A docker image to run dnsdist.
dnsdist website : dnsdist.org
We had to deal with dockerization and running mostly WSL and Docker Desktop CE for development. This works very smoothly and we really love it, but it becomes a pain, if you had to deal with different hidden DNS resolvers on your laptop, that are only accessible via VPN or special LAN connections.
Even if your VPN client creates the right NRTP entries on your host, that are not populated to your WSL console or to your docker daemon. Dynamic DNS resolver adaption is a long running, unsolved issue for WSL and Docker Desktop. Maybe it's addressed in the future by WSL 2 or the Moby project.
In the meantime we like to use a dockerized DNS proxy running on the host as a workaround. It's configurable during runtime and solves our WSL issues at least. dnsdist is the Swiss army knife for such use cases.
But of course we like to provide this image for any other dnsdist
related use case.
It's available via Dockerhub.
Build and run as usual:
# docker build --tag=dnsdist .
docker run -p 53:53/udp -p 53:53/tcp -p 5199:5199 -p 8053:8053 \
-d --restart=unless-stopped --name dnsdist dnsdist
docker container stop dnsdist
pick console key from dnsdist
docker log
[~] >>docker logs dnsdist
Running: /usr/bin/dnsdist --disable-syslog --supervised
Set console key: setKey("CaQ/vT2fLIf2TMqRwbMwbeGGs++5nc61V+BAWAZ4MJ8=")
Added downstream server 8.8.4.4:53
Added downstream server 8.8.8.8:53
Listening on 0.0.0.0:53
...
always restart dnsdist
with explicit console key
docker container stop dnsdist
docker run -p 53:53/udp -p 53:53/tcp -p 5199:5199 -p 8053:8053 \
-e CONSOLE_KEY='CaQ/vT2fLIf2TMqRwbMwbeGGs++5nc61V+BAWAZ4MJ8=' \
-d --restart=always --name dnsdist dnsdist
install local dnsdist
client
sudo apt-get install -y dnsdist
setup /etc/dnsdist/dnsdist.conf
controlSocket("127.0.0.1")
setKey("CaQ/vT2fLIf2TMqRwbMwbeGGs++5nc61V+BAWAZ4MJ8=")
point your /etc/resolv.conf
to dnsdist
# removed symlink to /run/resolvconf/resolv.conf
#
options timeout:2 attempts:2 single-request
nameserver 127.0.0.1
nameserver 8.8.4.4
nameserver 8.8.8.8
From now on you can access...
# dnsdist console via local client
dnsdist -c
dnsdist -c -e 'showServers()'
# dnsdist console via container client
docker exec -it dnsdist dnsdist -c
docker exec -it dnsdist dnsdist -c -e 'showRules()'
# dnsdist API
curl -sS -H 'X-API-Key: token' http://127.0.0.1:8053/api/v1/servers/localhost | jq '.rules[]'
But there is no rule set applied by default...
dig +short @127.0.0.1 dnsdist.org
So you need to setup your rules first. The simplest rule is applied via
echo 'addAction(AllRule(), PoolAction("default"))' | dnsdist -c
# Yeehawk...
dig +short @127.0.0.1 dnsdist.org
188.166.104.92
more sophisticated bootstrapping example from .bashrc
nc -z -v 127.0.0.1 8053
if [ "$?" == "0" ]; then
DNS_RULES=`curl -m5 -sS -H 'X-API-Key: token' \
http://127.0.0.1:8053/api/v1/servers/localhost | jq '.rules[]'`
if [ -z "$DNS_RULES" ]; then
cat <<EOT | dnsdist -c >/dev/null 2>&1
newServer({address="192.168.168.2", name="eth", pool="downstream"})
newServer({address="192.168.189.1", name="wlan", pool="downstream"})
newServer({address="10.100.1.10", name="ns.example.com", pool="example"})
newServer({address="10.100.2.10", name="ns2.example.com", pool="example"})
addAction("example.com.", PoolAction("example"))
addAction("example.org.", PoolAction("example"))
addAction(AllRule(), PoolAction("downstream"))
EOT
fi
echo DNS Servers:
echo 'showServers()' | dnsdist -c | head -n -1 | tail -n +2 | \
awk '{ printf "%4s | %10s | %s (%s)\n", $4, $14, $2, $3 }'
echo
fi
Connection to 127.0.0.1 8053 port [tcp/*] succeeded!
DNS Servers:
up | default | dns.google (8.8.4.4:53)
up | default | dns.google (8.8.8.8:53)
up | downstream | eth (192.168.168.2:53)
down | downstream | wlan (192.168.189.1:53)
up | example | ns.example.com (10.100.1.10:53)
down | example | ns2.example.com (10.100.2.10:53)
Enjoy! Point your browser at http://127.0.0.1:8053 and log in with any username, and the default password
.
environment | default |
---|---|
CONSOLE_KEY | |
CONSOLE_ACL | "172.16.0.0/12" "127.0.0.1/8" "::1/128" |
WEB_PASSWORD | password |
WEB_APITOKEN | token |
We are using:
- Alpine as container OS
- Alpine dnsdist packages
- Tini as explicit
init
for containers instead of--init
- mo as mustache template engine
- provide a valid console key without
makeKey()
- how to feed changing downstream servers to dnsdist?
PowerShell.exe -Command 'Get-DnsClientServerAddress -AddressFamily IPv4'`
Written with StackEdit.