Docker Compose Installation & Setup Guide

User Manual:

Open the PDF directly: View PDF .
Page Count: 34

Download
Open PDF In Browser	View PDF

Docker Compose
Installation & Setup Guide.
NS1 Private DNS 1.0 • Revised August 8, 2018

2018 © NS1, Inc.

Private DNS 1.0

TABLE OF CONTENTS
1. Overview

2. Before You Begin

2.1. System Requirements

2.1.1. Hardware

2.1.2. Operating Systems

2.1.3. Docker

2.1.4. Software

2.1.5. Network

2.2. Securing System Access

2.3. Transport Layer Security

3. Installation

3.1. Accessing Files & Images

3.2. Configuring Compose Files

3.3. Installation Commands

4. Setup & Configuration

4.1. Setup with CLI

4.1.1. Common CLI Setup Options

4.1.2. Data CLI Setup

4.1.3. DNS CLI Setup

4.1.4. Web CLI Setup

4.1.5. Xfr CLI Setup

4.2. Setup with Web Interface

4.2.1. Data Setup

4.2.2. DNS Setup

4.2.3. Web Setup

4.2.4. Xfr Setup

5. Administrative Actions

5.1. Admin Actions with CLI

5.1.1. Data CLI Actions

5.1.2. DNS CLI Actions

5.1.3. Web CLI Actions

5.1.4. Xfr CLI Actions

5.2. Admin Actions with the Web Interface
5.2.1. Data Actions

21
21

2018 © NS1 Inc.

Page |
1

Private DNS 1.0
5.2.2. DNS Actions

5.2.3. Web Actions

5.2.4. Xfr Actions

6. Import New GeoIP Data

7. Upgrading

8. Uninstalling

9. Appendix A. Bootstrap an Operator

10. Appendix B: Managing Operators

10.1. View Operator(s)

10.2. Create an Operator

10.3. Update an Operator

10.4. Delete an Operator

11. Appendix C: Managing Organizations

11.1. View Organizations

11.2. View an Organization

11.3. Creating an Organization

11.4. Update an Organization

11.5. Delete an Organization

11.6. Reset a User’s Password

12. Appendix D: Managing API Keys, Users & Teams

12.1. Example: Adding a New User to an Organization as Operator

12.2. Example: Adding a Zone as Operator User

13. Appendix E: Unavailable API Endpoints in Private DNS

14. Appendix F: System Topologies

14.1. Architecting for Highly Available DNS

2018 © NS1 Inc.

Page |
2

Private DNS 1.0

1. Overview
NS1’s Private DNS is a solution that can be installed on customers’ networks. It is the
software version of NS1’s industry-leading SaaS platform, bringing DNS and traffic
management capabilities out of the cloud and into owned environments.

2018 © NS1 Inc.

Page |
3

Private DNS 1.0

2. Before You Begin
This guide assumes the reader has familiarity with the principles of DNS, networking, and
working knowledge of Docker and container-based systems.

2.1. System Requirements
The following sections contain both hard requirements and general guidance (e.g.
hardware) for the system. For questions or concerns about target environments, please
contact s upport@ns1.com for more information.

2.1.1. Hardware
The following is the minimum hardware recommended to run a single container image:
●
●
●

2 CPUs
2 GB RAM
20 GB of free disk space

Important note: NS1 highly recommends monitoring disk usage on each host to prevent
service disruption.

2.1.2. Operating Systems
●
●
●

Linux Ubuntu 18.04 (Docker CE 18.05 Edge and higher only) / 17.04 / 16.04 / 14.04 x64
CentOS 7 x86
Red Hat x86_64

Important note: If running multiple containers on the same host machine, a Linux kernel
must support the SO_REUSEPORT socket option to allow multiple sockets on the same host
to bind to the same port.
Important note: Running Private DNS on Mac OS or Windows 10 Pro / Enterprise 64-bit is
not supported by NS1.

2.1.3. Docker
To run multi-container applications with Docker Compose, Private DNS r equires Docker
Version 1
7.03.x or 17.06.x (CE or EE) or higher. More information about Docker
requirements along with installation steps is found at the following locations:
● Docker: https://docs.docker.com/engine/installation/
● Docker Compose: https://docs.docker.com/compose/install/.

2018 © NS1 Inc.

Page |
4

Private DNS 1.0

2.1.4. Software
Web interface configuration was designed to work with current Evergreen browser
versions. Note that newer versions of each browser may be available since this release and
therefore may not be tested yet by NS1. The following browser versions were tested prior
to this release:
●
●
●
●
●

Chrome 67.0.3396.87 (Official Build) (64-bit)
Firefox 58.0
Edge 41.16299.15
EdgeHTML 16.16299
Safari 11.0.2

2.1.5. Network
While configuring the system, IPv4 addresses are recommended. Access to the public
internet is required to pull the latest container images from m
y.nsone.net.
Important notes:
● For private networks without access to the public internet, NS1 recommends pulling
the container images on a separate machine first before transferring contents to a
hard disk or volume which is accessible by the private network.
● If available, it is highly recommended to add each image version to a private
container registry.
The following network protocols are used by the system: H
TTP/HTTPS, UDP, TCP, T
LS.

