Mongo backed DNS server
This repository has been archived on 2023-08-14. You can view files and clone it, but cannot push or open issues or pull requests.
Go to file
2021-07-05 15:09:14 +03:00
.gitignore Moved attributes to dns. namespace 2021-04-03 19:39:56 +00:00
docker-compose.yml Moved attributes to dns. namespace 2021-04-03 19:39:56 +00:00
Dockerfile Bump module versions 2021-06-04 10:06:27 +03:00
go.mod Add preliminary Prometheus metrics endpoint 2021-06-14 22:10:26 +03:00
go.sum Add preliminary Prometheus metrics endpoint 2021-06-14 22:10:26 +03:00
main.go Fix indent 2021-07-05 15:09:14 +03:00
overnode.yml Moved attributes to dns. namespace 2021-04-03 19:39:56 +00:00
README.md Update README.md 2021-05-30 08:45:06 +03:00
replica1.yml Moved attributes to dns. namespace 2021-04-03 19:39:56 +00:00
replica2.yml Moved attributes to dns. namespace 2021-04-03 19:39:56 +00:00

Background

GoreDNS is MongoDB backed authoritative DNS server. GoreDNS does not have notion of zones as such. Whatever is found in MongoDB is returned.

We evaluated Bind, CoreDNS and other existing tooling for our usecases described below, but none of the existing tools covered the needs on a satisfactory level.

Name resolution mechanism

Queries hostnames are looked up from dns.fqdn and dns.san attributes in collection specified by GOREDNS_COLLECTION. IP addresses listed in ips attribute are returned, IPv6 is handled correctly. MongoDB target is read from MONGO_URI.

Usecases

GoreDNS is used in Pinecrypt Gateway to resolve IP addresses of the VPN clients and also to return IP addresses of the gateway itself. In the upper level domain subdomain is delegated to GoreDNS. Each VPN client and gateway replica gets unique hostname assigned under that subdomain. Whenever VPN client connects, it's internal IP address is recorded in MongoDB using the OpenVPN and Strongswan helpers. GoreDNS then starts resolving those DNS records.

GoreDNS is used at K-SPACE MTÜ to resolve internal IP addresses assigned by DHCP in a highly available manner. MongoDB is run on 3-node replica set and there are two instances of GoreDNS serving the records.

Why not ...?

Bind configuration is complex and error prone. DHCP added records must be submitted to primary instance. Configuration for secondary servers differs from the primary one. Whenever primary instance is down DHCP records can't be updated. Zone files updated due to DHCP or Let's Encrypt DNS validation using the TSIG mechanism are mangled and reformatted.

CoreDNS with etcd plugin nearly covers the usecases here, however issue 3861 makes it useless for any general purpose DNS resolution. Additionally it introduces dependency on etcd and data duplication if records are already primarily stored in MongoDB.