CoreDNS

CoreDNS is a DNS server/forwarder, written in Go, that chains plugins. Each plugin performs one (DNS) function, which makes the server very flexible: if some functionality is not provided out of the box, you can add it by writing a plugin.

CoreDNS can listen for DNS requests coming in over UDP/TCP (Do53), DNS over TLS (DoT, RFC 7858) and DNS over HTTPS (DoH, RFC 8484).

Installation

Install the coredns, coredns-bin or coredns-git package from the AUR.

Configuration

See the documentation on configuration.

coredns.service will look for /etc/coredns/Corefile and fail to start if the file is missing. After creating the configuration file in that location, Start/enable coredns.service.

Below is an example configuration with useful plugins. CoreDNS will listen on port 53 on the addresses given to bind, answer queries only from the subnets allowed by acl, serve entries from /etc/hosts first and forward everything else to the Wikimedia DNS servers over TLS. You can use the drill command to verify that CoreDNS is working locally: drill archlinux.org @127.0.0.1.

/etc/coredns/Corefile
.:53 {
       bind 127.0.0.1 ::1 192.168.1.254 192.0.0.1
       bufsize 1232
       acl {
               allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24
               block
       }
       hosts {
               reload 0
               fallthrough
       }
       loadbalance
       forward . tls://185.71.138.138 tls://2001:67c:930::1 {
               tls_servername wikimedia-dns.org
       }
       cache {
               success 4096
               denial  1024
               prefetch 512
       }
       prometheus :9153
       errors
       log
}
Note: This example uses Wikimedia DNS. Replace it with a DNS resolver you trust. See Domain name resolution#Third-party DNS services.
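The acl rules above are evaluated in order and the first match wins; a source that matches no rule is handed to the next plugin, which is why the allow list ends with a bare block. The following Go program is an added example, not CoreDNS code and not part of the original page: it re-implements that source-address evaluation for the rule set above with the standard net/netip package (a simplification of the plugin, which can also match on query type and on files of prefixes), and lists every bind address that is neither loopback nor RFC 1918 / RFC 4193 private space, so a Corefile can be sanity-checked before the service is started. The sample client addresses in main are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action mirrors the acl plugin actions used in this example.
type Action int

const (
	Allow Action = iota // hand the query to the next plugin
	Block               // answer REFUSED
	Drop                // send no answer at all
)

func (a Action) String() string { return [...]string{"allow", "block", "drop"}[a] }

// Rule is one acl line: an action and the source networks it applies to.
type Rule struct {
	Action Action
	Nets   []netip.Prefix // empty means every source, like a bare `block`
}

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// ExampleRules is the acl block of the Corefile above, in rule order.
func ExampleRules() []Rule {
	return []Rule{
		{Allow, mustPrefixes("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "192.0.0.0/24")},
		{Block, nil}, // bare `block`: everything that did not match above
	}
}

// Evaluate applies the rules in order and the first match wins. A source that
// matches no rule is allowed (the plugin passes it on), which is why an
// allow-list must end with a bare `block`.
func Evaluate(rules []Rule, src netip.Addr) Action {
	src = src.Unmap() // treat ::ffff:a.b.c.d like a.b.c.d
	for _, r := range rules {
		if len(r.Nets) == 0 {
			return r.Action
		}
		for _, p := range r.Nets {
			if p.Contains(src) {
				return r.Action
			}
		}
	}
	return Allow
}

// ExposedBinds returns the bind addresses that are neither loopback nor
// RFC 1918 / RFC 4193 private space (or that do not parse at all): the ones
// to look at twice before starting the service.
func ExposedBinds(binds ...string) []string {
	var out []string
	for _, b := range binds {
		a, err := netip.ParseAddr(b)
		if err != nil || (!a.IsLoopback() && !a.IsPrivate()) {
			out = append(out, b)
		}
	}
	return out
}

func main() {
	rules := ExampleRules()
	// Constructed sample sources: two LAN clients, a 4-in-6 mapped LAN client,
	// a public IPv4 address and a public IPv6 address.
	for _, s := range []string{"10.1.2.3", "192.168.1.10", "::ffff:172.20.0.5", "203.0.113.7", "2001:db8::1"} {
		fmt.Printf("%-20s -> %s\n", s, Evaluate(rules, netip.MustParseAddr(s)))
	}
	// The bind line of the Corefile above.
	fmt.Println("non-private bind addresses:", ExposedBinds("127.0.0.1", "::1", "192.168.1.254", "192.0.0.1"))
}
```

Run it with go run. The public addresses come out as block while the LAN clients are allowed; dropping the trailing bare block from ExampleRules turns the public addresses into allow, which is the open-resolver mistake the Warning below is about. 192.0.0.1 is reported because 192.0.0.0/24 is IETF protocol-assignment space rather than RFC 1918, so confirm it really is the address you intend to bind before reusing that line.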

Forwarding

To forward queries to a different resolver, use the forward plugin. It supports plain DNS and DNS over TLS. For DNS over TLS, prefix the upstream address with tls:// and set tls_servername to the hostname in the upstream's certificate; the name is sent as SNI and the certificate is verified against it, and all tls:// upstreams in one forward block must share the same tls_servername.

For example, to forward everything using DNS over TLS to Wikimedia DNS, edit /etc/coredns/Corefile as follows:

/etc/coredns/Corefile
.:53 {
    bind 127.0.0.1 ::1
    forward . tls://185.71.138.138 tls://2001:67c:930::1 {
        tls_servername wikimedia-dns.org
    }
}
Note: This example uses Wikimedia DNS. Replace it with a DNS resolver you trust. See Domain name resolution#Third-party DNS services.
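What tls:// and tls_servername mean on the wire, as an added example in Go that is neither CoreDNS code nor part of the original page: it hand-builds a raw A query for archlinux.org, sends it to the Wikimedia DNS upstream above with RFC 7858 framing (TLS on port 853, a 2-byte length prefix on every DNS message), and verifies the upstream's certificate against wikimedia-dns.org through crypto/tls exactly as the forward plugin does with tls_servername, then checks the response header. The query ID 0x1234 and the five-second timeouts are arbitrary choices of the example; main needs network access, the encoder and parser do not.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// BuildQuery encodes one RFC 1035 query: a 12-byte header with RD set and a
// single question for name/qtype in class IN. qtype 1 = A, 28 = AAAA.
func BuildQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: QR=0, RD=1
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)                           // root label ends the name
	msg = append(msg, byte(qtype>>8), byte(qtype)) // QTYPE
	msg = append(msg, 0, 1)                        // QCLASS IN
	return msg
}

// Header holds the response fields worth checking before trusting an answer.
type Header struct {
	ID      uint16
	Rcode   uint8
	ANCount uint16
}

// ParseHeader rejects anything that is not a well-formed response.
func ParseHeader(resp []byte) (Header, error) {
	if len(resp) < 12 {
		return Header{}, errors.New("short DNS message")
	}
	flags := binary.BigEndian.Uint16(resp[2:])
	if flags&0x8000 == 0 {
		return Header{}, errors.New("QR bit clear: not a response")
	}
	return Header{
		ID:      binary.BigEndian.Uint16(resp[0:]),
		Rcode:   uint8(flags & 0x000f),
		ANCount: binary.BigEndian.Uint16(resp[6:]),
	}, nil
}

// RcodeName maps the common response codes to the names drill prints.
func RcodeName(rcode uint8) string {
	switch rcode {
	case 0:
		return "NOERROR"
	case 2:
		return "SERVFAIL"
	case 3:
		return "NXDOMAIN"
	case 5:
		return "REFUSED"
	}
	return fmt.Sprintf("RCODE%d", rcode)
}

// QueryDoT performs one RFC 7858 exchange. serverName does what tls_servername
// does in the Corefile: it is sent as SNI and the certificate chain must be
// valid for that name, otherwise the handshake fails and nothing is sent.
func QueryDoT(ip, serverName string, query []byte) ([]byte, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", net.JoinHostPort(ip, "853"),
		&tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))

	framed := make([]byte, 2+len(query)) // length prefix + message
	binary.BigEndian.PutUint16(framed, uint16(len(query)))
	copy(framed[2:], query)
	if _, err := conn.Write(framed); err != nil {
		return nil, err
	}
	var lenBuf [2]byte
	if _, err := io.ReadFull(conn, lenBuf[:]); err != nil {
		return nil, err
	}
	resp := make([]byte, binary.BigEndian.Uint16(lenBuf[:]))
	if _, err := io.ReadFull(conn, resp); err != nil {
		return nil, err
	}
	return resp, nil
}

func main() {
	// Same upstream and server name as the Corefile above.
	query := BuildQuery(0x1234, "archlinux.org", 1)
	resp, err := QueryDoT("185.71.138.138", "wikimedia-dns.org", query)
	if err != nil {
		fmt.Println("DoT query failed:", err)
		return
	}
	h, err := ParseHeader(resp)
	if err != nil || h.ID != 0x1234 {
		fmt.Println("bad response:", err)
		return
	}
	fmt.Printf("rcode=%s answers=%d\n", RcodeName(h.Rcode), h.ANCount)
}
```

Changing the server name passed to QueryDoT to one the upstream's certificate does not cover makes the handshake fail with an x509 error instead of returning an answer; that refusal is the protection tls_servername provides, and it is why the name must match the upstream you actually chose rather than being copied from an example.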

Configure 127.0.0.1 and ::1 as your nameserver; see Domain name resolution. Restart coredns.service after that.

Check journalctl -u coredns as root to verify that the service started without errors. The resolver now listens on port 53.

If the resolver should be accessible from other hosts, add the relevant network interfaces or IP addresses to bind in /etc/coredns/Corefile. The acl plugin can then restrict which source ranges may use the server for recursion, refusing queries from everything else. Refer to the CoreDNS plugin documentation for more information.

Warning: Unless you specifically want to run an open DNS resolver, do not configure the resolver to listen on a public (internet-facing) IP address.

If the resolver should respect entries from the /etc/hosts file, add a hosts line to /etc/coredns/Corefile. See coredns-hosts(7).

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.