20 changed files with 343 additions and 19 deletions
@ -108,4 +108,6 @@ Listen for dnstap messages on port 6000\.
.IP "" 0
dnstap\.info \fIhttp://dnstap\.info\fR\.
@ -37,7 +37,7 @@ If you want to \fBround robin\fR A and AAAA responses look at the \fBloadbalance
etcd [ZONES\.\.\.] {
fallthrough [ZONES\.\.\.]
path PATH
endpoint ENDPOINT\.\.\.
upstream ADDRESS\.\.\.
@ -52,7 +52,7 @@ etcd [ZONES\.\.\.] {
\fBstubzones\fR enables the stub zones feature\. The stubzone is \fIonly\fR done in the etcd tree located under the \fIfirst\fR zone specified\.
.IP "\(bu" 4
\fBfallthrough\fR If zone matches but no record can be generated, pass request to the next plugin\.
\fBfallthrough\fR If zone matches but no record can be generated, pass request to the next plugin\. If \fB[ZONES\.\.\.]\fR is omitted, then fallthrough happens for all zones for which the plugin is authoritative\. If specific zones are listed (for example \fBin\-addr\.arpa\fR and \fBip6\.arpa\fR), then only queries for those zones will be subject to fallthrough\.
.IP "\(bu" 4
\fBPATH\fR the path inside etcd\. Defaults to "/skydns"\.
@ -184,4 +184,6 @@ reverse\.skydns\.local\.
.IP "" 0
Only the etcdv2 protocol is supported\.
@ -4,9 +4,12 @@
.TH "COREDNS\-FEDERATION" "7" "January 2018" "CoreDNS" "CoreDNS plugins"
\fIfederation\fR \- enables federated \fIhttps://kubernetes\.io/docs/tasks/federation/federation\-service\-discovery/\fR queries to be resolved via the kubernetes plugin\.
\fIfederation\fR \- enables federated queries to be resolved via the kubernetes plugin\.
Enabling this plugin allows Federated \fIhttps://kubernetes\.io/docs/tasks/federation/federation\-service\-discovery/\fR queries to be resolved via the kubernetes plugin\.
Enabling \fIfederation\fR without also having \fIkubernetes\fR is a noop\.
@ -15,7 +15,7 @@ The hosts plugin is useful for serving zones from a /etc/hosts file\. It serves
hosts [FILE [ZONES\.\.\.]] {
fallthrough [ZONES\.\.\.]
@ -30,7 +30,7 @@ hosts [FILE [ZONES\.\.\.]] {
\fBINLINE\fR the hosts file contents inlined in Corefile\. If there are any lines before fallthrough then all of them will be treated as the additional content for hosts file\. The specified hosts file path will still be read but entries will be overrided\.
.IP "\(bu" 4
\fBfallthrough\fR If zone matches and no record can be generated, pass request to the next plugin\.
\fBfallthrough\fR If zone matches and no record can be generated, pass request to the next plugin\. If \fB[ZONES\.\.\.]\fR is omitted, then fallthrough happens for all zones for which the plugin is authoritative\. If specific zones are listed (for example \fBin\-addr\.arpa\fR and \fBip6\.arpa\fR), then only queries for those zones will be subject to fallthrough\.
.IP "" 0
@ -40,7 +40,7 @@ kubernetes [ZONES\.\.\.] {
upstream ADDRESS\.\.\.
ttl TTL
fallthrough [ZONES\.\.\.]
@ -87,7 +87,7 @@ kubernetes [ZONES\.\.\.] {
\fBttl\fR allows you to set a custom TTL for responses\. The default (and allowed minimum) is to use 5 seconds, the maximum is capped at 3600 seconds\.
.IP "\(bu" 4
\fBfallthrough\fR If a query for a record in the cluster zone results in NXDOMAIN, normally that is what the response will be\. However, if you specify this option, the query will instead be passed on down the plugin chain, which can include another plugin to handle the query\.
\fBfallthrough\fR \fB[ZONES\.\.\.]\fR If a query for a record in the zones for which the plugin is authoritative results in NXDOMAIN, normally that is what the response will be\. However, if you specify this option, the query will instead be passed on down the plugin chain, which can include another plugin to handle the query\. If \fB[ZONES\.\.\.]\fR is omitted, then fallthrough happens for all zones for which the plugin is authoritative\. If specific zones are listed (for example \fBin\-addr\.arpa\fR and \fBip6\.arpa\fR), then only queries for those zones will be subject to fallthrough\.
