Skip to main content

OctoDNS: DNS as code - Tools for managing DNS across multiple providers

Project description

octoDNS Logo

DNS as code - Tools for managing DNS across multiple providers

In the vein of infrastructure as code octoDNS provides a set of tools & patterns that make it easy to manage your DNS records across multiple providers. The resulting config can live in a repository and be deployed just like the rest of your code, maintaining a clear history and using your existing review & workflow.

The architecture is pluggable and the tooling is flexible to make it applicable to a wide variety of use-cases. Effort has been made to make adding new providers as easy as possible. In the simple case that involves writing of a single class and a couple hundred lines of code, most of which is translating between the provider's schema and octoDNS's. More on some of the ways we use it and how to go about extending it below and in the /docs directory.

Table of Contents

Getting started


Running through the following commands will install the latest release of octoDNS and set up a place for your config files to live. To determine if provider specific requirements are necessary see the providers table below.

$ mkdir dns
$ cd dns
$ python -m venv env
$ source env/bin/activate
# provider-specific-requirements would be things like: octodns-route53 octodns-azure
$ pip install octodns <provider-specific-requirements>
$ mkdir config

Installing a specific commit SHA

If you'd like to install a version that has not yet been released in a repeatable/safe manner you can do the following. In general octoDNS is fairly stable in between releases thanks to the plan and apply process, but care should be taken regardless.

$ pip install -e git+<SHA>#egg=octodns


We start by creating a config file to tell octoDNS about our providers and the zone(s) we want it to manage. Below we're setting up a YamlProvider to source records from our config files and both a Route53Provider and DynProvider to serve as the targets for those records. You can have any number of zones set up and any number of sources of data and targets for records for each. You can also have multiple config files, that make use of separate accounts and each manage a distinct set of zones. A good example of this this might be ./config/staging.yaml & ./config/production.yaml. We'll focus on a config/production.yaml.

Dynamic Zone Config

octoDNS supports dynamically building the list of zones it will work with when source providers support it. The most common use of this would be with YamlProvider and a single dynamic entry to in effect use the files that exist in the provider's directory as the source of truth. Other providers may support the list_zones method and be available to populate zones dynamically as well. This can be especially useful when using octodns-dump to create an initial setup from an existing provider.

An example config would look something like:

providers: config: class: octodns.provider.yaml.YamlProvider directory: ./config default_ttl: 3600 enforce_order: True ns: class: octodns_ns1.Ns1Provider api_key: env/NS1_API_KEY route53: class: octodns_route53.Route53Provider access_key_id: env/AWS_ACCESS_KEY_ID secret_access_key: env/AWS_SECRET_ACCESS_KEY


This is a dynamic zone config. The source(s), here config, will be

queried for a list of zone names and each will dynamically be set up to

match the dynamic entry.

'*': sources: - config targets: - ns1 - route53

Static Zone Config

In cases where finer grained control is desired and the configuration of individual zones varies zones can be an explicit list with each configured zone listed along with its specific setup. As exemplified below alias zones can be useful when two zones are exact copies of each other, with the same configuration and records. YAML anchors are also helpful to avoid duplication where zones share config, but not records.

manager: include_meta: True max_workers: 2

providers: config: class: octodns.provider.yaml.YamlProvider directory: ./config default_ttl: 3600 enforce_order: True ns: class: octodns_ns1.Ns1Provider api_key: env/NS1_API_KEY route53: class: octodns_route53.Route53Provider access_key_id: env/AWS_ACCESS_KEY_ID secret_access_key: env/AWS_SECRET_ACCESS_KEY

zones: &dual_target sources: - config targets: - ns1 - route53

these have the same setup as, but will have their own files

in the configuration directory for records. *dual_target *dual_target # is an exact copy of, there will not be an # file in the config directory as alias includes # duplicating the records of the aliased zone along with its config. alias: lenient: True sources: - config targets: - ns1

General Configuration Concepts

class is a special key that tells octoDNS what python class should be loaded. Any other keys will be passed as configuration values to that provider. In general any sensitive or frequently rotated values should come from environmental variables. When octoDNS sees a value that starts with env/ it will look for that value in the process's environment and pass the result along.

Further information can be found in the docstring of each source and provider class.

The include_meta key in the manager section of the config controls the creation of a TXT record at the root of a zone that is managed by octoDNS. If set to True, octoDNS will create a TXT record for the root of the zone with the value provider=<target-provider>. If not specified, the default value for include_meta is False.

The max_workers key in the manager section of the config enables threading to parallelize the planning portion of the sync.

Quick Example Record

Now that we have something to tell octoDNS about our providers & zones we need to tell it about our records. We'll keep it simple for now and just create a single A record at the top-level of the domain.


