
Microsoft Azure DNS

Connecting Microsoft Azure DNS as a DNS provider in DNS Watchdog.

Overview

Azure DNS hosts DNS zones on Microsoft Azure infrastructure. DNS Watchdog connects via a service principal to discover zones and sync records.

Prerequisites

You'll need the following credentials to connect Azure DNS to DNS Watchdog:

Field              Description
Subscription ID    Azure subscription containing the DNS zones
Tenant ID          Azure AD tenant ID
Client ID          Application (client) ID of the service principal
Certificate PEM    PEM-encoded certificate and private key for the service principal

Finding your Subscription ID

In the Azure Portal, search for Subscriptions or select it from the left-hand menu. Select your subscription — the Subscription ID is shown on the Overview page.

[Screenshot: the Azure Portal showing where to find the Subscription ID]

# Azure CLI: print the ID of the currently selected subscription
az account show --query id -o tsv

Finding your Tenant ID

In the Azure Portal, search for Microsoft Entra ID (formerly Azure Active Directory). The Tenant ID is displayed on the Overview page under "Basic information".

[Screenshot: the Azure Portal showing where to find the Tenant ID]

# Azure CLI: print the tenant ID of the currently selected subscription
az account show --query tenantId -o tsv

Creating an App Registration (Client ID)

The Client ID comes from an App Registration in Microsoft Entra ID.

  1. In the Azure Portal, search for Microsoft Entra ID and select it
  2. In the left-hand menu, click App registrations
  3. Click New registration at the top
  4. Enter a name (e.g. dns-watchdog)
  5. Leave the default Supported account types selection (single tenant)
  6. Leave Redirect URI blank
  7. Click Register
  8. On the app's Overview page, note down the Application (client) ID — this is the Client ID you'll enter in DNS Watchdog

If you need to find the Client ID later, go to Microsoft Entra ID → App registrations → select your app → the Application (client) ID is on the Overview page.

# Create the app registration
az ad app create --display-name "dns-watchdog"

The appId in the output is your Client ID.

To look it up later:

az ad app list --display-name "dns-watchdog" --query "[].appId" -o tsv

Generating a Certificate (Certificate PEM)

DNS Watchdog authenticates using a certificate. You'll generate a certificate locally, upload the public half to Azure, and provide the combined PEM (certificate + private key) to DNS Watchdog.

  1. Open a terminal and generate a self-signed certificate:
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
      -days 365 -nodes -subj "/CN=dns-watchdog"
    This creates two files: cert.pem (public certificate) and key.pem (private key).
  2. In the Azure Portal, go to your App Registration → Certificates & secrets
  3. Select the Certificates tab and click Upload certificate
  4. Upload the cert.pem file
  5. Combine both files into a single PEM for DNS Watchdog:
    cat cert.pem key.pem > combined.pem
    The contents of combined.pem are what you'll paste into the Certificate PEM field in DNS Watchdog.

# Generate a self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
  -days 365 -nodes -subj "/CN=dns-watchdog"

# Upload the certificate to the app registration
# (without --append this replaces any credentials already on the app;
# add --append to keep existing ones, e.g. while rotating to a new certificate)
az ad app credential reset \
  --id <CLIENT_ID> \
  --cert @cert.pem

# Combine into a single PEM for DNS Watchdog (must include both certificate and private key)
cat cert.pem key.pem > combined.pem
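As an added check (not part of DNS Watchdog or the Azure CLI), this POSIX shell function verifies a combined.pem before it is pasted into the Certificate PEM field: the file must hold exactly one certificate and one private key, the key must belong to the certificate, and the certificate must not have expired. It assumes openssl is on PATH.

```shell
# check_combined_pem FILE
# Returns 0 when FILE holds exactly one certificate and one private key,
# the key matches the certificate, and the certificate is still valid.
# Assumes openssl is available (added example, not DNS Watchdog's own code).
check_combined_pem() {
  f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }

  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  if [ "$certs" -ne 1 ] || [ "$keys" -ne 1 ]; then
    echo "expected 1 certificate and 1 private key, found $certs and $keys" >&2
    return 1
  fi

  # Public key as embedded in the certificate ...
  cert_pub=$(awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$f" \
    | openssl x509 -noout -pubkey 2>/dev/null)
  # ... and as derived from the private key; the two must be identical.
  key_pub=$(awk '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/' "$f" \
    | openssl pkey -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match the certificate" >&2
    return 1
  fi

  # An expired certificate is rejected; one expiring within 30 days only
  # warns, so the app credential can be reset with a new cert in time.
  if ! awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$f" \
       | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo "certificate has expired" >&2
    return 1
  fi
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$f" \
    | openssl x509 -noout -checkend 2592000 >/dev/null 2>&1 \
    || echo "warning: certificate expires within 30 days" >&2
  return 0
}

# Usage: check_combined_pem combined.pem && echo "combined.pem looks good"
```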

Assigning Permissions

The service principal needs a role assignment to access your DNS zones.

  1. Navigate to the resource group (or individual DNS zone) containing your DNS zones
  2. In the left-hand menu, click Access control (IAM)
  3. Click Add → Add role assignment
  4. Search for Reader (for read-only access) or DNS Zone Contributor (for read-write access)
  5. Select the role and click Next
  6. Click Select members, search for the app name you created (e.g. dns-watchdog), select it, and click Select
  7. Click Review + assign

# Read-only access
az role assignment create \
  --assignee <CLIENT_ID> \
  --role "Reader" \
  --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>

# Read-write access
az role assignment create \
  --assignee <CLIENT_ID> \
  --role "DNS Zone Contributor" \
  --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>

You can scope to an individual DNS zone by appending /providers/Microsoft.Network/dnsZones/<ZONE_NAME> to the scope.

You can scope the role to:

  • A subscription — access to all DNS zones in the subscription
  • A resource group — access to all DNS zones in that group
  • An individual DNS zone — access to a single zone only

The narrower the scope, the better. If DNS Watchdog only needs access to a single resource group, scope the role there rather than at the subscription level.

Choose the role according to the access mode DNS Watchdog needs:

  • Read-only — assign the Reader role
  • Read-write — assign the DNS Zone Contributor role

Adding the Provider in DNS Watchdog

  1. Go to Settings → Providers → Add Provider
  2. Select Microsoft Azure DNS as the provider type
  3. Enter your Subscription ID, Tenant ID, Client ID, and paste the contents of combined.pem into the Certificate PEM field

[Screenshot: the Azure DNS credentials form showing Subscription ID, Tenant ID, Client ID, and Certificate PEM input fields]

  4. Choose your access mode (read-only or read-write)
  5. Click Save
