version: "3" name: "dns" networks: nullnet: internal: true services: # watches the pem letsencrypt generated pem file and refreshes the pfx when it changes dns-pfx-helper: restart: unless-stopped image: tristandruyen/pfx-helper:latest volumes: - ./swag/keys/letsencrypt/:/app/mnt/in/:ro - ./dns-pfx-helper/out:/app/mnt/out:rw environment: PFX_PASSWORD: REDACTED networks: - nullnet dns-server: image: technitium/dns-server:latest restart: unless-stopped # we need network_mode host to use ipv4 & 6 at the same time currently # (might be possible to migrate to ingress with latest docker) network_mode: host cap_add: - NET_ADMIN volumes: - ./dns-server:/etc/dns - ./dns-pfx-helper/out/:/etc/out/:ro environment: - DNS_SERVER_DOMAIN=dns.vlt81.de #The primary domain name used by this DNS Server to identify itself. - DNS_SERVER_ADMIN_PASSWORD=REDACTED #DNS web console admin user password. - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol. # All the below stuff can easily be configured in the web interface # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses. # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled. # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol. # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console. # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console. # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks. # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option. # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option. # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone. # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs. # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging. # sysctls: # - net.ipv4.ip_local_port_range=1024 65000 # port forwards & networks are useless due to network_mode host # networks: # ports: # - target: 53 # DNS # published: 53 # protocol: "tcp" # mode: "ingress" # - target: 53 # DNS # published: 53 # protocol: "udp" # mode: "ingress" # - target: 853 # DNS-over-TLS # published: 853 # protocol: "tdp" # mode: "host" # - target: 853 # DNS-over-QUIC # published: 853 # protocol: "udp" # mode: "ingress" # - "80:80/tcp" #DNS-over-HTTP service # only useful if you dont run your own nginx in front # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) () # same # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) # same