DNScrypt-proxy in a container (mostly for research purposes)
This image is neither for industrial nor for personal use. If you want a light-weight yet working version of a containerized DNScrypt-proxy, use klutchell's work. This image for research purpose only, using a heavier-weight base image to have better interaction with the container, e.g., shell access, save and store SSL keys for decrypting communication.
We have images based on pure bookworm
debian, which is around 234 MB once bundled.
On the other hand, we have Wolfi-based images as well, which are not only less vulnerable to many well known attacks but, since Wolfi is a distroless base image, the final size of the container is around 180 MB. By removing further things from the latter and/or using a base with even less tools, you can actually achieve smaller than 15 MB container like klutchell's work.
Accordingly, we have two tags with two Dockerfiles
:
- cslev/dnscrypt-proxy-docker:debian -- Dockerfile.debian
- cslev/dnscrypt-proxy-docker:wolfi -- Dockerfile.wolfi
sudo docker build -t cslev/dnscrypt-proxy-research:debian . -f Dockerfile.debian
sudo docker build -t cslev/dnscrypt-proxy-research:wolfi . -f Dockerfile.wolfi
To use the container, you have to provide the dnscrypt-config.toml
file, and attach it as a volume to the container.
Use the dnscrypt-proxy.toml
in the config
directory as a template. It already works as it is, and is configured to
- use all possible DoH servers
- make the proxy to listen on 0.0.0.0:5053
- uses random selection of the resolvers, instead of the built-in latency-based load-balancer logic
- logging is done in a log file instead of standard output.
Based on these settings, the container should be run from the root directory as follows:
sudo docker run -v /etc/localtime:/etc/localtime -v ./config/:/dnscrypt-proxy/config/ -v ./logs:/dnscrypt-proxy/logs cslev/dnscrypt-proxy-research:debian
Here, we assume the subnetwork 172.29.1.0/24 is not used by any of your docker stacks.
If yes, amend the below docker-compose file accordingly.
Exposing the port is not necessary and sometimes can clash with your OS' resolved
application.
Without exposing, the proxy can still be address through the docker bridge, using its IP address we configure in the docker-compose file too.
version: "3.6"
services:
dnscrypt-proxy-research:
container_name: dnscrypt-proxy-research
hostname: dnscrypt-proxy-research
restart: unless-stopped
image: cslev/dnscrypt-proxy-research:debian
dns: 9.9.9.9
ports:
- '5053:5053/udp'
volumes:
- '/etc/localtime:/etc/localtime:ro'
- '/etc/timezone:/etc/timezone:ro'
- '/home/lele/git/dnscrypt-proxy-docker/config:/dnscrypt-proxy/config/'
- '/home/lele/git/dnscrypt-proxy-docker/logs:/dnscrypt-proxy/logs'
environment:
- "TZ=Asia/Singapore"
networks:
internal:
ipv4_address: 172.29.1.2
networks:
#local network to talk to within the raspberry itself
internal:
name: dnscrypt_proxy_research_subnet
ipam:
config:
- subnet: 172.29.1.0/24
Images are also available on docker hub, so you can pull them straighaway without compiling them. See the tags on https://hub.docker.com/r/cslev/dnscrypt-proxy-research/tag