'': ttl: 60 type: A values: - -

Further information can be found in Records Documentation.


We're ready to do a dry-run with our new setup to see what changes it would make. Since we're pretending here we'll act like there are no existing records for in our accounts on either provider.

$ octodns-sync --config-file=./config/production.yaml
* route53 (Route53Provider)
*   Create <ARecord A 60,, [u'', '']>
*   Summary: Creates=1, Updates=0, Deletes=0, Existing Records=0
* dyn (DynProvider)
*   Create <ARecord A 60,, [u'', '']>
*   Summary: Creates=1, Updates=0, Deletes=0, Existing Records=0

There will be other logging information presented on the screen, but successful runs of sync will always end with a summary like the above for any providers & zones with changes. If there are no changes a message saying so will be printed instead. Above we're creating a new zone in both providers so they show the same change, but that doesn't always have to be the case. If, to start, one of them had a different state, you would see the changes octoDNS intends to make to sync them up.

Making changes

WARNING: octoDNS assumes ownership of any domain you point it to. When you tell it to act it will do whatever is necessary to try and match up states including deleting any unexpected records. Be careful when playing around with octoDNS. It's best to experiment with a fake zone or one without any data that matters until you're comfortable with the system.

Now it's time to tell octoDNS to make things happen. We'll invoke it again with the same options and add a --doit on the end to tell it this time we actually want it to try and make the specified changes.

$ octodns-sync --config-file=./config/production.yaml --doit

The output here would be the same as before with a few more log lines at the end as it makes the actual changes. After which the config in Route53 and Dyn should match what's in the yaml file.


In the above case we manually ran octoDNS from the command line. That works and it's better than heading into the provider GUIs and making changes by clicking around, but octoDNS is designed to be run as part of a deploy process. The implementation details are well beyond the scope of this README, but here is an example of the workflow we use at GitHub. It follows the way GitHub itself is branch deployed.

The first step is to create a PR with your changes.

GitHub user interface of a pull request

Assuming the code tests and config validation statuses are green the next step is to do a noop deploy and verify that the changes octoDNS plans to make are the ones you expect.

Output of a noop deployment command

After that comes a set of reviews. One from a teammate who should have full context on what you're trying to accomplish and visibility into the changes you're making to do it. The other is from a member of the team here at GitHub that owns DNS, mostly as a sanity check and to make sure that best practices are being followed. As much of that as possible is baked into octodns-validate.

After the reviews it's time to branch deploy the change.

Output of a deployment command

If that goes smoothly, you again see the expected changes, and verify them with dig and/or octodns-report you're good to hit the merge button. If there are problems you can quickly do a .deploy dns/main to go back to the previous state.

Bootstrapping config files

Very few situations will involve starting with a blank slate which is why there's tooling built in to pull existing data out of providers into a matching config file.

$ octodns-dump --config-file=config/production.yaml --output-dir=tmp/ route53
2017-03-15T13:33:34  INFO  Manager __init__: config_file=tmp/production.yaml
2017-03-15T13:33:34  INFO  Manager dump:, sources=('route53',)
2017-03-15T13:33:36  INFO  Route53Provider[route53] populate:   found 64 records
2017-03-15T13:33:36  INFO  YamlProvider[dump] plan:
2017-03-15T13:33:36  INFO  YamlProvider[dump] plan:   Creates=64, Updates=0, Deletes=0, Existing Records=0
2017-03-15T13:33:36  INFO  YamlProvider[dump] apply: making changes

The above command pulled the existing data out of Route53 and placed the results into tmp/ That file can be inspected and moved into config/ to become the new source. If things are working as designed a subsequent noop sync should show zero changes.

Note that a Dynamic Zone Config and be really powerful in combination with octodns-dump allowing you to quickly create a set of octoDNS zone files for all the zones configured in your sources.

$ octodns-dump --config-file=config/production.yaml --output-dir=tmp/ '*' route53

It is important to review any WARNING log lines printed out during an octodns-dump invocation as it will give you information about records that aren't supported fully or at all by octoDNS and thus won't be exact matches or included in the dumps. Generally records that cannot be converted are either of a type that octoDNS does not support or those that include "dynamic" functionality that doesn't match octoDNS's behaviors.


The table below lists the providers octoDNS supports. They are maintained in their own repositories and released as independent modules.