.IP "" 0
@ -4,7 +4,7 @@
.TH "COREDNS\-LOG" "7" "January 2018" "CoreDNS" "CoreDNS plugins"
\fIlog\fR enables query logging to standard output\.
\fIlog\fR \- enables query logging to standard output\.
By just using \fIlog\fR you dump all queries (and parts for the reply) on standard output\. Options exist to tweak the output a little\.
@ -98,4 +98,6 @@ Or via an enviroment variable (this is supported throughout the Corefile): \fBex
.IP "" 0
When reloading, we keep the handler running, meaning that any changes to the handler\'s address aren\'t picked up\. You\'ll need to restart CoreDNS for that to happen\.
@ -67,4 +67,6 @@ Listen on an all addresses on port 6060:
.IP "" 0
See Go\'s pprof documentation \fIhttps://golang\.org/pkg/net/http/pprof/\fR and Profiling Go Programs \fIhttps://blog\.golang\.org/profiling\-go\-programs\fR\.
@ -271,4 +271,6 @@ example\.org {
.IP "" 0
When using the \fBgoogle_https\fR protocol the health checking will health check the wrong endpoint\. See \fIhttps://github\.com/coredns/coredns/issues/1202\fR for some background\.
@ -16,7 +16,7 @@ If a request matches a regular expression (see Template Syntax below) this plugi
reverse NETWORK\.\.\. {
hostname TEMPLATE
[ttl TTL]
[fallthrough [ZONES\.\.\.]]
@ -31,7 +31,7 @@ reverse NETWORK\.\.\. {
\fBttl\fR defaults to 60
.IP "\(bu" 4
\fBfallthrough\fR if zone matches and no record can be generated, pass request to the next plugin\.
\fBfallthrough\fR if zone matches and no record can be generated, pass request to the next plugin\. If \fB[ZONES\.\.\.]\fR is omitted, then fallthrough happens for all zones for which the plugin is authoritative\. If specific zones are listed (for example \fBin\-addr\.arpa\fR and \fBip6\.arpa\fR), then only queries for those zones will be subject to fallthrough\.
.IP "\(bu" 4
\fBwildcard\fR allows matches to catch all subdomains as well\.
@ -87,4 +87,6 @@ Or re\-export the retrieved zone to other secondaries\.
.IP "" 0
Only AXFR is supported and the retrieved zone is not committed to disk\.
Normal file
Normal file
@ -0,0 +1,307 @@
.\" generated with Ronn/v0.7.3
.TH "COREDNS\-TEMPLATE" "7" "January 2018" "CoreDNS" "CoreDNS plugins"
\fItemplate\fR \- allows for dynamic responses based on the incoming query\.
The \fItemplate\fR plugin allows you to dynamically repond to queries by just writing a (Go) template\.
template CLASS TYPE [ZONE\.\.\.] {
[match REGEX\.\.\.]
[answer RR]
[additional RR]
[authority RR]
[rcode CODE]
[fallthrough [ZONE\.\.\.]]
.IP "\(bu" 4
\fBCLASS\fR the query class (usually IN or ANY)\.
.IP "\(bu" 4
\fBTYPE\fR the query type (A, PTR, \.\.\. can be ANY to match all types)\.
.IP "\(bu" 4
\fBZONE\fR the zone scope(s) for this template\. Defaults to the server zones\.
.IP "\(bu" 4
\fBREGEX\fR Go regexp \fIhttps://golang\.org/pkg/regexp/\fR that are matched against the incoming question name\. Specifying no regex matches everything (default: \fB\.*\fR)\. First matching regex wins\.
.IP "\(bu" 4
\fBanswer|additional|authority\fR \fBRR\fR A RFC 1035 \fIhttps://tools\.ietf\.org/html/rfc1035#section\-5\fR style resource record fragment build by a Go template \fIhttps://golang\.org/pkg/text/template/\fR that contains the reply\.
.IP "\(bu" 4
\fBrcode\fR \fBCODE\fR A response code (\fBNXDOMAIN, SERVFAIL, \.\.\.\fR)\. The default is \fBSUCCESS\fR\.
.IP "\(bu" 4
\fBfallthrough\fR Continue with the next plugin if the zone matched but no regex did not match\. If specific zones are listed (for example \fBin\-addr\.arpa\fR and \fBip6\.arpa\fR), then only queries for those zones will be subject to fallthrough\.
