Language: Go
License: MIT License


Docker DNS server on steroids to access DNS-over-TLS from Cloudflare, Google, Quad9, Quadrant or CleanBrowsing

DNS over TLS upstream server Docker container

DNS over TLS upstream server connected to DNS over TLS (IPv4 and IPv6) servers, with DNSSEC, DNS rebinding protection, a built-in Docker healthcheck and fine-grained IP and hostname blocking

Announcement: You can now try :v2.0.0-beta with this documentation.

The :latest Docker image might break compatibility in the coming days/weeks


Features

  • It can be connected to one or more DNS-over-TLS providers (the full list is given under the PROVIDERS environment variable below)

  • Split-horizon DNS (randomly pick one of the DoT providers specified for each request)

  • Block hostnames and IP addresses for 3 categories: malicious, surveillance and ads

  • Block custom hostnames and IP addresses using environment variables

  • One line setup

  • Runs without root

  • Small 41.1MB Docker image (uncompressed, amd64)

  • Resolves using IPv4 and IPv6 when available

  • Auto updates block lists and cryptographic files every 24h and restarts Unbound (< 1 second downtime)

  • Compatible with amd64, i686 (32 bit), ARM 64 bit, ARM 32 bit v7 and ppc64le

  • DNS rebinding protection

  • DNSSEC Validation

Diagrams are shown for router and client-by-client configurations in the Connect clients to it section.

Setup

  1. ⚠️ Raspberry Pi users running 32-bit systems need to do this on the host before running the container.

  2. Launch the container with

    docker run -d -p 53:53/udp qmcgaw/dns

    You can also use docker-compose.yml with:

    docker-compose up -d

    More environment variables are described in the environment variables section.

  3. See the Connect clients to it section. You can also refer to the Verify DNS connection section if you want to check that resolution goes through the container.

If you run an old Docker version or Kernel, you might want to run the container as root with --user="0" (see this issue for context).

Docker tags 🐳

| Docker image | GitHub release |
|---|---|
| qmcgaw/dns:latest | master branch |
| qmcgaw/dns:v1.5.1 | v1.5.1 |
| qmcgaw/dns:v1.4.1 | v1.4.1 |
| qmcgaw/dns:v1.2.1 | v1.2.1 |
| qmcgaw/dns:v1.1.1 | v1.1.1 |
| qmcgaw/cloudflare-dns-server:latest | master branch |
| qmcgaw/cloudflare-dns-server:v1.0.0 | v1.0.0 |

Note: qmcgaw/cloudflare-dns-server:latest mirrors qmcgaw/dns:latest

Environment variables

| Environment variable | Default | Description |
|---|---|---|
| PROVIDERS | cloudflare | Comma separated list of DNS-over-TLS providers from: cira family, cira private, cira protected, cleanbrowsing adult, cleanbrowsing family, cleanbrowsing security, cloudflare, cloudflare family, cloudflare security, google, libredns, quad9, quad9 secured, quad9 unsecured and quadrant |
| VERBOSITY | 1 | From 0 (no log) to 5 (full debug log) |
| VERBOSITY_DETAILS | 0 | From 0 to 4 (higher means more details) |
| BLOCK_MALICIOUS | on | on or off, to block malicious IP addresses and malicious hostnames from being resolved |
| BLOCK_SURVEILLANCE | off | on or off, to block surveillance IP addresses and hostnames from being resolved |
| BLOCK_ADS | off | on or off, to block ad IP addresses and hostnames from being resolved |
| BLOCK_HOSTNAMES | | Comma separated list of hostnames to block from being resolved |
| BLOCK_IPS | | Comma separated list of IPs to block from being returned to clients |
| UNBLOCK | | Comma separated list of hostnames to leave unblocked |
| LISTENINGPORT | 53 | UDP port on which the Unbound DNS server listens (internally) |
| CACHING | on | on or off. Turning it off can be useful if you have another DNS server (e.g. Pi-hole) doing the caching on top of this container |
| PRIVATE_ADDRESS | All IPv4 and IPv6 private CIDR ranges | Comma separated list of CIDRs or single IP addresses. Note that the default setting prevents DNS rebinding |
| CHECK_DNS | on | on or off. Checks at start that github.com resolves through 127.0.0.1:53 |
| IPV4 | on | on or off. Uses DNS resolution for IPv4 |
| IPV6 | off | on or off. Uses DNS resolution for IPv6. Do not enable if you don't have IPv6 |
| UPDATE_PERIOD | 24h | Period to update block lists and restart Unbound. Set to 0 to disable. |

Extra configuration

You can bind mount an Unbound configuration file include.conf, which is included in the Unbound server section, with -v $(pwd)/include.conf:/unbound/include.conf:ro; see the Unbound configuration documentation for the available options.

Golang API

If you want to use the Go code I wrote, you can see tiny examples of DoT and DoH resolvers and servers using the API developed.

Connect clients to it

Option 1: Router (recommended)

All machines connected to your router will use the 1.1.1.1 encrypted DNS by default

Configure your router to use the LAN IP address of your Docker host as its primary DNS address.

  • Access your router page, usually at http://192.168.1.1 and login with your credentials
  • Change the DNS settings, which are usually located in Connection settings / Advanced / DNS server
  • If a secondary fallback DNS address is required, use a dummy IP address such as the router's own IP 192.168.1.1 so that traffic is forced to go only through this container

[Diagram: router configuration]

To ensure network clients cannot use another DNS, you might want to

  • Block the outbound UDP 53 port on your router firewall
  • Block the outbound TCP 853 port on your router firewall, except from your Docker host
  • If you have deep packet inspection on your router, block DNS over HTTPS on port TCP 443

Option 2: Client, one by one

You have to configure each machine connected to your router to use the Docker host as its DNS server.

[Diagram: client-by-client configuration]

Docker containers

Connect other Docker containers by specifying the DNS to be the host IP address 127.0.0.1:

docker run -it --rm --dns=127.0.0.1 alpine

For docker-compose.yml:

version: '3'
services:
  test:
    image: alpine:3.11
    network_mode: bridge
    dns:
      - 127.0.0.1

If the containers are in the same Docker network, you can simply set the dns to the LAN IP address of the DNS container (e.g. 10.0.0.5)

Windows

  1. Open the control panel and follow the instructions shown on the screenshots below.

[Windows screenshots 1 to 5]

Enter the IP address of your Docker host as the Preferred DNS server (192.168.1.210 in my case). You can set the Cloudflare DNS server address 1.1.1.1 as an alternate DNS server, although you might want to leave this blank so that no domain name request is sent in plaintext.

[Windows screenshots 6 and 7]

When closing, Windows should try to identify any potential problems. If everything is fine, you should see the following message:

[Windows screenshot 8]

Mac OS

Follow the instructions at https://support.apple.com/kb/PH25577

Linux

You probably know how to do that. Otherwise, you can usually edit the first nameserver line of /etc/resolv.conf so that it points at the IP address of your Docker host.

Android

See this

iOS

See this

Firewall considerations

This container requires the following connections:

  • UDP 53 Inbound (only if used externally)
  • TCP 853 Outbound to 1.1.1.1 and 1.0.0.1

Verify DNS connection

  1. Verify that you use Cloudflare DNS servers: https://www.dnsleaktest.com with the Standard or Extended test
  2. Verify that DNSSEC is enabled: https://en.internet.nl/connection

Note that https://1.1.1.1/help does not work, as the container is not a client of the Cloudflare servers but a forwarding intermediary; hence https://1.1.1.1/help does not detect a direct connection to them.
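To make concrete what the DNS rebinding protection (the PRIVATE_ADDRESS default) and the DNSSEC check above amount to at the wire level, here is an added Python example; it is not part of this project's code. It parses a DNS response, reads the AD (authenticated data) flag that a validating resolver such as Unbound sets, and flags answers that point into private ranges, which is what the container drops instead of handing to clients. The private range list and the sample responses are constructed assumptions, not values taken from the project.

```python
import ipaddress
import struct
# Private ranges standing in for the PRIVATE_ADDRESS default (exact list is an assumption here)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
AD_FLAG = 0x0020  # "authenticated data" bit: resolver validated DNSSEC

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (ad_flag, [A/AAAA addresses as strings]) from a wire-format DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):  # question: name, then QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:  # AAAA record
            ips.append(str(ipaddress.IPv6Address(rdata)))
    return bool(flags & AD_FLAG), ips

def rebinding_blocked(ips):
    """True if any answer points into a private range: what the rebinding protection drops."""
    return any(ipaddress.ip_address(ip) in net for ip in ips for net in PRIVATE_NETS)

def build_response(ad, ips):
    """Constructed sample response for example.com (not captured traffic)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR, RD, RA, optionally AD
    header = struct.pack("!6H", 0x1234, flags, 1, len(ips), 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in map(ipaddress.ip_address, ips):
        rtype = 1 if ip.version == 4 else 28
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(ip.packed)) + ip.packed
    return header + question + answers
```

A public address with the AD bit set is what you should see from a client behind this container; a public name resolving to a private address is the rebinding case the filter exists for.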

Go API

Some packages are exposed publicly through the pkg directory.

The API is at v1.x.x but (shame on me) is not stable and subject to change without changing major version. If you need it to be stable, please create an issue and I'll see what I can do.

For now, it is used by the gluetun project for its DNS over TLS usage.

Development

Development setup

Using VSCode and Docker

  1. Install Docker
    • On Windows, share a drive with Docker Desktop and have the project on that partition
    • On OSX, share your project directory with Docker Desktop
  2. With Visual Studio Code, install the remote containers extension
  3. In Visual Studio Code, press on F1 and select Remote-Containers: Open Folder in Container...
  4. Your dev environment is ready to go... and it's running in a container

Locally

  1. Install Go, Docker and Git

  2. Install dependencies

    go mod download

  3. Install golangci-lint

Commands available

# Build the binary
go build cmd/main.go
# Test the code
go test ./...
# Lint the code
golangci-lint run
# Build the Docker image
docker build -t qmcgaw/dns .

See Contributing for more information on how to contribute to this repository.