Provider Module Notes
Akamai Edge DNS octodns_edgedns
Amazon Route 53 octodns_route53
Azure DNS octodns_azure
BIND, AXFR, RFC-2136 octodns_bind
Cloudflare DNS octodns_cloudflare
Constellix octodns_constellix
DigitalOcean octodns_digitalocean
DNS Made Easy octodns_dnsmadeeasy
DNSimple octodns_dnsimple
Dyn (deprecated) octodns_dyn
easyDNS octodns_easydns
EdgeCenter DNS octodns_edgecenter
/etc/hosts octodns_etchosts
Gandi octodns_gandi
G-Core Labs DNS octodns_gcore
Google Cloud DNS octodns_googlecloud
Hetzner DNS octodns_hetzner
Mythic Beasts DNS octodns_mythicbeasts
NS1 octodns_ns1
OVHcloud DNS octodns_ovh
PowerDNS octodns_powerdns
Rackspace octodns_rackspace
Scaleway octodns_scaleway
Selectel octodns_selectel
SPF Value Management octodns_spf
TransIP octodns_transip
UltraDNS octodns_ultra
YamlProvider built-in Supports all record types and core functionality

Updating to use extracted providers

  1. Include the extracted module in your python environment, e.g. if using Route53 that would require adding the octodns_route53 module to your requirements.txt,, or similar.
  2. Update the class value for your provider to the new path, e.g. again for Route53 that would be replacing octodns.provider.route53.Route53Provider with octodns_route53.Route53Provider

The module required and provider class path for extracted providers can be found in the table above.


Similar to providers, but can only serve to populate records into a zone, cannot be synced to.

Source Record Support Dynamic Notes
EnvVarSource TXT No read-only environment variable injection
AxfrSource A, AAAA, CAA, CNAME, LOC, MX, NS, PTR, SPF, SRV, TXT No read-only
ZoneFileSource A, AAAA, CAA, CNAME, MX, NS, PTR, SPF, SRV, TXT No read-only
TinyDnsFileSource A, CNAME, MX, NS, PTR No read-only


  • ALIAS support varies a lot from provider to provider care should be taken to verify that your needs are met in detail.
    • Dyn's UI doesn't allow editing or view of TTL, but the API accepts and stores the value provided, this value does not appear to be used when served
    • Dnsimple's uses the configured TTL when serving things through the ALIAS, there's also a secondary TXT record created alongside the ALIAS that octoDNS ignores
  • octoDNS itself supports non-ASCII character sets, but in testing Cloudflare is the only provider where that is currently functional end-to-end. Others have failures either in the client libraries or API calls


Processor Description
AcmeMangingProcessor Useful when processes external to octoDNS are managing acme challenge DNS records, e.g. LetsEncrypt
AutoArpa See Automatic PTR generation below
EnsureTrailingDots Processor that ensures ALIAS, CNAME, DNAME, MX, NS, PTR, and SRVs have trailing dots
ExcludeRootNsChanges Filter that errors or warns on planned root/APEX NS records changes.
IgnoreRootNsFilter Filter that IGNORES root/APEX NS records and prevents octoDNS from trying to manage them (where supported.)
MetaProcessor Adds a special meta record with timing, UUID, providers, and/or version to aid in debugging and monitoring.
NameAllowlistFilter Filter that ONLY manages records that match specified naming patterns, all others will be ignored
NameRejectlistFilter Filter that IGNORES records that match specified naming patterns, all others will be managed
ValueAllowlistFilter Filter that ONLY manages records that match specified value patterns based on rdata_text, all others will be ignored
ValueRejectlistFilter Filter that IGNORES records that match specified value patterns based on rdata_text, all others will be managed
OwnershipProcessor Processor that implements ownership in octoDNS so that it can manage only the records in a zone in sources and will ignore all others.
SpfDnsLookupProcessor Processor that checks SPF values for violations of DNS query limits
TtlRestrictionFilter Processor that restricts the allow TTL values to a specified range or list of specific values
TypeAllowlistFilter Filter that ONLY manages records of specified types, all others will be ignored
TypeRejectlistFilter Filter that IGNORES records of specified types, all others will be managed
octodns-spf SPF Value Management for octoDNS

Automatic PTR generation

octoDNS supports automatically generating PTR records from the A/AAAA records it manages. For more information see the auto-arpa documentation.

Compatibility and Compliance


lenient mostly focuses on the details of Records and standards compliance. When set to true octoDNS will allow non-compliant configurations & values where possible. For example CNAME values that don't end with a ., label length restrictions, and invalid geo codes on dynamic records. When in lenient mode octoDNS will log validation problems at WARNING and try and continue with the configuration or source data as it exists. See Lenience for more information on the concept and how it can be configured.


strict_supports is a Provider level parameter that comes into play when a provider has been asked to create a record that it is unable to support. The simplest case of this would be record type, e.g. SSHFP not being supported by AzureProvider. If such a record is passed to an AzureProvider as a target the provider will take action based on the strict_supports. When true it will throw an exception saying that it's unable to create the record, when set to false it will log at WARNING with information about what it's unable to do and how it is attempting to work around it. Other examples of things that cannot be supported would be dynamic records on a provider that only supports simple or the lack of support for specific geos in a provider, e.g. Route53Provider does not support NA-CA-*.

