How to run stubby-docker as systemd service docker.stubby.service
stubby-docker uses the stubby DNS Privacy stub resolver to carry queries to the upstream resolvers over DNS-over-TLS, with unbound in front of it as the caching resolver that clients actually talk to.
Similar projects: stubby as a docker systemd service.
This succeeded on Debian 9 Stretch using docker version 19 and docker-compose version 1.8; YMMV. It assumes the packages docker-ce and docker-compose are installed. Run all commands as root.
Download and build stubby-docker. Note that this fetches whatever is currently on the master branch, with no integrity check on the archive; pin a tag or commit if you need a reproducible build.
cd /opt
wget https://github.com/MatthewVance/stubby-docker/archive/master.zip
unzip master.zip
mv stubby-docker-master stubby-docker
cd stubby-docker
docker build -t mvance/stubby:latest ./stubby
docker build -t mvance/unbound:1.13.1-stubby ./unbound
These wrapper scripts cd into the project directory and exec docker-compose from there, so docker-compose finds docker-compose.yml and derives the compose project name (stubbydocker, which prefixes the container and network names used below) from the directory name.
File /opt/stubby-docker/start.sh
#!/usr/bin/env bash
set -eu
cd "$(dirname -- "${0}")"
set -x
exec /usr/bin/docker-compose up --force-recreate --remove-orphans
File /opt/stubby-docker/stop.sh
#!/usr/bin/env bash
set -eu
cd "$(dirname -- "${0}")"
set -x
exec /usr/bin/docker-compose down
Set permissions
chmod 0555 /opt/stubby-docker/start.sh /opt/stubby-docker/stop.sh
File /etc/systemd/system/docker.stubby.service
[Unit]
Description=stubby and unbound docker container services
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStart=/opt/stubby-docker/start.sh
ExecStop=/opt/stubby-docker/stop.sh
[Install]
WantedBy=multi-user.target
Set permissions
chmod 0444 /etc/systemd/system/docker.stubby.service
Load and start the new service. If it should also come up at boot, enable it as well (systemctl enable docker.stubby.service); the [Install] section only takes effect for an enabled unit.
systemctl daemon-reload
systemctl start docker.stubby.service
Check status or stop the service
systemctl status docker.stubby.service
systemctl stop docker.stubby.service
Modify docker-compose.yml so that changes to the stubby.yml file are picked up by the running container (the volumes entry under services: stubby is newly added; the rest is the project's file). Note that the ports entries "53:53/udp" and "53:53/tcp" publish port 53 on every host interface, and docker inserts its own iptables rules for published ports, so host INPUT firewall rules do not gate it; if the host has interfaces that should not serve DNS, bind to a specific address instead (for example "192.168.1.1:53:53/udp").
---
version: '2'
services:
  stubby:
    image: "mvance/stubby:latest"
    networks:
      - dns
    volumes:
      - ./stubby/stubby.yml:/opt/stubby/etc/stubby/stubby.yml:ro
    restart: unless-stopped
  unbound:
    image: "mvance/unbound:1.13.1-stubby"
    depends_on:
      - "stubby"
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    networks:
      - dns
    volumes:
      - ./unbound/a-records.conf:/opt/unbound/etc/unbound/a-records.conf:ro
    restart: unless-stopped
networks:
  dns:
Test a query from a client, assuming the stubby host's external IPv4 address is 192.168.1.1; the answer should come back with status: NOERROR and SERVER: 192.168.1.1#53.
dig @192.168.1.1 www.yahoo.com
Check the stubby.yml within the running container instance, with comments and blank lines stripped (no -t here: a pseudo-terminal would add carriage returns to the output and confuse the filters).
docker exec stubbydocker_stubby_1 cat /opt/stubby/etc/stubby/stubby.yml | grep -vE '^#' | sed '/^$/d'
Output should look something like the following. The lines that matter for privacy are tls_authentication: GETDNS_AUTHENTICATION_REQUIRED (strict mode: the upstream's certificate must validate against its tls_auth_name, instead of falling back to unauthenticated TLS as GETDNS_AUTHENTICATION_NONE would) and a dns_transport_list containing only GETDNS_TRANSPORT_TLS, so no plaintext fallback is possible. The 8053 listeners are only reachable inside the compose dns network, since that port is not published on the host.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_ca_path: "/etc/ssl/certs/"
listen_addresses:
  - 0.0.0.0@8053
  - 0:0:0:0:0:0:0:0@8053
dnssec_return_status: GETDNS_EXTENSION_TRUE
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
Check the unbound.conf within the running container instance
docker exec -it stubbydocker_unbound_1 cat /opt/unbound/etc/unbound/unbound.conf
Assuming the stubby.yml field upstream_recursive_servers lists 1.1.1.1 and 1.0.0.1, capture on the docker service host while running a few queries against it (add -i any if the host has several interfaces):
tcpdump -v -s0 -w /tmp/stubby.pcap port 53 or host 1.1.1.1 or host 1.0.0.1
In the capture, plaintext port 53 should appear only between clients and the host. Traffic to 1.1.1.1 and 1.0.0.1 should be TCP on port 853 only; any packet to those addresses on port 53 means the upstream is being reached without stubby. To see how the containers and the dns network are wired up:
docker network inspect stubbydocker_dns
docker container inspect stubbydocker_unbound_1
docker container inspect stubbydocker_stubby_1
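As an added example (written for this page, not code from the stubby-docker project), the following bash script turns the two manual checks above, inspecting the effective stubby.yml and the tcpdump capture, into pass/fail functions. It assumes the capture is rendered as text with tcpdump -nn -r /tmp/stubby.pcap (numeric addresses and ports) and uses the upstream addresses 1.1.1.1 and 1.0.0.1 from the config above; the sample config and capture lines embedded in it are constructed for the demonstration, not taken from a real host.

```bash
#!/usr/bin/env bash
# Added example, not part of stubby-docker or the original page.
#   audit_stubby_config   - reads stubby.yml text on stdin; passes only if DoT is
#                           strict (REQUIRED auth, TLS-only transport, every
#                           upstream carries a tls_auth_name).
#   audit_upstream_egress - reads `tcpdump -nn` text on stdin; passes only if the
#                           upstream resolvers were reached on port 853, never 53.
# The sample inputs at the bottom are constructed, not captured from a real host.

audit_stubby_config() {
    local cfg rc=0 n_addr n_auth
    cfg=$(grep -vE '^[[:space:]]*#' || true)          # drop comment lines
    if ! printf '%s\n' "$cfg" | grep -qE '^tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED'; then
        echo "FAIL: tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED (opportunistic mode)"
        rc=1
    fi
    # Any UDP/TCP entry in dns_transport_list lets stubby fall back to plaintext.
    if printf '%s\n' "$cfg" | grep -qE '^[[:space:]]*-[[:space:]]*GETDNS_TRANSPORT_(UDP|TCP)[[:space:]]*$'; then
        echo "FAIL: dns_transport_list allows a plaintext transport"
        rc=1
    fi
    # An upstream without tls_auth_name cannot be authenticated at all.
    n_addr=$(printf '%s\n' "$cfg" | grep -cE '^[[:space:]]*-[[:space:]]*address_data:' || true)
    n_auth=$(printf '%s\n' "$cfg" | grep -cE '^[[:space:]]*tls_auth_name:' || true)
    if [ "$n_addr" -eq 0 ] || [ "$n_addr" -ne "$n_auth" ]; then
        echo "FAIL: $n_addr upstream(s) but $n_auth tls_auth_name entries"
        rc=1
    fi
    return "$rc"
}

audit_upstream_egress() {
    # Upstream addresses are passed as arguments, e.g. 1.1.1.1 1.0.0.1.
    awk -v ups="$*" '
        BEGIN { n = split(ups, a, " "); for (i = 1; i <= n; i++) up[a[i]] = 1 }
        # tcpdump -nn prints "<ts> IP <src>.<sport> > <dst>.<dport>: ..."; the port
        # is whatever follows the last dot of the destination field.
        $2 ~ /^IP6?$/ && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            p = match(dst, /\.[0-9]+$/)
            ip = substr(dst, 1, p - 1); port = substr(dst, p + 1)
            if (ip in up) {
                if (port == "853") tls++
                else if (port == "53") { leak++; print "LEAK: " $0 }
            }
        }
        END {
            printf "upstream packets: %d on 853, %d plaintext on 53\n", tls, leak
            exit (leak > 0)
        }'
}

# Constructed sample inputs: the config shown above reduced to the relevant
# keys, a weakened copy, and a few tcpdump -nn lines (192.0.2.10 is a
# documentation address, not a real answer).
STRICT_CFG='tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"'

# Two mistakes that silently turn strict DoT into best effort.
WEAK_CFG='tls_authentication: GETDNS_AUTHENTICATION_NONE
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
upstream_recursive_servers:
  - address_data: 1.1.1.1
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"'

CLEAN_DUMP='12:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 4242+ A? www.yahoo.com. (31)
12:00:01.000202 IP 192.168.1.1.40001 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000404 IP 1.1.1.1.853 > 192.168.1.1.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.020000 IP 192.168.1.1.53 > 192.168.1.10.51234: 4242 1/0/0 A 192.0.2.10 (47)'

LEAKY_DUMP='12:00:05.000001 IP 192.168.1.1.40002 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:05.000002 IP 192.168.1.1.46000 > 1.0.0.1.53: 5151+ A? www.yahoo.com. (31)'

# Named wrappers over the sample inputs.
check_strict_cfg() { printf '%s\n' "$STRICT_CFG" | audit_stubby_config; }
check_weak_cfg()   { printf '%s\n' "$WEAK_CFG"   | audit_stubby_config; }
check_clean_dump() { printf '%s\n' "$CLEAN_DUMP" | audit_upstream_egress 1.1.1.1 1.0.0.1; }
check_leaky_dump() { printf '%s\n' "$LEAKY_DUMP" | audit_upstream_egress 1.1.1.1 1.0.0.1; }

# On the real host feed live data instead, e.g.:
#   docker exec stubbydocker_stubby_1 cat /opt/stubby/etc/stubby/stubby.yml | audit_stubby_config
#   tcpdump -nn -r /tmp/stubby.pcap 2>/dev/null | audit_upstream_egress 1.1.1.1 1.0.0.1
for c in check_strict_cfg check_weak_cfg check_clean_dump check_leaky_dump; do
    if "$c"; then echo "$c: PASS"; else echo "$c: FAIL"; fi
done
```

The strict config and the clean capture pass; the weakened config fails on all three checks and the leaky capture fails on the single plaintext query to 1.0.0.1. Both audits are deliberately conservative: an upstream reached on any port other than 853 is ignored unless it is 53, so a capture filter wider than the one above will not produce false alarms.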