.IP "" 0
At least one \fBanswer\fR or \fBrcode\fR directive is needed (e\.g\. \fBrcode NXDOMAIN\fR)\.
\fIAlso see\fR contains an additional reading list\.
Each resource record is a full\-featured Go template \fIhttps://golang\.org/pkg/text/template/\fR with the following predefined data * \fB\.Zone\fR the matched zone string (e\.g\. \fBexample\.\fR)\. * \fB\.Name\fR the query name, as a string (lowercased)\. * \fB\.Class\fR the query class (usually \fBIN\fR)\. * \fB\.Type\fR the RR type requested (e\.g\. \fBPTR\fR)\. * \fB\.Match\fR an array of all matches\. \fBindex \.Match 0\fR refers to the whole match\. * \fB\.Group\fR a map of the named capture groups\. * \fB\.Message\fR the complete incoming DNS message\. * \fB\.Question\fR the matched question section\.
The output of the template must be a RFC 1035 \fIhttps://tools\.ietf\.org/html/rfc1035\fR style resource record line (commonly refered to as a "zone file")\.
\fBWARNING\fR there is a syntactical problem with Go templates and CoreDNS config files\. Expressions like \fB{{$var}}\fR will be interpreted as a reference to an environment variable by CoreDNS (and Caddy) while \fB{{ $var }}\fR will work\. See \fIBugs\fR and corefile(5)\.
If monitoring is enabled (via the \fIprometheus\fR directive) then the following metrics are exported: \- \fBcoredns_template_matches_total{regex}\fR the total number of matched requests by regex\. \- \fBcoredns_template_template_failures_total{regex,section,template}\fR the number of times the Go templating failed\. Regex, section and template label values can be used to map the error back to the config file\. \- \fBcoredns_template_rr_failures_total{regex,section,template}\fR the number of times the templated resource record was invalid and could not be parsed\. Regex, section and template label values can be used to map the error back to the config file\.
Both failure cases indicate a problem with the template configuration\.
The most simplistic template is
.IP "" 4
\&\. {
template ANY ANY {
.IP "" 0
.IP "1." 4
This template uses the default zone (\fB\.\fR or all queries)
.IP "2." 4
All queries will be answered (no \fBfallthrough\fR)
.IP "3." 4
The answer is always NXDOMAIN
.IP "" 0
The \fB\.invalid\fR domain is a reserved TLD (see RFC\-2606 Reserved Top Level DNS Names \fIhttps://tools\.ietf\.org/html/rfc2606#section\-2\fR) to indicate invalid domains\.
.IP "" 4
\&\. {
proxy \. 8\.8\.8\.8
template ANY ANY invalid {
answer "invalid\. 60 {{ \.Class }} SOA a\.invalid\. b\.invalid\. (1 60 60 60 60)"
.IP "" 0
.IP "1." 4
A query to \.invalid will result in NXDOMAIN (rcode)
.IP "2." 4
A dummy SOA record is send to hand out a TTL of 60s for caching
.IP "3." 4
Querying \fB\.invalid\fR of \fBCH\fR will also cause a NXDOMAIN/SOA response
.IP "4." 4
The default regex is \fB\.*\fR
.IP "" 0
Imagine you run \fBexample\.com\fR with a datacenter \fBdc1\.example\.com\fR\. The datacenter domain is part of the DNS search domain\. However \fBsomething\.example\.com\.dc1\.example\.com\fR would indicates a fully qualified domain name (\fBsomething\.example\.com\fR) that inadvertely has the default domain or search path (\fBdc1\.example\.com\fR) added\.
.IP "" 4
\&\. {
proxy \. 8\.8\.8\.8
template IN ANY example\.com\.dc1\.example\.com {
answer "{{ \.Zone }} 60 IN SOA a\.{{ \.Zone }} b\.{{ \.Zone }} (1 60 60 60 60)"
.IP "" 0
A more verbose regex based equivalent would be
.IP "" 4
\&\. {
proxy \. 8\.8\.8\.8
template IN ANY example\.com {
match "(example\.com\.dc1\.example\.com)$"
answer "{{ index \.Match 1 }} 60 IN SOA a\.{{ index \.Match 1 }} b\.{{ index \.Match 1 }} (1 60 60 60 60)"
.IP "" 0
The regex based version can do more complex matching/templating while zone based templating is easier to read and use\.
