octoDNS syncs DNS records to provider APIs. The main controls are credential scope, change review, and deployment pipeline security.
- Use least-privilege tokens - Scope each provider token to the minimum permissions it needs, per zone or per account where the provider allows it, so a leaked token cannot rewrite every zone
- Store secrets securely - Keep tokens in a secret manager (AWS Secrets Manager, HashiCorp Vault); never commit them to the repository
- Rotate credentials regularly - Rotate provider credentials on a schedule and remove stale service accounts
- Use environment variables - Reference secrets in the config with the env/VARIABLE_NAME syntax (octoDNS reads the value from the process environment at load time), not as hardcoded values
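As an added example (not octoDNS's own code), here is a small CI check that walks the providers section of an octoDNS config and fails if any credential-looking key holds a literal instead of an env/NAME reference. The two sample configs are constructed; the provider class names follow the octodns-cloudflare and octodns-route53 packages, and the SECRET_KEYS set is an assumption that you should extend for the providers you actually run.

```python
"""CI check: octoDNS provider credentials must be env/NAME references, not literals.

Added example, not part of octoDNS. Run as: python check_secrets.py config/production.yaml
"""
import sys
from typing import Any

# Assumption: config keys that octoDNS providers use for credentials. Extend this
# for the providers you actually run (check each provider's README).
SECRET_KEYS = {
    "token", "api_key", "apikey", "secret", "secret_key", "password",
    "client_secret", "access_key_id", "secret_access_key",
}


def is_env_reference(value: Any) -> bool:
    """True if octoDNS would resolve this value from the environment at load time."""
    return isinstance(value, str) and value.startswith("env/") and len(value) > len("env/")


def find_hardcoded_secrets(config: dict[str, Any]) -> list[str]:
    """Return sorted 'provider.key' paths whose credential value is a literal."""
    findings: list[str] = []
    for name, provider in (config.get("providers") or {}).items():
        if not isinstance(provider, dict):
            continue
        for key, value in provider.items():
            # Only top-level provider keys are inspected; nested credential
            # structures would need provider-specific handling.
            if key.lower() in SECRET_KEYS and not is_env_reference(value):
                findings.append(f"{name}.{key}")
    return sorted(findings)


# Constructed sample configs in the shape of an octoDNS config file.
BAD_CONFIG = {
    "providers": {
        "config": {"class": "octodns.provider.yaml.YamlProvider", "directory": "./config"},
        "cloudflare": {
            "class": "octodns_cloudflare.CloudflareProvider",
            "token": "cf-token-pasted-into-git",                # literal: flagged
        },
        "route53": {
            "class": "octodns_route53.Route53Provider",
            "access_key_id": "AKIAEXAMPLEEXAMPLE",             # literal: flagged
            "secret_access_key": "env/AWS_SECRET_ACCESS_KEY",  # env reference: fine
        },
    },
    "zones": {"example.com.": {"sources": ["config"], "targets": ["cloudflare", "route53"]}},
}

GOOD_CONFIG = {
    "providers": {
        "config": {"class": "octodns.provider.yaml.YamlProvider", "directory": "./config"},
        "cloudflare": {
            "class": "octodns_cloudflare.CloudflareProvider",
            "token": "env/CLOUDFLARE_TOKEN",
        },
        "route53": {
            "class": "octodns_route53.Route53Provider",
            "access_key_id": "env/AWS_ACCESS_KEY_ID",
            "secret_access_key": "env/AWS_SECRET_ACCESS_KEY",
        },
    },
    "zones": {"example.com.": {"sources": ["config"], "targets": ["cloudflare", "route53"]}},
}


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} CONFIG_YAML", file=sys.stderr)
        return 2
    import yaml  # PyYAML, which octoDNS itself depends on
    with open(argv[1]) as fh:
        config = yaml.safe_load(fh)
    findings = find_hardcoded_secrets(config)
    for path in findings:
        print(f"hardcoded credential: providers.{path}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it into the same CI job that runs octodns-validate so a pull request that pastes a token into the config fails before anyone reviews it; the non-zero exit code is what the status check keys on.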
- Enforce pull-request review - Require review for every zone config change
- Use CI validation - Run octodns-validate on every change before sync/apply
- Restrict production access - Limit --doit execution to trusted CI runners or operators; octodns-sync without --doit is a dry run that only plans changes
- Branch protection - Protect main branches with required reviews and status checks
- Separate environments - Use different configs for staging and production
Example GitHub Actions workflow steps:

```yaml
steps:
  - uses: actions/checkout@v4
  - name: Validate zone configs
    run: octodns-validate --config-file=config/production.yaml
  - name: Validate DNS changes (dry run)
    # Without --doit octodns-sync is a dry run: it only prints the planned changes
    run: octodns-sync --config-file=config/production.yaml
  - name: Apply DNS changes
    # Only apply on pushes to main, i.e. after review and merge
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    run: octodns-sync --config-file=config/production.yaml --doit
```
Security measures:
- Run dry-run on every PR
- Require manual approval for production changes
- Use OIDC for cloud provider authentication (no long-lived credentials)
- Enable provider audit logs - Keep provider-side audit logs enabled so changes are attributable even when they bypass octoDNS
- Record change metadata - Log actor identity, commit SHA, and timestamp for each sync
- Alert on out-of-band changes - Monitor for DNS changes made outside octoDNS, for example by comparing the provider's live state against the zone config in Git
- Version control all configs - Store zone files in Git for a full audit trail
- Regular exports - Use octodns-dump to back up the provider's current state periodically
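One way to turn the exports into an out-of-band change detector, as an added example that is not octoDNS's own tooling: diff the zone YAML kept in Git against the same zone as written by octodns-dump, after loading both with PyYAML. Records that exist only in the provider were created outside octoDNS, records that exist only in Git were deleted outside it, and records with different values were modified. The sample zone data below is constructed; the record layout (one record dict or a list of them per name, with `value` or `values`) follows octoDNS zone files.

```python
"""Detect out-of-band DNS changes by diffing the Git zone config against a provider dump.

Added example, not part of octoDNS. Intended inputs: the zone YAML kept in Git and
the same zone as written by octodns-dump (both loaded with PyYAML into dicts).
"""
import sys
from typing import Any

Record = tuple[str, str]                              # (record name, record type)
Normalized = dict[Record, tuple[int, tuple[str, ...]]]


def normalize(zone: dict[str, Any]) -> Normalized:
    """Flatten an octoDNS zone mapping into {(name, type): (ttl, sorted values)}.

    In octoDNS zone files each name maps to one record dict or a list of them,
    and a record carries either `value` or `values`. Sorting the values makes
    the comparison order-independent, so a reordered A record set is not drift.
    """
    out: Normalized = {}
    for name, entries in zone.items():
        if isinstance(entries, dict):
            entries = [entries]
        for rec in entries:
            values = rec.get("values")
            if values is None:
                values = [rec["value"]]
            # str() also covers structured values such as MX {preference, exchange}
            out[(name, rec["type"])] = (int(rec["ttl"]), tuple(sorted(str(v) for v in values)))
    return out


def diff_zones(expected: dict[str, Any], actual: dict[str, Any]) -> dict[str, list[Record]]:
    """Compare what Git says the zone should be (expected) with what the provider holds (actual)."""
    exp, act = normalize(expected), normalize(actual)
    return {
        "out_of_band": sorted(k for k in act if k not in exp),  # created outside octoDNS
        "missing": sorted(k for k in exp if k not in act),      # deleted outside octoDNS
        "changed": sorted(k for k in exp.keys() & act.keys() if exp[k] != act[k]),
    }


# Constructed sample data in the shape of octoDNS zone YAML (after yaml.safe_load).
GIT_ZONE = {
    "": [
        {"type": "A", "ttl": 300, "values": ["192.0.2.1", "192.0.2.2"]},
        {"type": "MX", "ttl": 3600, "values": [{"preference": 10, "exchange": "mail.example.com."}]},
    ],
    "api": {"type": "A", "ttl": 300, "value": "192.0.2.20"},
    "www": {"type": "CNAME", "ttl": 300, "value": "example.com."},
}

PROVIDER_DUMP = {
    "": [
        {"type": "A", "ttl": 300, "values": ["192.0.2.2", "192.0.2.1"]},  # reordered only: not drift
        {"type": "MX", "ttl": 3600, "values": [{"preference": 10, "exchange": "mail.example.com."}]},
    ],
    "_acme-challenge": {"type": "TXT", "ttl": 60, "value": "constructed-token"},  # added out of band
    "www": {"type": "CNAME", "ttl": 300, "value": "cdn.example.net."},           # changed out of band
    # "api" is absent: deleted out of band
}


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} GIT_ZONE_YAML DUMPED_ZONE_YAML", file=sys.stderr)
        return 2
    import yaml  # PyYAML, which octoDNS itself depends on
    with open(argv[1]) as a, open(argv[2]) as b:
        drift = diff_zones(yaml.safe_load(a) or {}, yaml.safe_load(b) or {})
    for kind, records in drift.items():
        for name, rtype in records:
            print(f"{kind}: {name or '@'} {rtype}")
    return 1 if any(drift.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a scheduled job right after octodns-dump and page on a non-zero exit; because the comparison is against the committed config rather than the previous dump, a change that slipped past octoDNS keeps alerting until it is either reverted or brought into Git.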
When using octoDNS with self-hosted DNS servers such as BIND, PowerDNS, or Knot DNS:
- Secure API access - Use TLS and API-key authentication for the server's management API
- Network isolation - Restrict access to the DNS server APIs to the hosts that run octoDNS
- Zone file permissions - Protect zone files with restrictive file permissions (0640)
- TSIG keys - Use TSIG-authenticated dynamic updates where the provider supports them
- Monitor zone transfers - Log and alert on AXFR/IXFR operations, especially those served to clients that are not your secondaries
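As an added example of the zone-transfer monitoring above (not code from octoDNS or BIND), this script parses transfer log lines, resolves the client address, and raises an alert for any AXFR/IXFR served to a client outside the allow-listed secondary networks. The log lines are constructed in the shape of BIND's xfer-out category messages; adjust the regex for the server you run.

```python
"""Flag zone transfers (AXFR/IXFR) served to clients that are not known secondaries.

Added example, not part of octoDNS or BIND. The log lines below are constructed in
the shape of BIND's xfer-out category messages; adjust XFER_RE for your server.
"""
import ipaddress
import re
from typing import Iterable

# Matches e.g. "client @0x7f3a1c0 192.0.2.10#53214 (example.com): transfer of 'example.com/IN': AXFR started"
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"transfer of '[^']+': (?P<kind>AXFR|IXFR) started"
)


def unexpected_transfers(lines: Iterable[str], allowed: Iterable[str]) -> list[dict[str, str]]:
    """Return one alert per transfer whose client is outside the allowed networks.

    `allowed` holds the secondaries' addresses or CIDR ranges; anything else
    pulling a zone is either a misconfigured transfer ACL or reconnaissance.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    alerts: list[dict[str, str]] = []
    for line in lines:
        m = XFER_RE.search(line)
        if not m:
            continue  # not a transfer start line (queries, "ended" lines, etc.)
        client = ipaddress.ip_address(m["ip"])
        if any(client in n for n in nets):
            continue
        alerts.append({"client": str(client), "zone": m["zone"], "kind": m["kind"]})
    return alerts


# Constructed sample log lines (BIND-style xfer-out messages; not real captures).
SAMPLE_LOG = [
    "12-Mar-2024 10:00:01.123 xfer-out: info: client @0x7f3a1c0 192.0.2.10#53214 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)",
    "12-Mar-2024 10:00:01.456 xfer-out: info: client @0x7f3a1c0 192.0.2.10#53214 (example.com): transfer of 'example.com/IN': AXFR ended",
    "12-Mar-2024 10:05:17.001 xfer-out: info: client @0x7f3a2b8 2001:db8::15#40111 (example.com): transfer of 'example.com/IN': IXFR started (serial 2024031201)",
    "12-Mar-2024 11:42:09.877 xfer-out: info: client @0x7f3a3d2 198.51.100.77#41002 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)",
    "12-Mar-2024 11:42:10.002 queries: info: client 203.0.113.5#5353 (www.example.com): query: www.example.com IN A + (192.0.2.53)",
]

# Assumption: the networks your secondaries transfer from.
ALLOWED_SECONDARIES = ["192.0.2.0/24", "2001:db8::/64"]


if __name__ == "__main__":
    for alert in unexpected_transfers(SAMPLE_LOG, ALLOWED_SECONDARIES):
        print(f"ALERT: {alert['kind']} of {alert['zone']} served to {alert['client']}")
```

Only the "started" line is matched so each transfer produces one alert; the allow list should mirror the server's allow-transfer ACL, so an alert means either the ACL and the monitor disagree or someone outside the ACL is pulling the zone, and both are worth a look.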
When running octoDNS in containers:
- Don't hardcode credentials - Inject them with Docker secrets or environment variables; never bake them into the image
- Restrict volume mounts - Mount only the config directories octoDNS needs
- Run as non-root - Add USER 1000 to the Dockerfile
- Scan images - Scan container images for vulnerabilities regularly
For audited environments:
- Change management - All DNS changes tracked via Git commits
- Separation of duties - Different teams manage configs vs. deployment
- Audit trail - Full history of who changed what and when
- Rollback capability - Git enables quick rollback to previous state
- Documentation - Zone files serve as living documentation