Docker - DNS Server
What Is DNS and How Does It Work – A Comprehensive Guide
I have been using Bind9 as my home LAN DNS for the past few years. I originally operated it on bare metal on my home router computer. In mid 2023 I successfully moved my Bind9 primary instance to my main home server in a container and created a slave instance in a container running on my home router computer. I created a Docker Bind9 Image using base Docker Alpine Linux images, with S6 init system.
Linux setup to forward packets
[This probably needs to be moved and consolidated elsewhere and then highlevel only reference here]
The main router must be set to forward packets!
It would seem that as of Debian 13 the /etc/sysctl.conf file is not longer used, and is deleted on upgrade, including any user changes. Instead overrides must be copied into *.conf files in /etc/sysctl.d/. Normally user conf files in *.d directories are not affected by upgrades.
The command sudo sysctl -a | less can be used to list all current kernel parameters and their current setting, or sudo sysctl net.ipv4.ip_forward to list a specific one.
sudo vim /etc/sysctl.d/ip_forward.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1
net.ipv6.conf.all.forwarding=1
After applying these changes reboot or apply setting using sudo sysctl -p /etc/sysctl.d/ip_forward.conf (Note that sudo sysctl -p defaults to using /etc/sysctl.conf and will error if this file is not available.)
The boot systemctl reads the following configuration files to adjust kernel parameters at boot:
References
Bind9 Controls
/usr/sbin/named -f to start the isc-bind9 application called named,
-f to run in foreground (needed for running with s6)
-4 to run ipv4 only, I am using dual stack now, so this option is not required
rndc stop to stop named - need to implement this in S6
rndc reload to reload the named configuration files
named-checkconf /etc/bind/named.conf
named-checkzone kptree.net /etc/bind/db.kptree.net
named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.1.168.192
cat /log/named/bind.log to list bind log file
-
rndc dumpdb -zones
cat /var/bind/named_dump.db to see the database dump
named-checkconf -l does this option still exist?
named-checkconf -p for a flatened uncomment listing of the configuration files
I have setup a primary DNS server and secondary slave DNS server.
The primary
DNS server runs on my main home server, it is the master
The secondary
DNS server runs on my router, it is set up as a slave server from the primary server and reads the zone files from the master when available.
bind9 Docker setup
bind9 config files
I am basically running a caching and forwarding local DNS. The caching and forwarding should allow improved overall DNS performance. The local DNS also provides local LAN DNS services. The DNS service is only accessible on the LAN. The main router fire wall excludes unsolicited external WAN DNS queries to the LAN.
I breakdown the /etc/bind/named.conf configuration file such that it points to 3 separate sub configuration files. As I am not running a recursive DNS the recursive configuration file is not referenced.
/etc/bind/name.conf
// Default contents of /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
/etc/bind/name.conf.options
acl "trusted" {
192.168.1/24;
127.0.0.1;
localhost;
localnets;
::1;
fe80::/64;
2404:e80:943d:178::/64;
};
tls quad9-tls { remote-hostname "dns.quad9.net"; };
tls cloudflare-tls { remote-hostname "one.one.one.one"; };
tls google-tls { remote-hostname "dns.google"; };
options {
directory "/var/bind";
auth-nxdomain no; # conform to RFC1035
// dnssec-validation auto; //set to auto by default
//bind now uses dnssec by default
recursion yes;
allow-recursion {
trusted;
};
/* forwarders {
//quad9 with basic malware blocking, no ECS
9.9.9.9;
149.112.112.112;
2620:fe::fe;
2620:fe::9;
//Cloudflare basic
//1.1.1.1;
//1.0.0.1;
//Cloudflare with basic malware blocking
1.1.1.2;
1.0.0.2;
2620:4700:4700::1111;
2620:4700:4700::1001;
//Opendns basic
208.67.222.222;
208.67.220.220;
2620:0:ccc::2;
2620:0:ccd::2;
}; */
forwarders port 853 {
9.9.9.9 tls quad9-tls;
149.112.112.112 tls quad9-tls;
2620:fe::fe tls quad9-tls;
2620:fe::9 tls quad9-tls;
1.1.1.1 tls cloudflare-tls;
1.0.0.1 tls cloudflare-tls;
2606:4700:4700::1111 tls cloudflare-tls;
2606:4700:4700::1001 tls cloudflare-tls;
8.8.8.8 tls google-tls;
8.8.4.4 tls google-tls;
2001:4860:4860::8844 tls google-tls;
2001:4860:4860::8888 tls google-tls;
};
allow-query {
trusted;
};
allow-transfer {
trusted;
};
//listen-on { any; };
//listen-on-v6 { none; };
};
logging {
channel bind.log {
file "/var/log/named/bind.log" versions 10 size 20m;
severity notice;
print-category yes;
print-severity yes;
print-time yes;
};
category queries { bind.log; };
category default { bind.log; };
category config { bind.log; };
};
/etc/bind/name.conf.local
// key "rndc-key" {
// algorithm hmac-md5;
// secret "LBLC2Dg8v6hYNE/ecnd6Ag==";
// };
zone "kptree.net" {
type master;
file "/etc/bind/db.kptree.net";
allow-transfer { trusted; };
also-notify { 192.168.1.2; };
// allow-update { key rndc-key; };
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.1.168.192";
allow-transfer { trusted; };
also-notify { 192.168.1.2; };
// allow-update { key rndc-key; };
};
/etc/bind/name.conf.default-zones
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
NOT USED, as not running a recursive DNS: /etc/bind/name.conf.recursive
// Copy this file to /etc/bind/named.conf if you want to run bind as a
// recursive DNS resolver. If you want to run an authoritative nameserver
// instead, see /etc/bind/named.conf.authoritative.
