Using git to deploy DNS changes and treating DNS like code (Part 3: Advanced DNS tricks)
If you haven't at least looked at part one already, you should start there before attempting anything else in this post.
Quick Recap
I just want to quickly recap what we've already talked about in the previous two parts of this guide. In part one we discussed getting started with DNSControl and the very basics of using it. In part two we discussed using CI/CD tooling to automatically deploy DNS changes from git.
Overview
OK, so I've said in the past that you can do some "advanced" stuff with DNSControl. So just what are these advanced functionalities and features? Well, for starters, simplified CAA, DMARC, and SPF records! On top of that you can also do split horizon DNS and some other cool advanced things.
Regular Records
So let's get started with some of these advanced record types and learn about what they can do.
SPF
The very first, and possibly most valuable, advanced record type is the SPF Builder. This function lets you add comments to your SPF record in git, and it also automatically takes care of breaking up your SPF record when it is too long.
SPF_BUILDER({
  label: "@",
  overflow: "_spf%d",
  raw: "_rawspf",
  parts: [
    'v=spf1',
    'include:spf.protection.outlook.com', // Office 365
    '~all'
  ],
  flatten: [
    // Use this area for records that you can safely import the IPv4 records for (reducing DNS lookups)
    'spf-old.company.tld', // Rationale: Being deprecated. Low risk if it breaks.
  ]
}),
So now that you know what it looks like, what is it doing?
- label: the domain or sub-domain that the SPF record applies to.
- overflow: the name template used for the extra records that get created when your SPF record goes past the recommended 255-character length (the %d is replaced with a number).
- raw: the label under which an unsplit "raw" copy of the SPF record is stored.
- parts: the actual pieces of the SPF record, such as ip4 entries and include: mechanisms.
- flatten: a special list; any SPF domain you put here is resolved and replaced with static ip4 and/or ip6 entries (reducing DNS lookups). This is useful for older includes that you can tolerate breaking if the other party changes their addresses.
DMARC
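To make the overflow behaviour concrete, here is an added example (my own code, not DNSControl's) that models what an SPF overflow split does and then counts the DNS-lookup terms in the resulting chain. The chain format ("include:<label>.<domain>"), the greedy packing, and the sample parts are this example's own assumptions about the technique, not DNSControl's exact algorithm.

```javascript
// Added example (not DNSControl's own code): a simplified model of what an SPF
// "overflow" split does, plus the RFC 7208 lookup-limit check that matters
// when you lean on include: mechanisms. The overflow chain format
// ("include:<label>.<domain>") and the greedy packing are this example's own
// assumptions about the technique, not DNSControl's exact algorithm.
const MAX_TXT_STRING = 255; // one TXT character-string holds at most 255 octets
const MAX_LOOKUPS = 10;     // RFC 7208 s4.6.4: at most 10 DNS-querying terms

// True for mechanisms/modifiers that cost a DNS lookup during evaluation.
function isLookupTerm(term) {
  const t = term.replace(/^[+\-~?]/, "").toLowerCase();
  return /^(include:|redirect=|exists:|ptr(:|$)|a(:|\/|$)|mx(:|\/|$))/.test(t);
}

// Split `parts` (first element "v=spf1", last element the "all" qualifier) into
// a chain of TXT records named "@", then overflowTemplate with %d = 1, 2, ...
function buildSpfRecords(domain, parts, overflowTemplate) {
  const version = parts[0];
  const terminator = parts[parts.length - 1];
  let remaining = parts.slice(1, -1);
  const records = [];
  let label = "@";
  let n = 0;
  for (;;) {
    const whole = [version, ...remaining, terminator].join(" ");
    if (whole.length <= MAX_TXT_STRING) {            // everything left fits here
      records.push({ name: label, value: whole });
      return records;
    }
    n += 1;
    const nextLabel = overflowTemplate.replace("%d", String(n));
    const tail = ` include:${nextLabel}.${domain} ${terminator}`;
    let cur = version;
    let taken = 0;
    for (const mech of remaining) {                   // pack greedily, keep room for the tail
      if ((cur + " " + mech + tail).length > MAX_TXT_STRING) break;
      cur += " " + mech;
      taken += 1;
    }
    if (taken === 0) throw new Error(`term too long to fit in one record: ${remaining[0]}`);
    records.push({ name: label, value: cur + tail });
    remaining = remaining.slice(taken);
    label = nextLabel;
  }
}

// Count lookup-costing terms across the whole chain; each overflow record's
// include: is one more lookup, so splitting is not free.
function countLookups(records) {
  return records.reduce(
    (sum, r) => sum + r.value.split(" ").filter(isLookupTerm).length, 0);
}

// Constructed sample: nine includes plus one ip4, which is 258 characters as
// one string and therefore needs one overflow record.
const SAMPLE_PARTS = [
  "v=spf1",
  "include:spf.protection.outlook.com",
  "include:_spf.google.com",
  "include:sendgrid.net",
  "include:mail.zendesk.com",
  "include:servers.mcsv.net",
  "include:spf.mandrillapp.com",
  "include:_spf.salesforce.com",
  "include:mailgun.org",
  "include:amazonses.com",
  "ip4:203.0.113.0/24",
  "~all",
];

function demo() {
  const records = buildSpfRecords("example.com", SAMPLE_PARTS, "_spf%d");
  const raw = { name: "_rawspf", value: SAMPLE_PARTS.join(" ") }; // unsplit copy
  const lookups = countLookups(records);
  return { records, raw, lookups, withinLimit: lookups <= MAX_LOOKUPS };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and note the lookup count: the nine original includes become ten once the overflow include is added, which is exactly the RFC 7208 limit. That is the reason the flatten list exists: turning an old include into static ip4/ip6 entries removes a lookup instead of adding one.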
DMARC is a bit more complex, but once again, thanks to a builder, it is amazingly easy to comment on the information in the DMARC record and to quickly change policies.
DMARC_BUILDER({
  policy: 'reject',          // Main domain policy
  subdomainPolicy: 'reject', // Sub-domain policy
  percent: 100,              // Percentage of failing mail the policy is applied to
  alignmentSPF: 'relaxed',   // SPF Alignment
  alignmentDKIM: 'relaxed',  // DKIM Alignment
  rua: [                     // Aggregate reports (optional)
    'mailto:[email protected]',
  ],
  ruf: [                     // Failure reports (optional)
    'mailto:[email protected]',
  ],
}),
Note the comments in the code above for what each section does. This is a much easier way of writing a DMARC record than trying to build it manually, or using a website and then copy-pasting the result each time you need to make a change.
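To show what the builder is hiding, here is an added example (my own code, not DNSControl's) that renders a DMARC_BUILDER-style option object into the TXT record text and lints a record read back from DNS. The option names mirror the call above; the tag order, the relaxed/strict to r/s mapping, the lint rules and the placeholder addresses are this example's own choices.

```javascript
// Added example (not DNSControl's own code): renders a DMARC_BUILDER-style
// option object into the TXT record text and lints a record read back from
// DNS. The option names mirror the call above; tag order, the two-letter
// alignment mapping and the lint rules are this example's own choices.
const ALIGNMENT = { relaxed: "r", strict: "s" };
const POLICIES = new Set(["none", "quarantine", "reject"]);

// Object -> "v=DMARC1; p=...; ..." (the string that goes in the _dmarc TXT record)
function buildDmarc(opts) {
  const tags = [["v", "DMARC1"], ["p", opts.policy]];
  if (opts.subdomainPolicy) tags.push(["sp", opts.subdomainPolicy]);
  if (opts.percent !== undefined) tags.push(["pct", String(opts.percent)]);
  if (opts.alignmentSPF) tags.push(["aspf", ALIGNMENT[opts.alignmentSPF]]);
  if (opts.alignmentDKIM) tags.push(["adkim", ALIGNMENT[opts.alignmentDKIM]]);
  if (opts.rua && opts.rua.length) tags.push(["rua", opts.rua.join(",")]);
  if (opts.ruf && opts.ruf.length) tags.push(["ruf", opts.ruf.join(",")]);
  return tags.map(([k, v]) => `${k}=${v}`).join("; ");
}

// "k=v; k=v" -> { k: v }; null when a piece is not a tag=value pair.
function parseDmarc(txt) {
  const out = {};
  for (const piece of txt.split(";")) {
    const s = piece.trim();
    if (!s) continue;
    const eq = s.indexOf("=");
    if (eq < 1) return null;
    out[s.slice(0, eq).trim().toLowerCase()] = s.slice(eq + 1).trim();
  }
  return out;
}

// Returns a list of findings; an empty list means the record is well formed
// and actually enforces what it looks like it enforces.
function lintDmarc(txt) {
  const findings = [];
  const tags = parseDmarc(txt);
  if (!tags) return ["record is not a list of tag=value pairs"];
  if (!txt.trim().toLowerCase().startsWith("v=dmarc1")) {
    findings.push("record must start with v=DMARC1");
  }
  if (!POLICIES.has(tags.p)) {
    findings.push(`p must be none, quarantine or reject (got ${tags.p})`);
  }
  if (tags.sp !== undefined && !POLICIES.has(tags.sp)) {
    findings.push(`sp must be none, quarantine or reject (got ${tags.sp})`);
  }
  if (tags.pct !== undefined) {
    const n = Number(tags.pct);
    if (!Number.isInteger(n) || n < 0 || n > 100) {
      findings.push(`pct must be an integer 0..100 (got ${tags.pct})`);
    } else if (n < 100 && tags.p !== "none") {
      findings.push(`pct=${n}: policy is applied to only ${n}% of failing mail`);
    }
  }
  for (const t of ["aspf", "adkim"]) {
    if (tags[t] !== undefined && tags[t] !== "r" && tags[t] !== "s") {
      findings.push(`${t} must be r or s (got ${tags[t]})`);
    }
  }
  for (const t of ["rua", "ruf"]) {
    if (tags[t] === undefined) continue;
    for (const uri of tags[t].split(",")) {
      if (!uri.trim().toLowerCase().startsWith("mailto:")) {
        findings.push(`${t} destination must be a mailto: URI (got ${uri.trim()})`);
      }
    }
  }
  if (tags.p !== "none" && tags.rua === undefined) {
    findings.push("no rua: enforcing without aggregate reports hides legitimate mail that fails");
  }
  return findings;
}

// Constructed sample mirroring the DMARC_BUILDER call above (addresses are placeholders).
const SAMPLE_DMARC = {
  policy: "reject",
  subdomainPolicy: "reject",
  percent: 100,
  alignmentSPF: "relaxed",
  alignmentDKIM: "relaxed",
  rua: ["mailto:dmarc-rua@example.com"],
  ruf: ["mailto:dmarc-ruf@example.com"],
};

console.log(buildDmarc(SAMPLE_DMARC));
console.log(lintDmarc("v=DMARC1; p=reject; pct=50"));
```

The lint step is the part worth keeping around: a record that parses fine can still be weaker than it looks, for example pct=50 with p=reject only rejects half the failing mail, and an enforcing policy with no rua address gives you no visibility into what is being rejected.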
CAA Records
If you don't already know what a CAA record is: it's a DNS record that Certificate Authorities check before issuing an SSL certificate. A CAA record can restrict certificate issuance to only the CAs you have authorized, and, if you choose to, you can receive a report from CAs that detect an attempted issuance without proper CAA authorization.
CAA_BUILDER({
  label: "@",                           // Root Domain
  iodef: "mailto:[email protected]",    // How CAs will report violations
  iodef_critical: true,                 // Force reporting of all violations
  issue: [                              // Allow issuing regular certs (domain.tld, sub.domain.tld, etc.)
    "letsencrypt.org",
    "comodoca.com",
  ],
  issuewild: [                          // Allow issuing wildcard certs (*.domain.tld)
    "letsencrypt.org",
  ],
})
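As an added example (my own code, not DNSControl's), the following expands a CAA_BUILDER-style object into the CAA records it implies and then applies the RFC 8659 issuance rules to them, so you can check what a given CA would be allowed to do before you publish. The option names mirror the call above; the expansion order, the record shape and the placeholder reporting address are this example's own assumptions.

```javascript
// Added example (not DNSControl's own code): expands a CAA_BUILDER-style object
// into the CAA records it implies and applies the RFC 8659 issuance rules to
// them. Option names mirror the call above; the expansion order, the record
// shape and the constructed sample values are this example's own assumptions.
const CRITICAL = 128; // the issuer-critical flag bit

function buildCaa(opts) {
  const records = [];
  if (opts.iodef) {
    records.push({ name: opts.label, flags: opts.iodef_critical ? CRITICAL : 0,
                   tag: "iodef", value: opts.iodef });
  }
  for (const ca of opts.issue || []) {
    records.push({ name: opts.label, flags: 0, tag: "issue", value: ca });
  }
  for (const ca of opts.issuewild || []) {
    records.push({ name: opts.label, flags: 0, tag: "issuewild", value: ca });
  }
  return records;
}

// Zone-file style rendering of one record.
function formatCaa(r) {
  return `${r.name} IN CAA ${r.flags} ${r.tag} "${r.value}"`;
}

// Decide whether the CA identified by `caDomain` may issue for the name that
// owns `records` (the relevant RRset). `wildcard` is true for *.name requests.
function caaAllowsIssuance(records, caDomain, wildcard) {
  if (records.length === 0) return true;  // no CAA at all: any CA may issue
  const known = new Set(["issue", "issuewild", "iodef"]);
  // An unknown tag marked critical means the CA must refuse.
  if (records.some((r) => (r.flags & CRITICAL) !== 0 && !known.has(r.tag))) return false;
  const wild = records.filter((r) => r.tag === "issuewild");
  // issuewild takes precedence for wildcard requests; otherwise issue applies.
  const relevant = wildcard && wild.length > 0 ? wild : records.filter((r) => r.tag === "issue");
  if (relevant.length === 0) return true;  // no issue restriction present
  return relevant.some((r) => {
    // value is "<issuer-domain>[; parameters]"; ";" alone forbids every CA
    const issuer = r.value.split(";")[0].trim().toLowerCase();
    return issuer !== "" && issuer === caDomain.toLowerCase();
  });
}

// Constructed sample mirroring the CAA_BUILDER call above.
const SAMPLE_CAA = {
  label: "@",
  iodef: "mailto:security@example.com", // placeholder reporting address
  iodef_critical: true,
  issue: ["letsencrypt.org", "comodoca.com"],
  issuewild: ["letsencrypt.org"],
};

const CAA_RECORDS = buildCaa(SAMPLE_CAA);
console.log(CAA_RECORDS.map(formatCaa).join("\n"));
console.log("comodoca wildcard:", caaAllowsIssuance(CAA_RECORDS, "comodoca.com", true)); // false
```

Two outcomes are worth noticing when you run it: with the records above, comodoca.com may issue a regular certificate but not a wildcard, because the issuewild list takes precedence for wildcard requests; and a name with only an iodef record is unrestricted, so publishing a reporting address without any issue entries does not lock anything down.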
More Advanced Stuff
There are a lot more advanced things we can do with DNSControl; I'll only go over a couple more (because this post is getting long). But you can always read the DNSControl documentation to get an idea of just how advanced you can potentially get. It is, after all, JavaScript.
Splitting into multiple files
OK, so you have a lot of domains and you don't want them all in one giant file. Totally understandable, I don't like huge files either, so let's break it up, shall we?
To start, let's change the top of the main file.
dnscontrol.js
require_glob("./domains/", false) // Pulls all top level JS files (no sub-directories)
From here, create a folder called domains, and then create a new file for each domain (e.g. sysadmins.zone.js). Once you've created the file, cut and paste the domain information from the original main dnscontrol.js file, then copy and paste the registrar and DNS provider information from the top of the main file. Each domain file should end up looking something like this.
domains/sysadmins.zone.js
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare", "CLOUDFLAREAPI");
var REG_NONE = NewRegistrar("none");

D("example.com", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
  DefaultTTL(1),
  ALIAS('@', 'someplace.tld.', CF_PROXY_ON),
  CNAME('www', 'someplace.tld.', CF_PROXY_ON),
  TXT('@', 'v=spf1 -all'),
  TXT('_dmarc', 'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;'),
  TXT('*._domainkey', 'v=DKIM1; p=')
);
Microsoft 365
OK, so far we've talked about standard records, but if you use Microsoft 365 services you can also massively cut down on the DNS setup there too, using DNSControl's built-in M365 helper. Below is a code snippet that enables all of the M365 products.
M365_BUILDER({
  label: "@",                              // Root domain
  mx: true,                                // Enable the MX record creation (turn off if using 3rd party spam filtering)
  autodiscover: true,                      // Enable the autodiscover record for Outlook
  dkim: true,                              // Publish M365 DKIM records
  mdm: true,                               // Enable Intune/MDM
  initialDomain: "example.onmicrosoft.com", // Your .onmicrosoft.com domain (used to generate the records)
});
And using just that little tiny bit of code, all of the MX, DKIM, and CNAME records are created automatically for you.
Final Thoughts
I hope that you've enjoyed the 3-part guide on converting your records into something you can store as code, and I hope it helps you out a lot. If you have any questions feel free to ask them and I'll try to assist.