1
1
mirror of https://github.com/dnscrypt/dnscrypt-server-docker synced 2024-11-22 19:42:03 +01:00
dnscrypt-server-docker/README.md

136 lines
5.3 KiB
Markdown
Raw Normal View History

[![Travis Status](https://travis-ci.org/DNSCrypt/dnscrypt-server-docker.svg?branch=master)](https://travis-ci.org/DNSCrypt/dnscrypt-server-docker/builds/)
[![DNSCrypt](https://raw.github.com/jedisct1/dnscrypt-server-docker/master/dnscrypt-small.png)](https://dnscrypt.info)
2015-08-08 18:18:12 +02:00
2015-07-06 01:39:54 +02:00
DNSCrypt server Docker image
============================
Run your own caching, non-censoring, non-logging, DNSSEC-capable,
[DNSCrypt](http://dnscrypt.org)-enabled DNS resolver virtually anywhere!
If you are already familiar with Docker, it shouldn't take more than 5 minutes
to get your resolver up and running.
2018-02-01 23:13:36 +01:00
Quickstart
==========
* [How to setup your own DNSCrypt server in less than 10 minutes on Scaleway](https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes)
* [DNSCrypt server with vultr.com](https://github.com/jedisct1/dnscrypt-proxy/wiki/DNSCrypt-server-with-vultr.com)
2015-07-06 01:39:54 +02:00
Installation
============
Think about a name. This is going to be part of your DNSCrypt provider name.
If you are planning to make your resolver publicly accessible, this name will
be public.
It has to look like a domain name (`example.com`), but it doesn't have to be
2015-07-06 01:56:35 +02:00
a registered domain.
2015-07-06 01:39:54 +02:00
Let's pick `example.com` here.
2015-07-12 17:54:03 +02:00
Download, create and initialize the container, once and for all:
2015-07-06 01:39:54 +02:00
2015-08-29 00:17:30 +02:00
$ docker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp --net=host \
jedisct1/dnscrypt-server init -N example.com -E 192.168.1.1:443
2015-07-06 01:39:54 +02:00
2018-01-22 18:21:50 +01:00
This will only accept connections via DNSCrypt on the standard port (443). Replace
`192.168.1.1` with the actual external IP address (not the internal Docker one)
clients will connect to.
2015-08-29 00:17:30 +02:00
`--net=host` provides the best network performance, but may have to be
removed on some shared containers hosting services.
2015-07-06 01:39:54 +02:00
Now, to start the whole stack:
$ docker start dnscrypt-server
Done.
Note that the actual provider name for DNSCrypt is `2.dnscrypt-cert.example.com`,
not just `example.com` as initially entered. The full name has to start with
`2.dnscrypt-cert.` for the client and the server to use the same version of the
protocol.
Customizing Unbound
2018-01-22 15:53:47 +01:00
===================
To add new configuration to Unbound, add files to the `/opt/unbound/etc/unbound/zones`
directory. All files ending in `.conf` will be processed. In this manner, you
can add any directives to the `server:` section of the Unbound configuration.
Serve custom DNS records on a local network
2018-01-22 20:25:29 +01:00
-------------------------------------------
While Unbound is not a full authoritative name server, it supports resolving
custom entries in a way that is serviceable on a small, private LAN. You can use
unbound to resolve private hostnames such as `my-computer.example.com` within
your LAN.
To support such custom entries using this image, first map a volume to the zones
directory. Add this to your `docker run` line:
-v /myconfig/zones:/opt/unbound/etc/unbound/zones
The whole command to create and initialize a container would look something like
this:
$ docker run --name=dnscrypt-server \
-v /myconfig/zones:/opt/unbound/etc/unbound/zones \
-p 443:443/udp -p 443:443/tcp --net=host \
jedisct1/dnscrypt-server init -N example.com -E 192.168.1.1:443
Create a new `.conf` file:
$ touch /myconfig/zones/example.conf
Now, add one or more unbound directives to the file, such as:
local-zone: "example.com." static
local-data: "my-computer.example.com. IN A 10.0.0.1"
local-data: "other-computer.example.com. IN A 10.0.0.2"
Troubleshooting
---------------
If Unbound doesn't like one of the newly added directives, it
will probably not respond over the network. In that case, here are some commands
to work out what is wrong:
$ docker logs dnscrypt-server
$ docker exec dnscrypt-server /opt/unbound/sbin/unbound-checkconf
2015-07-06 01:39:54 +02:00
Details
=======
2019-03-12 15:07:42 +01:00
- Alpine Linux as a base image.
2015-07-06 01:39:54 +02:00
- Caching resolver: [Unbound](https://www.unbound.net/), with DNSSEC, prefetching,
and no logs. The number of threads and memory usage are automatically adjusted.
2015-12-11 10:30:32 +01:00
Latest stable version, compiled from source. qname minimisation is enabled.
2015-07-06 01:39:54 +02:00
- [libsodium](https://download.libsodium.org/doc/) - Latest stable version,
minimal build compiled from source.
- [dnscrypt-wrapper](https://github.com/Cofyc/dnscrypt-wrapper) - Latest stable version,
compiled from source.
2015-07-06 01:47:58 +02:00
2015-07-27 22:54:26 +02:00
Keys and certificates are automatically rotated every 12 hour.
2015-07-06 01:47:58 +02:00
Kubernetes
==========
Kubernetes configurations are located in the `kube` directory. Currently these assume
a persistent disk named `dnscrypt-keys` on GCE. You will need to adjust the volumes
definition on other platforms. Once that is setup, you can have a dnscrypt server up
in minutes.
2017-07-17 00:37:40 +02:00
* Create a static IP on GCE. This will be used for the LoadBalancer.
* Edit `kube/dnscrypt-init-job.yml` and change `example.com` to your desired hostname.
2017-07-17 00:37:40 +02:00
* Edit `kube/dnscrypt-srv.yml` and change `loadBalancerIP` to your static IP.
* Run `kubectl create -f kube/dnscrypt-init-job.yml` to setup your keys.
* Run `kubectl create -f kube/dnscrypt-deployment.yml` to deploy the dnscrypt server.
* Run `kubectl create -f kube/dnscrypt-srv.yml` to expose your server to the world.
To get your public key just view the logs for the `dnscrypt-init` job. The public
IP for your server is merely the `dnscrypt` service address.
2015-07-06 01:47:58 +02:00
Coming up next
==============
2015-07-06 01:49:37 +02:00
- Better isolation of the certificate signing process, in a dedicated container.