.\" Generated by Mmark Markdown Processer - mmark.miek.nl
.TH "COREDNS-NOMAD" 7 "September 2025" "CoreDNS" "CoreDNS Plugins"

.SH "NAME"
.PP
\fInomad\fP - enables reading zone data from a Nomad cluster.

.SH "DESCRIPTION"
.PP
This plugin serves DNS records for services registered with Nomad. Nomad 1.3+ comes with support for discovering services
\[la]https://www.hashicorp.com/en/blog/nomad-service-discovery\[ra] with an in-built service catalogue that is available via the HTTP API. This plugin extends the HTTP API and provides a DNS interface for querying the service catalogue.

.PP
The query can be looked up with the format \fB\fC[service].[namespace].service.nomad\fR. The plugin currently handles A, AAAA and SRV records. Refer to #Usage Example
\[la]#usage-example\[ra] for more details.

.SH "EXAMPLE JOB TEMPLATE"
.PP
.RS

.nf
job "dns" {
  type = "service"

  group "dns" {
    network {
      port "dns" {
        static = 1053
      }
    }
    task "dns" {
      driver = "docker"

      config {
        image = "coredns/coredns:latest"
        ports = ["dns"]
        args = ["\-conf", "/secrets/coredns/Corefile", "\-dns.port", "1053"]
      }

      service {
        name         = "hostmaster"
        provider     = "nomad"
        port         = "dns"
        address\_mode = "driver"
      }

      identity {
        env = true
      }

      template {
        data          = <<EOF
\&. {
  forward . 1.1.1.1
}

service.nomad. {
  errors
  debug
  health
  log
  nomad service.nomad {
    address unix:///secrets/api.sock
    ttl 10
  }
  cache 30
}
EOF
        destination   = "secrets/coredns/Corefile"
        change\_mode   = "signal"
        change\_signal = "SIGHUP"
      }
    }
  }
}

.fi
.RE

.SH "SYNTAX"
.PP
.RS

.nf
nomad [ZONE] {

.fi
.RE

.PP
With only the plugin specified, the \fInomad\fP plugin will default to \fB\fCservice.nomad\fR zone.

.PP
.RS

.nf
nomad [ZONE] {
    address URL
    token TOKEN
    ttl DURATION
}

.fi
.RE

.IP \(bu 4
\fB\fCaddress\fR The address where a Nomad agent (server) is available. \fBURL\fP defaults to \fB\fChttp://127.0.0.1:4646\fR.
.IP \(bu 4
\fB\fCtoken\fR The SecretID of an ACL token to use to authenticate API requests with if the Nomad cluster has ACL enabled. \fBTOKEN\fP defaults to \fB\fC""\fR.
.IP \(bu 4
\fB\fCttl\fR allows you to set a custom TTL for responses. \fBDURATION\fP defaults to \fB\fC30 seconds\fR. The minimum TTL allowed is \fB\fC0\fR seconds, and the maximum is capped at \fB\fC3600\fR seconds. Setting TTL to 0 will prevent records from being cached. The unit for the value is seconds.


.SH "METRICS"
.PP
If monitoring is enabled (via the \fIprometheus\fP directive) the following metric is exported:

.IP \(bu 4
\fB\fCcoredns_nomad_success_requests_total{namespace,server}\fR - Counter of DNS requests handled successfully.
.IP \(bu 4
\fB\fCcoredns_nomad_failed_requests_total{namespace,server}\fR - Counter of DNS requests failed.


.PP
The \fB\fCserver\fR label indicated which server handled the request. \fB\fCnamespace\fR indicates the namespace of the service in the query.

.SH "READY"
.PP
This plugin reports readiness to the ready plugin. It will be ready only when it has successfully connected to the Nomad server. It queries the \fB\fC/v1/agent/self\fR
\[la]https://developer.hashicorp.com/nomad/api-docs/agent#query-self\[ra] endpoint to check if it is ready.

.SH "EXAMPLES"
.PP
Enable nomad with and resolve all services with \fB\fC.nomad\fR as the suffix. \fB\fCcache\fR plugin is used to cache the responses for 30 seconds. This avoids a lookup to the Nomad server for every request.

.PP
.RS

.nf
service.nomad.:1053 {
    log
    cache
    errors
    nomad service.nomad {
        address http://127.0.0.1:4646 http://127.0.0.2:4646 http://127.0.0.3:4646
        ttl 10
    }
    cache 30
}

.fi
.RE

.SH "AUTHENTICATION"
.PP
\fB\fCnomad\fR plugin uses a default Nomad configuration to create an API client. Options like the HTTP address and the token can be specified in Corefile. However, Nomad Go SDK can also additionally read these environment variables.