2.2. Securing System Access
Host Access. Access to host machines on which each container is running should be
secured to system administrators only. NS1 h
ighly recommends that administrators and
operators should be required to access this machine via secure shell (SSH) connection.
Basic Auth. To further secure containers’ web configuration interface, operators must sign
in using “Basic Auth” credentials. By default, Private DNS initializes Username to ns1 and
Password to p
rivate.
Limiting Port Visibility. The w
eb container should only be viewable on ports 80 and 443
from the localhost.

2018 © NS1 Inc.

Page |
5

Private DNS 1.0

2.3. Transport Layer Security
By default all network communication between the various Private DNS containers,
management portal and API endpoints, as well as the main portal and API endpoints is
encrypted using self signed certificates that are generated at initial runtime of each
container. It is expected behavior for a browser certificate trust warning to appear when
navigating to the web configuration interfaces of each container for the first time. Proceed
following the on screen browser instructions.
There are up to three different TLS configurations depending on the container:
TLS Configuration

Description

Availability

Transport TLS

This configuration manages how
communication between the various
containers is encrypted and verified.

●
●
●
●
●

Data
Web
Xfr
Dns
Cache

Management TLS

This configuration manages how
communication between clients and the
management interface is encrypted and
verified.

●
●
●
●
●

Data
Web
Xfr
Dns
Cache

Web TLS

This configuration manages how
communication between clients and the
main NS1 portal and API is encrypted and
verified.

●

Web

The web container uses a self-signed certificate. As a result, a certificate trust warning may
appear when making API calls or visiting the NS1 portal in a web browser. It is safe to
ignore this validation warning. You can replace this certificate with a custom certificate at a
later time.

3. Installation
This section provides instructions on installation using docker-compose.

3.1. Accessing Files & Images
NS1 hosts the installation files and container images within the NS1 Portal. NS1’s Customer
Success team will send an email invitation to Private DNS customers directing them to
https://my.nsone.net/. Once a password is created, navigate to the D
ownloads page.

2018 © NS1 Inc.

Page |
6

Private DNS 1.0
Container images can now be downloaded locally, unzipped, and pushed to a private
container registry.
Alternatively, use your API key to run the following command or download and run the
command here:
sh <(curl -Ls
https://raw.githubusercontent.com/ns1/ns1-privatedns/master/get-privatedns.sh -o -) -k
APIKEY

Then download the compose file here:
wget https://raw.githubusercontent.com/ns1/ns1-privatedns/master/docker-compose.yml

Important note: It is a violation of the NS1 license agreement to push container images to
a repository which is n
ot for exclusive use by the licensee. Pushing images to a public
registry is unlawful redistribution of the software.

3.2. Configuring Compose Files
The example docker-compose.yml provided in the installation directory will start a single
container of each service on one host machine. In-line comments provide more
information about specific parameters. Configuration management tools and other
infrastructure as code frameworks are highly recommended to orchestrate a
production-grade deployment.

3.3. Installation Commands
Execute d
ocker-compose.yml to start containers and volumes for installation. Pass in the
image version at the command line using the TAG parameter as shown below.
TAG=1.0.2 docker-compose -p privatedns up -d

Important note: Upgrading the host machine’s version of Docker Compose is
recommended. See https://docs.docker.com/compose/install/#upgrading for more
information.

2018 © NS1 Inc.

Page |
7

Private DNS 1.0

4. Setup & Configuration
When first setting up the system, the data container should be configured first.
Configuration of other containers can be done in any order.

4.1. Setup with CLI
Using the command line, the system is set up using the supd application. For usage
information of s upd, add the --help or -h option. For example, the xfr c ontainer’s supd
help is accessed with the following command:
docker exec privatedns_xfr_1 supd --help

4.1.1. Common CLI Setup Options
Certain fields are common and shared among all containers. To view the usage information
of the run command for the specific container. For example,
docker exec privatedns_data_1 supd run --help

The following table describes shared options for the run command.
Options

Description

--recovery

Used by the system to recover from a failed
configuration

--bootstrap

Used by the system when first standing up with no
configuration available

-f, --force

overwrite any existing config options with CLI
parameters

--pop_id [value]

This specifies the location (datacenter/pop) of the
server where the data container is running

--server_id [value]

This identifies a specific server in a location where
the data container is running

--enable_ops_metrics
[value]

If enabled this will export system metrics to the
specified metrics database(s)

--transport_enable_tls
[value]

Enable or disable transport TLS encryption, to use for
communicating with other cluster members. (defaults to
True)

--default_transport_tls_
settings [value]

Use the predefined TLS settings for transport networking

2018 © NS1 Inc.

