Docker - DNS Server

What Is DNS and How Does It Work – A Comprehensive Guide
I have been using Bind9 as my home LAN DNS for the past few years. I originally operated it on bare metal on my home router computer. In mid 2023 I successfully moved my Bind9 primary instance to my main home server in a container and created a slave instance in a container running on my home router computer. I created a Docker Bind9 Image using base Docker Alpine Linux images, with S6 init system.

The main router must be set to forward packets! The ability to forward packets must be set / allowed, edit or add the following parameters in sudo vim /etc/sysctl.conf:

• net.ipv4.ip_forward = 1
• net.ipv4.conf.all.proxy_arp = 1
• sudo sysctl net.ipv6.conf.all.forwarding=1 similar for ipv6

After applying these changes reboot or apply setting using sudo sysctl -p /etc/sysctl.conf

• How to make IP forwarding permanent?

• /usr/sbin/named -f -4 to start the isc-bind9 application called named,
  • -f to run in foreground (needed for running with s6)
  • -4 to run ipv4 only
• rndc stop to stop named - need to implement this in S6
• rndc reload to reload the named configuration files
• named-checkconf /etc/bind/named.conf
• named-checkzone kptree.net /etc/bind/db.kptree.net
• named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.1.168.192
• cat /log/named/bind.log to list bind log file
• From Listing all zones loaded in BIND
  • rndc dumpdb -zones
  • cat /var/bind/named_dump.db to see the database dump
  • named-checkconf -l does this option still exist?
  • named-checkconf -p for a flatened uncomment listing of the configuration files

I have setup a primary DNS server and secondary slave DNS server.

• The primary DNS server runs on my main home server, it is the master
• The secondary DNS server runs on my router, it is set up as a slave server from the primary server and reads the zone files from the master when available.

I use the s6 rc system. Notes

1. I never had much success with the S6_KEEP_ENV when I played around with this earlier.
2. Some of the packages are handy for debugging the container, but not required for normal package operation. Hence these are commented out.

Dockerfile

FROM alpine:latest

ARG S6_OVERLAY_VERSION=3.1.6.2

ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz

#ENV S6_KEEP_ENV=1 
#this keeps the environment variables

ENTRYPOINT ["/init"]

#add UID & GID
RUN \
addgroup -g 99 named && \
adduser -G named -u 99  -G named -D -S -h /dev/null named

RUN apk update && \
apk --no-cache add \
bind \
bind-dnssec-tools \
&& \
apk upgrade
#util-linux \
#vim \
#less \

COPY user/* /etc/s6-overlay/s6-rc.d/user/contents.d/

COPY s6-rc.d /etc/s6-overlay/s6-rc.d/

EXPOSE 53/tcp
EXPOSE 53/udp
EXPOSE 953/tcp

A key point is the docker network is in host mode. (The ports are opened directly on the host and not routed from the docker internal network.)

docker-compose.yml

---
services:
  bind:
    build: ./
    image: bind:latest
    tty: true
    stdin_open: true
    container_name: kptr-dns-1
    restart: 'always' # always | unless-stopped | no | on-failure [:max-retries]
    volumes:
      - '/mnt/docker_store/bind9/.config:/app/'
      - '/mnt/docker_store/bind9/.config/etc/bind:/etc/bind/'
      - '/mnt/docker_store/bind9/.config/var/bind:/var/bind/'
      - '/mnt/docker_store/bind9/.config/var/log:/var/log/'
    network_mode: host

    command: /bin/sh

My local DNS server is a recursive caching type only. It take local (LAN) DNS queries and answers directly for any LAN name resolution, checks the cache for any external name resolution and then if not found locally or in cache checks the specified external DNS servers to resolve names. My DNS server is not setup as a public DNS server and is not publicly accessible. Hence DNSSEC is not relevant for this local DNS server query validation.

For external name resolution Bind9 basically now defaults to automatic use of DNSSEC. This can be validated with (How To Test A Recursive Server) using:

• dig @192.168.1.14 ftp.isc.org. A +dnssec +multiline, the query return flag ad indicates the DNS answer returned a validated answer.
• dig @192.168.1.2 ftp.isc.org. A +dnssec +multiline

Equally important the following commands helps confirm that invalid DNS queries have failed and do not rerun invalid IP address, which would be security risk. If dig @192.168.1.14 www.dnssec-failed.org A receives status: SERVFAIL then dig @192.168.1.14 www.dnssec-failed.org A +cd will disable DNSSEC and return the IP address showing that the SERVFAIL occurred due to DNSSEC failure.

