In this article, I'll walk through the steps to set up a recursive DNS resolver using Unbound on Docker. This resolver will handle DNS queries for a local domain, mich0w0h.house, by forwarding them to an authoritative nameserver, while forwarding queries for other domains to external DNS servers like Google DNS.
This post is one part of building a local DNS service using docker-compose; the authoritative nameserver for mich0w0h.house was already built in a previous article.
I'll write the other remaining parts later.
Prerequisites
- Docker installed and running
- A Docker network named internal-dns with subnet 192.168.1.0/24
- An authoritative nameserver at 192.168.1.102:53 for the mich0w0h.house domain
Directory Structure
Please ensure that you execute all the following commands within the internal-dns directory.
internal-dns
├── authoritative
│   └── ...
└── resolver
    ├── Dockerfile
    └── unbound.conf
Create a Dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y unbound && rm -rf /var/lib/apt/lists/*
COPY unbound.conf /etc/unbound/unbound.conf
CMD ["/usr/sbin/unbound", "-d", "-c", "/etc/unbound/unbound.conf"]
This Dockerfile installs Unbound on an Ubuntu 22.04 base image and copies in the unbound.conf configuration file. It then sets the default command to run unbound with the -d flag (to run in the foreground) and the -c flag to specify the configuration file.
Create an unbound.conf
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
remote-control:
    control-enable: no
stub-zone:
    name: "mich0w0h.house"
    stub-addr: 192.168.1.102
forward-zone:
    name: "."
    forward-addr: 8.8.8.8 # google DNS
    # forward-addr: 192.168.10.1 # ISP provided DNS
This configuration file sets up the following:
- The server section configures the Unbound server to listen on all interfaces (0.0.0.0) on port 53 and allows queries from the 192.168.1.0/24 subnet. Unbound refuses queries from non-local clients by default, so this access-control line is what admits the subnet.
- The remote-control section disables the unbound-control management interface (control-enable: no).
- The stub-zone section configures a stub zone for the mich0w0h.house domain, forwarding queries to the authoritative nameserver at 192.168.1.102:53.
- The forward-zone section configures forwarding for all other domains to Google DNS (8.8.8.8). You can also use your ISP's DNS server if preferred.
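Because the resolver listens on 0.0.0.0, the access-control line is the only thing limiting who can query it. The following check is an added example, not part of the original article or of Unbound: it parses an unbound.conf and reports settings that reach beyond the Docker network. The names parse, audit and client_net are hypothetical, and the embedded config is a constructed copy of the one above.

```python
import ipaddress
# Constructed sample: the unbound.conf shown in this article.
ARTICLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
remote-control:
    control-enable: no
stub-zone:
    name: "mich0w0h.house"
    stub-addr: 192.168.1.102
forward-zone:
    name: "."
    forward-addr: 8.8.8.8 # google DNS
"""
# access-control actions that let a client's queries through
ALLOW_ACTIONS = {"allow", "allow_setrd", "allow_snoop"}

def parse(text):
    """Return (clause, key, value) tuples from unbound.conf text."""
    entries, clause = [], None
    for raw in text.splitlines():
        # Simplification: treat every '#' as the start of a comment.
        key, _, value = raw.split("#", 1)[0].partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value:
            entries.append((clause, key, value))
        elif key:
            clause = key  # clause header such as "server:"
    return entries

def audit(text, client_net="192.168.1.0/24"):
    """List settings that reach beyond client_net (the Docker network here)."""
    expected = ipaddress.ip_network(client_net)
    findings = []
    for clause, key, value in parse(text):
        if (clause, key) == ("server", "access-control"):
            net, action = value.split()
            net = ipaddress.ip_network(net, strict=False)
            inside = net.version == expected.version and net.subnet_of(expected)
            if action in ALLOW_ACTIONS and not inside:
                findings.append(f"access-control allows {net}, outside {expected}")
        elif (clause, key) == ("remote-control", "control-enable") and value == "yes":
            findings.append("remote-control is enabled")
        elif (clause, key) == ("stub-zone", "stub-addr"):
            addr = ipaddress.ip_address(value.split("@")[0])  # drop optional @port
            if addr not in expected:
                findings.append(f"stub-addr {addr} is outside {expected}")
    return findings
```

Calling audit(ARTICLE_CONF) returns an empty list; widening the allow rule to 0.0.0.0/0 or setting control-enable: yes produces a finding for each.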
Building and Running
Build the Docker image:
sudo docker image build -t unbound-resolver resolver/
Run the container for testing the configuration:
sudo docker container run --rm --name resolver-test --network internal-dns --ip 192.168.1.101 unbound-resolver unbound-checkconf
If the output shows "unbound-checkconf: no errors in /etc/unbound/unbound.conf", then the configuration is valid.
Stop the resolver-test container and run an Unbound resolver container:
sudo docker container run --rm -d --name resolver --network internal-dns --ip 192.168.1.101 unbound-resolver
Testing
You can test the resolver by querying for a record in the mich0w0h.house domain:
dig @192.168.1.101 www.mich0w0h.house
This should return the IP address configured for www.mich0w0h.house in the authoritative nameserver.
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.1.101 www.mich0w0h.house
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64714
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.mich0w0h.house. IN A
;; ANSWER SECTION:
www.mich0w0h.house. 86400 IN A 192.168.1.103
;; Query time: 0 msec
;; SERVER: 192.168.1.101#53(192.168.1.101) (UDP)
;; WHEN: Thu Mar 21 07:52:43 JST 2024
;; MSG SIZE rcvd: 63
With this setup, your devices on the 192.168.1.0/24 subnet can use the resolver at 192.168.1.101 to resolve DNS queries. The resolver will handle queries for mich0w0h.house by forwarding them to the authoritative nameserver while forwarding queries for other domains to external DNS servers.
What's Next
Next, I'll use docker compose to build the authoritative nameserver container I set up in the previous article and the recursive resolver container I set up in this article.
It is necessary to configure networking in order to access these containers from other devices on the home network. (Currently, these containers can only be accessed from the Ubuntu server on the host machine.)