Documentation — ZoneRails

Getting Started

ZoneRails is a desktop app for managing DNS records across Cloudflare and Active Directory DNS. Download it from the downloads page, install, and launch.

First Launch

On first launch, you'll see the token setup screen. Choose your DNS provider:

Cloudflare — Enter a label and your API token
Active Directory DNS — Click "Or connect to Active Directory DNS"
ZoneRails Server — Click "Or connect to a ZoneRails Server"

Cloudflare API Token

Create a scoped API token at dash.cloudflare.com → My Profile → API Tokens → Create Token.

Required Permissions

Permission	Access	Purpose
Zone	Read	List zones
DNS	Read + Edit	Manage DNS records

Tip: Set the Zone Resources to "All zones" or specific zones you want to manage. Scoped tokens are more secure than Global API Keys.

Active Directory DNS

Connect to Windows DNS servers via WinRM (Windows Remote Management).

Field	Example	Notes
Label	DC01 — Corp DNS	Display name for the connection
Server Address	dc01.corp.local	DNS server hostname or IP
Port	5986	WinRM HTTPS port (default)
HTTPS	Checked	Use TLS for WinRM
Username	DOMAIN\admin	Domain credentials
Password	••••••	Domain password

Prerequisite: WinRM must be enabled on the DNS server. Run winrm quickconfig on the server if not configured.

AD DNS Zone Delegations

A zone delegation carves a subdomain out of a parent AD DNS zone and points it at a separate set of nameservers — commonly used to hand off a child zone (e.g. dev.example.com) to a different team, external provider, or DNS appliance while keeping the parent zone authoritative.

FlareHub exposes the full delegation lifecycle for AD DNS connections:

List — see all delegations in a selected parent zone, with their nameservers and glue IPs.
Create — add a child delegation with one or more nameservers; optional glue IPs are required when a nameserver is in-bailiwick (its hostname ends with the delegated child zone).
Delete — remove a delegation with a confirmation prompt; the NS records and glue records in the parent zone are removed together.

How to use

Switch to an AD DNS connection (the Delegations button on the DNS tab is only visible for AD DNS).
Click Delegations and select the parent zone from the dropdown.
Click New Delegation — enter the child name (e.g. dev becomes dev.example.com), add one or more nameservers, and optionally set glue IPs and a TTL. Click Create Delegation.
Existing delegations appear in the list with a Delete action.

Under the hood

FlareHub issues the standard Windows DNS PowerShell cmdlets over WinRM:

Add-DnsServerZoneDelegation -ZoneName <parent> -Name <child> -NameServer <ns,...> [-IPAddress <ip,...>]
Get-DnsServerZoneDelegation -Name <parent>
Remove-DnsServerZoneDelegation -ZoneName <parent> -Name <child> -Force

Works in both standalone mode (desktop → AD DNS directly via WinRM) and server-connected mode (desktop → ZoneRails Server → AD DNS). Audit entries land in the Activity Log with record type DELEGATION.

Cloudflare note: The Delegations UI is hidden for Cloudflare connections. To delegate a subdomain on Cloudflare, create NS records in the parent zone via the regular record editor.

Connect to ZoneRails Server

If your organization runs a ZoneRails Server, connect to it for shared DNS management, RBAC, and scheduled deployments.

Field	Example
Server URL	https://zonerails.corp.local:3000
Username	Your AD username or local account
Password	Your password

Click Test to verify connectivity before connecting. The app will auto-reconnect on subsequent launches.

Search & Browse

The Search tab lets you find DNS records across all your zones. Type a record name or content value and press Enter or click Search.

Recent Searches

The last 10 search terms are cached and shared between the main search and the deployment search. Click into the search box to see the dropdown, or start typing to filter. Click Clear history to wipe the cache. A clear button (X) appears inside the input when text is present.

Filters

Provider Filter — dropdown to show only Cloudflare or AD DNS records (appears when multiple providers are connected)

Results Table

Results show 50 records per page with pagination. Each row displays:

Column	Description
Provider	CF or AD badge
Type	Record type (A, AAAA, CNAME, etc.)
Name	Record name + tunnel/lock badges
Content	IP address, hostname, or value
Zone	Parent zone name
Proxied	Cloudflare proxy status
TTL	Time to live (Auto = 1)

Double-click a record to open it for editing. If no records match your search and the name belongs to a zone you own, a NEW row appears — double-click it to create the record. If the same zone exists on multiple providers (e.g. Cloudflare + AD DNS), you'll see one NEW row per provider with its badge so you can choose where to create.

