Hanzo
Hanzo Skills Reference

Hanzo DNS

Hanzo DNS is a CoreDNS fork providing a programmable, plugin-based DNS server for Hanzo infrastructure. Go codebase (module `github.com/coredns/coredns`), ships as a single `coredns` binary. Includ...

Overview

Hanzo DNS is a CoreDNS fork providing a programmable, plugin-based DNS server for Hanzo infrastructure. Go codebase (module github.com/coredns/coredns), ships as a single coredns binary. Includes a custom hanzoapi plugin for API-driven DNS record management. Supports UDP/TCP, DoT (RFC 7858), DoH (RFC 8484), DoH3, DoQ (RFC 9250), and gRPC listeners. License: Apache-2.0.

Why Hanzo DNS?

  • Plugin chain architecture: 50+ built-in plugins, each does one thing in a middleware chain
  • Custom hanzoapi plugin: API-driven DNS records for Hanzo services
  • Multi-protocol: UDP, TCP, TLS (DoT), HTTPS (DoH/DoH3), QUIC (DoQ), gRPC
  • Kubernetes native: Built-in kubernetes plugin for in-cluster DNS
  • Cloud provider backends: Route53, Azure DNS, Google Cloud DNS
  • Service discovery: etcd, Kubernetes, Nomad backends

Tech Stack

  • Language: Go 1.25+
  • Build: Make + go generate (plugin registration from plugin.cfg)
  • CI: CircleCI + GitHub Actions (CodeQL, Go tests)
  • Image: ghcr.io/hanzoai/dns (distroless base, nonroot user)

OSS Base

Repo: hanzoai/dns (CoreDNS fork). Default branch: main.

When to use

  • Internal DNS for Hanzo K8s clusters
  • Programmable DNS with API-driven record management via hanzoapi plugin
  • Service discovery across Kubernetes, etcd, or Nomad
  • DNS-over-HTTPS/QUIC termination at the edge
  • GeoIP-based routing and load balancing

Hard requirements

  1. Port 53 (or alternative via -dns.port) available for DNS listeners
  2. Go 1.25+ for building from source
  3. Corefile configuration file in working directory (or specified with -conf)

Quick reference

ItemValue
Default Port53 (UDP/TCP)
Go Modulegithub.com/coredns/coredns
Go Version1.25+
Binarycoredns
Config FileCorefile
Plugin Registryplugin.cfg
LicenseApache-2.0
Repogithub.com/hanzoai/dns
Default Branchmain

One-file quickstart

Build from source

git clone https://github.com/hanzoai/dns
cd dns
make

Minimal Corefile

cat > Corefile <<EOF
.:53 {
    forward . 8.8.8.8
    log
}
EOF
./coredns -conf Corefile

Test

dig @127.0.0.1 google.com

Docker build

docker run --rm -i -t \
    -v $PWD:/go/src/github.com/coredns/coredns \
    -w /go/src/github.com/coredns/coredns \
    golang:1.25 sh -c 'GOFLAGS="-buildvcs=false" make gen && GOFLAGS="-buildvcs=false" make'

Core Concepts

Architecture

                    ┌──────────────────────────────────────────────┐
                    │              Hanzo DNS (CoreDNS)              │
DNS Query ────────> │                                              │
(UDP/TCP/DoT/DoH/  │  Corefile ──> Plugin Chain (ordered by cfg)  │
 DoQ/gRPC)         │                                              │
                    │  ┌──────┐ ┌──────┐ ┌─────────┐ ┌─────────┐ │
                    │  │ log  │→│cache │→│hanzoapi │→│forward  │ │
                    │  └──────┘ └──────┘ └─────────┘ └─────────┘ │
                    └──────────────────────────────────────────────┘

Plugin System

Plugins are registered in plugin.cfg in execution order. Each plugin is a Go package under plugin/. To add or remove plugins, edit plugin.cfg and run:

go generate coredns.go
go get
go build

Key Plugins (50+ total)

