DNS
DNS providers
DNS Providers with API integration:
- letsencrypt go lib
- Cert-manager native DNS provider integrations
- Cert-manager webhook supported DNS providers
- cert-manager-webhook-gandi With good instructions
- Cert-manager webhook supported DNS providers
- Traefik Acme providers
Options to consider:
- Gandi
- https://www.inwx.de
- Terraform Provider
- No API keys, API auth with user/password
- OTP needed on each API call
Hetzner
- cert-manager-webhook-hetzner
- Actively developed
- Works !
njal.la
- cert-manager-webhook-njalla
- Couldn't make it work (
unable to check TXT record: code: 403, message: Permission denied.) - Stale ?
- Couldn't make it work (
- Terraform njal.la providers
Other tf provider options:
njal.la dyndns
-
❯ export TOKEN=$(gopass show --password token/njal.la/dyndns/varac.net)
Manual update from inside of webserver network:
❯ curl "https://njal.la/update/?h=varac.net&auto&k=$TOKEN"
{"status": 200, "message": "record updated", "value": {"A": "93.221.19.99"}}
Update from outside:
Update:
❯ export IP=93.221.16.69
❯ curl "https://njal.la/update/?h=varac.net&auto&k=${TOKEN}&a=$IP"
Verify:
host varac.net
systemd-resolved
see [[systemd/resolved.md]] (also how to enable DNSSEC resolver)
Privacy preserving DNS servers
DNS proxies with ad-blocking
DNS encryption
DNS over HTTPS (DoH)
DNS over TLS (DoT)
DNS over Quic (DoQ)
DNSCrypt
DNSSEC
- Arch wiki: DNSSEC support in systemd-resolve
- DNSSEC Resolver Test
- https://dnsviz.net/d/systemli.org/dnssec/
Test DNS
/usr/lib/nagios/plugins/check_dns -H varac-test.openappstack.net -a 213.108.108.134 -s 1.1.1.1
dnsdiag tools
sudo apt install dnsdiag
dnsping -c 5 -s 10.27.13.1 varac.net