For AD DNS zones, a DELEGATE row also appears — double-click it to create a zone delegation instead of a record.

Edit / Create / Delete

The Edit tab opens when you double-click a search result or click the NEW row to create a record.

Creating a Record

Search for the record name in Tab 1
If it doesn't exist, double-click the NEW row
Select the record type, fill in content and other fields
Click Create Record

Editing a Record

Search for the record in Tab 1
Double-click the record row
Modify the fields you want to change
Click Update Record

Deleting a Record

Open the record for editing (double-click from search)
Click Delete Record
Confirm the deletion

AD DNS-Specific Behavior

The Proxy status toggle is hidden for AD DNS zones (AD DNS doesn't support Cloudflare proxying)
The TTL defaults to 300 seconds (5 minutes) instead of Auto
A Create Delegation Instead button appears in the form footer — click it to create a zone delegation rather than a record
Advanced record types (HTTPS, SVCB, TLSA, etc.) are not supported for AD DNS

Note: All changes are logged in the Activity Log with before/after snapshots and can be rolled back.

Deployments

Deployments let you batch multiple DNS changes together and execute them as a single operation. This is safer than making changes one at a time.

Creating a Deployment

Go to the Deploy tab and click New Deployment
Give it a name and optional ticket number
Click Search to Add to find records
Double-click a record to add an edit or delete, or click the NEW row to add a create
Repeat for all changes needed

Executing a Deployment

Review all items in the deployment
Click Deploy Now
Confirm the changes in the dialog
Watch the progress view for per-item results
DNS verification runs automatically after deployment

Scheduling a Deployment

Click Schedule instead of Deploy Now. Pick a date and time. In server mode, the server executes it automatically. In standalone mode, the app must be open.

Pre-Flight Validation

Click Validate before deploying to run 8 checks per item without making any changes:

Connection — can we reach the provider?
Zone accessible — does the target zone exist?
Record exists (update/delete) — is the record still there?
Drift detection (update/delete) — has it been modified since the snapshot?
Content validation (create/update) — will the provider accept these values?
CNAME conflicts (create) — incompatible record type at the same name?
Duplicate detection (create) — does this record already exist?
Snapshot completeness (update/delete) — will rollback be possible?

Results show per-item pass/warning/error. Click items with issues to expand detailed check results. Fix any errors before deploying.

Real-Time Progress

During execution, the progress bar advances in three phases:

0–50% — Execution: each item's Status cell flips from Pending to Success/Failed in real-time
50–60% — Status review: a 3-second pause so you can read the results before verification begins
60–100% — Verification: DNS propagation checked per item (6 attempts, 10 seconds apart)

Viewing Results

Click any deployed, failed, partial, or rolled-back deployment in the list to see the results view with per-item status and DNS verification results. Click Verify DNS to re-check propagation.

Deployment Rollback

Click Rollback Deployment on any deployed or partial deployment to reverse all successful changes. The impact modal shows:

Per-item risk assessment: Safe, Modified (record changed since deployment), or No snapshot (item will be skipped)
Downstream deployments that later modified the same records
Click any risk badge to expand details showing before/current/deployed state

Rollback reverses items in reverse order (last change undone first) with a full audit trail. The deployment status changes to ROLLED BACK or PARTIAL ROLLBACK if some items fail.

Duplicate Prevention

Records already in the current deployment show an In Deployment badge in the deploy search results. Attempting to add the same record (name + type) twice is blocked with an error message. Records in other active deployments show In Draft or Scheduled badges and cannot be added.

Deployment Statuses

Status	Meaning
DRAFT	Changes planned but not yet executed
SCHEDULED	Scheduled to execute at a specific time
DEPLOYING	Currently executing changes
DEPLOYED	All changes applied successfully
FAILED	No changes applied — all failed
PARTIAL	Some changes succeeded, some failed
CANCELLED	User cancelled before execution
ROLLED BACK	All successful changes reversed
PARTIAL ROLLBACK	Some changes reversed, some rollback items failed

Connectors & Tunnels

The Connectors tab manages Cloudflare Tunnels, ingress rules, private network routes, and virtual networks.

