diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 7cbfbb7..83c17dd 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -37,7 +37,7 @@
 global_credentials_directory: "credentials"
 global_public_key_directory: "public_keys"
 global_dns_list_directory: "{{ global_public_key_directory }}/dns"
-global_dns_changes_directory: "{{ global_public_key_directory }}/dns_changes" # TODO merge with global_dns_list_directory
+global_dns_changes_directory: "{{ global_configuration_environment_directory }}/dns_changes"
 global_dns_session_key_name: "local-ddns"
 global_dns_session_key_path: "/var/run/named/session.key"
 global_dns_session_key_algorithm: "hmac-sha512"
diff --git a/playbooks/local.yml b/playbooks/local.yml
index 2c68bb2..eb7a1e2 100644
--- a/playbooks/local.yml
+++ b/playbooks/local.yml
@@ -16,7 +16,6 @@
     - "{{ global_credentials_directory }}"
     - "{{ global_public_key_directory }}"
     - "{{ global_dns_list_directory }}"
-    - "{{ global_dns_changes_directory }}"
     - "{{ global_ssh_key_directory }}"
     - "{{ global_ssh_host_key_directory }}"
     - "{{ global_wireguard_private_directory }}"
diff --git a/roles/dns/application/tasks/main.yml b/roles/dns/application/tasks/main.yml
index 93c8a3a..4eac1b7 100644
--- a/roles/dns/application/tasks/main.yml
+++ b/roles/dns/application/tasks/main.yml
@@ -38,6 +38,24 @@
     mode: "u=rw,g=r,o=r"
   notify: reload bind9
+- name: Create directory for dynamic DNS changes
+  file:
+    path: "{{ global_dns_changes_directory }}"
+    state: directory
+    owner: root
+    group: root
+    mode: u=rwx,g=r,o=
+  tags: dns_debug
+- name: Store makefile for dynamic DNS changes
+  template:
+    src: nsupdate.makefile
+    dest: "{{ global_dns_changes_directory }}/makefile"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=
+  tags: dns_debug
 - name: Enable bind9 service
   systemd:
     name: "{{ global_bind_service_name }}"
diff --git a/roles/dns/entries/defaults/main.yml b/roles/dns/entries/defaults/main.yml
index 333c218..97b2e4e 100644
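Review bot: The new `global_dns_changes_directory` value is no longer a path the local playbook materialises (its entry in `playbooks/local.yml` is removed in this same change) but one the dns application role creates on the DNS host, and nothing on the line records that shift; the deleted TODO was the only hint about how this directory relates to its `global_dns_list_directory` neighbour. `global_configuration_environment_directory` is not defined in any hunk shown here, so it is presumably set elsewhere — worth confirming it resolves on the host the `dns/entries` role delegates to (`{{ dns_system_domain }}`), not only on the controller. I would add an inline comment: `global_dns_changes_directory: "{{ global_configuration_environment_directory }}/dns_changes"  # on the DNS host; nsupdate batches + makefile, created by roles/dns/application`.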
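Review bot: The directory created by `Create directory for dynamic DNS changes` gets `mode: u=rwx,g=r,o=`, which gives group root read without search — the group can list names but cannot open, stat or create anything inside, so that bit is either meaningless or a typo for `g=rx`; pick `u=rwx,g=,o=` (root only) or `u=rwx,g=rx,o=` and say which in a comment. Both new tasks are also tagged `dns_debug`, yet the `dns/entries` role writes its update file into this directory and runs make there, so a run with `--skip-tags dns_debug` leaves the directory and makefile missing and the entries role fails; unless skipping is intentional, drop the tag or give these tasks the tag the dependent role relies on. The `nsupdate.makefile` template is not part of the diff, so I cannot check what the makefile feeds to nsupdate or as which user.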
--- a/roles/dns/entries/defaults/main.yml
+++ b/roles/dns/entries/defaults/main.yml
@@ -4,8 +4,8 @@
 dns_zone_domain: "{{ lookup('pipe', global_public_key_directory|quote + '/dns_zone.py ' + domain|quote) }}" # domain of dns zone
 dns_system_domain: "{{ lookup('file', global_dns_list_directory + '/' + dns_zone_domain) }}" # domain of dns authority server
-entries_name: "server:{{ domain }}" # Name for zone part file
-local_file: "{{ global_dns_changes_directory }}/{{ entries_name }}"
+entries_name: "server~{{ domain }}" # Name for zone part file
+entries_file: "{{ global_dns_changes_directory }}/{{ entries_name }}~update"
 ttl_default: "{{ global_dns_ttl }}" # TTL for all entries where none was given
diff --git a/roles/dns/entries/tasks/main.yml b/roles/dns/entries/tasks/main.yml
index feb5cc6..0ded437 100644
--- a/roles/dns/entries/tasks/main.yml
+++ b/roles/dns/entries/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
-- name: Store changes in dns entries locally
+- name: Store changes in dns entries on the remote
   copy:
     content: |
       #jinja2:trim_blocks: False
@@ -15,20 +15,19 @@
       {% if not entry|regex_search('^(update )?(add|del(ete)?) ') %}update add {% endif %}{{ entry }}
       {% endif %}{% endfor %}
       send
-    dest: "{{ local_file }}"
+    dest: "{{ entries_file }}"
     owner: "{{ global_local_user }}"
     group: "{{ global_local_user }}"
     mode: u=rw,g=r,o=r
-  delegate_to: localhost
+  delegate_to: "{{ dns_system_domain }}"
   register: entries_changes_file
   tags:
     - dns_entries
 - name: Update dns entries at dns host
-  command:
-    cmd: nsupdate -l # local mode
-    stdin: "{{ lookup('file', local_file) }}\n"
+  make:
+    chdir: "{{ global_dns_changes_directory }}"
+    target: "{{ entries_file | basename }}~DONE"
   delegate_to: "{{ dns_system_domain }}"
-  when: entries_changes_file.changed and not ansible_check_mode
   tags:
     - dns_entries
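Review bot: `entries_name` and `entries_file` in this hunk build a filesystem path, and through the `dns/entries` role a make target, out of `domain` with no validation; switching the separator from `:` to `~` sidesteps make's target-separator clash, but a `domain` containing `/`, `..`, whitespace, `$`, `%` or a leading `-` would still escape `global_dns_changes_directory` or be mis-parsed by make. Where `domain` comes from is not visible here, so if it is anything other than a hand-maintained inventory value, guard it before the file is written, e.g. an `assert` task with `that: domain is match('^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$')`. The suffix convention also deserves a comment on `entries_file`, since `~update` only makes sense next to the `~DONE` target defined in the tasks file: `# <name>~update is the nsupdate batch; the makefile's <name>~DONE rule consumes it`.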
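Review bot: The update file written by the first task of the second hunk is now created on the DNS host with `owner: "{{ global_local_user }}"`, `group: "{{ global_local_user }}"` and `mode: u=rw,g=r,o=r`, settings carried over from when `delegate_to: localhost` put it on the operator's machine; on the server it is presumably the input the root-owned makefile feeds to `nsupdate -l`, so a non-root `global_local_user` who can modify it can push arbitrary zone updates, and `o=r` exposes pending changes to every local account. The `o=` directory created by the application role limits that user's reach today, but only as long as they are not in group root and the directory mode never changes, so the ownership grants a write capability nothing needs — make the file match the makefile: `owner: root`, `group: root`, `mode: u=rw,g=r,o=`. With the `when:` guard dropped, `register: entries_changes_file` is unused and can go; the make task remains idempotent only if the makefile's `~DONE` rule is timestamp-based, which the diff does not show.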