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a starting point for running a recursive resolver.
//
//
// *** IMPORTANT ***
// You should note that running an open DNS resolver (that is, a resolver which
// answers queries from any globally routable IP) makes the resolver vulnerable
// to abuse in the form of reflected DDoS attacks.
//
// These attacks are now widely prevalent on the open internet. Even if
// unadvertised, attackers can and will find your resolver by portscanning the
// global IPv4 address space.
//
// In one case the traffic generated using such an attack reached 300 Gb/s (!).
//
// It is therefore imperative that you take care to configure the resolver to
// only answer queries from IP address space you trust or control. See the
// "allow-recursion" directive below.
//
// Bear in mind that with these attacks, the "source" of a query will actually
// be the intended target of a DDoS attack, so this only protects other networks
// from attack, not your own; ideally therefore you should firewall DNS traffic
// at the borders of your network to eliminate spoofed traffic.
//
// This is a complex issue and some level of understanding of these attacks is
// advisable before you attempt to configure a resolver.
options {
directory "/var/bind";
// Specify a list of CIDR masks which should be allowed to issue recursive
// queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
allow-recursion {
127.0.0.1/32;
};
// If you want this resolver to itself resolve via means of another recursive
// resolver, uncomment this block and specify the IP addresses of the desired
// upstream resolvers.
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};
// By default the resolver will attempt to perform recursive resolution itself
// if the forwarders are unavailable. If you want this resolver to fail outright
// if the upstream resolvers are unavailable, uncomment this directive.
//forward only;
// Configure the IPs to listen on here.
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
// If you have problems and are behind a firewall:
//query-source address * port 53;
pid-file "/var/run/named/named.pid";
// Removing this block will cause BIND to revert to its default behaviour
// of allowing zone transfers to any host (!). There is no need to allow zone
// transfers when operating as a recursive resolver.
allow-transfer { none; };
};
// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
bind9 docker image
I use the s6 rc system.
Notes
I never had much success with the S6_KEEP_ENV when I played around with this earlier.
Some of the packages are handy for debugging the container, but not required for normal package operation. Hence these are commented out.
Dockerfile
FROM alpine:latest
ARG S6_OVERLAY_VERSION=3.1.6.2
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz
#ENV S6_KEEP_ENV=1
#this keeps the environment variables
ENTRYPOINT ["/init"]
#add UID & GID
RUN \
addgroup -g 99 named && \
adduser -G named -u 99 -G named -D -S -h /dev/null named
RUN apk update && \
apk --no-cache add \
bind \
bind-dnssec-tools \
&& \
apk upgrade
#util-linux \
#vim \
#less \
COPY user/* /etc/s6-overlay/s6-rc.d/user/contents.d/
COPY s6-rc.d /etc/s6-overlay/s6-rc.d/
EXPOSE 53/tcp
EXPOSE 53/udp
EXPOSE 953/tcp
docker compose
A key point is the docker network is in host mode. (The ports are opened directly on the host and not routed from the docker internal network.)
docker-compose.yml
---
services:
bind:
build: ./
image: bind:latest
tty: true
stdin_open: true
container_name: kptr-dns-1
restart: 'always' # always | unless-stopped | no | on-failure [:max-retries]
volumes:
- '/mnt/docker_store/bind9/.config:/app/'
- '/mnt/docker_store/bind9/.config/etc/bind:/etc/bind/'
- '/mnt/docker_store/bind9/.config/var/bind:/var/bind/'
- '/mnt/docker_store/bind9/.config/var/log:/var/log/'
network_mode: host
command: /bin/sh
DNSSEC
My local DNS server is a recursive caching type only. It take local (LAN) DNS queries and answers directly for any LAN name resolution, checks the cache for any external name resolution and then if not found locally or in cache checks the specified external DNS servers to resolve names. My DNS server is not setup as a public DNS server and is not publicly accessible. Hence DNSSEC is not relevant for this local DNS server query validation.
