indisoluble · indisoluble · Feb 21, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/.github/workflows/test-docker.yml b/.github/workflows/test-docker.yml
@@ -29,34 +29,122 @@ jobs:
         # Verify the image was created
         docker images a-healthy-dns:test
 
-    - name: test docker image with minimal configuration
+    - name: test docker image with alias zone configuration
       run: |
-        # Start the DNS server in the background with minimal valid config
+        # Create an isolated network for deterministic container-to-container checks
+        docker network create --subnet 172.28.0.0/24 a-healthy-dns-test-net
+
+        # Start backend service that health checks can reach
+        docker run -d \
+          --name a-healthy-dns-backend \
+          --network a-healthy-dns-test-net \
+          --ip 172.28.0.10 \
+          nginx:alpine
+
+        # Start DNS server with hosted zone plus alias zones
         docker run -d \
           --name a-healthy-dns-test \
+          --network a-healthy-dns-test-net \
           -p 53053:53053/udp \
           -e DNS_HOSTED_ZONE="test.example.com" \
-          -e DNS_ZONE_RESOLUTIONS='{"www":{"ips":["127.0.0.1"],"health_port":80}}' \
+          -e DNS_ALIAS_ZONES='["test.other.com","test.another.com"]' \
+          -e DNS_ZONE_RESOLUTIONS='{"www":{"ips":["172.28.0.10"],"health_port":80}}' \
           -e DNS_NAME_SERVERS='["ns1.test.example.com"]' \
+          -e DNS_PORT="53053" \
+          -e DNS_TEST_MIN_INTERVAL="1" \
+          -e DNS_TEST_TIMEOUT="1" \
           -e DNS_LOG_LEVEL="debug" \
           a-healthy-dns:test
 
     - name: wait for dns server to start
       run: |
         # Wait a bit for the server to fully start
-        sleep 10
+        sleep 5
 
-        # Check if container is still running
+        # Check if containers are still running
+        docker ps | grep a-healthy-dns-backend
         docker ps | grep a-healthy-dns-test
 
     - name: test dns server functionality
       run: |
+        set -euo pipefail
+
         # Install dig for testing
         sudo apt-get update && sudo apt-get install -y dnsutils
-
-        # Test DNS query (should get a response, even if NXDOMAIN)
-        # Using timeout to avoid hanging
-        timeout 10s dig @127.0.0.1 -p 53053 www.test.example.com || echo "DNS query completed (expected behavior for test)"
+
+        DNS_HOST="127.0.0.1"
+        DNS_PORT="53053"
+        BACKEND_IP="172.28.0.10"
+        EXPECTED_NS="ns1.test.example.com."
+
+        wait_for_a_record() {
+          local fqdn="$1"
+          local answer
+
+          for _ in $(seq 1 20); do
+            answer="$(dig +short +time=1 +tries=1 @"${DNS_HOST}" -p "${DNS_PORT}" "${fqdn}" A)"
+            printf '%s\n' "${answer}" | grep -qx "${BACKEND_IP}" && {
+              echo "[OK] A ${fqdn}"
+              return 0
+            }
+            sleep 1
+          done
+
+          echo "[FAIL] A ${fqdn}"
+          dig +nocmd +noall +comments +answer @"${DNS_HOST}" -p "${DNS_PORT}" "${fqdn}" A || true
+          return 1
+        }
+
+        assert_dns_status() {
+          local fqdn="$1"
+          local rtype="$2"
+          local expected_status="$3"
+          local output
+          local actual_status
+
+          output="$(dig +time=1 +tries=1 +noall +comments @"${DNS_HOST}" -p "${DNS_PORT}" "${fqdn}" "${rtype}")"
+          actual_status="$(printf '%s\n' "${output}" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)"
+
+          if [ "${actual_status}" = "${expected_status}" ]; then
+            echo "[OK] ${rtype} ${fqdn} ${actual_status}"
+            return 0
+          fi
+
+          echo "[FAIL] ${rtype} ${fqdn} expected=${expected_status} got=${actual_status:-none}"
+          printf '%s\n' "${output}"
+          return 1
+        }
+
+        assert_ns_record() {
+          local zone="$1"
+          local ns_answer
+
+          ns_answer="$(dig +short +time=1 +tries=1 @"${DNS_HOST}" -p "${DNS_PORT}" "${zone}" NS)"
+          printf '%s\n' "${ns_answer}" | grep -qx "${EXPECTED_NS}" || {
+            echo "[FAIL] NS ${zone}"
+            printf '%s\n' "${ns_answer}"
+            exit 1
+          }
+          echo "[OK] NS ${zone}"
+        }
+
+        for fqdn in \
+          "www.test.example.com" \
+          "www.test.other.com" \
+          "www.test.another.com"; do
+          wait_for_a_record "${fqdn}"
+        done
+
+        for zone in \
+          "test.example.com" \
+          "test.other.com" \
+          "test.another.com"; do
+          assert_ns_record "${zone}"
+        done
+
+        assert_dns_status "www.test.other.com" "AAAA" "NOERROR"
+        assert_dns_status "missing.test.other.com" "A" "NXDOMAIN"
+        assert_dns_status "www.not-configured.example.org" "A" "NXDOMAIN"
 