.IP \(bu 4
\fB\fCNOMAD_TOKEN\fR
.IP \(bu 4
\fB\fCNOMAD_ADDR\fR
.IP \(bu 4
\fB\fCNOMAD_REGION\fR
.IP \(bu 4
\fB\fCNOMAD_NAMESPACE\fR
.IP \(bu 4
\fB\fCNOMAD_HTTP_AUTH\fR
.IP \(bu 4
\fB\fCNOMAD_CACERT\fR
.IP \(bu 4
\fB\fCNOMAD_CAPATH\fR
.IP \(bu 4
\fB\fCNOMAD_CLIENT_CERT\fR
.IP \(bu 4
\fB\fCNOMAD_CLIENT_KEY\fR
.IP \(bu 4
\fB\fCNOMAD_TLS_SERVER_NAME\fR
.IP \(bu 4
\fB\fCNOMAD_SKIP_VERIFY\fR


.PP
You can read about them in detail here
\[la]https://developer.hashicorp.com/nomad/docs/reference/runtime-environment-settings\[ra].

.SH "USAGE EXAMPLE"
.SS "A RECORD"
.PP
.RS

.nf
dig redis.default.service.nomad @127.0.0.1 \-p 1053

; <<>> DiG 9.18.1\-1ubuntu1.2\-Ubuntu <<>> redis.default.service.nomad @127.0.0.1 \-p 1053
;; global options: +cmd
;; Got answer:
;; \->>HEADER<<\- opcode: QUERY, status: NOERROR, id: 54986
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bdc9237f49a1f744 (echoed)
;; QUESTION SECTION:
;redis.default.service.nomad.        IN    A

;; ANSWER SECTION:
redis.default.service.nomad.    10    IN    A    192.168.29.76
redis.default.service.nomad.    10    IN    A    192.168.29.76
redis.default.service.nomad.    10    IN    A    192.168.29.76

;; Query time: 4 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Thu Jan 05 12:12:25 IST 2023
;; MSG SIZE  rcvd: 165

.fi
.RE

.SS "SRV RECORD"
.PP
Since an A record doesn't contain the port number, SRV record can be used to query the port number of a service.

.PP
.RS

.nf
dig redis.default.service.nomad @127.0.0.1 \-p 1053 SRV

; <<>> DiG 9.18.1\-1ubuntu1.2\-Ubuntu <<>> redis.default.service.nomad @127.0.0.1 \-p 1053 SRV
;; global options: +cmd
;; Got answer:
;; \->>HEADER<<\- opcode: QUERY, status: NOERROR, id: 49945
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 14572535f3ba6648 (echoed)
;; QUESTION SECTION:
;redis.default.service.nomad.        IN    SRV

;; ANSWER SECTION:
redis.default.service.nomad.    8    IN    SRV    10 10 25395 redis.default.service.nomad.
redis.default.service.nomad.    8    IN    SRV    10 10 20888 redis.default.service.nomad.
redis.default.service.nomad.    8    IN    SRV    10 10 26292 redis.default.service.nomad.

;; ADDITIONAL SECTION:
redis.default.service.nomad.    8    IN    A    192.168.29.76
redis.default.service.nomad.    8    IN    A    192.168.29.76
redis.default.service.nomad.    8    IN    A    192.168.29.76

;; Query time: 0 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Thu Jan 05 12:12:20 IST 2023
;; MSG SIZE  rcvd: 339

.fi
.RE

.SS "SOA RECORD"
.PP
.RS

.nf
$ dig @localhost \-p 1053 1dns.default.service.nomad.

; <<>> DiG 9.18.12\-0ubuntu0.22.04.2\-Ubuntu <<>> @localhost \-p 1053 1dns.default.service.nomad.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; \->>HEADER<<\- opcode: QUERY, status: NXDOMAIN, id: 21012
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6d146bb140b4d8ca (echoed)
;; QUESTION SECTION:
;1dns.default.service.nomad.    IN      A

;; ANSWER SECTION:
1dns.default.service.nomad. 5   IN      SOA     ns1.1dns.default.service.nomad. ns1.1dns.default.service.nomad. 1 3600 600 604800 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#1053(localhost) (UDP)
;; WHEN: Wed Aug 23 21:14:41 EEST 2023
;; MSG SIZE  rcvd: 189

.fi
.RE