github.com/StackExchange/dnscontrol/v3

DNSControl

DNSControl is a system for maintaining DNS zones. It has two parts: a domain specific language (DSL) for describing DNS zones plus software that processes the DSL and pushes the resulting zones to DNS providers such as Route53, Cloudflare, and Gandi. It can send the same DNS records to multiple providers. It even generates the most beautiful BIND zone files ever. It runs anywhere Go runs (Linux, macOS, Windows). The provider model is extensible, so more providers can be added.

Currently supported DNS providers:

• Akamai Edge DNS
• AutoDNS
• AWS Route 53
• AXFR+DDNS
• Azure DNS
• BIND
• Cloudflare
• ClouDNS
• deSEC
• DigitalOcean
• DNS Made Easy
• DNSimple
• Domainnameshop (Domeneshop)
• Exoscale
• Gandi
• Gcore
• Google DNS
• Hetzner
• HEXONET
• hosting.de
• Hurricane Electric DNS
• INWX
• Linode
• Loopia
• LuaDNS
• Microsoft Windows Server DNS Server
• Namecheap
• Name.com
• Netcup
• Netlify
• NS1
• Oracle Cloud
• OVH
• Packetframe
• Porkbun
• PowerDNS
• RWTH DNS-Admin
• SoftLayer
• TransIP
• Vultr

Currently supported Domain Registrars:

• AWS Route 53
• CSC Global
• DNSOVERHTTPS
• easyname
• Gandi
• HEXONET
• hosting.de
• Internet.bs
• INWX
• Namecheap
• Name.com
• OpenSRS
• OVH

At Stack Overflow, we use this system to manage hundreds of domains and subdomains across multiple registrars and DNS providers.

You can think of it as a DNS compiler. The configuration files are written in a DSL that looks a lot like JavaScript. It is compiled to an intermediate representation (IR). Compiler back-ends use the IR to update your DNS zones on services such as Route53, Cloudflare, and Gandi, or systems such as BIND.

An Example

dnsconfig.js:

// define our registrar and providers
var namecom = NewRegistrar("name.com");
var r53 = NewDnsProvider("r53")

D("example.com", namecom, DnsProvider(r53),
  A("@", "1.2.3.4"),
  CNAME("www","@"),
  MX("@",5,"mail.myserver.com."),
  A("test", "5.6.7.8")
)

Running dnscontrol preview will talk to the providers (here name.com as registrar and route 53 as the dns host), and determine what changes need to be made.

Running dnscontrol push will make those changes with the provider and my dns records will be correctly updated.

See Getting Started page on documentation site.

Benefits

• Less error-prone than editing a BIND zone file.
• More reproducible than clicking buttons on a web portal.
• Easily switch between DNS providers: The DNSControl language is vendor-agnostic. If you use it to maintain your DNS zone records, you can switch between DNS providers easily. In fact, DNSControl will upload your DNS records to multiple providers, which means you can test one while switching to another. We've switched providers 3 times in three years and we've never lost a DNS record.
• Adopt CI/CD principles to DNS! At StackOverflow we maintain our DNSControl configurations in Git and use our CI system to roll out changes. Keeping DNS information in a VCS means we have full history. Using CI enables us to include unit-tests and system-tests. Remember when you forgot to include a "." at the end of an MX record? We haven't had that problem since we included a test to make sure Tom doesn't make that mistake... again.
• Adopt PR-based updates. Allow developers to send updates as PRs, which you can review before you approve.
• Variables save time! Assign an IP address to a constant and use the variable name throughout the file. Need to change the IP address globally? Just change the variable and "recompile."
• Macros! Define your SPF records, MX records, or other repeated data once and re-use them for all domains.
• Control Cloudflare from a single source of truth. Enable/disable Cloudflare proxying (the "orange cloud" button) directly from your DNSControl files.
• Keep similar domains in sync with transforms and other features. If one domain is supposed to be a filtered version of another, this is easy to set up.
• It is extendable! All the DNS providers are written as plugins. Writing new plugins is very easy.

Installation

DNSControl can be installed via packages for macOS, Linux and Windows, or from source code. See the official instructions.

Via GitHub Actions (GHA)

See dnscontrol-action or gacts/install-dnscontrol.

Deprecation warnings (updated 2023-02-18)

• Call for new volunteer maintainers for NAMEDOTCOM and SOFTLAYER. These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.
• ACME/Let's Encrypt support is frozen and will be removed after December 31, 2022. The get-certs command (renews certs via Let's Encrypt) has no maintainer. There are other projects that do a better job. If you don't use this feature, please do not start. If you do use this feature, please plan on migrating to something else. See discussion in issues/1400
• get-zones syntax changes in v3.16 Starting in v3.16, the command line arguments for dnscontrol get-zones changes. For backwards compatibility change provider to -. See documentation for details.

More info at our website

The website: https://docs.dnscontrol.org/

The getting started guide: https://docs.dnscontrol.org/getting-started/getting-started