Here’s a DNS resolution and reverse proxy issue that I often run into.
I’m not sure how things work in other countries or regions, but where I am, the IPv6 addresses provided by ISPs can and do change fairly often. So we have to use DDNS to keep uploading the current IPv6 address to the DDNS provider.
If you’re like me and use second-, third-, or even fourth-level subdomains to reverse proxy different services (e.g. music.mydomain.com, jellyfin.mydomain.com, etc.), then when doing DDNS updates, never use a wildcard (*) for all domains!
If you do, after the IP refreshes, the DNS for your subdomains can stay outdated for a very long time — sometimes hours, days, or worse.
From what I asked an AI and tested myself, the principle is roughly like this:
- You upload a wildcard * record with the current IP to the DDNS provider.
- When a client accesses one of your subdomains (say music.mydomain.com), their recursive DNS (ISP DNS, public resolver, etc.) has no cached record yet, so it queries your authoritative nameserver (the DDNS provider).
- The DDNS provider returns the * wildcard’s IP (since the specific subdomain matches it).
- Crucially: the recursive resolver caches the answer under the specific queried name (music.mydomain.com), not under the wildcard *.
- The next time anyone queries that same exact subdomain, the resolver hits its own cache for music.mydomain.com directly — it never goes back to ask the authoritative server for the * record again.
- Meanwhile you’ve already updated * to a new IP, but the recursive caches are happily serving the old IP for each concrete subdomain because the specific-name cache has higher priority and a normal TTL (often several hours to days).
That’s what causes the DNS cache to become stale and seemingly “stuck” forever.
I was troubled by this for a very long time. I even registered multiple completely separate domains, thinking the chance of two domains having the problem at the same time would be lower — but in reality it didn’t help at all.
Eventually I learned the hard way: when doing DDNS updates, don’t use the wildcard * at all for your AAAA records. Instead, explicitly write out and update the subdomain for each individual service you actually use.
For example, make sure your DDNS script/client updates:
- music.mydomain.com → current IPv6
- jellyfin.mydomain.com → current IPv6
- …and so on for every real subdomain
Most DDNS clients support updating multiple records in one go anyway.
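As an added illustration (not the original poster’s script or any real provider’s client), here is a minimal per-subdomain updater: it detects the host’s global IPv6 address, refuses to publish anything that is not globally routable, pushes one explicit AAAA record per subdomain (never a wildcard), and checks through the local recursive resolver which names are still answering with a stale address. The provider endpoint, token, and record-update API shape are hypothetical placeholders; the subdomain list is constructed.

```python
import ipaddress
import json
import socket
import urllib.request

SUBDOMAINS = ["music.mydomain.com", "jellyfin.mydomain.com"]  # constructed list; use your real names
API_BASE = "https://ddns.example/records/"  # hypothetical provider endpoint (replace)
API_TOKEN = "REPLACE_ME"                     # placeholder credential

def is_global_ipv6(addr):
    """True only for a globally routable IPv6 address (rejects ::1, fe80::/10, fc00::/7, junk)."""
    try:
        return ipaddress.IPv6Address(addr).is_global
    except ValueError:
        return False

def detect_ipv6():
    """Ask the kernel which source address it would use toward the public Internet.
    A UDP connect() sends no packet; 2001:4860:4860::8888 is Google Public DNS.
    Note: with privacy extensions enabled this may be a temporary address that rotates."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.connect(("2001:4860:4860::8888", 53))
        addr = s.getsockname()[0]
    return addr if is_global_ipv6(addr) else None

def plan_updates(subdomains, current_ip, last_pushed):
    """Return the (name, ip) pairs to push: every subdomain whose last pushed
    address differs from the current one. No wildcard entry is ever produced."""
    if not is_global_ipv6(current_ip):
        raise ValueError("refusing to publish a non-global address: %r" % (current_ip,))
    return [(n, current_ip) for n in subdomains if last_pushed.get(n) != current_ip]

def stale_names(subdomains, current_ip):
    """Names whose AAAA answer, as seen through this host's recursive resolver,
    does not yet contain current_ip; this is the 'stuck cache' symptom made visible."""
    stale = []
    for n in subdomains:
        try:
            seen = {ai[4][0] for ai in socket.getaddrinfo(n, None, socket.AF_INET6)}
        except socket.gaierror:
            seen = set()
        if current_ip not in seen:
            stale.append(n)
    return stale

def push_record(name, ip):
    """PUT one explicit AAAA record with a short TTL (hypothetical API shape)."""
    body = json.dumps({"type": "AAAA", "content": ip, "ttl": 60}).encode()
    req = urllib.request.Request(API_BASE + name, data=body, method="PUT",
        headers={"Authorization": "Bearer " + API_TOKEN, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    ip = detect_ipv6()
    for name, addr in plan_updates(SUBDOMAINS, ip, last_pushed={}):
        print(name, "->", addr, push_record(name, addr))
    print("still stale in local resolver:", stale_names(SUBDOMAINS, ip))
```

In a real deployment, persist `last_pushed` between runs (a small JSON file is enough) so the script only calls the provider when the address actually changes.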
Up to now, since I switched to updating each actual subdomain individually (no wildcard for dynamic IPv6), I haven’t run into this “IP changed but everything is still resolving to the old address” problem anymore.
If you’re running dynamic IPv6 with lots of subdomains and reverse proxies, and you’ve been dealing with mysteriously stale resolutions that refuse to refresh even after DDNS updates — try dropping the wildcard entirely for your dynamic records. And go to your DDNS provider’s control panel (or API) and delete the wildcard * record entirely (both A and AAAA if you have them)! It’s the simplest and most reliable workaround I’ve found so far.