\&\. {
proxy \. 8\.8\.8\.8
# ip\-a\-b\-c\-d\.example\.com A a\.b\.c\.d
template IN A example {
match (^|[\.])ip\-10\-(?P<b>[0\-9]*)\-(?P<c>[0\-9]*)\-(?P<d>[0\-9]*)[\.]example[\.]$
answer "{{ \.Name }} 60 IN A 10\.{{ \.Group\.b }}\.{{ \.Group\.c }}\.{{ \.Group\.d }}"
# d\.c\.b\.a\.in\-addr\.arpa PTR ip\-a\-b\-c\-d\.example
template IN PTR 10\.in\-addr\.arpa\. {
match ^(?P<d>[0\-9]*)[\.](?P<c>[0\-9]*)[\.](?P<b>[0\-9]*)[\.]10[\.]in\-addr[\.]arpa[\.]$
answer "{{ \.Name }} 60 IN PTR ip\-10\-{{ \.Group\.b }}\-{{ \.Group\.c }}\-{{ \.Group\.d }}\.example\.com\."
An IPv4 address consists of 4 bytes, \fBa\.b\.c\.d\fR\. Named groups make it less error prone to reverse the ip in the PTR case\. Try to use named groups to explain what your regex and template are doing\.
Note that the A record is actually a wildcard, any subdomain of the ip will resolve to the ip\.
Having templates to map certain PTR/A pairs is a common pattern\.
Fallthrough is needed for mixed domains where only some responses are templated\.
\&\. {
proxy \. 8\.8\.8\.8
template IN A example {
match "^ip\-(?P<a>10)\-(?P<b>[0\-9]*)\-(?P<c>[0\-9]*)\-(?P<d>[0\-9]*)[\.]dc[\.]example[\.]$"
match "^(?P<a>[0\-9]*)[\.](?P<b>[0\-9]*)[\.](?P<c>[0\-9]*)[\.](?P<d>[0\-9]*)[\.]ext[\.]example[\.]$"
answer "{{ \.Name }} 60 IN A {{ \.Group\.a}}\.{{ \.Group\.b }}\.{{ \.Group\.c }}\.{{ \.Group\.d }}"
Named capture groups can be used to template one response for multiple patterns\.
\&\. {
proxy \. 8\.8\.8\.8
template IN A example {
match ^ip\-10\-(?P<b>[0\-9]*)\-(?P<c>[0\-9]*)\-(?P<d>[0\-9]*)[\.]example[\.]$
answer "{{ \.Name }} 60 IN A 10\.{{ \.Group\.b }}\.{{ \.Group\.c }}\.{{ \.Group\.d }}"
template IN MX example {
match ^ip\-10\-(?P<b>[0\-9]*)\-(?P<c>[0\-9]*)\-(?P<d>[0\-9]*)[\.]example[\.]$
answer "{{ \.Name }} 60 IN MX 10 {{ \.Name }}"
additional "{{ \.Name }} 60 IN A 10\.{{ \.Group\.b }}\.{{ \.Group\.c }}\.{{ \.Group\.d }}"
\&\. {
proxy \. 8\.8\.8\.8
template IN A example {
match ^ip\-10\-(?P<b>[0\-9]*)\-(?P<c>[0\-9]*)\-(?P<d>[0\-9]*)[\.]example[\.]$
answer "{{ \.Name }} 60 IN A 10\.{{ \.Group\.b }}\.{{ \.Group\.c }}\.{{ \.Group\.d }}"
authority "example\. 60 IN NS ns0\.example\."
authority "example\. 60 IN NS ns1\.example\."
additional "ns0\.example\. 60 IN A 203\.0\.113\.8"
additional "ns1\.example\. 60 IN A 198\.51\.100\.8"
template IN MX example {
match ^ip\-10\-(?P<b>[0\-9]*)\-(?P<c>[0\-9]*)\-(?P<d>[0\-9]*)[\.]example[\.]$
answer "{{ \.Name }} 60 IN MX 10 {{ \.Name }}"
additional "{{ \.Name }} 60 IN A 10\.{{ \.Group\.b }}\.{{ \.Group\.c }}\.{{ \.Group\.d }}"
authority "example\. 60 IN NS ns0\.example\."
authority "example\. 60 IN NS ns1\.example\."