Page |
8

Private DNS 1.0

--manual_transport_tls_s
ettings [value]

Define the TLS settings for transport networking, when
using manually mounted certificates

--manual_transport_tls_c
rl_file [value]

The CRL certificate to use for verifying client
certificates revocation status, when communicating
between cluster members

--manual_transport_tls_s
ni_zone [value]

The zone to use for TLS verification purposes, when
communicating between cluster members

--manual_transport_tls_c
lient_cert_verfiy
[value]

Whether or not to enforce strict certificate
verification, when communicating between cluster
members. NOTE: You must set 'TLS certificate zone' for
this to work with custom certificates

--manual_transport_tls_v
ersion [value]

The minimum TLS version to enforce, when communicating
between cluster members

--manual_transport_tls_c
iphers [value]

The set of TLS ciphers to use, when communicating
between cluster members

--management_enable_tls
[value]

Enable or disable management TLS encryption, to use for
communicating with other cluster members. (defaults to
True)

--default_management_tls
_settings [value]

Use the predefined TLS settings for management
networking

--manual_management_tls_
settings [value]

Define the TLS settings for management networking, when
using manually mounted certificates

--manual_management_tls_
cert_bundle [value]

The combined certificate/key PEM file to present, when
communicating between cluster members

--manual_management_tls_
crl_file [value]

The CRL certificate to use for verifying client
certificates revocation status, when communicating
between cluster members

--manual_management_tls_
client_cert_verfiy
[value]

Whether or not to enforce strict certificate
verification, when communicating between cluster members

--manual_management_tls_
version [value]

The minimum TLS version to enforce, when communicating
between cluster members

--manual_management_tls_
ciphers [value]

The set of TLS ciphers to use, when communicating
between cluster members

-h, --help

output usage information

2018 © NS1 Inc.

Page |
9

Private DNS 1.0

4.1.2. Data CLI Setup
To see the data container’s unique configuration options, view the usage information of the
run command.
docker exec privatedns_data_1 supd run --help

The following table describes options specific to the data container.
Options

Description

--number_of_stats_proces
sors [value]

The number of processors to run for query metrics

--query_metrics_ttl
[value]

Duration to keep query metrics.

--telegraf_output_ns1_da
ta [value]

None

--telegraf_output_ns1_da
ta_enabled [value]

Use the default metrics store

--telegraf_output_influx
db [value]

Enable InfluxDB output for operational metrics

--telegraf_output_influx
db_data_host [value]

Hostname of InfluxDB host

--telegraf_output_influx
db_database [value]

InfluxDB Database Name

--telegraf_output_influx
db_enable_auth [value]

Enable user/password authentication for InfluxDB

--telegraf_output_influx
db_username [value]

InfluxDB User

--telegraf_output_influx
db_password [value]

InfluxDB Password

--telegraf_output_influx
db_enable_tls [value]

Enable TLS for InfluxDB

--telegraf_output_influx
db_server_pem_key
[value]

The PEM key for the InfluxDB server

--telegraf_output_influx
db_ca_pem_key [value]

The CA key used for validation if provided

--telegraf_output_influx
db_crt [value]

The CRT for the InfluxDB server

--telegraf_output_elasti
csearch [value]

Enable Elasticsearch output for operational metrics

2018 © NS1 Inc.

Page |
10

Private DNS 1.0

--telegraf_output_elasti
csearch_data_host
[value]

Elasticsearch Host

--telegraf_output_elasti
csearch_sniff_cluster
[value]

Enable sniffing Elasticsearch for additional hosts in
cluster

--telegraf_output_elasti
csearch_timeout [value]

Timeout for Connecting to Elasticsearch

--telegraf_output_elasti
csearch_index [value]

Elasticsearch Index

--telegraf_output_elasti
csearch_enable_auth
[value]

Enable user/password authentication for Elasticsearch

--telegraf_output_elasti
csearch_username [value]

Elasticsearch Username

--telegraf_output_elasti
csearch_password [value]

Elasticsearch Password

--telegraf_output_elasti
csearch_enable_tls
[value]

Enable TLs for Elasticsearch

--telegraf_output_elasti
csearch_server_pem_key
[value]

The PEM key for the Elasticsearch server

--telegraf_output_elasti
csearch_ca_pem_key
[value]

The CA key used for validation of Elasticsearch

--telegraf_output_elasti
csearch_crt [value]

The CRT for the Elasticsearch server

--telegraf_output_elasti
csearch_enable_managed_t
emplate [value]

Whether to have the metrics process or Elasticsearch
manage the template

--telegraf_output_elasti
csearch_template_name
[value]

The name of the elasticsearch template

--telegraf_output_elasti
csearch_overwirte_templa
te [value]

Whether to be able to overwrite an existing template

--telegraf_output_opents
db [value]

Enable OpenTSB output for operational metrics

--telegraf_output_opents
db_host [value]

OpenTSDB Hostname

2018 © NS1 Inc.

Page |
11

Private DNS 1.0

--telegraf_output_opents
db_batch_size [value]

Batch Size of writes to OpenTSDB

--telegraf_output_graphi
te [value]

Enable graphite output for operational metrics

--telegraf_output_graphi
te_host [value]

Graphite server hostname

--telegraf_output_graphi
te_timeout [value]

Timeout for connecting to graphite

--telegraf_output_graphi
te_template [value]

Template format for metrics in graphite

--telegraf_output_graphi
te_enable_tls [value]

Enable TLS for graphite

--telegraf_output_graphi
te_server_pem_key
[value]

The PEM key for the graphite server

--telegraf_output_graphi
te_ca_pem_key [value]

The CA PEM key used for validation of graphite server

--telegraf_output_graphi
te_crt [value]

The CRT for the graphite server

4.1.3. DNS CLI Setup
To see the dns c ontainer’s unique configuration options, view the usage information of the
run command.
docker exec privatedns_dns_1 supd run --help

The following table describes options specific to the dns c ontainer.
Options

Description

--data_host [value]

Hostname or IP address of the data or cache container

--num_metrics_procs
[value]

The number of processors running to collect metrics for
DNS queries

--metrics_flush_interval
[value]

Interval for flushing metrics to the data container

--dns_recv_buffer
[value]

The size in bytes of the UDP receive buffers used by the
dns server. A setting of '0' uses the OS defined default
value.