Basic Bind9 DNSSEC configuration options

• The option (in /etc/bind/named.conf.options) dnssec-enable yes; is no longer valid and use will cause configuration error. DO NOT USE! DNSSEC is enabled by default.
• The option dnssec-validation is set default to auto. The other setting options are yes and no. No action is required, if the option is not specified in the configuration file it is set to auto by default.

So I do not need to do any configuration for DNSSEC to function on external queries.

• How DNSSEC Works
• DNSSEC – What Is It and Why Is It Important?
• Domain Name System Security Extensions
• Bind9 DNSSEC Guide

old references

DNS over TLS encrypts the DNS data so others can not see the specific DNS query and response. DNSSEC does not prevent viewing of the DNS data, but rather ensure prevent man in the middle attacks.

It looks like Bind9 is still working on support for DNS over TLS (DoT) for forwarders. It may work on the current developer release 9.19.

• quad9 TLS config data:
  • 9.9.9.9 ip address
  • dns.quad9.net dns name
  • sha256
  • echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 to get the SPKI key for quad9

• Bind9
  • Bind TLS Block Grammar
  • Bind Forwarders Grammar
  • Bind 9 Administrator Reference Manual
• Privacy: Using DNS-over-TLS with the Quad9 DNS Service
• How to use DNS-over-TLS with BIND9 forwarders
• Enable TLS on BIND9
• QUAD9
  • quad9
  • quad9 FAQ
• DNS Privacy Project - DNS Privacy Clients
• DNS-over-TLS in Linux (systemd)

My local recursive servers are ns1.local.kptree.net and ns2.local.kptree.net, which are on separate serves on the local network. These DNS servers are for local LAN use only and cannot and should not be accessible from outside the LAN.

• Using host command:
  • host -t A ns1.local.kptree.net ns2.local.kptree.net - if both local name servers are running to cross check
  • host -t A ns2.local.kptree.net ns1.local.kptree.net - if both local name servers are running to cross check
  • host -t A google.com ns1.local.kptree.net - an external services via local name server
  • host -t A mail.kptree.net 9.9.9.9 - remote address to local hosted external services via an external name server
• Using delv:
  • delv @ns2.local.kptree.net ns1.local.kptree.net - if both local name servers are running to cross check
  • delv @ns1.local.kptree.net ns2.local.kptree.net - if both local name servers are running to cross check
  • delv @ns2.local.kptree.net google.com - an external services via local name server
  • delv @1.1.1.1 mail.kptree.net - remote address to local hosted external services via an external name server
• Using dig:
  • dig @ns2.local.kptree.net -p 53 ns1.local.kptree.net any
  • dig @ns2.local.kptree.net -p 53 kptree.net any
  • dig @ns2.local.kptree.net -tAXFR kptree.net gave me the full name list from ns2.local.kptree.net
  • dig @ns1.local.kptree.net -tAXFR kptree.net gave me the full name list from ns1.local.kptree.net
    • Note that bind9 needs to be setup to allow-transfer from the requesting ip address, I include my LAN address range in the bind9 acl.

To find the version of bind9 used, anywhere from the LAN:

• nslookup -q=txt -class=CHAOS version.bind ns1.local.kptree.net
• dig -t txt -c chaos VERSION.BIND @ns1.local.kptree.net

• KPTree.net's bare metal implementation of dns - dhcp, based upon ISC Bind9 and DHCP on Debian 10 (was originally Ubuntu).
• DNS for Rocket Scientists
• mjkaye/bind9-alpine
• Getting started with BIND - how to build and run named with a basic recursive configuration
• How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 16.04
• How to enable named/bind/DNS full logging? [closed]
• dnssec, Bind9 on Alpine
• ISC Bind9
• Github internetsystemsconsortium/bind9
• How to Configure BIND9 as a Secondary DNS Server on Ubuntu 20.04
• Command-line to list DNS servers used by my system
• Configure Slave BIND DNS Server on Ubuntu 22.04|20.04