gists/docker-compose-dns.yml

version: "3"
name: "dns"
networks:
  nullnet:
    internal: true

services:
  # watches the pem letsencrypt generated pem file and refreshes the pfx when it changes
  dns-pfx-helper:
    restart: unless-stopped
    image: tristandruyen/pfx-helper:latest
    volumes:
      - ./swag/keys/letsencrypt/:/app/mnt/in/:ro
      - ./dns-pfx-helper/out:/app/mnt/out:rw
    environment:
      PFX_PASSWORD: REDACTED
    networks:
      - nullnet

  dns-server:
    image: technitium/dns-server:latest
    restart: unless-stopped
    # we need network_mode host to use ipv4 & 6 at the same time currently
    # (might be possible to migrate to ingress with  latest docker)
    network_mode: host 
    cap_add:
      - NET_ADMIN
    volumes:
      - ./dns-server:/etc/dns
      - ./dns-pfx-helper/out/:/etc/out/:ro
    environment:
      - DNS_SERVER_DOMAIN=dns.vlt81.de #The primary domain name used by this DNS Server to identify itself.
      - DNS_SERVER_ADMIN_PASSWORD=REDACTED #DNS web console admin user password.
      - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
      # All the below stuff can easily be configured in the web interface
      # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
      # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
      # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
      # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
      # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
      # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
      # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
      # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
      # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
      # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
      # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
      # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
      # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
      # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
      # sysctls:
      # - net.ipv4.ip_local_port_range=1024 65000
    # port forwards & networks are useless due to network_mode host
    # networks:
    # ports:
    #   - target: 53 # DNS
    #    published: 53
    #    protocol: "tcp"
    #    mode: "ingress"
    #  - target: 53 # DNS
    #    published: 53
    #    protocol: "udp"
    #    mode: "ingress"
    #  - target: 853 # DNS-over-TLS
    #    published: 853
    #    protocol: "tdp"
    #    mode: "host"
    #  - target: 853 # DNS-over-QUIC
    #    published: 853
    #    protocol: "udp"
    #    mode: "ingress"
    # - "80:80/tcp" #DNS-over-HTTP service                         # only useful if you dont run your own nginx in front
    # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) ()          # same
    # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)   # same
Add docker-compose-dns.yml Signed-off-by: tristan <tristan@gitea@vault81.de> 2024-11-19 20:40:12 +00:00			`version: "3"`
			`name: "dns"`
			`networks:`
			`nullnet:`
			`internal: true`

			`services:`
			`# watches the pem letsencrypt generated pem file and refreshes the pfx when it changes`
			`dns-pfx-helper:`
			`restart: unless-stopped`
			`image: tristandruyen/pfx-helper:latest`
			`volumes:`
			`- ./swag/keys/letsencrypt/:/app/mnt/in/:ro`
			`- ./dns-pfx-helper/out:/app/mnt/out:rw`
			`environment:`
			`PFX_PASSWORD: REDACTED`
			`networks:`
			`- nullnet`

			`dns-server:`
			`image: technitium/dns-server:latest`
			`restart: unless-stopped`
			`# we need network_mode host to use ipv4 & 6 at the same time currently`
			`# (might be possible to migrate to ingress with latest docker)`
			`network_mode: host`
			`cap_add:`
			`- NET_ADMIN`
			`volumes:`
			`- ./dns-server:/etc/dns`
			`- ./dns-pfx-helper/out/:/etc/out/:ro`
			`environment:`
			`- DNS_SERVER_DOMAIN=dns.vlt81.de #The primary domain name used by this DNS Server to identify itself.`
			`- DNS_SERVER_ADMIN_PASSWORD=REDACTED #DNS web console admin user password.`
			`- DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.`
			`# All the below stuff can easily be configured in the web interface`
			`# - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.`
			`# - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.`
			`# - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.`
			`# - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.`
			`# - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.`
			`# - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.`
			`# - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.`
			# - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
			# - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
			`# - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.`
			`# - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.`
			`# - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.`
			`# - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.`
			`# - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.`
			`# sysctls:`
			`# - net.ipv4.ip_local_port_range=1024 65000`
			`# port forwards & networks are useless due to network_mode host`
			`# networks:`
			`# ports:`
			`# - target: 53 # DNS`
			`# published: 53`
			`# protocol: "tcp"`
			`# mode: "ingress"`
			`# - target: 53 # DNS`
			`# published: 53`
			`# protocol: "udp"`
			`# mode: "ingress"`
			`# - target: 853 # DNS-over-TLS`
			`# published: 853`
			`# protocol: "tdp"`
			`# mode: "host"`
			`# - target: 853 # DNS-over-QUIC`
			`# published: 853`
			`# protocol: "udp"`
			`# mode: "ingress"`
			`# - "80:80/tcp" #DNS-over-HTTP service # only useful if you dont run your own nginx in front`
			`# - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) () # same`
			`# - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) # same`