Personal DNS Docker Solution
Purpose
In order to learn Docker further (essentially for the first time), I wanted to create a multi-tier solution for "optimizing" my home DNS.
Initially I am thinking
Router -> NXFilter -> PiHole -> OpenDNS
Since I am not interested in tracking which device queries which domain, I prefer to use my Ubiquiti EdgeRouter as the preferred DNS server for my home network. This makes it easy to swap upstream servers without having to monkey with DHCP.
Process
I am going to play with the packetworks version of the NxFilter Docker image first. If it doesn't work for me I will build my own. I would like to mount the existing database and logs into the container to keep setup as minimal as possible. After all, Docker images are made to be disposable.
docker pull docker.io/packetworks/nxfilter-base
docker run -itd docker.io/packetworks/nxfilter-base
docker exec -it c675111bd776 bash
[Docker whale and "Jahastech" ASCII-art banner]
Alpine Linux 3.1 image. (Linux 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017) - with Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
root@~ > cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.1.4
PRETTY_NAME="Alpine Linux v3.1"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"
root@~ > head /nxfilter/readme.txt
*****************************************************************
NxFilter v4.3.2.7
Author : Jinhee Lee
Homepage : http://www.nxfilter.org
Contact : support@nxfilter.org
*****************************************************************
NxFilter is a property of Jahastech.
Map Storage and ports
[1] So far so good. It was nice to see the latest version listed, as my current instance was 4.2.3. Now I needed to shut down everything and re-run the container, mounting the following
- /nxfilter/backup
- /nxfilter/db
- /nxfilter/log
to my primary storage backend.
docker run -itd --name nxfilter1 \
  -v /raid5/services/nxfilter/backup:/nxfilter/backup \
  -v /raid5/services/nxfilter/db:/nxfilter/db \
  -v /raid5/services/nxfilter/log:/nxfilter/log \
  -p 192.168.11.120:53:53/udp \
  -p 192.168.11.120:80:80 \
  -p 192.168.11.120:443:443 \
  --restart unless-stopped a23f0f927739
At the same time I mapped the relevant ports. For now I am passing the ports through from the host IP, since that was what I did previously. Eventually I want to set this up to bridge to my LAN so I can free up the ports for other things.
PiHole
Now the fun part. I want PiHole to be the upstream for NxFilter; it seems to have better ad-blocking capabilities.
docker pull docker.io/pihole/pihole
docker run -d --name pihole --link nxfilter1:nxfilter1 \
  -e ServerIP=192.168.11.200 \
  --restart unless-stopped docker.io/pihole/pihole
At this point I needed the IP for pihole so nxfilter could talk to it.
[root@nas ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "df9b6f05e9235b5ebad28d0b65450ebe004fa8c9d63842fb839708dd2c41f393",
        "Created": "2018-11-01T15:18:52.428399954-04:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
        ...
        "Containers": {
            "5e542bce4e209d40862ef7b1254efc69eba6da5b52fb327b07fa933b22879b40": {
                "Name": "nxfilter1",
                "EndpointID": "2553aab75a787bb1182b0ffcabe2cb4e1f9db002a9ef72922e4a0e21739c639f",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "ea1649c074c1911f14ff765c9e9fec754a3c561781908a5ad5ea27c8fcfdf37f": {
                "Name": "pihole",
                "EndpointID": "c7ea37ea17a17714b61cb75254775af8805e00b789f2439db832f9d380ad5f9f",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        ...
This allowed me to update my NxFilter DNS config with the new upstream IP address, 172.17.0.3. This worked.
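The two `docker run` commands and the `docker network inspect` lookup above, reworked as an added example (my code, not the post's and not NxFilter's or Pi-hole's). The upstream address 172.17.0.3 was handed out by the default bridge and can change when the containers come back up in a different order, so this version puts both containers on a user-defined network with fixed addresses (on a user-defined network NxFilter could also reach the resolver by the name `pihole` through Docker's embedded DNS), publishes port 53 over TCP as well as UDP, keeps the admin UI bound to the LAN address only, and extracts a container's address from `docker network inspect` output without jq. The network name, subnet, container addresses, the DNS1/DNS2 environment variables and the use of the image name in place of the image ID are assumptions; the sample inspect output is constructed. The base image also reports Alpine 3.1 and Java 7u80, both long out of support, which is worth fixing before putting it in front of a LAN.

```shell
#!/bin/sh
# Added example, not code from the original post or from the NxFilter/Pi-hole
# projects. Puts both containers on a user-defined Docker network with fixed
# addresses so NxFilter's upstream IP does not depend on start order, and
# extracts a container's address from `docker network inspect` output.
# Network name, subnet, container addresses and env var names are assumptions.
set -eu

NET_NAME=dnsnet
NET_SUBNET=172.28.0.0/24
NXFILTER_IP=172.28.0.2
PIHOLE_IP=172.28.0.3
LAN_IP=192.168.11.120            # host address the LAN queries (from the post)
DATA=/raid5/services/nxfilter    # host storage path (from the post)

create_network() {
    # Idempotent: only create the network when it does not exist yet.
    docker network inspect "$NET_NAME" >/dev/null 2>&1 ||
        docker network create --subnet "$NET_SUBNET" "$NET_NAME"
}

run_pihole() {
    # No -p: Pi-hole is reachable only from the Docker network, so NxFilter is
    # its sole client and nothing on the LAN can query it directly.
    # DNS1/DNS2 are assumed to be the image's upstream env vars (newer images
    # use PIHOLE_DNS_); add -e ServerIP=... if your image version requires it.
    docker run -d --name pihole --restart unless-stopped \
        --network "$NET_NAME" --ip "$PIHOLE_IP" \
        -e DNS1=176.103.130.130 -e DNS2=176.103.130.131 \
        docker.io/pihole/pihole
}

run_nxfilter() {
    # Publish 53 on UDP and TCP (the post published UDP only; answers that do
    # not fit in UDP are retried over TCP). The admin UI on 80/443 is bound to
    # the LAN address only, never to 0.0.0.0.
    docker run -itd --name nxfilter1 --restart unless-stopped \
        --network "$NET_NAME" --ip "$NXFILTER_IP" \
        -v "$DATA/backup:/nxfilter/backup" \
        -v "$DATA/db:/nxfilter/db" \
        -v "$DATA/log:/nxfilter/log" \
        -p "$LAN_IP:53:53/udp" -p "$LAN_IP:53:53/tcp" \
        -p "$LAN_IP:80:80" -p "$LAN_IP:443:443" \
        docker.io/packetworks/nxfilter-base
}

# Print the IPv4 address of container $1 from `docker network inspect` JSON
# read on stdin, e.g.: docker network inspect bridge | container_ip pihole
# Matches the "Name" line, then takes the next "IPv4Address" line and strips
# quotes, comma and prefix length. Prints nothing if the name is not found.
container_ip() {
    awk -v name="$1" '
        $1 == "\"Name\":" && $2 == "\"" name "\"," { found = 1 }
        found && $1 == "\"IPv4Address\":" {
            gsub(/[",]/, "", $2); sub(/\/.*/, "", $2); print $2; exit
        }'
}

# Constructed sample in the shape of the inspect output shown above, so
# container_ip can be tried without a Docker daemon.
SAMPLE_INSPECT='{
    "Name": "bridge",
    "Containers": {
        "5e54": {
            "Name": "nxfilter1",
            "IPv4Address": "172.17.0.2/16"
        },
        "ea16": {
            "Name": "pihole",
            "IPv4Address": "172.17.0.3/16"
        }
    }
}'

# Look up a container name in the constructed sample.
sample_ip() {
    printf '%s\n' "$SAMPLE_INSPECT" | container_ip "$1"
}

# Only touch the Docker daemon when explicitly asked: RUN_DNS_SETUP=1 ./dns.sh
if [ "${RUN_DNS_SETUP:-0}" = "1" ]; then
    create_network
    run_pihole
    run_nxfilter
    echo "NxFilter upstream (Pi-hole): $(docker network inspect "$NET_NAME" | container_ip pihole)"
fi
```

With fixed addresses the NxFilter upstream setting can be entered once as 172.28.0.3 and survives container recreation; the `container_ip` helper is still useful for checking what the daemon actually assigned.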
Just for fun, AdGuard
Next I wanted to play around with AdGuard[2] DNS blocking. I am skeptical about these people, but there is no harm done using them at home. I updated PiHole to use them as upstream DNS.
docker exec pihole sed -i 's/PIHOLE_DNS_1=8\.8\.8\.8/PIHOLE_DNS_1=176\.103\.130\.130/; s/PIHOLE_DNS_2=8\.8\.4\.4/PIHOLE_DNS_2=176\.103\.130\.131/' /etc/pihole/setupVars.conf
docker restart pihole
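The same upstream change as an added example (my code, not the post's and not Pi-hole's). The sed above only matches lines that still read 8.8.8.8 and 8.8.4.4, so on a container whose upstreams were already changed it rewrites nothing and reports no error. This version replaces the two settings by key whatever their current value, reads them back so the change can be checked, and for a running container copies the file out and back with `docker cp` and then shows the `server=` lines dnsmasq was generated with. The setupVars.conf and 01-pihole.conf paths are those of Pi-hole as it was at the time and are assumptions here; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Pi-hole project.
# Sets Pi-hole's upstream resolvers in setupVars.conf by key rather than by
# their current value. Container file paths are assumptions.
set -eu

# Rewrite (or add) PIHOLE_DNS_1 and PIHOLE_DNS_2 in file $1 to $2 and $3,
# leaving every other setting untouched.
set_upstreams() {
    file=$1; dns1=$2; dns2=$3
    tmp=$(mktemp)
    # grep -v exits 1 when no lines remain, which is not an error here.
    grep -v '^PIHOLE_DNS_[12]=' "$file" > "$tmp" || true
    printf 'PIHOLE_DNS_1=%s\nPIHOLE_DNS_2=%s\n' "$dns1" "$dns2" >> "$tmp"
    cat "$tmp" > "$file"     # overwrite in place, keeping the file's mode
    rm -f "$tmp"
}

# Print the configured upstreams as "DNS_1 DNS_2" so a change can be checked.
get_upstreams() {
    sed -n 's/^PIHOLE_DNS_1=//p; s/^PIHOLE_DNS_2=//p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Apply the rewrite to a running container, restart it, and show what dnsmasq
# actually ended up with (Pi-hole writes its upstreams as server= lines).
apply_to_container() {
    container=$1; dns1=$2; dns2=$3
    tmp=$(mktemp)
    docker cp "$container:/etc/pihole/setupVars.conf" "$tmp"
    set_upstreams "$tmp" "$dns1" "$dns2"
    docker cp "$tmp" "$container:/etc/pihole/setupVars.conf"
    rm -f "$tmp"
    docker restart "$container"
    docker exec "$container" grep '^server=' /etc/dnsmasq.d/01-pihole.conf
}

# Constructed sample of a setupVars.conf as the post's sed expects to find it.
SAMPLE_CONF='PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=172.17.0.3/16
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
QUERY_LOGGING=true'

# Run set_upstreams on a temp copy of the sample and print the result.
demo_change() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    set_upstreams "$f" "$1" "$2"
    get_upstreams "$f"
    rm -f "$f"
}

# Usage against the real container: apply_to_container pihole 176.103.130.130 176.103.130.131
```

After the restart, a query through the front of the chain (`dig @192.168.11.120 example.com`) confirms resolution still works end to end; the `server=` lines confirm which upstreams Pi-hole actually forwards to.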
So now I have
- NxFilter ad blocking -> PiHole -> AdGuard