40 commits
45a1f21
add: add PowerDNS authoritative and recursor services with Docker sup…
iyashnov Dec 24, 2025
c31aa76
refactor: update DNS service adapter and router for improved zone man…
iyashnov Dec 24, 2025
4472cec
refactor: add PDNS_API_KEY to local environment configuration
iyashnov Dec 24, 2025
aa09101
refactor: restructure DNS module with PowerDNS integration and enhanc…
iyashnov Dec 24, 2025
db5e368
refactor: update DNS settings and add PowerDNS client support
iyashnov Dec 24, 2025
7b24a73
refactor: enhance DNS management with PowerDNS integration and DTO up…
iyashnov Dec 24, 2025
6d6dd7b
refactor: remove SelfHostedDNSManager class and associated methods
iyashnov Dec 24, 2025
d038b3d
refactor: remove unused DNS entrypoint script and zone templates
iyashnov Dec 24, 2025
4feaf48
refactor: remove obsolete bind9 Dockerfile
iyashnov Dec 24, 2025
6a4ff47
refactor: remove SelfHostedDNSManager import and clean up exception h…
iyashnov Dec 24, 2025
1daafbd
refactor: update DNS adapter and use cases for improved zone manageme…
iyashnov Dec 24, 2025
cdd6cb9
test: update DNS DTOs and improve test cases for DNS record and zone …
iyashnov Dec 24, 2025
59d109a
refactor: implement get_zones method in StubDNSManager to return an e…
iyashnov Dec 24, 2025
fbcebe3
refactor: add DEFAULT_NAMESERVER and PDNS_API_KEY to md-test service …
iyashnov Dec 24, 2025
a6ceb1c
refactor: remove SelfHostedDNSManager from exports in DNS module
iyashnov Dec 24, 2025
0e722a2
refactor: update DNS error handling to use DNSError for consistency
iyashnov Dec 24, 2025
39d12cd
refactor: fix codestyle and naming
iyashnov Dec 24, 2025
7e5146d
refactor: simplify client selection logic by introducing _get_client_…
iyashnov Dec 24, 2025
275b920
refactor: simplify client selection logic in _get_client_by_zone_kind…
iyashnov Dec 24, 2025
4631882
refactor: improve code readability by simplifying select statement an…
iyashnov Dec 24, 2025
7657feb
refactor: enhance DNS error handling by adding DNSRecordGetError and …
iyashnov Dec 24, 2025
66ee513
refactor: add missing line breaks for improved readability in DNS exc…
iyashnov Dec 24, 2025
ac8ceb9
refactor: rename bind9 to pdns_auth and update related configurations…
iyashnov Dec 24, 2025
943f442
fix: codestyle
iyashnov Dec 24, 2025
5b717b9
add: added docker network to set static IP on DNS containers
iyashnov Jan 16, 2026
8c6087d
add: added dnsdist-console lib
iyashnov Jan 16, 2026
50c7f94
add: added libsodium-dev package to multidirectory docker image
iyashnov Jan 16, 2026
45bc73c
add: added pdnsdist config
iyashnov Jan 16, 2026
bc1948f
add: added envs for pdnsdist
iyashnov Jan 16, 2026
36c99b5
add: added unconditional forward DNS to recursor config
iyashnov Jan 16, 2026
2dcda51
refactor: removed PDNS recursor from traefik
iyashnov Jan 16, 2026
0def50b
add: added dnsdist client to manage dnsdist
iyashnov Jan 16, 2026
baed459
add: added dnsdist to prod docker-compose.yml
iyashnov Jan 16, 2026
434d144
refactor: added api key generation for PDNS
iyashnov Jan 16, 2026
8bd9a0e
add: added windows script to generate DNS API keys
iyashnov Jan 19, 2026
839fb40
fix: codestyle
iyashnov Jan 20, 2026
0aaf3cb
add: added libsodium package to test image
iyashnov Jan 20, 2026
a2573aa
fix: changed workflow to build pdns auth image instead of bind for dev
iyashnov Jan 20, 2026
afd8575
fix: fixed tests
iyashnov Jan 20, 2026
d2d4c3a
add: added env to remote docker-compose for tests
iyashnov Jan 20, 2026
1,395 changes: 0 additions & 1,395 deletions .dns/dns_api.py

This file was deleted.

19 changes: 0 additions & 19 deletions .dns/entrypoint.sh

This file was deleted.

11 changes: 0 additions & 11 deletions .dns/templates/zone.template

This file was deleted.

10 changes: 0 additions & 10 deletions .dns/templates/zone_options.template

This file was deleted.

2 changes: 1 addition & 1 deletion .docker/Dockerfile
Expand Up @@ -35,7 +35,7 @@ ENV VIRTUAL_ENV=/venvs/.venv \
VERSION=${VERSION:-beta}


RUN set -eux; apk add --no-cache krb5-libs curl openssl netcat-openbsd
RUN set -eux; apk add --no-cache krb5-libs curl openssl netcat-openbsd libsodium-dev
COPY app /app
COPY pyproject.toml /

Expand Down
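Review bot: `libsodium-dev` in the runtime stage brings in headers and development files that only a compiler needs; unless something in this stage is compiled against it, the runtime library package `libsodium` is sufficient for the dnsdist console client added in this PR. The same substitution applies to the identical lines in `.docker/dev.Dockerfile` and `.docker/test.Dockerfile`.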
45 changes: 0 additions & 45 deletions .docker/bind9.Dockerfile

This file was deleted.

2 changes: 1 addition & 1 deletion .docker/dev.Dockerfile
Expand Up @@ -33,7 +33,7 @@ ENV VIRTUAL_ENV=/venvs/.venv \
PATH="/venvs/.venv/bin:$PATH" \
VERSION=${VERSION:-beta}

RUN set -eux; apk add --no-cache krb5-libs curl openssl netcat-openbsd
RUN set -eux; apk add --no-cache krb5-libs curl openssl netcat-openbsd libsodium-dev

COPY app /app
COPY pyproject.toml /
Expand Down
66 changes: 66 additions & 0 deletions .docker/pdns_auth.Dockerfile
@@ -0,0 +1,66 @@
FROM alpine:3.20 AS builder

RUN apk add --no-cache --virtual .build-deps \
build-base \
lmdb-dev \
openssl-dev \
boost-dev \
autoconf automake libtool \
git ragel bison flex \
lua5.4-dev \
curl-dev

RUN apk add --no-cache \
lua \
lua-dev \
lmdb \
boost-libs \
openssl-libs-static \
curl \
libstdc++

RUN git clone https://github.com/PowerDNS/pdns.git /pdns
WORKDIR /pdns

RUN git submodule init &&\
git submodule update &&\
git checkout auth-5.0.1

RUN autoreconf -vi

RUN mkdir /build && \
./configure \
--sysconfdir=/etc/powerdns \
--enable-option-checking=fatal \
--with-dynmodules='lmdb' \
--with-modules='' \
--with-unixodbc-lib=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE) && \
make clean && \
make $MAKEFLAGS -C ext &&\
make $MAKEFLAGS -C modules &&\
make $MAKEFLAGS -C pdns && \
make -C pdns install DESTDIR=/build &&\
make -C modules install DESTDIR=/build &&\
make clean && \
strip /build/usr/local/bin/* /build/usr/local/sbin/* /build/usr/local/lib/pdns/*.so

FROM alpine:3.20 AS runtime

COPY --from=builder /build /

RUN apk add --no-cache \
lua \
lua-dev \
lmdb \
boost-libs \
openssl-libs-static \
curl \
libstdc++

RUN mkdir -p /etc/powerdns/pdns.d /var/run/pdns /var/lib/powerdns /etc/powerdns/templates.d /var/lib/pdns-lmdb

COPY ./.package/pdns.conf /etc/powerdns/pdns.conf

EXPOSE 8082/tcp

CMD ["/usr/local/sbin/pdns_server"]
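Review bot: the runtime stage has no `USER`, and `.package/pdns.conf` in this PR sets no `setuid=`/`setgid=`, so `pdns_server` keeps running as root inside the container; add a dedicated user and point `setuid=`/`setgid=` at it (PowerDNS binds port 53 first and then drops privileges). Two smaller things: `$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)` is a Debian tool that does not exist on Alpine, so `--with-unixodbc-lib` collapses to `/usr/lib/` and is dead anyway with `--with-modules=''`, so drop that line; and the runtime `apk add` pulls in `lua-dev` and `openssl-libs-static`, which are build-only packages.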
2 changes: 1 addition & 1 deletion .docker/test.Dockerfile
Expand Up @@ -27,7 +27,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
FROM python:3.13.7-alpine3.21 AS runtime

WORKDIR /app
RUN set -eux; apk add --no-cache openldap-clients openssl curl krb5-libs
RUN set -eux; apk add --no-cache openldap-clients openssl curl krb5-libs libsodium-dev

ENV VIRTUAL_ENV=/venvs/.venv \
PATH="/venvs/.venv/bin:$PATH" \
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/build-beta.yml
Expand Up @@ -156,7 +156,7 @@ jobs:
--build-arg BUILDKIT_INLINE_CACHE=1 \
--build-arg VERSION=beta

build-bind9:
build-pdns_auth:
runs-on: ubuntu-latest
needs: [build-tests, run-ssh-test, run-tests]
steps:
Expand All @@ -173,14 +173,14 @@ jobs:

- name: Build docker image
env:
TAG: ghcr.io/${{ env.REPO }}_bind9:beta
TAG: ghcr.io/${{ env.REPO }}_pdns_auth:beta
DOCKER_BUILDKIT: '1'
run: |
echo $TAG
docker build \
--push \
--target=runtime \
-f .docker/bind9.Dockerfile . \
-f .docker/pdns_auth.Dockerfile . \
-t $TAG \
--cache-to type=gha,mode=max \
--cache-from $TAG \
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/build-dev.yml
Expand Up @@ -155,7 +155,7 @@ jobs:
--build-arg BUILDKIT_INLINE_CACHE=1 \
--build-arg VERSION=dev

build-bind9:
build-pdns_auth:
runs-on: ubuntu-latest
needs: [build-tests, run-ssh-test, run-tests]
steps:
Expand All @@ -172,14 +172,14 @@ jobs:

- name: Build docker image
env:
TAG: ghcr.io/${{ env.REPO }}_bind9:dev
TAG: ghcr.io/${{ env.REPO }}_pdns_auth:dev
DOCKER_BUILDKIT: '1'
run: |
echo $TAG
docker build \
--push \
--target=runtime \
-f .docker/bind9.Dockerfile . \
-f .docker/pdns_auth.Dockerfile . \
-t $TAG \
--cache-to type=gha,mode=max \
--cache-from $TAG \
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/build-docker-image.yml
Expand Up @@ -176,7 +176,7 @@ jobs:
--build-arg BUILDKIT_INLINE_CACHE=1 \
--build-arg VERSION=latest

build-bind9:
build-pdns_auth:
runs-on: ubuntu-latest
needs: [build-tests, run-ssh-test, run-tests]
steps:
Expand All @@ -193,14 +193,14 @@ jobs:

- name: Build docker image
env:
TAG: ghcr.io/${{ env.REPO }}_bind9:latest
TAG: ghcr.io/${{ env.REPO }}_pdns_auth:latest
DOCKER_BUILDKIT: '1'
run: |
echo $TAG
docker build \
--push \
--target=runtime \
-f .docker/bind9.Dockerfile . \
-f .docker/pdns_auth.Dockerfile . \
-t $TAG \
--cache-to type=gha,mode=max \
--cache-from $TAG \
Expand Down
6 changes: 6 additions & 0 deletions .package/dnsdist.conf
@@ -0,0 +1,6 @@
setLocal('0.0.0.0:53')
controlSocket('0.0.0.0:8084')
setKey('PSAag0AEziPZuBB7kdcfIEkVJOyQInRcBRAhadWDpU0=')
addConsoleACL('172.20.0.0/24')
includeDirectory('/etc/dnsdist/conf.d/')
setACL('0.0.0.0/0')
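Review bot: `setACL('0.0.0.0/0')` together with the compose change that publishes dnsdist on host port 53 (`"53:53/tcp"`, `"53:53/udp"`) and the recursor's unconditional `forward-zones-recurse=.=1.1.1.1;8.8.8.8` turns this deployment into an open resolver for anything that can reach the host. dnsdist's built-in default ACL already covers loopback and the RFC 1918 ranges, so simply removing this line, or replacing it with the client subnets this installation serves, is the fix. `setKey('PSAag0AEziPZuBB7kdcfIEkVJOyQInRcBRAhadWDpU0=')` is a committed secret: generate it at deploy time (`makeKey()` in the dnsdist console prints a fresh `setKey(...)` line) and drop it into `/etc/dnsdist/conf.d/`, which `includeDirectory` already reads. `controlSocket('0.0.0.0:8084')` is acceptable only while 8084 stays unpublished; the `addConsoleACL('172.20.0.0/24')` line is the only thing standing between the console and the rest of the host.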
77 changes: 57 additions & 20 deletions .package/docker-compose.yml
Expand Up @@ -345,27 +345,52 @@ services:
- traefik.tcp.routers.kpasswd.service=kpasswd
- traefik.tcp.services.kpasswd.loadbalancer.server.port=464

bind_dns:
image: ghcr.io/multidirectorylab/multidirectory_bind9:${VERSION:-latest}
container_name: bind9
hostname: bind9
restart: unless-stopped
pdns_auth:
image: ghcr.io/multidirectorylab/multidirectory_pdns_auth:${VERSION:-latest}
container_name: pdns_auth
networks:
default:
dns_net:
ipv4_address: 172.20.0.4
expose:
- 8082
- 53/udp
- 53/tcp
volumes:
- dns_server_file:/opt/
- dns_server_config:/etc/bind/
tty: true
env_file:
- .env
environment:
- USE_CONFIG_FILE_LOGGING=true
depends_on:
ldap_server:
condition: service_healthy
restart: true
labels:
- traefik.enable=true
- traefik.udp.routers.bind_dns_udp.entrypoints=bind_dns_udp
- traefik.udp.services.bind_dns_udp.loadbalancer.server.port=53
- dns_lmdb:/var/lib/pdns-lmdb
- dns_config:/etc/powerdns


pdns_recursor:
image: powerdns/pdns-recursor-51:5.1.7
container_name: pdns_recursor
networks:
default:
dns_net:
ipv4_address: 172.20.0.2
expose:
- 8083
- 53/udp
- 53/tcp
volumes:
- ./recursor.conf:/etc/powerdns/recursor.conf
- forward_zones:/etc/powerdns/recursor.d/

pdnsdist:
image: powerdns/dnsdist-19:1.9.11
container_name: pdnsdist
networks:
default:
dns_net:
ipv4_address: 172.20.0.3
expose:
- 8084
ports:
- "53:53/tcp"
- "53:53/udp"
volumes:
- ./dnsdist.conf:/etc/dnsdist/dnsdist.conf
- dnsdist_confd:/etc/dnsdist/conf.d

kea_dhcp4:
image: ghcr.io/multidirectorylab/multidirectory_dhcp4:${VERSION:-latest}
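Review bot: `restart: unless-stopped` was on the removed `bind_dns` service but none of `pdns_auth`, `pdns_recursor` or `pdnsdist` get a restart policy, so a crashed DNS path stays down until someone notices; please add it back on all three. `dns_config:/etc/powerdns` mounts a named volume over the directory the image populates with `COPY ./.package/pdns.conf`: Docker seeds an empty named volume from the image on first start, but from then on the volume masks any `pdns.conf` shipped by a newer image, so config changes will silently not apply on upgrade; if persistence is not needed for that path, bind-mount `./pdns.conf` the way `./recursor.conf` and `./dnsdist.conf` are. Finally, `pdns_auth` and `pdns_recursor` sit on `default` as well as `dns_net`, so their API webservers on 8082/8083 (with the keys committed in this PR) are reachable from every other service on the compose default network, not just from the application that manages zones.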
Expand Down Expand Up @@ -465,6 +490,14 @@ services:
environment:
HANDLER_NAME: event_sender-1

networks:
dns_net:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/24
gateway: 172.20.0.1

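Review bot: the `172.20.0.0/24` subnet is hardcoded here, in the three `ipv4_address` entries above and in `addConsoleACL('172.20.0.0/24')` in `.package/dnsdist.conf`; if it collides with a network that already exists on the host, compose fails to create `dns_net`. Consider a variable such as `${DNS_SUBNET:-172.20.0.0/24}` so the subnet and the console ACL can be changed in one place.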
volumes:
postgres:
kdc:
Expand All @@ -476,3 +509,7 @@ volumes:
leases:
sockets:
dhcp:
dns_lmdb:
dns_config:
forward_zones:
dnsdist_confd:
11 changes: 11 additions & 0 deletions .package/pdns.conf
@@ -0,0 +1,11 @@
launch=lmdb
lmdb-filename=/var/lib/pdns-lmdb/pdns.lmdb
daemon=no
local-address=0.0.0.0
local-port=53
api=yes
api-key=supersecretapikey
Copilot AI Dec 24, 2025

The API key "supersecretapikey" is hardcoded in the configuration file. This is a security risk as it exposes the API key in version control. The API key should be passed as an environment variable or mounted from a secrets management system.

Suggested change
api-key=supersecretapikey
api-key=${PDNS_API_KEY}

Collaborator Author

The API is not exposed outside the Docker network. It is done this way because the API does not work without a key.

webserver-allow-from=0.0.0.0/0
Copilot AI Dec 24, 2025

The webserver is configured to allow connections from any IP address (0.0.0.0/0). This is a security risk in production environments. Consider restricting access to specific IP ranges or implementing additional authentication mechanisms.

Suggested change
webserver-allow-from=0.0.0.0/0
webserver-allow-from=127.0.0.1,::1

Collaborator Author

Same here.

webserver=yes
webserver-address=0.0.0.0
webserver-port=8082
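Review bot: on `api-key=supersecretapikey`, note that `pdns_server` does not expand `${...}` in pdns.conf, so the Copilot suggestion as written would set the literal string `${PDNS_API_KEY}` as the key. Because the image bakes this file in at build time (`COPY ./.package/pdns.conf` in `.docker/pdns_auth.Dockerfile`), the workable route is a small entrypoint that writes `api-key=` from the `PDNS_API_KEY` variable this PR already introduces before exec'ing `pdns_server`. On `webserver-allow-from=0.0.0.0/0`: the service is attached to both `default` and `dns_net` in `.package/docker-compose.yml`, so "not outside Docker" means every container on the default network can use the API with the committed key; `webserver-allow-from=` listing only `172.20.0.0/24` and the application's subnet would narrow that. Also missing from this file: `setuid=`/`setgid=`, so the daemon stays root after binding port 53.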
10 changes: 10 additions & 0 deletions .package/recursor.conf
@@ -0,0 +1,10 @@
local-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
Copilot AI Dec 24, 2025

The webserver is configured to allow connections from any IP address (0.0.0.0/0). This is a security risk in production environments. Consider restricting access to specific IP ranges or implementing additional authentication mechanisms.

Suggested change
webserver-allow-from=0.0.0.0/0
webserver-allow-from=127.0.0.1/32

Collaborator Author

For now it is done this way; later, when PowerDNS DNSdist is added, it will be reworked.

forward-zones-recurse=.=1.1.1.1;8.8.8.8
forward-zones=
api-config-dir=/etc/powerdns/recursor.d/
include-dir=/etc/powerdns/recursor.d/
webserver=yes
webserver-address=0.0.0.0
webserver-port=8083
api-key=supersecretapikey
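Review bot: there is no `allow-from=` in this file, so the recursor answers for its built-in default (loopback plus the RFC 1918 ranges), which happens to include the `172.20.0.0/24` dnsdist network; combined with `forward-zones-recurse=.=1.1.1.1;8.8.8.8` and dnsdist's `setACL('0.0.0.0/0')` on published host port 53, the result is an open recursive forwarder. Set `allow-from=172.20.0.0/24` explicitly so the recursor serves only dnsdist, its one intended client, regardless of what the dnsdist ACL ends up being. `api-key=supersecretapikey` repeats the auth server's literal; when the generated key from this PR replaces these values, both `pdns.conf` and `recursor.conf` need to be covered, since neither file is environment-expanded by the daemons.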