     - name: test docker-compose configuration
       run: |
@@ -66,17 +154,22 @@ jobs:
           sudo apt-get install -y docker-compose
 
           # Validate the compose file syntax
-          docker-compose -f docker-compose.example.yml config > /dev/null && echo "✓ docker-compose.example.yml is valid"
+          docker-compose -f docker-compose.example.yml config > /dev/null && echo "[OK] docker-compose.example.yml is valid"
         else
           echo "docker-compose.example.yml not found"
         fi
 
     - name: cleanup
       if: always()
       run: |
-        # Stop and remove test container
+        # Stop and remove test containers
+        docker stop a-healthy-dns-backend || true
         docker stop a-healthy-dns-test || true
+        docker rm a-healthy-dns-backend || true
         docker rm a-healthy-dns-test || true
+
+        # Remove test network
+        docker network rm a-healthy-dns-test-net || true
 
         # Remove test image
         docker rmi a-healthy-dns:test || true
diff --git a/Dockerfile b/Dockerfile
@@ -63,15 +63,16 @@ ENV PATH="/home/appuser/.local/bin:$PATH" \
 WORKDIR /app
 
 # Default environment variables for all parameters
-ENV DNS_HOSTED_ZONE="" \
+ENV DNS_PORT="53" \
+    DNS_LOG_LEVEL="" \
+    DNS_HOSTED_ZONE="" \
+    DNS_ALIAS_ZONES="" \
     DNS_ZONE_RESOLUTIONS="" \
+    DNS_TEST_MIN_INTERVAL="" \
+    DNS_TEST_TIMEOUT="" \
     DNS_NAME_SERVERS="" \
-    DNS_PORT="53" \
-    DNS_LOG_LEVEL="info" \
-    DNS_TEST_MIN_INTERVAL="30" \
-    DNS_TEST_TIMEOUT="2" \
     DNS_PRIV_KEY_PATH="" \
-    DNS_PRIV_KEY_ALG="RSASHA256"
+    DNS_PRIV_KEY_ALG=""
 
 # Expose the default DNS port (static at build time)
 EXPOSE 53/udp
@@ -94,16 +95,33 @@ ENTRYPOINT ["tini", "--", "sh", "-c", "\
     echo 'Error: DNS_NAME_SERVERS environment variable is required'; \
     exit 1; \
     fi; \
-    ARGS=\"--hosted-zone $DNS_HOSTED_ZONE\"; \
-    ARGS=\"$ARGS --zone-resolutions $DNS_ZONE_RESOLUTIONS\"; \
-    ARGS=\"$ARGS --ns $DNS_NAME_SERVERS\"; \
-    ARGS=\"$ARGS --port $DNS_PORT\"; \
+    ARGS=\"--port $DNS_PORT\"; \
+    if [ -n \"$DNS_LOG_LEVEL\" ]; then \
     ARGS=\"$ARGS --log-level $DNS_LOG_LEVEL\"; \
+    fi; \
+    if [ -n \"$DNS_HOSTED_ZONE\" ]; then \
+    ARGS=\"$ARGS --hosted-zone $DNS_HOSTED_ZONE\"; \
+    fi; \
+    if [ -n \"$DNS_ALIAS_ZONES\" ]; then \
+    ARGS=\"$ARGS --alias-zones $DNS_ALIAS_ZONES\"; \
+    fi; \
+    if [ -n \"$DNS_ZONE_RESOLUTIONS\" ]; then \
+    ARGS=\"$ARGS --zone-resolutions $DNS_ZONE_RESOLUTIONS\"; \
+    fi; \
+    if [ -n \"$DNS_TEST_MIN_INTERVAL\" ]; then \
     ARGS=\"$ARGS --test-min-interval $DNS_TEST_MIN_INTERVAL\"; \
+    fi; \
+    if [ -n \"$DNS_TEST_TIMEOUT\" ]; then \
     ARGS=\"$ARGS --test-timeout $DNS_TEST_TIMEOUT\"; \
+    fi; \
+    if [ -n \"$DNS_NAME_SERVERS\" ]; then \
+    ARGS=\"$ARGS --ns $DNS_NAME_SERVERS\"; \
+    fi; \
     if [ -n \"$DNS_PRIV_KEY_PATH\" ]; then \
     ARGS=\"$ARGS --priv-key-path $DNS_PRIV_KEY_PATH\"; \
     fi; \
+    if [ -n \"$DNS_PRIV_KEY_ALG\" ]; then \
     ARGS=\"$ARGS --priv-key-alg $DNS_PRIV_KEY_ALG\"; \
+    fi; \
     echo \"Starting a-healthy-dns with arguments: $ARGS\"; \
     exec a-healthy-dns $ARGS"]
diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ This ensures that DNS queries only return healthy endpoints, providing automatic
 
