Configs · 15 April 2026 · 1 minute read

ExternalDNS — Sync Kubernetes Services with DNS Providers

Kubernetes SIG controller that keeps Route 53, Cloudflare, Google Cloud DNS and 30+ other providers in sync with Services, Ingresses, and Gateway API routes.

Introduction

ExternalDNS is a Kubernetes SIG project that keeps your DNS provider in sync with the Services, Ingresses, Gateway API routes, and other resources running in your cluster. Instead of manually creating A/AAAA/CNAME records for each exposed workload, you annotate the resource, and ExternalDNS reconciles the records in Route 53, Cloudflare, Google Cloud DNS, Azure, and 30+ other providers.

What ExternalDNS Does

  • Watches Services, Ingresses, Gateway API HTTPRoutes, and CRDs for hostname metadata.
  • Creates/updates/deletes DNS records in the chosen provider to match cluster state.
  • Owns only records it created by storing ownership metadata in TXT records.
  • Supports multiple policies: sync (create + delete), upsert-only, or create-only.
  • Works across cloud DNS (AWS, GCP, Azure, OVH, Alibaba), CDNs (Cloudflare), and on-prem (PowerDNS, RFC2136, PiHole).

Architecture Overview

ExternalDNS runs as a single Deployment. On each reconcile tick it lists registered source types, compares the desired endpoints with the records currently published by the provider (filtered by ownership TXT records), and issues the minimum set of provider API calls. Ownership is tracked per record using a heritage TXT record — so multiple ExternalDNS instances can share a zone safely. The provider interface is pluggable; each provider implements Records, ApplyChanges, and optional zone discovery.

Self-Hosting & Configuration

  • Pick a provider flag: --provider=aws|google|cloudflare|azure|....
  • Scope records with --domain-filter, --zone-id-filter, and --annotation-filter.
  • Give the pod only DNS permissions: e.g. AWS IRSA with route53:ChangeResourceRecordSets on specific zones.
  • Tune --interval (default 1m) and --txt-owner-id for multi-cluster setups.
  • Enable Gateway API sources with --source=gateway-httproute for modern ingress stacks.

Key Features

  • 30+ providers under one reconciler, including PiHole and RFC2136 for on-prem.
  • Gateway API support for the next generation of Kubernetes ingress.
  • Record ownership via TXT records prevents cross-cluster clobbering.
  • Works with any CRD that exposes a hostname via a configurable source.
  • Handles split-horizon DNS through multiple instances with distinct owner IDs.

Comparison with Similar Tools

  • cert-manager — manages certificates; ExternalDNS manages records. Often deployed together.
  • kubernetes-sigs/dns-controller — an older K8s project; ExternalDNS superseded most uses.
  • Cloudflare K8s Operator — vendor-specific; ExternalDNS is provider-agnostic.
  • AWS Load Balancer Controller — creates ALBs; ExternalDNS creates the DNS records pointing at them.
  • octodns — declarative DNS from Git; ExternalDNS reconciles from live cluster state instead.

FAQ

Q: Does ExternalDNS create wildcard records? A: Yes, provided the provider supports wildcards: annotate the source with a hostname such as *.example.com.

Q: What prevents it from deleting my manual records? A: TXT ownership markers. Records without the marker are left alone.

Q: Can I run it against multiple clusters sharing one zone? A: Yes, give each instance a distinct --txt-owner-id.

Q: Does it support Gateway API? A: Yes: HTTPRoute, TLSRoute, TCPRoute, UDPRoute, and GRPCRoute sources.
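The ownership logic described in the Architecture Overview and in the FAQ answers above, modelled in Python as an added example (not ExternalDNS's own code): a reconcile step that reads the heritage TXT markers from the zone and only updates or deletes records whose marker names its own --txt-owner-id, honouring the sync / upsert-only / create-only policies. The marker format is simplified to the heritage and owner fields, and all records are constructed sample data.

```python
from dataclasses import dataclass

HERITAGE = "heritage=external-dns"  # prefix of the TXT ownership marker
@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str

def owners(current):
    """Map record name -> owner id, read from the heritage TXT marker beside it."""
    return {r.name: r.target.split("external-dns/owner=", 1)[1].split(",")[0]
            for r in current if r.rtype == "TXT" and r.target.startswith(HERITAGE)
            and "external-dns/owner=" in r.target}

def plan(desired, current, owner_id, policy="sync"):
    """Changes one reconcile tick would send to the provider, as sets of Records.
    'sync' creates, updates and deletes; 'upsert-only' never deletes; 'create-only'
    only creates. Records with no marker, or one naming another owner, are skipped."""
    owned_by = owners(current)
    want = {(r.name, r.rtype): r.target for r in desired}
    have = {(r.name, r.rtype): r.target for r in current if r.rtype != "TXT"}
    changes = {"create": set(), "update": set(), "delete": set()}
    for (name, rtype), target in want.items():
        if (name, rtype) not in have:  # new record: publish it plus our marker
            changes["create"] |= {Record(name, rtype, target),
                                  Record(name, "TXT", f"{HERITAGE},external-dns/owner={owner_id}")}
        elif (policy != "create-only" and owned_by.get(name) == owner_id
              and have[(name, rtype)] != target):
            changes["update"].add(Record(name, rtype, target))
    if policy == "sync":  # only the sync policy removes records no source wants
        for (name, rtype), target in have.items():
            if (name, rtype) not in want and owned_by.get(name) == owner_id:
                changes["delete"] |= {Record(name, rtype, target)} | {
                    r for r in current if r.rtype == "TXT" and r.name == name}
    return changes

# Constructed sample: what the cluster wants versus what the provider serves now.
DESIRED = [Record("app.example.com", "A", "203.0.113.10"),
           Record("api.example.com", "CNAME", "lb.example.com")]
CURRENT = [Record("app.example.com", "A", "203.0.113.9"),
           Record("app.example.com", "TXT", f"{HERITAGE},external-dns/owner=cluster-a"),
           Record("old.example.com", "A", "203.0.113.5"),
           Record("old.example.com", "TXT", f"{HERITAGE},external-dns/owner=cluster-a"),
           Record("shared.example.com", "A", "203.0.113.7"),
           Record("shared.example.com", "TXT", f"{HERITAGE},external-dns/owner=cluster-b"),
           Record("legacy.example.com", "A", "192.0.2.1")]  # created by hand, no marker
if __name__ == "__main__":
    print(plan(DESIRED, CURRENT, "cluster-a"))
```

Running it shows that the hand-made legacy record and cluster-b's shared record never appear in any change set, which is the guarantee the FAQ describes.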

Sources