Tunnels

View, create, and delete Cloudflare Tunnels. Each tunnel shows its health status, number of active connectors, and creation date. Click a tunnel to view its token and connector details.

Ingress Rules (Config)

Configure which hostnames route to which backend services through a tunnel. Each rule maps a hostname + optional path to a service URL.

Field	Example
Hostname	app.example.com
Service	http://127.0.0.1:8080
Path (optional)	^/api/.*$

Routes

Create routes to private networks via tunnels. Routes map CIDR blocks to tunnels and virtual networks.

Virtual Networks

Create and manage virtual networks (VNets) for organizing private network routes.

Activity Log

Every DNS change is logged with a full audit trail including before/after snapshots, the user who made the change, and a timestamp.

Filtering

Action Type — All, Create, Update, Delete
Search — Filter by record name

Rollback

Click the rollback button on any audit entry to restore the record to its previous state. The rollback itself is also logged in the activity log.

Export

Click Export to download the full audit log as a JSON file for compliance or archival.

Settings

Click the gear icon in the title bar to open the Settings drawer.

Connections

Manage your Cloudflare API tokens and AD DNS connections. Add, edit, switch, or remove connections. The active connection is shown with an ACTIVE badge.

Cache & Refresh

Cache TTL — How long zone/record data is cached locally (default: 5 minutes)
Auto-refresh — Toggle automatic data reload on a timer
Interval — Auto-refresh interval in minutes

License

Enter a Pro license key to unlock all features. Standard (free) tier is limited to a single zone.

Data & Privacy

Clear All Data removes all stored tokens, audit logs, DNS cache, and settings from the device.

ZoneOps: Record Protection

Mark critical DNS records as protected to prevent accidental modification or deletion. When editing a protected record, a confirmation dialog appears before any change is applied.

Toggle protection using the shield icon in the edit form footer.

ZoneOps: Conflict Detection

Before creating or updating a record, ZoneRails checks for conflicts:

CNAME conflicts — CNAME records cannot coexist with other record types at the same name
Duplicate detection — Warns about duplicate name + type combinations
MX validation — Warns if an MX record points to an IP address instead of a hostname

ZoneOps: Drift Detection

When editing a record, ZoneRails compares the loaded state against the current live state. If someone else changed the record since you loaded it, a drift warning appears so you don't accidentally overwrite their changes.

ZoneOps: Propagation Verification

After deploying DNS changes, ZoneRails verifies propagation:

Cloudflare (proxied records) — Verifies via the Cloudflare API that the record exists with the correct content
Cloudflare (DNS-only records) — Queries Cloudflare DNS-over-HTTPS (1.1.1.1) to confirm the record resolves correctly
AD DNS — Uses the system DNS resolver to verify propagation

Verification runs automatically after deployment (6 attempts over ~60 seconds) and can be triggered manually with the Verify DNS button. Cloudflare records are verified via the Cloudflare API (name + type existence check), which works reliably for all record types including proxied CNAMEs and MX records.

ZoneOps: Tunnel Guardrails

ZoneRails monitors your Cloudflare Tunnel DNS records for issues:

Orphaned records — DNS records pointing to tunnels that no longer exist
Dangling routes — Tunnel DNS records with no matching ingress rule
Health mapping — Shows tunnel health status on DNS records in search results

Orphan alerts appear in the status bar. Click to view and clean up affected records.

ZoneRails Server: Installation

ZoneRails Server is a self-hosted Node.js backend for enterprise teams. It requires Node.js 18+ and runs on Linux, Docker, or Windows.

Linux (systemd)

sudo ./install/install-linux.sh

This installs to /opt/zonerails-server, creates a zonerails user, and registers a systemd service.

systemctl status zonerails-server
systemctl restart zonerails-server
journalctl -u zonerails-server -f

Docker

docker-compose up -d

Volumes: /var/lib/zonerails (database), /var/log/zonerails (logs).

Windows

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
.\install\install-windows.ps1

Installs as a Windows Service at C:\ZoneRails-Server.

First Run

On first startup, the server:

Generates JWT secret and encryption key (saved to config.json)
Runs database migrations
Creates default roles (Admin, Operator, Deployer, Viewer)
Creates a local admin account (default: admin / admin)

Change the default admin password immediately via the web UI at http://server:3000.

