
Hanzo DNS

Authoritative DNS management with Cloudflare integration, automatic TLS certificates, GeoDNS routing, and DNSSEC across all Hanzo domains.

Hanzo DNS manages domain routing and DNS infrastructure for the entire Hanzo ecosystem. All zones are Cloudflare-managed with automatic SSL/TLS certificate provisioning via cert-manager, DNSSEC signing, GeoDNS routing, and a REST API for programmatic zone and record management.

Features

  • Cloudflare-Managed Zones: All production domains proxied through Cloudflare for DDoS protection, caching, and edge routing
  • Automatic TLS: cert-manager with Let's Encrypt issues and renews certificates for all K8s ingresses
  • Multi-Domain Management: Unified control over hanzo.ai, hanzo.id, hanzo.bot, hanzo.space, hanzo.chat, hanzo.app, hanzo.team, lux.network, and zoo.ngo
  • DNSSEC: Cryptographic signing for all authoritative zones to prevent cache poisoning and spoofing
  • GeoDNS Routing: Latency-based and geographic routing for global traffic distribution
  • Wildcard Subdomains: *.hanzo.ai and *.lux.network wildcards for dynamic service provisioning
  • REST API: Programmatic zone and record management via the Hanzo Gateway
  • Query Analytics: Real-time DNS query logging, latency metrics, and threat dashboards

Endpoints

| Environment | URL |
|-------------|-----|
| API | https://api.hanzo.ai/v1/dns/* |
| Dashboard | https://console.hanzo.ai/dns |

Architecture

                         Client Query
                              |
                              v
                    +-------------------+
                    |    Cloudflare     |
                    |   Edge Network    |
                    |  (Anycast DNS)    |
                    +--------+----------+
                             |
              +--------------+--------------+
              |              |              |
              v              v              v
      +-----------+  +-----------+  +-----------+
      | hanzo.ai  |  |lux.network|  |  zoo.ngo  |
      |   zone    |  |   zone    |  |   zone    |
      +-----------+  +-----------+  +-----------+
              |              |              |
              v              v              v
      +-----------+  +-----------+  +-----------+
      | hanzo-k8s |  |  lux-k8s  |  | hanzo-k8s |
      |24.199.76  |  |24.144.69  |  |24.199.76  |
      |   .156    |  |   .101    |  |   .156    |
      +-----------+  +-----------+  +-----------+
              |              |              |
              +-------+------+------+------+
                      v
          +-------------------------+
          |  cert-manager (ACME)    |
          |  Let's Encrypt + DNS-01 |
          +-------------------------+

Managed Domains

| Domain | Cluster | Primary Use |
|--------|---------|-------------|
| hanzo.ai | hanzo-k8s | Core platform, API, IAM, console |
| hanzo.id | hanzo-k8s | Identity provider (IAM/Casdoor) |
| hanzo.bot | hanzo-k8s | Bot platform, skills, automations |
| hanzo.space | hanzo-k8s | Object storage (Hanzo S3 console + API) |
| hanzo.chat | hanzo-k8s | AI chat interface |
| hanzo.app | hanzo-k8s | Main application |
| hanzo.team | hanzo-k8s | Team collaboration |
| lux.network | lux-k8s | Blockchain RPC, markets, cloud |
| zoo.ngo | hanzo-k8s | Zoo Foundation, governance |

Load Balancer A Records

| Cluster | IP | Domains |
|---------|----|---------|
| hanzo-k8s | 24.199.76.156 | hanzo.ai, hanzo.id, hanzo.bot, hanzo.space, hanzo.chat, hanzo.app, hanzo.team, zoo.ngo |
| lux-k8s | 24.144.69.101 | lux.network |

Quick Start

List DNS Zones

curl -H "Authorization: Bearer $HANZO_API_KEY" \
  https://api.hanzo.ai/v1/dns/zones

Create a Record

curl -X POST https://api.hanzo.ai/v1/dns/zones/hanzo.ai/records \
  -H "Authorization: Bearer $HANZO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "A",
    "name": "myapp",
    "content": "24.199.76.156",
    "ttl": 300,
    "proxied": true
  }'

Delete a Record

curl -X DELETE -H "Authorization: Bearer $HANZO_API_KEY" \
  https://api.hanzo.ai/v1/dns/zones/hanzo.ai/records/rec_abc123

Configuration

cert-manager ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      - http01:
          ingress:
            class: nginx
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token

Ingress with TLS

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - myapp.hanzo.ai
      secretName: myapp-hanzo-ai-tls
  rules:
    - host: myapp.hanzo.ai
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

Cloudflare Settings

| Setting | Value |
|---------|-------|
| SSL Mode | Full (strict) |
| Minimum TLS | 1.2 |
| Always Use HTTPS | On |
| HSTS | On (max-age 31536000) |
| Brotli | On |
| HTTP/3 | On |
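
An added example (not from the Hanzo documentation) that checks a response against the HSTS row of the table: it reads `curl -sI` headers on stdin and compares `max-age` with the documented 31536000. The sample responses are constructed.

```sh
#!/bin/sh
# Check the Strict-Transport-Security header in `curl -sI` output (stdin).
# Prints "ok <max-age>", "weak <max-age>" or "missing"; exit status 0 only for ok.
REQUIRED_MAX_AGE=31536000   # HSTS max-age from the settings table

check_hsts() {
  awk -v need="$REQUIRED_MAX_AGE" '
    { sub(/\r$/, "") }                     # HTTP header lines end in CRLF
    tolower($0) ~ /^strict-transport-security:/ {
      v = tolower($0)
      sub(/^[^:]*:/, "", v)                # keep only the header value
      n = split(v, d, ";")                 # directives are ";"-separated
      for (i = 1; i <= n; i++) {
        gsub(/[ \t"]/, "", d[i])           # max-age may be quoted
        if (d[i] ~ /^max-age=[0-9]+$/) { age = substr(d[i], 9) + 0; seen = 1 }
      }
    }
    END {
      if (!seen)      { print "missing"; exit 1 }
      if (age < need) { print "weak " age; exit 1 }
      print "ok " age
    }'
}

# Constructed samples. Header names are case-insensitive; HTTP/2 lowercases them.
SAMPLE_OK='HTTP/2 200
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains'
SAMPLE_WEAK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400'

# Offline run on the constructed sample.
# Live: curl -sI https://myapp.hanzo.ai | check_hsts
# Minimum TLS 1.2 can be checked separately: the handshake should fail for
#   curl -sI --tlsv1.1 --tls-max 1.1 https://myapp.hanzo.ai
printf '%s\n' "$SAMPLE_OK" | check_hsts
```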

DNSSEC

DNSSEC is enabled at the Cloudflare zone level. DS records are published to each registrar. Verify with:

dig +dnssec hanzo.ai
dig DS hanzo.ai @8.8.8.8
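
An added example (not from the Hanzo documentation) that classifies the output of the first command. RRSIG records in the answer only show that the zone is signed; the `ad` flag shows that the resolver validated the chain, and a validating resolver answers SERVFAIL for data that fails validation. The sample output, address, key tag and signature are constructed.

```sh
#!/bin/sh
# Classify `dig +dnssec` output read on stdin. Prints one of:
#   validated           AD flag set: the resolver validated the chain
#   signed-unvalidated  RRSIGs present, AD flag absent
#   unsigned            neither RRSIG nor AD flag
#   servfail            SERVFAIL, which validating resolvers return for bogus data
dnssec_status() {
  awk '
    /status: SERVFAIL/ { fail = 1 }
    /^;; flags:/ {
      line = $0
      sub(/^;; flags:/, "", line); sub(/;.*/, "", line)
      n = split(line, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
      next
    }
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^$/ || /^;;/ { in_ans = 0 }           # answer section ends at a blank line
    in_ans && $4 == "RRSIG" { sig = 1 }    # fields: name ttl class type ...
    END {
      if (fail)     print "servfail"
      else if (ad)  print "validated"
      else if (sig) print "signed-unvalidated"
      else          print "unsigned"
    }'
}

# Constructed sample: answer from a validating resolver.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
hanzo.ai. 300 IN A 192.0.2.10
hanzo.ai. 300 IN RRSIG A 13 2 300 20300101000000 20291230000000 12345 hanzo.ai. Q09OU1RSVUNURUQ=
'
# Constructed sample: validation failure as seen through a validating resolver.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
'

# Offline run on the constructed sample.
# Live: dig +dnssec hanzo.ai @8.8.8.8 | dnssec_status
printf '%s\n' "$SAMPLE_VALIDATED" | dnssec_status
```

Query a resolver that validates (such as the 8.8.8.8 used above); a non-validating local resolver never sets `ad`, so a signed zone would report `signed-unvalidated`.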

GeoDNS

Cloudflare load balancing with geographic steering distributes traffic by region:

| Region | Primary Pool | Fallback |
|--------|--------------|----------|
| North America | hanzo-k8s (NYC) | lux-k8s (SFO) |
| Europe | hanzo-k8s (NYC) | -- |
| Asia Pacific | hanzo-k8s (NYC) | -- |

Wildcard Subdomains

| Pattern | Target | Use Case |
|---------|--------|----------|
| *.hanzo.ai | 24.199.76.156 | Dynamic service subdomains |
| *.lux.network | 24.144.69.101 | Blockchain service subdomains |
| *.hanzo.bot | 24.199.76.156 | Bot skills and app subdomains |

Wildcard TLS certificates are issued via DNS-01 challenge (Cloudflare solver).

Key Subdomain Mappings

| Subdomain | Service |
|-----------|---------|
| api.hanzo.ai | Gateway (unified API) |
| console.hanzo.ai | Console (observability) |
| cloud.hanzo.ai | Cloud platform |
| platform.hanzo.ai | PaaS (Dokploy) |
| kms.hanzo.ai | KMS (Infisical) |
| iam.hanzo.ai | IAM (Casdoor) |
| s3.hanzo.space | Hanzo S3 API |
| hanzo.space | Hanzo S3 console |
| api.lux.network | Lux blockchain RPC |
| markets.lux.network | DEX and markets |

Environment Variables

CF_API_TOKEN=xxx              # Cloudflare API token (DNS edit + zone read)
CF_ZONE_ID_HANZO=xxx          # hanzo.ai zone ID
CF_ZONE_ID_LUX=xxx            # lux.network zone ID
CF_ZONE_ID_ZOO=xxx            # zoo.ngo zone ID
LETSENCRYPT_EMAIL=[email protected]