--num_trex_procs [value]

Number of Authoritative DNS server processes to run

2018 © NS1 Inc.

Page |
12

Private DNS 1.0

--enable_ops_metrics
[value]

Whether to send operational metrics to the data
container

--operation_mode [value]

Controls whether the server will act as authoritative
server or recursive resolver

--external_resolver
[value]

IP address of resolver to handle ALIAS record resolution
and queries for non-authoritative zones if recursive
mode is enabled. Builtin resolver will be used if this
option is not specified

--forward_zones [value]

Additional zones and their authoritative servers to be
configured in the resolver as forwarded zones. This
allows the zones to be resolved if they are not
delegated from public DNS hierarchy

4.1.4. Web CLI Setup
To see the web container’s unique configuration options, view the usage information of the
run command.
docker exec privatedns_web_1 supd run --help

The following table describes options specific to the web c ontainer.
Options

Description

--data_host [value]

Hostname or IP address of data container

--api_hostname [value]

Hostname to use for API calls (bootstrap, organization
management require this to be set)

--portal_hostname
[value]

Hostname to use for portal access

--web_enable_tls [value]

Enable or disable web TLS encryption, to use for
communicating with the portal interface and api.
(defaults to True)

--default_web_tls_settin
gs [value]

Use the predefined TLS settings for web networking.

--manual_web_tls_setting
s [value]

Define the TLS settings for web networking, when using
manually mounted certificates.

--manual_web_tls_cert_bu
ndle [value]

The combined certificate/key PEM file to present, when
communicating between cluster members.

--manual_web_tls_crl_fil
e [value]

The CRL certificate to use for verifying client
certificates revocation status, when communicating
between cluster members.

--manual_web_tls_force_r
edir [value]

Enable or disable forcing redirect of http traffic to
https, for the web facing portal and api. (defaults to

2018 © NS1 Inc.

Page |
13

Private DNS 1.0

True)
--manual_web_tls_client_
cert_verfiy [value]

Whether or not to enforce strict certificate
verification, when communicating between cluster
members.

--manual_web_tls_version
[value]

The minimum TLS version to enforce, when communicating
between cluster members.

--manual_web_tls_ciphers
[value]

The set of TLS ciphers to use, when communicating
between cluster members.

--nameservers [value]

List of default name servers to set as NS records for
new zones. The first server in the list is also used as
primary name server in the SOA record. For example,
['ns1.example.net', 'ns2.example.net'].

--hostmaster_email
[value]

E-mail address to set as hostmaster in the SOA record
for new zones.

4.1.5. Xfr CLI Setup
To see the xfr c ontainer’s unique configuration options, view the usage information of the
run command.
docker exec privatedns_xfr_1 supd run --help

The following table describes options specific to the xfr c ontainer.
Options

Description

--data_host [value]

Hostname or IP address of data container

2018 © NS1 Inc.

Page |
14

Private DNS 1.0

4.2. Setup with Web Interface
Each container has a web interface for manual configuration.

4.2.1. Data Setup
To set up the d
ata container via web interface:
1. Open a web browser to h
ttps://:3300
Note: The configuration port 3300 is set in the docker-compose file.
Optional configurations include:
2. Under the Identifiers grouping, enter a Location ID (datacenter/pop) of the server
where the container is run and S
erver ID to identify the specific host machine of the
container.
3. Under the Operational Details grouping, enter the Number of Metrics Processors
and the Q
uery Metrics TTL to determine how long query metrics are retained.
4. Enable Metrics Export is configured to collect operational telemetry and
application metrics locally by default. Other export options allow metrics to also
feed into the following external data stores: InfluxDB, Elasticsearch, OpenTSDB, and
Graphite.
a. Each additional option besides of Default Internal Metrics requires additional
parameters to ensure successful connection to the external data store.
b. InfluxDB r equires a Host, Database Name, Username, InfluxDB Password
and SSL/TLS key information to securely connect.
c. Elasticsearch cluster requires Hosts, Timeout, Index Name, Username,
Password, optional Template, and SSL/TLS information to securely connect.
d. OpenTSDB e
xport requires a Host and Batch Size.
e. Graphite r equires a Host, Timeout, Template, and SSL/TLS information to
securely connect.
5. Under the TLS Settings grouping, choosing to use Defaults f or Transport TLS and
Management TLS will operate with the system’s self-signed certificates which were
generated on startup.
a. Manual Settings will require either bind mounting the certificates to Xyz or
uploading a certificate bundle by visiting the C
erts and Files page.
Important note: If Enable Metrics Export is enabled on other containers, they will send
operational metrics back to data for aggregation and export to other data stores.

2018 © NS1 Inc.

