  1. Groups → Create group:
All Keycloak users can use dyndns by default (when Auto-create users is enabled). Only users in the admin group get admin privileges.
3) Ensure group claim is present
  1. Client scopes → groups (or create a new scope).
  2. Mappers → Add mapper → Group Membership.
  3. Token claim name: groups
  4. Full group path: off (recommended) or adjust your Group claim setting accordingly.
  5. Add the scope to your client (Default or Optional scopes).
dyndns maps admin privileges when the configured group claim contains the configured admin group (default: groups contains admin).
4) Assign users
  1. Users → select user → Groups → Join: admin (only if they should be admin in dyndns)
Default redirect URI is shown above in Client setup hints. Use override only if you need a non-standard callback URL.
If discovery works but token exchange fails, set this to match your IdP client configuration.
Only enable for self-signed / internal IdP TLS certificates. Prefer fixing CA trust.
User Management
Selected: 0
UID Email Role Status Verified Created 2FA Limits Actions
Loading...
Invites
Create invite links for controlled onboarding. Invites can be emailed (if SMTP is configured) or copied manually.
Selected: 0
Email Role Status Expires Consumed Created Actions
No invites yet.
Hosts
Selected: 0
FQDN IP TTL Wildcard Owner Created Actions
No hosts yet.
Logs
Search
Idle
TimeLevelMessage
No logs yet.