For external name resolution Bind9 basically now defaults to automatic use of DNSSEC. This can be validated with (How To Test A Recursive Server) using:
dig @192.168.1.14 ftp.isc.org. A +dnssec +multiline, the query return flag
ad indicates the
DNS answer returned a validated answer.
-
Equally important the following commands helps confirm that invalid DNS queries have failed and do not rerun invalid IP address, which would be security risk. If dig @192.168.1.14 www.dnssec-failed.org A receives status: SERVFAIL then dig @192.168.1.14 www.dnssec-failed.org A +cd will disable DNSSEC and return the IP address showing that the SERVFAIL occurred due to DNSSEC failure.
Basic Bind9 DNSSEC configuration options
The option (in /etc/bind/named.conf.options) dnssec-enable yes; is no longer valid and use will cause configuration error. DO NOT USE! DNSSEC is enabled by default.
The option dnssec-validation is set default to auto. The other setting options are yes and no. No action is required, if the option is not specified in the configuration file it is set to auto by default.
So I do not need to do any configuration for DNSSEC to function on external queries.
reference
DNS over TLS (DoT)
DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response. DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks.
Bind9 circa version 9.20 allows used of TLS forwarders, e.g.
/etc/named.conf
tls cloudflare-tls { remote-hostname "one.one.one.one"; };
tls quad9-tls { remote-hostname "dns.quad9.net"; };
tls google-tls { remote-hostname "dns.google"; };
options {
...
forwarders port 853 {
1.1.1.1 tls cloudflare-tls;
1.0.0.1 tls cloudflare-tls;
2606:4700:4700::1111 tls cloudflare-tls;
2606:4700:4700::1001 tls cloudflare-tls;
9.9.9.9 tls quad9-tls;
149.112.112.112 tls quad9-tls;
2620:fe::fe tls quad9-tls;
2620:fe::9 tls quad9-tls;
8.8.8.8 tls google-tls;
8.8.4.4 tls google-tls;
2001:4860:4860::8844 tls google-tls;
2001:4860:4860::8888 tls google-tls;
};
};
reference
Testing DNS
My local recursive servers are ns1.local.kptree.net and ns2.local.kptree.net, which are on separate serves on the local network. These DNS servers are for local LAN use only and cannot and should not be accessible from outside the LAN.
Using host command:
host ns1.local.kptree.net ns2.local.kptree.net - if both local name servers are running to cross check
host ns2.local.kptree.net ns1.local.kptree.net - if both local name servers are running to cross check
host google.com ns1.local.kptree.net - an external services via local name server
host -t A mail.kptree.net 9.9.9.9 - remote address to local hosted external services via an external name server
use flag -t A or -t AAAA to only return IP4 or IP6 results only respectively. Otherwise both are returned.
Using delv:
delv @ns2.local.kptree.net ns1.local.kptree.net - if both local name servers are running to cross check
delv @ns1.local.kptree.net ns2.local.kptree.net - if both local name servers are running to cross check
delv @ns2.local.kptree.net google.com - an external services via local name server
delv @1.1.1.1 mail.kptree.net - remote address to local hosted external services via an external name server
Using dig:
dig @ns2.local.kptree.net -p 53 ns1.local.kptree.net any
dig @ns2.local.kptree.net -p 53 kptree.net any
dig @ns2.local.kptree.net -tAXFR kptree.net gave me the full name list from ns2.local.kptree.net
dig @ns1.local.kptree.net -tAXFR kptree.net gave me the full name list from ns1.local.kptree.net
Note that bind9 needs to be setup to allow-transfer from the requesting ip address, I include my
LAN address range in the bind9 acl.
To find the version of bind9 used, anywhere from the LAN:
Public DNS Provideders
DDNS
DDNS (Dynamic DNS) is used to update the DNS server with the DHCP assignments. I previously used this with ISC Bind9 and ISC DHCP server. I did not like how the updates changed my bind9 zone configuration file. Basically the dynamic entries would be added randomly throughout the zone file. I would prefer if my static assignments were in a separate file to the dynamic ones, however I am not sure if this configuration is possible.
To further complicate matters I have 2 Bind9 servers in a master-slave configuration across to separate computers on my LAN as well as 2 separate Kea DHCP servers in a primary-secondary back-up configuration also on 2 separate computers on my LAN. This has worked really well for me. If one DNS or DHCP server are not functional my LAN operates well, previously without backup is the DNS or DHCP servers were not operational the LAN would loose functionality. I would need DDNS to function correctly within my backup DNS and DHCP configurations.
References
KPTree.net's bare metal implementation of
dns - dhcp, based upon ISC Bind9 and DHCP on Debian 10
(was originally Ubuntu).
-
-
-
-
-
-
-
-
-
-
-