Page |
15

Private DNS 1.0

4.2.2. DNS Setup
Before continuing with the d
ns container(s), the data container must be configured already.
For each d
ns container, to set up the d
ns container via web interface:
1. Open a web browser to h
ttps://:3301
2. Under the Data Container Connection grouping, enter the Data Host.
3. To configure metrics settings under the Operational Details grouping, choose a
Number of Query Metrics Processors. NS1 recommends at least 2.
4. Enter a M
etrics Flush Interval to determine at what interval metrics get sent back
to data. NS1 recommends 10s for this value.
5. Enter a D
NS UDP Receive Buffer Length in bytes. A setting of '0' uses the OS
defined default value.
6. Enter the N
umber of Authoritative DNS Servers. NS1 recommends at least 2.
7. Under Resolving Configuration, toggle whether the container will operate as an
Authoritative Server or Recursive Resolver.
Optional configurations include:
8. Entering a Location ID (datacenter/pop) of the server where the container is run
9. Server ID to identify the specific host machine of the container
10. An External Resolver’s IP can be set to handle ALIAS record resolution and also
queries for non-authoritative zones in Recursive Resolver mode. By default, the
container’s built in resolver will be used if this value is not specified.
11. Forwarded Zones can be added individually with a Domain and one or more
forwarding IP Addresses and Port.
12. Under the TLS Settings grouping, choosing to use Defaults f or Transport TLS and
Management TLS will operate with the system’s self-signed certificates which were
generated on startup.
a. Manual Settings will require either bind mounting the certificates to Xyz or
uploading a certificate bundle by visiting the C
erts and Files page.

4.2.3. Web Setup
Before continuing with the w
eb container, the d
ata container must be configured already.
To set up the w
eb container via web interface:
1.
2.
3.
4.

Open a web browser to h
ttps://:3302
Under the Data Container Connection grouping, enter the Data Host.
Enter an A
PI Hostname which will be used for feed URLs.
Enter a P
ortal Hostname at which users can reach the NS1 Portal running in the
web container.

2018 © NS1 Inc.

Page |
16

Private DNS 1.0
Optional configurations include:
5. Entering a Location ID (datacenter/pop) of the server where the container is run
6. Server ID to identify the specific host machine of the container.
7. Under the Operational Details grouping, one more more Nameservers c an be
added along with a Hostmaster E-mail address to be associated with new zones’
SOA records.
8. Under the TLS Settings grouping, choosing to use Defaults f or Transport TLS,
Management TLS , and Web TLS will operate with the system’s self-signed
certificates which were generated on startup.
a. Manual Settings will require either bind mounting the certificates to Xyz or
uploading a certificate bundle by visiting the C
erts and Files page.

4.2.4. Xfr Setup
Before continuing with the x
fr c ontainer, the data container must be configured already. To
set up the xfr container via web interface:
1. Open a web browser to h
ttps://:3303
2. Under the Data Container Connection grouping, enter the Data Host.
Optional configurations include:
3. Entering a Location ID (datacenter/pop) of the server where the container is run
4. Server ID to identify the specific host machine of the container
5. Under the TLS Settings grouping, choosing to use Defaults f or Transport TLS,
Management TLS , and Web TLS will operate with the system’s self-signed
certificates which were generated on startup.
a. Manual Settings will require either bind mounting the certificates to Xyz or
uploading a certificate bundle by visiting the C
erts and Files page.

2018 © NS1 Inc.

Page |
17

Private DNS 1.0

5. Administrative Actions
Administrative actions are included with each container for operations such as restarting a
service or creating backups.

5.1. Admin Actions with CLI
Actions can be executed on the command line for each container.

5.1.1. Data CLI Actions
To see available actions of the dns container, view the usage information of supd.
docker exec privatedns_data_1 supd --help

The following table describes action commands.
Commands

Description

generate_runtime_logs

Generates an archive of runtime reports in
/ns1/data/log/health/

update_basic_auth
[options]

Sets and updates your basic authorization credentials to
the container’s configuration UI

backup_db

Dumps database to data/backup/.tgz

restart_maindb

This will cause an outage for API and XFR (zone
transfer) services.

restart_metricsdb

This will cause an outage for metrics.

restart_msg_svs

This will cause an outage for data container services.

restart_metrics_svs

This will cause an outage for operational metrics.

restart_in_mem_db

This will cause an outage for creation of portal
sessions

health [options]

run all health checks. returns a json-formatted
object in k:v format

version

print the standalone version number.
You can also use -V. versionfile is located at
/etc/version

run [options]

run ansible via flags or environment variables.
flags supercede environment vars.
Defaults to ignoring existing config.yml

viewconfig [options]

Lists all current config parameters; adding -a will
display all available parameters, even null values

2018 © NS1 Inc.

