This page covers comprehensive DNSControl configuration using the JavaScript DSL. DNSControl uses a dnsconfig.js file for DNS records and a creds.json file for provider credentials.
DNSControl uses two main configuration files:
- dnsconfig.js - Defines DNS zones and records using the JavaScript DSL
- creds.json - Stores provider API credentials (keep this secure!)

// Define registrars and DNS providers
// Each name passed to NewRegistrar()/NewDnsProvider() matches the key of an
// entry in creds.json ("name.com", "cloudflare" and "route53" in the
// creds.json example on this page). The "none" registrar has no entry there;
// the page describes it as DNS-only management (no registrar changes).
var REG_NONE = NewRegistrar("none");
var REG_NAMEDOTCOM = NewRegistrar("name.com");
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare");
var DSP_ROUTE53 = NewDnsProvider("route53");
// Define DNS zones
D("example.com", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
  // A records (192.0.2.0/24 is a documentation-only range; substitute real addresses)
  A("@", "192.0.2.1"),
  A("www", "192.0.2.1"),
  // AAAA records (2001:db8::/32 is likewise documentation-only)
  AAAA("@", "2001:db8::1"),
  // MX records: the number is the preference, lower is tried first.
  // The trailing dot marks the target as a fully-qualified name.
  MX("@", 10, "mail1.example.com."),
  MX("@", 20, "mail2.example.com."),
  // TXT records. This SPF policy authorises only the zone's MX hosts to send
  // mail and hard-fails (-all) every other sender.
  TXT("@", "v=spf1 mx -all"),
  // NS records
  NS("@", "ns1.example.com."),
  NS("@", "ns2.example.com."),
  // CNAME records. The target is a third-party host name: delete this record
  // when the external site is retired, so "blog" is not left pointing at a
  // name that somebody else could register.
  CNAME("blog", "example.github.io."),
  // SRV records: priority 10, weight 60, port 5060, then the target host.
  SRV("_sip._tcp", 10, 60, 5060, "sip.example.com.")
);
// Additional zone, with a different registrar and DNS provider
D("example.net", REG_NAMEDOTCOM, DnsProvider(DSP_ROUTE53),
  A("@", "192.0.2.100")
);
{
"cloudflare": {
"TYPE": "CLOUDFLARE",
"apitoken": "YOUR_CLOUDFLARE_API_TOKEN"
},
"route53": {
"TYPE": "ROUTE53",
"access_key": "YOUR_AWS_ACCESS_KEY",
"secret_key": "YOUR_AWS_SECRET_KEY"
},
"name.com": {
"TYPE": "NAMEDOTCOM",
"username": "your_username",
"token": "YOUR_NAMECOM_TOKEN"
},
"bind": {
"TYPE": "BIND",
"directory": "./zones"
}
}
| Record Type | Function | Example |
|---|---|---|
| A | IPv4 address | A("@", "192.0.2.1") |
| AAAA | IPv6 address | AAAA("@", "2001:db8::1") |
| CNAME | Canonical name | CNAME("www", "example.com.") |
| MX | Mail exchange | MX("@", 10, "mail.example.com.") |
| TXT | Text record | TXT("@", "v=spf1 mx -all") |
| NS | Name server | NS("@", "ns1.example.com.") |
| PTR | Pointer (reverse DNS) | PTR("1", "host1.example.com.") |
| SRV | Service record | SRV("_sip._tcp", 10, 60, 5060, "sip.example.com.") |
| CAA | Certificate Authority Auth | CAA("@", 0, "issue", "letsencrypt.org") |
| TLSA | TLSA record (DANE) | TLSA("_443._tcp", 3, 1, 1, "certdata") |
| SSHFP | SSH fingerprint | SSHFP("@", 1, 1, "fingerprint") |
| DMARC | DMARC policy | DMARC("_dmarc", "v=DMARC1; p=reject") |
| DKIM | DKIM selector | DKIM("selector", "v=DKIM1; k=rsa; p=...") |
// Cloudflare example. "cloudflare" is the key of the matching creds.json
// entry; REG_NONE is declared in the first example on this page.
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare");
D("example.com", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
  // NOTE(review): "@" carries no proxy modifier and points at the same
  // 192.0.2.1 as the proxied "www" below, so unless a proxy default is set
  // elsewhere the origin address stays resolvable through the apex record.
  A("@", "192.0.2.1"),
  // Enable Cloudflare proxy
  A("www", "192.0.2.1", CF_PROXY_ON),
  // Disable proxy: this address is published in DNS as written
  A("api", "192.0.2.2", CF_PROXY_OFF)
);
{
"cloudflare": {
"TYPE": "CLOUDFLARE",
"apitoken": "YOUR_API_TOKEN"
}
}
// Route 53 example. The "route53" entry in creds.json supplies access_key and
// secret_key; the pair shown on this page is a sample value, not a usable
// credential. REG_NONE is declared in the first example on this page.
var DSP_ROUTE53 = NewDnsProvider("route53");
D("example.com", REG_NONE, DnsProvider(DSP_ROUTE53),
  A("@", "192.0.2.1")
);
{
"route53": {
"TYPE": "ROUTE53",
"access_key": "AKIAIOSFODNN7EXAMPLE",
"secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
}
// BIND example. The "bind" entry in creds.json carries no secret, only
// "directory": "./zones" (presumably where the zone files are written;
// confirm against the provider documentation).
// REG_NONE is declared in the first example on this page.
var DSP_BIND = NewDnsProvider("bind");
D("example.com", REG_NONE, DnsProvider(DSP_BIND),
  A("@", "192.0.2.1"),
  A("www", "192.0.2.1"),
  // Trailing dot: the MX target is a fully-qualified name
  MX("@", 10, "mail.example.com.")
);
{
"bind": {
"TYPE": "BIND",
"directory": "./zones"
}
}
// Google Cloud DNS example. The "gcp" entry in creds.json points "keyfile" at
// a service-account key file; that file is a credential in its own right and
// needs the same protection as creds.json.
// REG_NONE is declared in the first example on this page.
var DSP_GCP = NewDnsProvider("gcp");
D("example.com", REG_NONE, DnsProvider(DSP_GCP),
  A("@", "192.0.2.1")
);
{
"gcp": {
"TYPE": "GCLOUD",
"projectname": "my-gcp-project",
"keyfile": "/path/to/service-account.json"
}
}
// Azure DNS example. The "azure" entry in creds.json holds the subscription,
// tenant and client ids together with "clientsecret", which is the sensitive
// value. REG_NONE is declared in the first example on this page.
var DSP_AZURE = NewDnsProvider("azure");
D("example.com", REG_NONE, DnsProvider(DSP_AZURE),
  A("@", "192.0.2.1")
);
{
"azure": {
"TYPE": "AZURE_DNS",
"subscriptionid": "YOUR_SUBSCRIPTION_ID",
"tenantid": "YOUR_TENANT_ID",
"clientid": "YOUR_CLIENT_ID",
"clientsecret": "YOUR_CLIENT_SECRET"
}
}
// Host labels to publish: one A record per deployment environment.
var environments = ["dev", "staging", "prod"];
// Address for each environment, keyed by the labels listed above.
var ips = {
  dev: "192.0.2.10",
  staging: "192.0.2.20",
  prod: "192.0.2.30"
};
// The array returned by map() is handed to D() as a single argument.
// Every label in `environments` needs a matching key in `ips`; a label
// without one would pass undefined to A() as the address.
// NOTE(review): no DnsProvider(...) is passed in this snippet. It is
// presumably omitted for brevity; confirm before reusing it as written.
D("example.com", REG_NONE,
  environments.map(function (label) {
    var address = ips[label];
    return A(label, address);
  })
);
// Record modifiers and common patterns.
// NOTE(review): no DnsProvider(...) is passed in this snippet. It is
// presumably omitted for brevity; confirm before reusing it as written.
D("example.com", REG_NONE,
  // TTL modifier (300 seconds)
  A("@", "192.0.2.1", TTL(300)),
  // Multiple IPs: two A records on the same label
  A("www", "192.0.2.1"),
  A("www", "192.0.2.2"),
  // Wildcard records: answers for any name under api.example.com that has no
  // record of its own, including names that were never deliberately set up
  A("*.api", "192.0.2.100"),
  // Disable record (comment out)
  // NOTE(review): with this line commented out, the comma after the wildcard
  // record becomes a trailing comma inside D(...); confirm that the
  // dnscontrol version in use accepts it.
  // A("old", "192.0.2.50")
);
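// Mail-authentication records for example.com, all published as TXT data.
// NOTE(review): no DnsProvider(...) is passed in this snippet. It is
// presumably omitted for brevity; confirm before reusing it as written.
D("example.com", REG_NONE,
  // SPF record: authorises the zone's MX hosts and 192.0.2.0/24 to send mail
  // and hard-fails (-all) every other sender.
  TXT("@", "v=spf1 mx ip4:192.0.2.0/24 -all"),
  // DMARC record: a DMARC policy is ordinary TXT data at the _dmarc label, so
  // it is written with TXT(). p=reject asks receivers to reject mail that
  // fails DMARC; rua names the mailbox that receives aggregate reports.
  TXT("_dmarc", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
  // DKIM record (example for Google Workspace). The p= value is a truncated
  // placeholder; publish the complete public key issued by the mail provider.
  TXT("google._domainkey", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQU...")
);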
# Preview changes (dry-run): reports what would change without modifying any provider
dnscontrol preview
# Push changes to providers: this applies the changes to the live zones
dnscontrol push
# Print the parsed configuration as dnscontrol's intermediate representation
# (this is not a BIND zone file)
dnscontrol print-ir
# Check configuration syntax (does not contact the providers)
dnscontrol check
# Format dnsconfig.js
dnscontrol fmt
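- Keep dnsconfig.js in Git (but NOT creds.json)
- Keep creds.json secure
- Run dnscontrol preview first
- REG_NONE - For DNS-only management (no registrar changes)

Instead of hardcoding credentials in creds.json, use environment variables. In creds.json, a value that begins with `$` (for example `"apitoken": "$CLOUDFLARE_API_TOKEN"`) is read from the environment variable of that name: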
// dnsconfig.js
// Nothing changes here when the token moves to the environment: the provider
// is still selected by its creds.json key, and the variable is referenced from
// creds.json rather than from this file.
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare");
# Set environment variables
# A token typed on the command line like this can end up in shell history;
# outside of a demo, load it from a secret store or the CI system's secret settings.
export CLOUDFLARE_API_TOKEN="your_token_here"
# Run DNSControl (the exported variable is visible to this child process)
dnscontrol preview