ZoneRails Server: Configuration

Configuration is stored in config.json in the server directory. All settings can be overridden with environment variables.

{
  "port": 3000,
  "host": "0.0.0.0",
  "database": {
    "type": "sqlite",
    "path": "./data/zonerails.db"
  },
  "auth": {
    "type": "local",
    "jwt": {
      "expiresIn": "1h",
      "refreshExpiresIn": "7d"
    }
  },
  "cache": {
    "enabled": true,
    "refreshIntervalMinutes": 10
  },
  "websocket": {
    "enabled": true,
    "heartbeatIntervalMs": 30000
  },
  "scheduler": {
    "enabled": true
  }
}

Environment Variables

Variable	Default	Description
`ZR_PORT`	3000	Server port
`ZR_HOST`	0.0.0.0	Bind address
`ZR_DB_PATH`	./data/zonerails.db	Database file path
`ZR_AUTH_TYPE`	local	`local` or `active-directory`
`ZR_JWT_SECRET`	(auto-generated)	JWT signing secret
`ZR_ADMIN_PASS`	admin	Default admin password
`ZR_CACHE_INTERVAL`	10	Cache refresh interval (minutes)
`ZR_LDAP_URL`	—	LDAP server URL
`ZR_LDAP_BASE_DN`	—	LDAP base DN

ZoneRails Server: Active Directory

Set auth.type to "active-directory" in config.json to enable AD authentication. Local accounts still work alongside AD (hybrid auth).

{
  "auth": {
    "type": "active-directory",
    "ldap": {
      "url": "ldap://dc01.corp.local:389",
      "baseDN": "DC=corp,DC=local",
      "bindDN": "CN=svc-zonerails,OU=Service,DC=corp,DC=local",
      "bindPassword": "ServiceAccountPassword",
      "userSearchFilter": "(sAMAccountName={{username}})",
      "groupSearchBase": "OU=Groups,DC=corp,DC=local",
      "tlsOptions": { "rejectUnauthorized": false }
    }
  }
}

How AD Login Works

User enters AD credentials
Server binds to LDAP with service account
Searches for user by sAMAccountName
Re-binds as the user to verify password
Extracts group memberships from memberOf
Maps AD groups to ZoneRails roles (configured in admin UI)
Issues JWT with roles and permissions

If no AD groups are mapped, the user gets the Viewer role by default.

ZoneRails Server: Roles & Permissions

System Roles

Role	Permissions
Admin	`*` (full access)
Operator	`dns:`, `deploy:`, `audit:read`, `audit:rollback`, `connections:*`
Deployer	`dns:read`, `deploy:*`, `audit:read`, `connections:read`
Viewer	`dns:read`, `deploy:read`, `audit:read`, `connections:read`

Admins can create custom roles with any combination of permissions. Permission format: namespace:action (e.g., dns:create). Namespace wildcards are supported (e.g., dns:*).

ZoneRails Server: Admin Dashboard

Access the web-based admin dashboard at http://server:3000. Log in with admin credentials.

Sections

Users — Create local users, enable/disable accounts, reset passwords, assign roles, delete users
Roles — View system roles, create custom roles with granular permissions
AD Groups — Map Active Directory groups to ZoneRails roles for automatic role assignment on login
Connections — Add, edit, and delete DNS provider connections (Cloudflare API tokens, AD DNS servers). Credentials are encrypted at rest.
License — Activate, view, or remove the server license key. Register for a new license.

ZoneRails Server: REST API

The server exposes a full REST API. All endpoints (except /api/auth and /api/health) require a JWT token in the Authorization: Bearer header.

Key Endpoints

Method	Endpoint	Description
POST	`/api/auth/login`	Authenticate and get JWT
GET	`/api/dns/cached/all`	Get all cached zones and records
POST	`/api/dns/records`	Create a DNS record
PUT	`/api/dns/records/:id`	Update a DNS record
DELETE	`/api/dns/records/:id`	Delete a DNS record
GET	`/api/deployments`	List deployments
POST	`/api/deployments/:id/execute`	Execute a deployment
POST	`/api/deployments/:id/verify`	Verify DNS propagation
POST	`/api/deployments/:id/validate`	Pre-flight validation (8 checks per item)
GET	`/api/deployments/:id/rollback-impact`	Rollback impact analysis
POST	`/api/deployments/:id/rollback`	Execute deployment rollback
GET	`/api/audit`	Get audit log entries
POST	`/api/audit/:id/rollback`	Rollback a change
GET	`/api/admin/users`	List users (admin only)
GET	`/api/health`	Server health check

WebSocket endpoint: ws://server:3000/ws?token=JWT for real-time events.