Page |
18

Private DNS 1.0

5.1.2. DNS CLI Actions
To see available actions of the dns container, view the usage information of supd.
docker exec privatedns_dns_1 supd --help

The following table describes action commands.
Commands

Description

generate_runtime_logs

Generates an archive of runtime reports in
/ns1/data/log/health/

update_basic_auth
[options]

Sets and updates your basic authorization credentials to
the container’s configuration UI

restart_dns

This will cause an outage for DNS.

restart_caching

This will cause DNS caching to be delayed.

restart_metrics

This will cause an outage for metrics reporting.

restart_resolver

This will cause an outage for DNS

health [options]

run all health checks. returns a json-formatted
object in k:v format

version

print the standalone version number.
You can also use -V. versionfile is located at
/etc/version

run [options]

run ansible via flags or environment variables.
flags supercede environment vars.
Defaults to ignoring existing config.yml

viewconfig [options]

Lists all current config parameters; adding -a will
display all available parameters, even null values

5.1.3. Web CLI Actions
To see available actions of the the w
eb container, view the usage information of supd.
docker exec privatedns_web_1 supd --help

The following table describes action commands.
Commands

Description

generate_runtime_logs

Generates an archive of runtime reports in
/ns1/data/log/health/

update_basic_auth

Sets and updates your basic authorization credentials to

Page |
19

Private DNS 1.0

[options]

the container’s configuration UI

restart_apid

Restarting the API Service will cause an outage for the
API.

health [options]

run all health checks. returns a json-formatted
object in k:v format

version

print the standalone version number.
You can also use -V. versionfile is located at
/etc/version

run [options]

run ansible via flags or environment variables.
flags supercede environment vars.
Defaults to ignoring existing config.yml

viewconfig [options]

Lists all current config parameters; adding -a will
display all available parameters, even null values

5.1.4. Xfr CLI Actions
To see available actions of the xfr c ontainer, view the usage information of supd.
docker exec privatedns_xfr_1 supd --help

The following table describes action commands.
Commands

Description

generate_runtime_logs

Generates an archive of runtime reports in
/ns1/data/log/health/

update_basic_auth
[options]

Sets and updates your basic authorization credentials to
the container’s configuration UI

restart_xfr_svs

This action restarts zone transfer services. Zone
transfers will be unavailable during the restart.

health [options]

run all health checks. returns a json-formatted
object in k:v format

version

print the standalone version number.
You can also use -V. versionfile is located at
/etc/version

run [options]

run ansible via flags or environment variables.
flags supercede environment vars.
Defaults to ignoring existing config.yml

viewconfig [options]

Lists all current config parameters; adding -a will
display all available parameters, even null values

Page |
20

Private DNS 1.0

5.2. Admin Actions with the Web Interface
Actions are found on their own tab of each container configuration page.

5.2.1. Data Actions
The container’s actions can be executed from the Actions tab of the Configuration Manager
page.
Actions

Description

Generate Runtime Report

Generates an archive of runtime reports in
/ns1/data/log/health/

Set Basic Auth
Credentials

Sets and updates your basic authorization credentials to
the container’s configuration UI

Backup Database

Dumps database to data/backup/.tgz

Restart Main Database

This will cause an outage for API and XFR (zone
transfer) services.

Restart Metrics Database

This will cause an outage for metrics.

Restart Messaging
Service

This will cause an outage for data container services.

Restart Metrics Service

This will cause an outage for operational metrics.

Restart in Memory
Database

This will cause an outage for creation of portal
sessions

5.2.2. DNS Actions
The container’s actions can be executed from the Actions tab of the Configuration Manager
page.
Actions

Description

Generate Runtime Report

Generates an archive of runtime reports in
/ns1/data/log/health/

Set Basic Auth
Credentials

Sets and updates your basic authorization credentials to
the container’s configuration UI

Restart Authoritative
DNS Servers

This will cause an outage for DNS.

Page |
21

Private DNS 1.0

Restart Caching Service

This will cause DNS caching to be delayed.

Restart Metrics Service

This will cause an outage for metrics reporting.

Restart Recursive DNS
Service

This will cause an outage for DNS

5.2.3. Web Actions
The container’s actions can be executed from the Actions tab of the Configuration Manager
page.
Actions

Description

Generate Runtime Report

Generates an archive of runtime reports in
/ns1/data/log/health/

Set Basic Auth
Credentials

Sets and updates your basic authorization credentials to
the container’s configuration UI

Restart API Service

Restarting the API Service will cause an outage for the
API.

5.2.4. Xfr Actions
The container’s actions can be executed from the Actions tab of the Configuration Manager
page.
Actions

Description

Generate Runtime Report

Generates an archive of runtime reports in
/ns1/data/log/health/

Set Basic Auth
Credentials

Sets and updates your basic authorization credentials to
the container’s configuration UI

Restart XFR Service

This action restarts zone transfer services. Zone
transfers will be unavailable during the restart.

Page |
22

Private DNS 1.0

6. Import New GeoIP Data
The dns container images ships with a built-in GeoIP database to facilitate geographic
routing. This authoritative nameserver is populated from the free version of Maxmind
GeoIP2’s database files which NS1 has licensed for redistribution.
If available, a paid version of Maxmind’s GeoIP database files can be uploaded to each dns
container for more precise geo routing.
Important note: The d
ns container currently supports binary databases formatted
according to MaxMind DB File Format Specification v2.0.
1. Open a web browser to the dns container’s C
erts and Files page.
2. Replace the default GeoIP-City.mmdb file by selecting U
pload, browse to the file,
and select O
pen.
3. Replace the default GeoIP-ASN.mmdb file by selecting U
pload, browse to the file,
and select O
pen.
4. Navigate to the Configuration Manager page, select the Actions t ab, and select
Restart Authoritative DNS Service. When successfully restarted, the new GeoIP
data is loaded.