It is worth noting that these errors will happen during the plan phase of things so that problems will be visible without having to make changes.

This concept is currently a work in progress and only partially implemented. While work is on-going strict_supports will default to false. Once the work is considered complete & ready the default will change to true as it's a much safer and less surprising default as what you configure is what you'll get unless an error is thrown telling you why it cannot be done. You will then have the choice to explicitly request that things continue with work-arounds with strict_supports set to false. In the meantime it is encouraged that you manually configure the parameter to true in your provider configs.

Configuring strict_supports

The strict_supports parameter is available on all providers and can be configured in YAML as follows:

providers: someprovider: class: whatever.TheProvider ... strict_supports: true

Custom Sources and Providers

You can check out the source and provider directory to see what's currently supported. Sources act as a source of record information. AxfrSource and TinyDnsFileSource are currently the only OSS sources, though we have several others internally that are specific to our environment. These include something to pull host data from gPanel and a similar provider that sources information about our network gear to create both A & PTR records for their interfaces. Things that might make good OSS sources might include an ElbSource that pulls information about AWS Elastic Load Balancers and dynamically creates CNAMEs for them, or Ec2Source that pulls instance information so that records can be created for hosts similar to how our GPanelProvider works.

Most of the things included in octoDNS are providers, the obvious difference being that they can serve as both sources and targets of data. We'd really like to see this list grow over time so if you use an unsupported provider then PRs are welcome. The existing providers should serve as reasonable examples. Those that have no GeoDNS support are relatively straightforward. Unfortunately most of the APIs involved to do GeoDNS style traffic management are complex and somewhat inconsistent so adding support for that function would be nice, but is optional and best done in a separate pass.

The class key in the providers config section can be used to point to arbitrary classes in the python path so internal or 3rd party providers can easily be included with no coordination beyond getting them into PYTHONPATH, most likely installed into the virtualenv with octoDNS.

For examples of building third-party sources and providers, see Related Projects & Resources.

Other Uses

Syncing between providers

While the primary use-case is to sync a set of yaml config files up to one or more DNS providers, octoDNS has been built in such a way that you can easily source and target things arbitrarily. As a quick example the config below would sync from Route53 to Dyn.

providers: route53: class: octodns.provider.route53.Route53Provider access_key_id: env/AWS_ACCESS_KEY_ID secret_access_key: env/AWS_SECRET_ACCESS_KEY dyn: class: octodns.provider.dyn.DynProvider customer: env/DYN_CUSTOMER username: env/DYN_USERNAME password: env/DYN_PASSWORD

zones: sources: - route53 targets: - dyn

Dynamic sources

Internally we use custom sources to create records based on dynamic data that changes frequently without direct human intervention. An example of that might look something like the following. For hosts this mechanism is janitorial, run periodically, making sure the correct records exist as long as the host is alive and ensuring they are removed after the host is destroyed. The host provisioning and destruction processes do the actual work to create and destroy the records.

providers: gpanel-site: class: github.octodns.source.gpanel.GPanelProvider host: '' token: env/GPANEL_SITE_TOKEN powerdns-site: class: octodns.provider.powerdns.PowerDnsProvider host: '' api_key: env/POWERDNS_SITE_API_KEY

zones: sources: - gpanel-site targets: - powerdns-site


Please see our contributing document if you would like to participate!

Getting help

If you have a problem or suggestion, please open an issue in this repository, and we will do our best to help. Please note that this project adheres to the Contributor Covenant Code of Conduct.

Related Projects and Resources

If you know of any other resources, please do let us know!


octoDNS is licensed under the MIT license.

The MIT license grant is not for GitHub's trademarks, which include the logo designs. GitHub reserves all trademark and copyright rights in and to all GitHub trademarks. GitHub's logos include, for instance, the stylized designs that include "logo" in the file title in the following folder:

GitHub® and its stylized versions and the Invertocat mark are GitHub's Trademarks or registered Trademarks. When using GitHub's logos, be sure to follow the GitHub logo guidelines.


octoDNS was designed and authored by Ross McFarland and Joe Williams. See for a complete list of people who've contributed.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

octodns-1.6.1.tar.gz (569.2 kB view hashes)

Uploaded Source

Built Distribution

octodns-1.6.1-py3-none-any.whl (98.0 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page