Setting Up a Recursive DNS Resolver Using Unbound on Docker

mich0w0h

Posted on March 20, 2024

In this article, I'll walk through the steps to set up a recursive DNS resolver using Unbound on Docker. The resolver answers queries for the local domain mich0w0h.house by asking an authoritative nameserver on the same Docker network, and forwards queries for every other domain to an external DNS server such as Google DNS.

This post is one part of building a local DNS service with docker-compose; the authoritative nameserver for mich0w0h.house was already built in a previous article.

I'll write the other remaining parts later.

Prerequisites

  • Docker installed and running
  • A Docker network named internal-dns with subnet 192.168.1.0/24
  • An authoritative nameserver at 192.168.1.102:53 for the mich0w0h.house domain

Directory Structure

Please ensure that you execute all the following commands within the internal-dns directory.

internal-dns
├── authoritative
│   └── ...
└── resolver
    ├── Dockerfile
    └── unbound.conf

Create a Dockerfile

FROM ubuntu:22.04

RUN apt-get update && apt-get install -y unbound && rm -rf /var/lib/apt/lists/*

# Replaces the package's /etc/unbound/unbound.conf entirely (including its
# include of /etc/unbound/unbound.conf.d/), so only what is in this file applies.
COPY unbound.conf /etc/unbound/unbound.conf

# -d: stay in the foreground, as a container's main process must; -c: config file to load.
CMD ["/usr/sbin/unbound", "-d", "-c", "/etc/unbound/unbound.conf"]

This Dockerfile installs Unbound on an Ubuntu 22.04 base image, copies unbound.conf over the package's default configuration, and sets the default command to run unbound with the -d flag (stay in the foreground, which the container's main process must do) and the -c flag (the configuration file to use).

Create an unbound.conf

server:
    # Listen on every interface of the container (it has one, on internal-dns).
    interface: 0.0.0.0
    # Only clients on the container network may query; any other source is refused.
    access-control: 192.168.1.0/24 allow

# A separate top-level clause, not part of server: (Unbound ignores indentation).
remote-control:
    control-enable: no

# Local zone: ask the authoritative container directly.
stub-zone:
    name: "mich0w0h.house"
    stub-addr: 192.168.1.102

# Everything else goes to the upstream resolver.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8 # google DNS
    # forward-addr: 192.168.10.1 # ISP provided DNS

This configuration file sets up the following:

  • server section: Unbound listens on all of the container's interfaces (0.0.0.0) on the default port 53 and answers queries from the 192.168.1.0/24 subnet. Unbound refuses queries from any address that is not explicitly allowed, so this access-control line is what keeps the container from acting as an open resolver; keep it even if you later publish port 53 with -p.
  • stub-zone section: queries for mich0w0h.house and names below it are sent to the authoritative nameserver at 192.168.1.102:53.
  • forward-zone section: every other query is forwarded to Google DNS (8.8.8.8) over plain DNS on port 53. Your ISP's resolver works the same way. Note that this file does not enable DNSSEC validation, and because the Dockerfile replaces /etc/unbound/unbound.conf, the Ubuntu package's own settings under /etc/unbound/unbound.conf.d/ are not loaded either.
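The following is a hardened version of the same configuration, added here as an example and not part of the original post. It keeps the post's addresses (resolver 192.168.1.101, authoritative server 192.168.1.102, clients in 192.168.1.0/24) and adds DNSSEC validation, DNS-over-TLS to the upstream, privilege dropping and DNS rebinding protection. The trust-anchor and CA-bundle paths are the ones the Ubuntu 22.04 unbound and ca-certificates packages install (assumptions: check with ls -l /var/lib/unbound/root.key /etc/ssl/certs/ca-certificates.crt inside the container); the Dockerfile above does not install ca-certificates, so change its apt-get line to `apt-get install -y unbound ca-certificates` before using the TLS forwarder.

```conf
server:
    interface: 0.0.0.0
    # Everything not explicitly allowed is refused (this is also the default);
    # only the container network may query, so this can never be an open resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: 192.168.1.0/24 allow

    # Bind port 53 as root, then drop to the unbound user created by the package.
    # chroot is disabled so the absolute paths below are valid as written.
    username: "unbound"
    chroot: ""

    # No syslog inside the container: with -d and no logfile, messages go to
    # stderr, which docker logs collects.
    use-syslog: no

    # DNSSEC validation against the root trust anchor (path assumed from the
    # Ubuntu package; Unbound keeps it updated per RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # The private zone is unsigned and not delegated from the public .house
    # zone, so it is excluded from validation; without this the validator
    # would try to build a chain of trust for it through .house.
    domain-insecure: "mich0w0h.house"

    # DNS rebinding protection: strip private addresses from answers that
    # come from the internet, but allow them for the private zone.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-domain: "mich0w0h.house"

    # Leak less about the resolver and about each query.
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    minimal-responses: yes

    # CA bundle used to verify the upstream's TLS certificate
    # (from the ca-certificates package, which the Dockerfile must install).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

remote-control:
    control-enable: no

stub-zone:
    name: "mich0w0h.house"
    stub-addr: 192.168.1.102

forward-zone:
    name: "."
    # DNS over TLS to Google Public DNS on port 853; the certificate is
    # checked against the name after '#'.
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Validate it the same way as the original file (unbound-checkconf in a test container) before starting the resolver. The `ip@port#name` form of forward-addr needs Unbound 1.9 or newer, which Ubuntu 22.04 provides. If the stub zone starts returning SERVFAIL after enabling validation, the domain-insecure line is the first thing to check.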

Building and Running

Build the Docker image:

sudo docker image build -t unbound-resolver resolver/

Run the container for testing the configuration:

sudo docker container run --rm --name resolver-test --network internal-dns --ip 192.168.1.101 unbound-resolver unbound-checkconf

If the output shows unbound-checkconf: no errors in /etc/unbound/unbound.conf, then the configuration is valid.

The test container exits and is removed (--rm) as soon as unbound-checkconf finishes, so the address 192.168.1.101 is free again. Now run the Unbound resolver container detached:

sudo docker container run --rm -d --name resolver --network internal-dns --ip 192.168.1.101 unbound-resolver

Testing

You can test the resolver by querying for a record in the mich0w0h.house domain:

dig @192.168.1.101 www.mich0w0h.house

This should return the IP address configured for www.mich0w0h.house in the authoritative nameserver.

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.1.101 www.mich0w0h.house
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64714
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.mich0w0h.house.        IN  A

;; ANSWER SECTION:
www.mich0w0h.house. 86400   IN  A   192.168.1.103

;; Query time: 0 msec
;; SERVER: 192.168.1.101#53(192.168.1.101) (UDP)
;; WHEN: Thu Mar 21 07:52:43 JST 2024
;; MSG SIZE  rcvd: 63

With this setup, your devices on the 192.168.1.0/24 subnet can use the resolver at 192.168.1.101 to resolve DNS queries. The resolver will handle queries for mich0w0h.house by forwarding them to the authoritative nameserver while forwarding queries for other domains to external DNS servers.
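The post checks a single record by hand. The script below, added here as an example and not part of the original post, runs the checks a practitioner would want after bringing the container up: the stub zone answers from the LAN range, a nonexistent name in it comes back NXDOMAIN rather than SERVFAIL (a wrong stub-addr or a DNSSEC validation problem shows up here), and a public name is answered through the forwarder. Assumed: the post's addresses, dig on the machine running it, dns.google as the public test name, and an environment variable RUN_LIVE as the switch for the live queries; the parsing helpers need no network.

```shell
#!/bin/sh
# Acceptance checks for the Unbound resolver container (added example, not
# part of the original post). Assumes the post's addresses. Usage:
#   RUN_LIVE=1 sh check-resolver.sh
RESOLVER="${RESOLVER:-192.168.1.101}"
ZONE="${ZONE:-mich0w0h.house}"
PUBLIC_NAME="${PUBLIC_NAME:-dns.google}"   # assumed public name for the forwarder check

# RCODE (NOERROR, NXDOMAIN, REFUSED, SERVFAIL, ...) from dig's header line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Header flags (qr rd ra ad ...) from dig's flags line.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Addresses from A records in the answer section; comment lines start with ';'.
dig_a_records() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5 }'
}

# True when an IPv4 address lies in 192.168.1.0/24, where the stub zone's hosts live.
in_lan() {
    case "$1" in
        192.168.1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# One query against the resolver; prints dig's full output.
query() {
    dig @"$RESOLVER" "$1" "${2:-A}" +time=2 +tries=1
}

# Returns 0 when all checks pass, 1 at the first failure.
live_checks() {
    out=$(query "www.$ZONE")
    [ "$(printf '%s\n' "$out" | dig_status)" = NOERROR ] ||
        { echo "FAIL stub zone: www.$ZONE not answered"; return 1; }
    for a in $(printf '%s\n' "$out" | dig_a_records); do
        in_lan "$a" || { echo "FAIL stub zone: unexpected address $a"; return 1; }
    done
    echo "OK   stub zone answers from 192.168.1.0/24"

    # A wrong stub-addr, or validation without domain-insecure for the zone,
    # typically shows up here as SERVFAIL instead of NXDOMAIN.
    st=$(query "does-not-exist.$ZONE" | dig_status)
    [ "$st" = NXDOMAIN ] ||
        { echo "FAIL stub zone: expected NXDOMAIN, got '$st'"; return 1; }
    echo "OK   stub zone returns NXDOMAIN for unknown names"

    out=$(query "$PUBLIC_NAME")
    st=$(printf '%s\n' "$out" | dig_status)
    [ "$st" = NOERROR ] ||
        { echo "FAIL forwarder: $PUBLIC_NAME got '$st'"; return 1; }
    # 'ad' in the flags means the resolver validated the answer; it never
    # appears with the post's configuration, which does no DNSSEC validation.
    echo "OK   forwarder answers public names (flags: $(printf '%s\n' "$out" | dig_flags))"
}

if [ -n "${RUN_LIVE:-}" ]; then
    live_checks
fi
```

Run it from a host on the 192.168.1.0/24 network (or from another container on internal-dns). The access-control rule cannot be exercised from the Docker host itself, since that host sits on the allowed network; a query from any other source should come back REFUSED, which dig_status reports as such.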

What's Next

Next, I'll use docker compose to build the authoritative nameserver container I set up in the previous article and the recursive resolver container I set up in this article.

It is necessary to configure networking in order to access these containers from other devices on the home network. (Yes, indeed currently these containers can only be accessed from the Ubuntu server on the host machine.)