7. Upgrading
When a new version of a container is released, admins may choose to upgrade the docker
containers to apply the latest features and bug fixes to the system.
If a new version of one or more container images is available, admins should download the
images from h
ttps://my.nsone.net/. All containers can be updated at once with
docker-compose.
In the d
ocker-compose.yml file, the $
{TAG} parameter allows you to choose the image tag
at the command line. For example,
1. First, stop the system.
docker-compose -p privatedns stop

2. Remove the existing images and volumes.
docker-compose -p privatedns rm && docker volume prune

Page |
23

Private DNS 1.0
3. And finally, bring the system up again passing in a different image tag at the
command line. In the d
ocker-compose.yml file, the $
{TAG} parameter allows you to
choose the image tag at the command line.
TAG=1.0.1 docker-compose -p privatedns up -d

Important note: Rollback to previous versions is also possible using the same process and
specifying the previous container image (e.g. 1.0.0).

8. Uninstalling
System uninstallation is simple. To remove the entire system, including volume data,
execute the following:
docker-compose -p privatedns down -v

Important note: This command is d
estructive and will remove volumes. Ensure data is
backed up appropriately.

Page |
24

Private DNS 1.0

9. Appendix A. Bootstrap an Operator
When no operators exist in the main database, the bootstrap endpoint is enabled. Once
the system is ready for use, an initial operator must be boostrapped. Below is an example
cURL command.
curl -X POST \
https://{{web-host}}/v1/ops/bootstrap \
-H 'Content-Type: application/json' \
-d '{
"user": "root",
"name": "Root Operator",
"email": "ops@example.com",
"password": "rootpassword"
}'

Important Notes:
● Bootstrap can only be performed once.
● Save the API Key (key) and 2
FA Secret (secret) of the first operator created during
bootstrap. If the API Key is lost and no other operators are created yet, the system is
rendered unmanageable and a new instance must be deployed.
● The options -k or --insecure are needed on a cURL command if a valid SSL/TLS
certificate has not been uploaded for use by the w
eb container. See T
ransport Layer
Security for more information about adding custom certificates.
● Password length should be between 10 and 255 characters.
If the operator was successfully added, a JSON response will provide information such as
the 2FA Secret and API Key. For example,
{
"two_factor_auth": { "secret": "{{2fasecret}}", "type": "totp" },
"name": "Operator Name",
"id": "5b11a509d4f9fa0e5ec1373d",
"user": "operator",
"key": "{{operator_api_key}}",
"last_access": "2018-06-01T19:56:56.604228",
"password": "L0R3M1PSUm",
"email": "operator@example.com"
}

Page |
25

Private DNS 1.0

10. Appendix B: Managing Operators
After bootstrap, other operator users can be added to the system. An operator user has full
access to every operation and all system data.
Important note: It is highly recommended to add additional operator users after
bootstrapping the first operator. If the bootstrapped operator’s API Key is lost and no other
operators are created yet, the system is rendered unmanageable and a new instance must
be deployed.

10.1. View Operator(s)
curl -X GET \
https://{{web-host}}/v1/ops/operators/{{id}} \
-H 'X-NSONE-Key: {{operator_api_key}}'

10.2. Create an Operator
curl -X PUT \
https://{{web-host}}/v1/ops/operators \
-H 'X-NSONE-Key: {{operator_api_key}}\
-d '{
"user": "operator",
"name": "Operator Name",
"email": "ops@email.com",
"password": "mypassword"
}'

10.3. Update an Operator
curl -X POST \
https://{{web-host}}/v1/ops/operators/{{id}} \
-H 'Content-Type: application/json' \
-H 'X-NSONE-Key: {{operator_api_key}}' \
-d '{
"name": "Changed Name",
"email": "changed@email.com"
}'

10.4. Delete an Operator
curl -X DELETE \
https://{{web-host}}/v1/ops/operators/{{id}} \
-H 'X-NSONE-Key: {{operator_api_key}}'

Page |
26

Private DNS 1.0
Important note: Operators cannot delete their own accounts from the system. This
ensures bootstrapping system users is a one-time event.

Page |
27

Private DNS 1.0

11. Appendix C: Managing Organizations
With the exception of operators, all users, zones, and records belong to an organization. To
continue with the initial setup of Private DNS, an operator must create the first
organization using the 'PUT' API call (Section 11.3) below.

11.1. View Organizations
curl -X GET \
'https://{{web-host}}/v1/ops/orgs' \
-H 'X-NSONE-Key: {{operator_api_key}}'

11.2. View an Organization
curl -X GET \
'https://{{web-host}}/v1/ops/orgs/{{org_id}}' \
-H 'X-NSONE-Key: {{operator_api_key}}'

11.3. Creating an Organization
curl -X PUT \
'https://{{web-host}}/v1/ops/orgs' \
-H 'X-NSONE-Key: {{operator_api_key}}' \
-d '{"name": "Organization Name"}'

In response, an o
rg_id is created along with a unique object i
d. The first organization in
the Private DNS instance is set to 2000.
{
"org_id": 2000,
"name": "Organization Name",
"id": "5b16cb703ca56f"
}

