diff --git a/lib/ddns/index.js b/lib/ddns/index.js
index e69d4ed..5dbcd2b 100644
--- a/lib/ddns/index.js
+++ b/lib/ddns/index.js
@@ -12,7 +12,7 @@ module.exports.create = function (deps, conf) {
       if (conf.ddns.loopback.type === 'tunnel@oauth3.org' && conf.ddns.loopback.domain) {
         loopbackDomain = conf.ddns.loopback.domain;
       } else {
-        console.warn('invalid loopback configuration: bad type or missing domain');
+        console.error('invalid loopback configuration: bad type or missing domain');
       }
     }
   }
@@ -101,37 +101,14 @@ module.exports.create = function (deps, conf) {
     }
   }
 
-  async function getSession() {
-    var sessions = await deps.storage.owners.all();
-    var session = sessions.filter(function (sess) {
-      return sess.token.scp.indexOf('dns') >= 0;
-    })[0];
-
-    if (!session) {
-      throw new Error('no sessions with DNS grants');
-    }
-
-    // The OAUTH3 library stores some things on the root session object that we usually
-    // just leave inside the token, but we need to pull those out before we use it here
-    session.provider_uri = session.provider_uri || session.token.provider_uri || session.token.iss;
-    session.client_uri = session.client_uri || session.token.azp;
-    session.scope = session.scope || session.token.scp;
-    return session;
-  }
-
   var publicAddress;
   async function recheckPubAddr() {
-    if (!conf.ddns.enabled) {
-      return;
-    }
-
     await checkNetworkEnv();
     if (tunnelActive) {
       return;
     }
-    var session = await getSession();
-    var addr = await loopback.checkPublicAddr(loopbackDomain);
 
+    var addr = await loopback.checkPublicAddr(loopbackDomain);
     if (publicAddress === addr) {
       return;
     }
@@ -139,9 +116,48 @@ module.exports.create = function (deps, conf) {
     if (conf.debug) {
       console.log('previous public address',publicAddress, 'does not match current public address', addr);
     }
-
-    await dnsCtrl.setDeviceAddress(session, addr, conf.ddns.domains);
     publicAddress = addr;
+
+    var sessionCache = {};
+    async function getSession(id) {
+      if (!sessionCache.hasOwnProperty(id)) {
+        sessionCache[id] = await deps.storage.tokens.get(conf.ddns.tunnel.tokenId);
+      }
+      if (!sessionCache[id]) {
+        throw new Error('no user token with ID "'+id+'"');
+      }
+      return sessionCache[id];
+    }
+
+    conf.domains.forEach(function(dom) {
+      if (dom.modules && Array.isArray(dom.modules.ddns)) {
+        dom.modules.ddns.some(function (mod) {
+          if (mod.type !== 'dns@oauth3.org' || mod.disabled) {
+            return false;
+          }
+
+          return getSession(mod.token_id).then(function (session) {
+            return dnsCtrl.setDeviceAddress(session, addr, dom.names);
+          }).catch(function (err) {
+            console.log('error setting DNS records for', dom.names.join(', '));
+            console.log(err);
+          });
+        });
+      }
+    });
+
+    conf.ddns.modules.forEach(function (mod) {
+      if (mod.type !== 'dns@oauth3.org' || mod.disabled) {
+        return;
+      }
+
+      getSession(mod.token_id).then(function (session) {
+        return dnsCtrl.setDeviceAddress(session, addr, mod.domains);
+      }).catch(function (err) {
+        console.log('error setting DNS records for', mod.domains.join(', '));
+        console.log(err);
+      });
+    });
   }
 
   recheckPubAddr();