A utility to automatically generate A records for hosts behind a NAT from AAAA records in a DNS zone.
This tool was written with a rather specific scenario in mind:
So, when would this scenario ever pop up? Well, when you are hosting a dual-stack Kubernetes cluster from a residential ISP connection for example! Most ISPs hand out a single dynamic public IPv4 address, as well as a public IPv6 prefix.
Routing the Ipv6 traffic is "easy" enough:
Diagram of the above setup:
(Prefixes and config have been simplified slightly)
However, this falls apart with IPv4 addresses, as we don't have a public IPv4 network to assign to the k8s cluster. We can use an internal Ipv4 network to get service behind our NAT and then configure our NAT Router to port forward to those addresses, but external-dns has no idea how to handle this situation. It will just push the internal Ipv4 addresses into public DNS, which is of course complete nonsense.
One approach to solve this would be to write a script that gets the public IP address, then injects that into the external-dns config as a hardcoded value[^1].
Another approach (which is what this tool does) is to configure external-dns to only publish AAAA records, then look for AAAA records without an associated A record and generate them.
This tool operates in 3 basic steps: 1. It reads records from a DNS provider such as Cloudflare 2. It looks for domains that have an AAAA record, but no A records 3. It creates A records for these missing domains based on an supplied IPv4 address source (such as a static address or a hostname to lookup)
nat-helper also keeps track of domain ownership using TXT records (or potentially another registry in the future), meaning that it knows which domains A records were created by it, and which ones weren't. This also allows us to track changes, update records when they become outdated and delete A records for a owned domain when there are no more AAAA records.
If you couldn't tell from the above description, this is a hobby project for a rather specific use case. That said, I built it with reliability, safety and extensibility in mind and it has served its purpose well. Still, use it at your own risk. I may break things in future releases if needed.
Providers, Registries and Ipv4Sources use pluggable interfaces, so adding new ones in the future should be simple.
You can download linux binaries from the releases page.
Note that only the x86_64-unknown-linux-gnu target is tested thoroughly, the other binaries should work as well however.
If you have cargo installed, simply run
cargo install clouddns-nat-helper
Docker images are automatically built and pushed to the following registries:
Notes:
- The latest tag points to this repositories master branch and may break at any time.
- Supported architectures: amd64 (default), arm64 (use tags with the -arm64 suffix)
To pass arguments to the image, use environment variables or an environment file:
``` $ docker run --env-file ./.env maxhoesel/clouddns-nat-helper:0.1
$ cat .env
CLOUDDNSNATPROVIDER=cloudflare CLOUDDNSNATCLOUDFLAREAPITOKEN=abc123456789
CLOUDDNSNATSOURCE=hostname CLOUDDNSNATIPV4_HOSTNAME=maxhoesel.de ```
There is a helm chart available for download here.
Download your desired version (using the GitHub tag selection menu), then install is with the usual helm commands:
helm install my-helper --namespace my-helper --create-namespace --values values.yml ./charts/clouddns-nat-helper
A repository to install from may be created in the future.
(Almost) all flags can be passed via a command-line or as an environment variable.
See clouddns-nat-helper --help for a list of all flags
clouddns-nat-helper -s hostname -p cloudflare --ipv4-hostname <yourdomain.invalid> --cloudflare-api-token <your_cf_api_token>
-s specifies the IPv4 source to use. Here, hostname is used to resolve a hostname to an IP address
--ipv4-hostname specifies the hostname that you want to resolve to its IP address-p specifies the DNS provider to use
--cloudflare-api-token is your API token. You may want to pass this via an environment variable (CLOUDDNS_NAT_CLOUDFLARE_API_TOKEN) for increased securitySome other useful options:
--dry-run/-d: Preview what changes will be made--run-once: Set this if you just want to run the tool once--interval/-i: Set a different interval between runs from the default of 60 secondsAs mentioned above, this tool will NOT touch any records that it did not create/does not own. On its own, this should prevent any conflicts with manually entered IPv4 addresses or other DNS automation.
However, if you want to be extra careful or are running into a situation where this is not the case, you can limit the allowed actions even further.
NOTE
If you want to manually change an A record that was previously managed by this tool, you need to remove its ownership information first.
For the TXT registry (default), delete the ownership TXT record associated with that domain (look for a TXT record for the affected domain with clouddns in it).
Deleting this record will remove ownership of the domain and the tool will no longer messs with your manual entry
The --policy flag can be used to limit the actions that this tool may perform on records. Options are:
- createonly: Don't modify any records, only create new ones. This breaks record updates and will not work with a dynamic IPv4 address
- upsert: Create records and update existing ones, but don't delete A records if their corresponding AAAA records get removed
- sync (default): Perform create, update and delete actions as needed
The steps below assume that you have a rust toolchain and cargo installed on your system.
To use the pre-commit hooks, pre-commit needs to be installed and in $PATH
cargo install cargo-makecargo make dev-envMost common actions can be performed with cargo-make.
This will automatically install build-time dependencies and perform other setup steps, if required
You can use either cargo make or makers to run the commands below.
cargo make lintcargo make buildcargo make --profile release buildcargo make -e TARGET=aarch64-unknown-linux-gnu buildcargo make -e TARGET=aarch64-unknown-linux-gnu --profile release buildcargo make testcargo make -e TARGET=aarch64-unknown-linux-gnu testcargo make coveragecargo make docsNote: images will be saved with the tag clouddns-nat-helper:<development/release>
cargo make dockercargo make --profile release dockerNote: Set DOCKER_ARCH to one of the officially supported debian image architectures
cargo make -e TARGET=aarch64-unknown-linux-gnu -e DOCKER_ARCH=arm64v8 dockercargo make --profile release -e TARGET=aarch64-unknown-linux-gnu -e DOCKER_ARCH=arm64v8 docker