[HOWTO] - DynDNS with deSEC using preserve (A + AAAA without overwriting)

Started by skywalker007, February 14, 2026, 11:12:12 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 14, 2026, 11:12:12 AM Last Edit: February 14, 2026, 11:13:59 AM by skywalker007 Reason: better subject
Problem
When using OPNsense DynDNS with deSEC, updating IPv4 (A) and IPv6 (AAAA) separately can overwrite the other record.
This is confirmed behavior and documented in the deSEC API. The fix is to use the preserve parameter and the custom updater.

IPv4 DynDNS Configuration (A Record)

Create a DynDNS entry:

Service: custom
Protocol: Custom GET
Server:
Code Select
https://update.dedyn.io/?hostname=<FQDN>&myip=__MYIP__&myipv6=preserveUsername: <FQDN>
Password: <DESEC_TOKEN>
Hostname(s):<FQDN>
Check IP Method: Interface IPv4
Interface: WAN

Important Notes

__MYIP__ must be included in the URL.
OPNsense only inserts the detected IP if the placeholder exists.
myipv6=preserve ensures the AAAA record is not deleted during IPv4 updates.

IPv6 should be configured as a separate DynDNS entry using:
Code Select
https://update6.dedyn.io/?hostname=<FQDN>&myipv6=__MYIP__&myipv4=preserveCheck IP Method: Interface IPv6
Interface: <one of your internal v6 assigned interfaces>
System1: Qotom Q310G4 (died recently)
System1: Supermicro A2SDi-4C-HLN4F,  64GB RAM, ZFS mirrored boot drive
System2: APU2C4
Today at 10:40:01 AM #1
I ran into a slightly different deSEC/OPNsense case that may help others.

My goal was not dual-stack, but intentionally A-only for a WireGuard endpoint. With the native OPNsense backend and `desec-v4`, `allowipv6=0` was already set, but AAAA could still reappear over time.

I checked the local OPNsense code path and found that `desec-v4` maps to `update.dedyn.io` and uses a generic `myip` style update, not explicit `myipv4` / `myipv6`. For deSEC, that is relevant because A and AAAA handling is special.

What worked reliably for me was switching the account to `custom` and using this URL:

`https://update.dedyn.io/?hostname=__HOSTNAME__&myipv4=__MYIP__&myipv6=`

Username: the full hostname
Password: deSEC token

Result:
A is updated correctly, and AAAA stays absent.

So this is not the right solution for dual-stack. But for intentional A-only hosts, especially WireGuard endpoints where broken IPv6 endpoint selection is a problem, this seems to be the correct workaround.
Print
Go Up Pages1
User actions