PluginPurpose
hanzoapiHanzo API-driven DNS records (custom)
kubernetesKubernetes service discovery
etcdetcd-backed records (SkyDNS compatible)
forwardProxy to upstream resolvers
cacheResponse caching
route53AWS Route53 backend
azureAzure DNS backend
clouddnsGoogle Cloud DNS backend
prometheusMetrics on :9153/metrics
logQuery logging
dnssecOn-the-fly DNSSEC signing
loadbalanceRound-robin response shuffling
rewriteQuery rewriting
aclAccess control lists
geoipGeoIP-based metadata
tls / quic / httpsTransport protocol listeners
nomadHashiCorp Nomad service discovery

Protocol Examples

# DNS over TLS + gRPC
tls://example.org grpc://example.org {
    whoami
}

# DNS over QUIC
quic://example.org {
    whoami
    tls mycert mykey
}

# DNS over HTTPS
https://example.org {
    whoami
    tls mycert mykey
}

Directory Structure

dns/
  Corefile               # Runtime config (not in repo, user-created)
  Dockerfile             # Distroless container (nonroot, cap_net_bind_service)
  Makefile               # Build: make, make gen, make clean
  Makefile.docker        # Docker image builds
  Makefile.release       # Release automation
  coredns.go             # Entry point + go:generate directive
  plugin.cfg             # Plugin registration (order matters!)
  go.mod                 # Go module (github.com/coredns/coredns)
  core/                  # Core DNS server, plugin framework
  coremain/              # Main function, startup
  plugin/                # All plugins (50+ subdirectories)
    hanzoapi/            # Custom Hanzo API plugin
    kubernetes/          # K8s service discovery
    forward/             # Upstream forwarding
    cache/               # Response cache
    etcd/                # etcd backend
    ...
  pb/                    # Protobuf definitions
  request/               # DNS request helpers
  test/                  # Integration tests
  zones/                 # Example zone files
  man/                   # Man pages
  scripts/               # Build/release scripts
  .circleci/             # CircleCI config
  .github/               # GitHub Actions (CodeQL, tests)

Build Options

VariableDefaultDescription
CGO_ENABLED0Static binary by default
GOTAGSgrpcnotraceBuild tags
COREDNS_PLUGINS-Extra plugins (comma-separated, plugin.cfg format)
STRIP_FLAGS-s -wBinary stripping

Troubleshooting

IssueCauseSolution
Port 53 in usesystemd-resolved or another DNSChange port with -dns.port 1053 or stop conflicting service
Plugin not foundNot in plugin.cfgAdd to plugin.cfg, run go generate coredns.go && go build
Zone not loadingCorefile syntax errorCheck Corefile syntax, ensure zone files exist
K8s plugin failsMissing RBAC permissionsEnsure ServiceAccount has list/watch on services/endpoints
hanzoapi not respondingPlugin not compiled inVerify hanzoapi:hanzoapi is in plugin.cfg
  • hanzo/hanzo-ingress.md - Ingress controller (routes traffic)
  • hanzo/hanzo-universe.md - K8s infrastructure where DNS runs
  • hanzo/hanzo-platform.md - PaaS deployment platform
  • hanzo/hanzo-pubsub.md - NATS messaging (sibling infrastructure)

How is this guide?

Last updated on

Hanzo Dataroom

Hanzo Dataroom is the open-source DocSend alternative -- a document sharing platform with built-in analytics, custom domains, and secure link-based access. Papermark fork rebranded for the Hanzo ec...

Hanzo Edge - On-Device AI Inference Runtime

Hanzo Edge is an on-device AI inference runtime for running Zen models and any GGUF model locally on macOS, Linux, Web (WASM), and embedded devices. Zero cloud dependency, full data privacy, zero n...

On this page

Overview
Why Hanzo DNS?
Tech Stack
OSS Base
When to use
Hard requirements
Quick reference
One-file quickstart
Build from source
Minimal Corefile
Test
Docker build
Core Concepts
Architecture
Plugin System
Key Plugins (50+ total)
Protocol Examples
Directory Structure
Build Options
Troubleshooting
Related Skills