Personal DNS Docker Solution

From Michael's Information Zone
Revision as of 16:46, 2 February 2019 by Michael.mast (talk | contribs) (→‎Map Storage and ports)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Purpose

In order to further learn Docker (for the first time essentially) wanted to create a multi-tier solution to "optimizing" my home DNS solution.

Initially I am thinking

Router -> NXFilter -> PiHole -> OpenDNS

Since I am not interested in tracking what device queries which domain, I prefer to use my Ubiquiti Edgrouter as the prefered DNS server for my home network. This makes it easy to swap upstream servers without having to monkey with DHCP.

Process

Going to play with the packetworks version of nxfilter docker image first. If it doesn't work for me I will build my own. I would like to mount the existing database and logs into the container to keep setup as minimal as possible. After all, docker images are made to be disposable.

docker pull docker.io/packetworks/nxfilter-base
docker run -itd docker.io/packetworks/nxfilter-base
docker exec -it c675111bd776 bash
                                        ##        .
                                  ## ## ##       ==
                               ## ## ## ##      ===
                           /""""""""""""""""\___/ ===
                      ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
                           \______ o          __/
                             \    \        __/
                              \____\______/
   ___          _                         ____             __
  <  /_________(_)__  ____  ________     / __ \____  _____/ /_____  _____
  / / ___/ ___/ / _ \/ __ \/ ___/ _ \   / / / / __ \/ ___/ //_/ _ \/ ___/
 / (__  ) /__/ /  __/ / / / /__/  __/  / /_/ / /_/ / /__/ ,< /  __/ /
/_/____/\___/_/\___/_/ /_/\___/\___/  /_____/\____/\___/_/|_|\___/_/
Alpine Linux 3.1 image. (Linux 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017)
- with Java(TM) SE Runtime Environment (build 1.7.0_80-b15)

oot@~ > cat /etc/os-release 
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.1.4
PRETTY_NAME="Alpine Linux v3.1"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"

root@~ > head /nxfilter/readme.txt 
*****************************************************************
NxFilter v4.3.2.7
  Author : Jinhee Lee
  Homepage : http://www.nxfilter.org
  Contact : support@nxfilter.org
*****************************************************************

NxFilter is a property of Jahastech.

Map Storage and ports

[1]So far so good. It was nice to see the latest version listed as my current instance was 4.2.3. Now I needed to shutdown everything, and re-run the container mounting the following

  • /nxfilter/backup
  • /nxfilter/db
  • /nxfilter/log

to my primary storage backend.

docker run -itd --name nxfilter1 \
-v /raid5/services/nxfilter/backup:/nxfilter/backup \
-v /raid5/services/nxfilter/db:/nxfilter/db \
-v /raid5/services/nxfilter/log:/nxfilter/log \
-p 192.168.11.120:53:53/udp \
-p 192.168.11.120:80:80 \
-p 192.168.11.120:443:443 \
--restart unless-stopped docker.io/packetworks/nxfilter-base

At the same time I mapped relevant ports. For now I am passing through the ports from the host IP since that was what I did previously. Eventually I want to set this up to bridge to my LAN so I free up the ports for other things.

PiHole

Now the fun part. I want pihole to be the upstream to NXFilter, it seems to have better adblocking capabilities.

docker pull docker.io/pihole/pihole
docker run -d --name pihole --link nxfilter1:nxfilter1 -e ServerIP=192.168.11.200 --restart unless-stopped docker.io/pihole/pihole

At this point I needed the IP for pihole so nxfilter could talk to it.

[root@nas ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "df9b6f05e9235b5ebad28d0b65450ebe004fa8c9d63842fb839708dd2c41f393",
        "Created": "2018-11-01T15:18:52.428399954-04:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
...
        "Containers": {
            "5e542bce4e209d40862ef7b1254efc69eba6da5b52fb327b07fa933b22879b40": {
                "Name": "nxfilter1",
                "EndpointID": "2553aab75a787bb1182b0ffcabe2cb4e1f9db002a9ef72922e4a0e21739c639f",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "ea1649c074c1911f14ff765c9e9fec754a3c561781908a5ad5ea27c8fcfdf37f": {
                "Name": "pihole",
                "EndpointID": "c7ea37ea17a17714b61cb75254775af8805e00b789f2439db832f9d380ad5f9f",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
...

Which allowed me to update my nxfilter dns config with the new upstream IP address of 172.17.0.3. This worked.

Just for fun, AdGuard

Next I wanted to play around with AdGuard[2] DNS blocking. I am skeptical about these people, but no harm done using them at home. Updated pihole to use them as upstream DNS.

docker exec pihole sed -i 's/PIHOLE_DNS_1=8\.8\.8\.8/PIHOLE_DNS_1=176\.103\.130\.130/; s/PIHOLE_DNS_2=8\.8\.4\.4/PIHOLE_DNS_2=176\.103\.130\.131/' /etc/pihole/setupVars.conf
docker restart pihole

So now I have

  • NXFilter Ad blocking -> PiHole -> Adguard
  • https://docs.docker.com/storage/bind-mounts/#start-a-container-with-a-bind-mount
  • https://adguard.com/en/adguard-dns/overview.html