additional "ns0\.example\. 60 IN A 203\.0\.113\.8"
additional "ns1\.example\. 60 IN A 198\.51\.100\.8"
.IP "\(bu" 4
Go regexp \fIhttps://golang\.org/pkg/regexp/\fR for details about the regex implementation
.IP "\(bu" 4
RE2 syntax reference \fIhttps://github\.com/google/re2/wiki/Syntax\fR for details about the regex syntax
.IP "\(bu" 4
RFC\-1034 \fIhttps://tools\.ietf\.org/html/rfc1034#section\-3\.6\.1\fR and RFC 1035 \fIhttps://tools\.ietf\.org/html/rfc1035#section\-5\fR for the resource record format
.IP "\(bu" 4
Go template \fIhttps://golang\.org/pkg/text/template/\fR for the template language reference
.IP "" 0
CoreDNS supports caddyfile environment variables \fIhttps://caddyserver\.com/docs/caddyfile#env\fR with notion of \fB{$ENV_VAR}\fR\. This parser feature will break Go template variables \fIhttps://golang\.org/pkg/text/template/#hdr\-Variables\fR notations like\fB{{$variable}}\fR\. The equivalent notation \fB{{ $variable }}\fR will work\. Try to avoid Go template variables in the context of this plugin\.
@ -56,4 +56,4 @@ CoreDNS Authors\.
Apache License 2\.0
Corefile(7) corendns\-debug(7) corendns\-dnssec(7) corendns\-health(7) corendns\-log(7) corendns\-file(7) corendns\-nsid(7) corendns\-autopath(7) corendns\-auto(7) corendns\-erratic(7) corendns\-chaos(7) corendns\-dnstap(7) corendns\-pprof(7) corendns\-tls(7) corendns\-loadbalance(7) corendns\-cache(7) corendns\-root(7) corendns\-whoami(7) corendns\-bind(7) corendns\-hosts(7) corendns\-proxy(7) corendns\-kubernetes(7) corendns\-secondary(7) corendns\-reverse(7) corendns\-errors(7) corendns\-metrics(7) corendns\-rewrite(7) corendns\-federation(7) corendns\-etcd(7) corendns\-trace(7)\.
Corefile(5) corendns\-debug(7) corendns\-dnssec(7) corendns\-health(7) corendns\-log(7) corendns\-file(7) corendns\-nsid(7) corendns\-auto(7) corendns\-erratic(7) corendns\-chaos(7) corendns\-dnstap(7) corendns\-pprof(7) corendns\-tls(7) corendns\-loadbalance(7) corendns\-cache(7) corendns\-root(7) corendns\-whoami(7) corendns\-bind(7) corendns\-hosts(7) corendns\-template(7) corendns\-proxy(7) corendns\-autopath(7) corendns\-kubernetes(7) corendns\-secondary(7) corendns\-reverse(7) corendns\-errors(7) corendns\-metrics(7) corendns\-rewrite(7) corendns\-federation(7) corendns\-etcd(7) corendns\-trace(7)\.
@ -64,6 +64,6 @@ Listen for dnstap messages on port 6000.
% dnstap -l
# See Also
## See Also
@ -127,6 +127,6 @@ Querying with dig:
# Bugs
## Bugs
Only the etcdv2 protocol is supported.
@ -62,7 +62,7 @@ then:
# Bugs
## Bugs
When reloading, we keep the handler running, meaning that any changes to the handler's address
aren't picked up. You'll need to restart CoreDNS for that to happen.
@ -50,7 +50,7 @@ Listen on an all addresses on port 6060:
# Also See
## Also See
See [Go's pprof documentation]( and [Profiling Go
@ -195,7 +195,7 @@ {
# Bugs
## Bugs
When using the `google_https` protocol the health checking will health check the wrong endpoint.
See <> for some background.
@ -59,6 +59,6 @@ Or re-export the retrieved zone to other secondaries.
# Bugs
## Bugs
Only AXFR is supported and the retrieved zone is not committed to disk.
@ -1,5 +1,7 @@
# template
## Name
*template* - allows for dynamic responses based on the incoming query.
## Description
@ -233,14 +235,14 @@ Named capture groups can be used to template one response for multiple patterns.
# Also see
## Also see
- [Go regexp]( for details about the regex implementation
- [RE2 syntax reference]( for details about the regex syntax
- [RFC-1034]( and [RFC 1035]( for the resource record format
- [Go template]( for the template language reference
# Bugs
## Bugs
CoreDNS supports [caddyfile environment variables](
with notion of `{$ENV_VAR}`. This parser feature will break [Go template variables]( notations like`{{$variable}}`.
Add table
Reference in a new issue