Bindizr is a Rust-based daemon and HTTP API that synchronizes DNS records between bind9 and a database (MySQL, PostgreSQL, or SQLite).
- It reads and writes zone configurations from a bind config directory.
- Changes made via HTTP API are stored in the database and written to zone files.
- After updates, bindizr sends RNDC commands to bind9 to reload zone data.
# For Debian-based systems
$ sudo apt-get update
$ sudo apt-get install sudo ufw dnsutils bind9
$ sudo ufw allow 953/tcp
# For Red Hat-based systems
$ sudo yum install bind bind-utils
$ sudo firewall-cmd --add-port=953/tcp --permanent
$ sudo firewall-cmd --reload
You can download the latest bindizr binary from Release.
For building from source, see the packaging documentation.
For Debian-based systems (Ubuntu, Debian, etc.), you can install Bindizr using the .deb package:
# Install using dpkg
$ sudo dpkg -i bindizr_0.1.0_amd64.deb
# Verify installation
$ bindizr
For Red Hat-based systems (Fedora, CentOS, RHEL, etc.), you can install Bindizr using the .rpm file:
# Install the .rpm package
$ sudo rpm -i bindizr_0.1.0_amd64.rpm
# Verify installation
$ bindizr
We provide two methods for configuring BIND and RNDC: a recommended automated script and a manual setup.
This script automatically detects your BIND configuration directory, generates an RNDC key if needed, and updates your named.conf file.
# Download and run the setup script
$ wget -qO- https://raw.githubusercontent.com/kweonminsung/bindizr/main/scripts/setup_bind_rndc.sh | sudo bash
# Restart bind service
$ sudo systemctl restart bind9 # For Debian-based systems
$ sudo systemctl restart named # For Red Hat-based systems
Alternative: Manual Setup
First, set variables for your BIND configuration. The paths vary depending on your operating system.
- For Debian-based systems (e.g., Ubuntu):
$ BIND_CONF_FILE=/etc/bind/named.conf
$ RNDC_KEY_FILE=/etc/bind/rndc.key
- For Red Hat-based systems (e.g., Fedora, CentOS):
$ BIND_CONF_FILE=/etc/named.conf
$ RNDC_KEY_FILE=/etc/rndc.key
Next, create the necessary directories and files.
$ sudo mkdir -p "/etc/bindizr/zones"
$ sudo touch "/etc/bindizr/zones/named.conf"
Now, generate the RNDC configuration and key using the variable:
# Generate RNDC configuration and key
$ sudo rndc-confgen -a
# View the generated key (example below)
$ cat $RNDC_KEY_FILE
# Output:
key "rndc-key" {
algorithm hmac-sha256; # The algorithm used for RNDC authentication (must match on both sides)
secret "RNDC_SECRET_KEY"; # Shared secret key (base64-encoded)
};
Now, update your main BIND configuration file ($BIND_CONF_FILE) by adding the following lines. This ensures that BIND loads both the Bindizr configuration and the RNDC key.
# Append the include statements to named.conf
echo "
include \"/etc/bindizr/zones/named.conf\";
include \"$RNDC_KEY_FILE\";
" | sudo tee -a "$BIND_CONF_FILE"
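You also need to add a controls block to allow rndc to connect. The active statement in the example accepts RNDC connections on every interface from any host that holds the key; when Bindizr runs on the same host as BIND (rndc_server_url = "127.0.0.1:953" in the Bindizr configuration), the localhost-only variant shown in the comments is sufficient. If you don't have one, add the following: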
controls {
# Listens on all interfaces (0.0.0.0) using port 953 (default RNDC port)
# Adjust IP and port as needed for your environment.
inet 0.0.0.0 port 953
allow { any; } keys { "rndc-key"; };
# For example, to restrict RNDC to localhost only:
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# Or to allow only specific internal network:
# inet 192.168.1.10 port 953
# allow { 192.168.1.0/24; } keys { "rndc-key"; };
};
After saving the changes, restart the BIND service:
# Restart bind service
$ sudo systemctl restart bind9 # For Debian-based systems
$ sudo systemctl restart named # For Red Hat-based systems
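To check the controls block after the manual setup above, the following added example (not part of the Bindizr project) reports each RNDC listener and whether its ACL leaves it protected by the key alone. The function name audit_rndc_controls and its EXPOSED/RESTRICTED labels are assumptions made for this example; only # and // comments are handled.

```shell
#!/bin/sh
# Added example (not Bindizr code): audit_rndc_controls is a hypothetical helper.
# For every "inet" statement inside a controls block it prints:
#   EXPOSED <addr>     ACL is "any" and the listener is not loopback
#   RESTRICTED <addr>  loopback listener, or an ACL narrower than "any"
# Only # and // comments are stripped; /* ... */ comments are not handled.
audit_rndc_controls() {
    sed -e 's/#.*$//' -e 's|//.*$||' "$1" | tr '\n' ' ' | awk '
    {
        text = $0
        while (match(text, /controls[ \t]*[{]/)) {
            text = substr(text, RSTART + RLENGTH)
            # Collect the block body by tracking brace depth.
            depth = 1; block = ""
            for (i = 1; i <= length(text) && depth > 0; i++) {
                c = substr(text, i, 1)
                if (c == "{") depth++
                else if (c == "}") depth--
                if (depth > 0) block = block c
            }
            text = substr(text, i)
            # One iteration per "inet <addr> ... allow { <acl> }" statement.
            while (match(block, /inet[ \t]+[^ \t;]+[^;]*allow[ \t]*[{][^}]*[}]/)) {
                stmt = substr(block, RSTART, RLENGTH)
                block = substr(block, RSTART + RLENGTH)
                split(stmt, w, /[ \t]+/)
                addr = w[2]
                acl = stmt
                sub(/^.*allow[ \t]*[{]/, "", acl)
                sub(/[}].*$/, "", acl)
                loopback = (addr == "127.0.0.1" || addr == "::1")
                any_acl = (acl ~ /(^|[ \t;])any[ \t]*;/)
                label = (any_acl && !loopback) ? "EXPOSED" : "RESTRICTED"
                print label, addr
            }
        }
    }'
}

# Usage: audit_rndc_controls /etc/bind/named.conf
```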
Create a configuration file for Bindizr:
$ vim /etc/bindizr/bindizr.conf.toml # or use any text editor you prefer
Add the following configuration, adjusting values to match your environment:
[api]
host = "127.0.0.1" # HTTP API host
port = 3000 # HTTP API port
require_authentication = true # Enable API authentication (true/false)
[database]
type = "mysql" # Database type: mysql, sqlite, postgresql
[database.mysql]
server_url = "mysql://user:password@hostname:port/database" # MySQL server configuration
[database.sqlite]
file_path = "bindizr.db" # SQLite database file path
[database.postgresql]
server_url = "postgresql://user:password@hostname:port/database" # PostgreSQL server configuration
[bind]
rndc_server_url = "127.0.0.1:953" # RNDC server address
rndc_algorithm = "sha256" # RNDC authentication algorithm
rndc_secret_key = "RNDC_SECRET_KEY" # RNDC secret key
[logging]
log_level = "debug" # Log level: error, warn, info, debug, trace
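The [bind] values above must agree with the key clause that rndc-confgen wrote. The following added example (not part of the Bindizr project) derives that section from the key file instead of retyping the secret. The function name bind_section_from_key is hypothetical, and mapping any hmac-* name by dropping the prefix is an assumption generalized from the one hmac-sha256 / sha256 pairing shown on this page.

```shell
#!/bin/sh
# Added example (not Bindizr code): bind_section_from_key is a hypothetical helper.
# It reads the key clause written by rndc-confgen and prints the matching [bind]
# section for bindizr.conf.toml, so the secret is never retyped by hand.
# Usage: bind_section_from_key KEYFILE [HOST:PORT]
bind_section_from_key() {
    keyfile=$1
    server=${2:-127.0.0.1:953}   # default taken from the sample configuration

    # First "algorithm <name>;" and quoted "secret" statements in the file.
    algo=$(sed -n 's/^[[:space:]]*algorithm[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$keyfile" | head -n 1)
    secret=$(sed -n 's/^[[:space:]]*secret[[:space:]]\{1,\}"\([^"]*\)"[[:space:]]*;.*/\1/p' "$keyfile" | head -n 1)

    if [ -z "$algo" ] || [ -z "$secret" ]; then
        echo "no algorithm/secret pair found in $keyfile" >&2
        return 1
    fi
    # The page pairs "hmac-sha256" in the key file with "sha256" in the TOML.
    # Assumption: other hmac-* names map the same way, by dropping the prefix.
    case $algo in
        hmac-*) algo=${algo#hmac-} ;;
        *) echo "unexpected algorithm name: $algo" >&2; return 1 ;;
    esac
    # The secret is base64 text; refuse anything else rather than emit broken TOML.
    case $secret in
        *[!A-Za-z0-9+/=]*) echo "secret is not base64 text" >&2; return 1 ;;
    esac

    printf '[bind]\n'
    printf 'rndc_server_url = "%s"\n' "$server"
    printf 'rndc_algorithm = "%s"\n' "$algo"
    printf 'rndc_secret_key = "%s"\n' "$secret"
}
```

The output contains the RNDC secret, so run it as a user allowed to read the key file and paste the result only into the Bindizr configuration file.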
# Start Bindizr service
$ sudo systemctl enable bindizr
$ sudo systemctl start bindizr
# Create an API token for authentication
$ bindizr token create
Bindizr provides a command-line interface for managing the DNS synchronization service and API tokens.
# Start bindizr in the foreground
$ bindizr start
# Start with a custom configuration file
$ bindizr start -c <FILE>
# Check the current status of bindizr service
$ bindizr status
# Overwrite DNS configuration file
$ bindizr dns write
# Reload DNS configuration
$ bindizr dns reload
# Show help information
$ bindizr --help
Bindizr uses API tokens for authentication. You can manage these tokens using the following commands:
# Create a new API token
$ bindizr token create --description "API access for monitoring"
# Create a token with expiration
$ bindizr token create --description "Temporary access" --expires-in-days 30
# List all API tokens
$ bindizr token list
# Delete an API token by ID
$ bindizr token delete <TOKEN_ID>
# Show token command help
$ bindizr token --help
The full HTTP API documentation is available at:
https://kweonminsung.github.io/bindizr/
When making API requests, include the token in the Authorization header:
$ curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/zones
This project relies on the following core dependencies:
- axum: A web application framework for building fast and modular APIs in Rust.
- sqlx: An async, pure Rust SQL crate featuring compile-time checked queries without a DSL.
- rndc: A library for interacting with BIND's Remote Name Daemon Control (RNDC) protocol.
This project is licensed under the Apache License 2.0.