DNS in CI/CD Pipelines
How to manage DNS changes through CI/CD with checks, previews, approvals, scoped secrets, drift detection, and safe rollback.
TL;DR
DNS belongs in CI/CD when changes affect production traffic, certificates, email, or customer onboarding. The safe pattern is check on every pull request, preview the DNS diff before merge, apply only from a protected branch, use zone-scoped credentials, and keep rollback as a normal commit. Do not let ad hoc scripts with broad API keys change production DNS outside review.
What you'll learn
- Design a safe DNS change pipeline
- Separate validation, preview, apply, and drift detection
- Scope DNS credentials for CI systems
- Choose between Terraform, DNSControl, and provider API scripts
DNS changes are production changes.
An A record can move users. An MX record can break mail. A TXT record can fail domain verification. A DS record can make a signed domain disappear behind SERVFAIL.
That is why serious DNS changes should follow the same path as code:
pull request -> check -> preview -> review -> apply -> monitorThe Safe Pipeline Shape
Use four stages:
| Stage | Runs when | Purpose |
|---|---|---|
| Check | Every pull request | Validate syntax, record rules, and provider config |
| Preview | Every pull request | Show the DNS diff before merge |
| Apply | Protected branch only | Push reviewed changes to the provider |
| Drift audit | Scheduled | Detect manual or out-of-band changes |
The important separation: pull requests should not mutate production DNS.
What to Check
Your check stage should catch boring mistakes before a human reviewer reads the diff.
Good checks:
- zone file or config syntax
- duplicate records
- invalid CNAME combinations
- missing trailing dots in raw zone files
- SPF lookup count
- TTL bounds
- protected record deletion
- DNSSEC-sensitive changes
- provider authentication
Examples:
dnscontrol check
terraform fmt -check
terraform validateFor policy checks, keep rules explicit:
Do not delete MX records without approval.
Do not lower TTL below 60 seconds.
Do not edit production apex records from non-production workspaces.
Do not change DS records without a migration ticket.What to Preview
The preview stage should answer one question:
What DNS records will change if this is merged?For DNSControl:
dnscontrol previewFor Terraform:
terraform planThe output should be attached to the pull request. Reviewers should not have to run the command locally to see the blast radius.
Applying Changes
Apply only after merge to a protected branch:
main branch -> apply workflow -> provider APIUse branch protection:
- required review
- required status checks
- no direct pushes
- separate approval for production environments
If the provider supports scoped credentials, the apply token should be scoped to the exact zone or account role it needs.
DNScale supports zone-scoped API keys, which is the right default for CI. A leaked token for example.com should not be able to edit every customer-facing domain.
Drift Detection
Drift is what happens when published DNS no longer matches code.
Common causes:
- emergency dashboard edits
- another automation job
- manual registrar changes
- failed partial deploys
- provider-side imports
Run a scheduled preview or plan:
dnscontrol preview
terraform plan -detailed-exitcodeAlert when drift appears. Do not silently overwrite it without review; the manual change may have been an incident fix.
Rollback
Rollback should be a normal code change:
git revert <bad-change>Then let the same pipeline check, preview, and apply it.
For high-risk migrations, prepare the rollback commit before you start. DNS rollback is time-sensitive because resolver caches keep old answers until TTL expiry.
Secret Handling
Bad pattern:
DNSCALE_API_KEY=... in repoBetter pattern:
CI secret store -> environment variable -> provider toolBest pattern:
- one token per zone or environment
- no production token in pull-request workflows from forks
- short rotation process
- audit log review
- separate read-only token for drift checks when possible
Terraform vs DNSControl vs API Scripts
| Tool | Best fit |
|---|---|
| Terraform | DNS tied to infrastructure resources, remote state, approval workflows |
| DNSControl | DNS-first workflows, multi-provider sync, readable zone diffs |
| API scripts | Small operational tasks that do not deserve full IaC state |
Avoid custom scripts for the main production path unless you are prepared to maintain validation, diffing, retries, and rollback yourself.
Minimal Pipeline Policy
For production DNS:
- All changes through pull requests.
- Preview output attached to the PR.
- Apply only after merge to protected branch.
- Zone-scoped write credentials.
- Scheduled drift detection.
- Manual dashboard edits documented and backfilled into code.
- DNSSEC and delegation changes require extra review.
That is enough to prevent most DNS accidents.
Related Reading
Frequently asked questions
- Should DNS changes go through CI/CD?
- Production DNS changes should. DNS controls traffic, email, certificates, and service discovery. Review and preview reduce the chance of shipping a bad record globally.
- What should a DNS pipeline run on pull requests?
- Run syntax checks, policy checks, and a preview or plan. The pull request should show what records would be added, changed, or deleted.
- Should CI apply DNS changes from every branch?
- No. Apply only from a protected branch after review. Feature branches should validate and preview, not mutate production DNS.
- Where should DNS API keys live?
- In the CI secret store or a dedicated secret manager. Use zone-scoped keys whenever possible and avoid account-wide tokens.
- What is DNS drift?
- Drift is a difference between the records declared in code and the records currently published by the provider. Drift usually means someone changed DNS manually or another automation path changed it.
- Is Terraform or DNSControl better for DNS CI/CD?
- Terraform is strong when DNS is part of broader infrastructure state. DNSControl is strong for DNS-specific review, multi-provider sync, and zone-oriented workflows.
Related guides
Automation
Managing DNS with Terraform
Learn how to manage your DNS zones and records as Infrastructure as Code using the DNScale Terraform Provider.
Automation
Managing DNS with DNSControl
Learn how to manage your DNS zones and records as code using DNSControl with the DNScale provider. Define your entire DNS configuration in JavaScript.
Automation
DNS for Cloud Infrastructure ā Best Practices and Architecture
Learn cloud DNS best practices including service discovery, multi-cloud strategies, automation with Terraform, and TTL optimization for dynamic infrastructure.
Automation
DNS as Code Best Practices
A practical guide to managing DNS as code with ownership, review, previews, drift detection, scoped credentials, and safe migration patterns.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free