# Security API Reference

NetBird extends the management REST API with fields for AES tunnel configuration, DSKE security hubs, and peer security status.
## Account Settings

### AES DNS Domain

Configure the DNS domain used for AES IP resolution.

Endpoint: `PUT /api/accounts/{accountId}`

Request body:

```json
{
  "settings": {
    "aes_dns_domain": "secure.myorg.com"
  }
}
```

Response (settings section):

```json
{
  "settings": {
    "dns_domain": "netbird.cloud",
    "aes_dns_domain": "secure.myorg.com"
  }
}
```

Behavior:

- If empty or unset, defaults to `aes.<dns_domain>`
- Can be overridden per-account via this API
- The management server flag `--aes-dns-domain` sets the default for all accounts
- Changes are logged as `account.aes.dns.domain.update` activity events

Precedence (highest first):

- Per-account API setting
- Management server CLI flag
- Automatic default
## Peer Fields

The following fields are added to peer responses for AES and DSKE features.

Endpoints: `GET /api/peers`, `GET /api/peers/{id}`, `PUT /api/peers/{id}`

### Response Fields

| Field | Type | Description |
|---|---|---|
| `aes_ip` | string \| null | AES WireGuard IP address allocated by the management server. Null if the peer has no AES IP. |
| `aes_exempt` | boolean \| null | Whether this peer bypasses the AES tunnel. AES-exempt peers use single-layer WireGuard encryption. |
| `dske_security_hub` | boolean \| null | Whether this peer operates as a DSKE security hub. Hub peers are automatically AES-exempt. |
| `aes_dns_label` | string \| null | Fully-qualified domain name in the AES DNS zone. Null if the peer has no AES IP, is AES-exempt, or the account has no AES DNS domain. |
### Example Peer Response

```json
{
  "id": "abc123",
  "name": "my-server",
  "ip": "100.64.0.1",
  "aes_ip": "100.64.128.1",
  "aes_exempt": false,
  "dske_security_hub": false,
  "aes_dns_label": "my-server.aes.netbird.cloud",
  "connected": true,
  ...
}
```
### Updating Peer Security Properties

```bash
# Mark a peer as AES-exempt
curl -X PUT "https://management.example.com/api/peers/{peerId}" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"aes_exempt": true}'

# Mark a peer as a security hub
curl -X PUT "https://management.example.com/api/peers/{peerId}" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"dske_security_hub": true}'
```
### Peer Type Summary

| Configuration | AES IP | AES Tunnel | DSKE Role |
|---|---|---|---|
| `aes_exempt: false`, `dske_security_hub: false` | Allocated | Active (`aes0`) | Key exchange participant |
| `aes_exempt: true` | None | Bypassed | Not active |
| `dske_security_hub: true` | None | Bypassed (auto-exempt) | Hub provisioner |
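Because every AES-exempt peer and every hub falls back to single-layer WireGuard, operators usually want a periodic list of those exceptions and a check that each peer's `aes_ip` agrees with its flags. The script below is an added example written for this page, not NetBird's own tooling: it encodes the Peer Type Summary table as a classifier, runs it over a constructed sample of `GET /api/peers` output, and can optionally pull live data when the (assumed) environment variables `NB_URL` and `NB_TOKEN` are set. Peer ids, names and addresses in the sample are made up.

```python
import json
import os
import urllib.request

# Constructed sample of GET /api/peers output, reduced to the fields this
# example needs; ids, names and addresses are made up for illustration.
SAMPLE_PEERS = [
    {"id": "abc123", "name": "my-server", "ip": "100.64.0.1",
     "aes_ip": "100.64.128.1", "aes_exempt": False, "dske_security_hub": False},
    {"id": "def456", "name": "legacy-printer", "ip": "100.64.0.2",
     "aes_ip": None, "aes_exempt": True, "dske_security_hub": False},
    {"id": "ghi789", "name": "hub-eu-1", "ip": "100.64.0.3",
     "aes_ip": None, "aes_exempt": None, "dske_security_hub": True},
]


def classify_peer(peer):
    """Map aes_exempt / dske_security_hub to the matching row of the
    Peer Type Summary table: (AES IP, AES tunnel, DSKE role).
    Hubs are checked first because they are auto-exempt regardless of
    what aes_exempt says (null or true)."""
    if peer.get("dske_security_hub"):
        return ("None", "Bypassed (auto-exempt)", "Hub provisioner")
    if peer.get("aes_exempt"):
        return ("None", "Bypassed", "Not active")
    return ("Allocated", "Active (aes0)", "Key exchange participant")


def peers_bypassing_aes(peers):
    """Peers whose traffic is not carried inside the AES tunnel (exempt peers
    and hubs): the exception list an operator should review regularly."""
    return [p for p in peers if classify_peer(p)[1] != "Active (aes0)"]


def inconsistent_peers(peers):
    """Return ids of peers whose aes_ip disagrees with their flags: a normal
    peer should hold an AES IP, an exempt peer or hub should not (table rows)."""
    bad = []
    for p in peers:
        expects_ip = classify_peer(p)[0] == "Allocated"
        has_ip = p.get("aes_ip") is not None
        if expects_ip != has_ip:
            bad.append(p["id"])
    return bad


def fetch_peers(base_url, token):
    """Live GET /api/peers with a bearer token (not used by the sample data)."""
    req = urllib.request.Request(
        f"{base_url}/api/peers",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    peers = SAMPLE_PEERS
    if os.environ.get("NB_TOKEN"):  # assumed variable names, not NetBird's
        peers = fetch_peers(os.environ.get("NB_URL", "https://management.example.com"),
                            os.environ["NB_TOKEN"])
    for p in peers_bypassing_aes(peers):
        _, tunnel, role = classify_peer(p)
        print(f"{p['id']:8} {p['name']:16} tunnel={tunnel:24} role={role}")
    mismatched = inconsistent_peers(peers)
    if mismatched:
        print("peers whose aes_ip does not match their flags:", mismatched)
```

Run it without a token to see the sample output; with `NB_TOKEN` set it reports on the live peer list. A non-empty result from `inconsistent_peers` is worth a look, since the table says an exempt peer or hub should not be holding an AES address.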
## AES DNS Zone

The management server generates DNS zones for both WireGuard and AES IPs:

| Zone | Records For | Excluded Peers |
|---|---|---|
| Standard DNS domain | All peers with WireGuard IPs | None |
| AES DNS domain | Peers with AES IPs that are not AES-exempt | AES-exempt peers, security hubs, peers without AES IP |

Reverse DNS (PTR records) for the AES IP range is generated automatically on the client side.
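The domain precedence from the Account Settings section and the zone exclusion rules in the table above are small enough to model exactly, which makes it easy to predict what `aes_dns_label` a peer will get before touching the API. The block below is an added example written for this page, not NetBird's zone generator: `effective_aes_dns_domain` applies the documented precedence, `aes_dns_label` applies the documented null rule, `build_zones` produces both zones from a constructed peer list, and `ptr_name` shows the `in-addr.arpa` owner name a client-side PTR record for an AES address would use (via the standard library's `reverse_pointer`). Sample names and addresses are made up.

```python
import ipaddress

# Constructed sample peers; the fourth one carries an aes_ip despite being
# exempt, to show that the exclusion rule wins over the presence of an address.
SAMPLE_PEERS = [
    {"name": "my-server", "ip": "100.64.0.1", "aes_ip": "100.64.128.1",
     "aes_exempt": False, "dske_security_hub": False},
    {"name": "legacy-printer", "ip": "100.64.0.2", "aes_ip": None,
     "aes_exempt": True, "dske_security_hub": False},
    {"name": "hub-eu-1", "ip": "100.64.0.3", "aes_ip": None,
     "aes_exempt": None, "dske_security_hub": True},
    {"name": "odd-one", "ip": "100.64.0.4", "aes_ip": "100.64.128.4",
     "aes_exempt": True, "dske_security_hub": False},
]


def effective_aes_dns_domain(dns_domain, account_setting=None, cli_flag=None):
    """Documented precedence: per-account API setting, then the
    --aes-dns-domain server flag, then the automatic aes.<dns_domain>."""
    if account_setting:
        return account_setting
    if cli_flag:
        return cli_flag
    return f"aes.{dns_domain}"


def aes_dns_label(peer, aes_domain):
    """FQDN in the AES zone, or None when the peer has no AES IP, is exempt,
    is a hub, or the account has no AES DNS domain."""
    if not aes_domain or peer.get("aes_ip") is None:
        return None
    if peer.get("aes_exempt") or peer.get("dske_security_hub"):
        return None
    return f"{peer['name']}.{aes_domain}"


def build_zones(peers, dns_domain, aes_domain):
    """Return (standard_zone, aes_zone) as dicts mapping FQDN -> address.
    The standard zone lists every peer with a WireGuard IP; the AES zone
    applies the exclusions from the table."""
    standard = {f"{p['name']}.{dns_domain}": p["ip"] for p in peers if p.get("ip")}
    aes = {}
    for p in peers:
        label = aes_dns_label(p, aes_domain)
        if label:
            aes[label] = p["aes_ip"]
    return standard, aes


def ptr_name(ip):
    """Reverse-DNS owner name for an address, e.g.
    100.64.128.1 -> 1.128.64.100.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    domain = effective_aes_dns_domain("netbird.cloud")  # -> aes.netbird.cloud
    standard, aes = build_zones(SAMPLE_PEERS, "netbird.cloud", domain)
    print("standard zone:", standard)
    print("aes zone:", aes)
    for fqdn, addr in aes.items():
        print(f"{ptr_name(addr)} PTR {fqdn}")
```

Feeding the same peer list through with `account_setting="secure.myorg.com"` reproduces the labels an account would see after the `PUT /api/accounts/{accountId}` call shown earlier, which is a cheap way to confirm a domain change before applying it.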
## Activity Events

| Event | Trigger |
|---|---|
| `account.aes.dns.domain.update` | AES DNS domain changed via API |

Event metadata includes `old_aes_dns_domain` and `new_aes_dns_domain` values.