 - **Health Checking**: Continuously monitors IP addresses via TCP connectivity tests
 - **Dynamic Updates**: Automatically updates DNS zones based on health check results
+- **Multi-Domain Support**: Serve multiple domains with the same records without duplicating health checks
 - **Configurable TTL**: TTL calculation based on health check intervals
 - **Threaded Operations**: Background health checking
 - **Multiple Records**: Support for multiple IP addresses per subdomain with individual health tracking
@@ -120,6 +121,7 @@ a-healthy-dns \
 - `--test-min-interval`: Minimum interval between connectivity tests in seconds (default: 30)
 - `--test-timeout`: Maximum time to wait for health check response in seconds (default: 2)
 - `--log-level`: Logging level (debug, info, warning, error, critical) (default: info)
+- `--alias-zones`: Additional domain names that resolve to the same records as the hosted zone (JSON array, default: [])
 
 #### DNSSEC Parameters
 
@@ -161,6 +163,23 @@ The `--zone-resolutions` parameter accepts a JSON object with the following stru
 - Health checks run continuously in the background at the configured interval
 - TTL values are automatically calculated based on health check intervals
 
+### Multi-Domain Support
+
+The DNS server supports serving multiple domains that resolve to the same IP addresses without duplicating health checks. This is achieved through the `--alias-zones` parameter:
+
+```bash
+a-healthy-dns \
+  --hosted-zone primary.com \
+  --alias-zones '["alias1.com", "alias2.com"]' \
+  --zone-resolutions '{"www": {"ips": ["192.168.1.100"], "health_port": 8080}}' \
+  --ns '["ns1.primary.com"]'
+```
+
+With this configuration:
+- `www.primary.com` → resolves to `192.168.1.100`
+- `www.alias1.com` → resolves to `192.168.1.100` (same IP)
+- `www.alias2.com` → resolves to `192.168.1.100` (same IP)
+
 ### Example Deployment
 
 For a deployment serving `example.com`:
@@ -232,6 +251,7 @@ docker-compose up -d
 - `DNS_LOG_LEVEL`: Logging level (default: info)
 - `DNS_TEST_MIN_INTERVAL`: Minimum interval between connectivity tests in seconds (default: 30)
 - `DNS_TEST_TIMEOUT`: Timeout for each connection test in seconds (default: 2)
+- `DNS_ALIAS_ZONES`: Additional domain names that resolve to the same records (JSON array, default: [])
 - `DNS_PRIV_KEY_PATH`: Path to DNSSEC private key PEM file
 - `DNS_PRIV_KEY_ALG`: DNSSEC private key algorithm (default: RSASHA256)
 

diff --git a/docker-compose.example.yml b/docker-compose.example.yml
@@ -11,16 +11,17 @@ services:
       DNS_HOSTED_ZONE: "example.com"
       DNS_ZONE_RESOLUTIONS: '{"www":{"ips":["192.168.1.100","192.168.1.101"],"health_port":8080},"api":{"ips":["192.168.1.102"],"health_port":8000}}'
       DNS_NAME_SERVERS: '["ns1.example.com", "ns2.example.com"]'
-      
+
       # Optional parameters (with their default values)
       # DNS_PORT: "53053"
       # DNS_LOG_LEVEL: "info"
+      # DNS_ALIAS_ZONES: '[]'
       # DNS_TEST_MIN_INTERVAL: "30"
       # DNS_TEST_TIMEOUT: "2"
-      # DNS_PRIV_KEY_ALG: "RSASHA256"
-
-      # Optional DNSSEC private key path (if you have one)
+
+      # Optional DNSSEC parameters (if you have one)
       # DNS_PRIV_KEY_PATH: "/app/keys/private.pem"
+      # DNS_PRIV_KEY_ALG: "RSASHA256"
 
     # volumes:
       # Mount a directory for DNSSEC keys (optional)