11.4. Update an Organization
curl -X POST \
'https://{{web-host}}/v1/ops/orgs/{{org_id}}' \
-H 'X-NSONE-Key: {{operator_api_key}}' \
-d '{"name": "New Organization Name"}'

Page |
28

Private DNS 1.0

11.5. Delete an Organization
Deleting an organization removes all data associated with the organization including: API
Keys, Users, Teams, Zone and Record data. For this reason, the DELETE operation can only
be performed using an operator user’s 2-factor authentication (2FA) token.
Important note: An operator’s 2FA secret was returned in response to operator creation.
A 2FA token can then be generated with any 6-digit TOTP generator that rotates at
30-second intervals.
curl -X DELETE \
'https://{{web-host}}/v1/ops/orgs/{{org_id}}?token={123456}' \
-H 'X-NSONE-Key: {{operator_api_key}}'

11.6. Reset a User’s Password
Operators can generate a new invite token for users if passwords are forgotten.
curl -X POST \
'https://{{web-host}}/v1/ops/account/{{org_id}}/user/{{user-name}}/password/reset' \
-H 'X-NSONE-Key: {{operator_api_key}}'

Page |
29

Private DNS 1.0

12. Appendix D: Managing API Keys, Users &
Teams
API Keys, Users, and Teams are objects within an organization. Each can be managed by an
organization member with sufficient privileges; however, operators also have the ability to
act on behalf of an organization. This is necessary when setting up the first organization’s
users or API keys.
If an operator is acting on behalf of an organization, appending exclamation point (!) plus
the org_id (e.g. !
2000) to an API key allows use of other endpoints described in NS1’s
Managed DNS API Documentation.

12.1. Example: Adding a New User to an Organization as
Operator
For example, an operator can add a user with the following cURL command:
curl -X PUT \
'https://{{web-host}}/v1/account/users/newuser' \
-H 'X-NSONE-Key: {{operator_api_key}}!{{org_id}}' \
-d '{"username":"newuser", "name":"New User","email":"newuser@exmple.com"}'

In response an invite token is generated for this user to set a password:
{
"username": "newuser",
"notify": {
"billing": false
},
"permissions": {},
"invite_token": "{{new_invite_token}}",
"ip_whitelist_strict": false,
"name": "New User",
"teams": [],
"ip_whitelist": [],
"last_access": null,
"2fa_enabled": false,
"email": "newuser@example.com"
}

An operator can then send an invitation URL to the portal user for setting an initial
password.

Page |
30

Private DNS 1.0

https://{{web-host}}/#/invite/{{new_invite_token}}

12.2. Example: Adding a Zone as Operator User
And a zone can be added for an organization’s account using the following cURL command:
curl -X PUT \
'https://{{web-host}}/v1/zones/newzone.com' \
-H 'X-NSONE-Key: {{operator_api_key}}!{{org_id}}' \
-d '{"zone":"newzone.com", "nx_ttl":60}'

In the same way an operator can use the API on behalf of an organization, the operator can
also sign into the Private DNS portal by appending exclamation point (!) and org_id to the
operator username of the login page.

Important notes:
● An operator singing into the portal on behalf of an organization is required to
provide a 2-factor authentication (2FA) token.
● An operator’s 2FA secret was returned in response to operator creation. A 2FA token
can then be generated with any 6-digit TOTP generator that rotates at 30-second
intervals.

Page |
31

Private DNS 1.0

13. Appendix E: Unavailable API Endpoints in
Private DNS
The NS1 Managed DNS API Documentation describe endpoints which are not applicable to
Private DNS including those pertaining to Account billing and overages. These endpoints
will return a 4
04: Not Found response. The following is a list of non-applicable endpoints:
●

●

Monitoring & Notifications
○ Monitoring Job endpoints
○ Notification List endpoints
Account Management
○ Overage Alert endpoints
○ Plan and Billing endpoints
○ Payment method endpoints
Pulsar
○ All Pulsar endpoints

Page |
32

Private DNS 1.0

14. Appendix F: System Topologies
In a typical Private DNS deployment, core services (web, xfr, and data containers) are run in
a control or “core” node. In an on-premise deployment, the system’s core node is typically
deployed to the enterprise’s primary data. There can be (and usually are) more than one
dns container running at the system’s edge in “edge nodes”. For local development or a
proof of concept deployment, it is possible to run all containers on one host machine;
however, it is recommended that at least dns b
e on its own host.

14.1. Architecting for Highly Available DNS
When initialized, each d
ns container caches authoritative zones and records; therefore, d
ns
containers can continue serving DNS responses even if the system core services are
unavailable. Depending on organization resources, prior experience, and preference,
network administrators typically choose one of two strategies to achieve high availability
(HA) of DNS services: anycasting with BGP or employing application- or appliance-based
load balancers.
Important note: No matter the chosen HA strategy, when setting up more than one DNS
service in multiple geographically distributed DNS nodes, filling in the Location ID and
Server ID should be used to properly identify the host machine.

Page |
33

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : Yes
Producer                        : Skia/PDF m70
Page Count                      : 34

EXIF Metadata provided by EXIF.tools

Docker Compose Installation & Setup Guide

Navigation menu

Versions of this User Manual:

Views

Navigation