Record Types Reference

FlareHub supports every DNS record type that Cloudflare's API exposes — from the nine common types with dedicated form fields down to the full set of RFC-defined advanced types via a structured-data editor.

Common types

Type	Content	Extra Fields	Proxyable
A	IPv4 address	—	Yes
AAAA	IPv6 address	—	Yes
CNAME	Target hostname	—	Yes
MX	Mail server hostname	Priority (0–65535)	No
TXT	Text content	—	No
NS	Nameserver hostname	—	No
SRV	Target hostname	Priority, Weight, Port	No
CAA	(assembled from fields)	Flags, Tag, CA Domain	No
PTR	Domain name	—	No

Advanced types (RFC-defined, structured-data editor)

Type	Purpose	Data Fields	Proxyable
CERT	Certificate storage (RFC 4398)	type, key_tag, algorithm, certificate	No
DNSKEY	DNSSEC public key (RFC 4034)	flags, protocol, algorithm, public_key	No
DS	Delegation signer (RFC 4034)	key_tag, algorithm, digest_type, digest	No
HTTPS	HTTPS service binding (RFC 9460)	priority, target, value (SvcParams)	No
LOC	Geographic location (RFC 1876)	lat/long degrees, minutes, seconds, direction, altitude, size, precision	No
NAPTR	Naming authority pointer (RFC 3403)	order, preference, flags, service, regex, replacement	No
OPENPGPKEY	OpenPGP public key (RFC 7929)	content (base64)	No
SMIMEA	S/MIME cert association (RFC 8162)	usage, selector, matching_type, certificate	No
SSHFP	SSH host key fingerprint (RFC 4255)	algorithm, type, fingerprint	No
SVCB	Service binding (RFC 9460)	priority, target, value (SvcParams)	No
TLSA	TLS cert association / DANE (RFC 6698)	usage, selector, matching_type, certificate	No
URI	URI resource identifier (RFC 7553)	priority, weight, target	No

About advanced types

Advanced record types use Cloudflare's structured data object (one field per column above) rather than a single content string. FlareHub's advanced editor renders one input per subfield, with a collapsible Edit as JSON escape hatch for power users who'd rather paste a full payload.

Validation is strict on presence and numeric ranges (all required fields must be populated; integer fields are range-checked), but format-level validation of certificate blobs, public keys, fingerprints, SvcParams, and NAPTR regex is delegated to Cloudflare's API — bad inputs surface through the standard error dialog. DNS-over-HTTPS propagation verification is skipped for advanced types, since record equality over DoH text-match isn't reliable.

Advanced types are Cloudflare-only. Active Directory DNS connections will reject any advanced type with a clear error message.

Badge Reference

Badge	Where	Meaning
CF	Search results	Cloudflare provider
AD	Search results	Active Directory DNS
In Draft	Record name	Record is in a draft deployment
Scheduled Apr 15	Record name	Record scheduled for deployment
Tunnel	Record name	Tunnel healthy
No route	Record name	Tunnel exists but no ingress rule matches
ORPHAN	Record name	Tunnel no longer exists
ACTIVE	Settings	Currently selected connection

Deployment Statuses

Status	Color	Description
Draft	Gray	Changes planned, not yet executed
Scheduled	Blue	Waiting for scheduled execution time
Deploying	Amber	Currently executing changes
Deployed	Green	All changes applied successfully
Partial	Orange	Some succeeded, some failed
Failed	Red	All changes failed
Cancelled	Gray	Cancelled by user before execution
Rolling Back	Red	Rollback in progress
Rolled Back	Gray	All successful changes reversed
Partial Rollback	Orange	Some items reversed, some rollback failed

Keyboard Shortcuts

Key	Action
`Enter` in search	Execute search
`Enter` in token setup	Save token
`Enter` in license field	Activate license
Double-click search result	Open record for editing
Double-click deploy search result	Add record to deployment