Archives
/
dnscrypt-server-docker
mirror of https://github.com/dnscrypt/dnscrypt-server-docker
2
0
Fork 0
Code Issues Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13 Commits
3 Branches
1 Tag
32 MiB
Shell 82.2%
Dockerfile 17.8%
 
 
master
lucenera-patch-1
new-server
v1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fa9f6254af'
${ noResults }
Go to file
Frank Denis fa9f6254af Have Unbound refuse queries for the provider name 
since certificates are served by dnscrypt-wrapper.
 		9 years ago
Dockerfile ADD -> COPY 9 years ago
LICENSE Initial commit 9 years ago
README.md Regular 9 years ago
dnscrypt-wrapper.sh Certificates are now only valid for 24 hours. 9 years ago
entrypoint.sh Initial import 9 years ago
key-rotation.sh Initial import 9 years ago
unbound-check.sh Initial import 9 years ago
unbound.sh Have Unbound refuse queries for the provider name 9 years ago
watchdog.sh Increase the grace period 9 years ago

README.md

DNSCrypt server Docker image

Run your own caching, non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver virtually anywhere!

If you are already familiar with Docker, it shouldn't take more than 5 minutes to get your resolver up and running.

Installation

Download the Docker image source:

$ git clone https://github.com/jedisct1/dnscrypt-server-docker.git

Build the image:

$ docker build -t dnscrypt-server-image .

Think about a name. This is going to be part of your DNSCrypt provider name. If you are planning to make your resolver publicly accessible, this name will be public. It has to look like a domain name (example.com), but it doesn't have to be a registered domain.

Let's pick example.com here.

Create and initialize the container, once and for all:

$ docker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp \
    dnscrypt-server-image init -N example.com

This will only accept connections via DNSCrypt. Containers on the same virtual network can directly access the DNS cache on the standard DNS port (53), but to create a regular, non-authenticated public DNS resolver, this extra port has to be explicitly exposed (-p 53:53/udp -p 53:53/tcp).

Now, to start the whole stack:

$ docker start dnscrypt-server

Done.

To check that your DNSCrypt-enabled DNS resolver is accessible, run the DNSCrypt client proxy on another host:

# dnscrypt-proxy \
    --provider-key=<provider key, as displayed when the container was initialized> \
    --resolver-address=<your resolver's public IP address> \
    --provider-name=2.dnscrypt-cert.example.com

And try using 127.0.0.1 as a DNS resolver.

Note that the actual provider name for DNSCrypt is 2.dnscrypt-cert.example.com, not just example.com as initially entered. The full name has to start with 2.dnscrypt-cert. for the client and the server to use the same version of the protocol.

Let the world know about your server

Is your brand new DNS resolver publicly accessible?

Fork the dnscrypt-proxy repository, edit the dnscrypt.csv file to add your resolver's informations, and submit a pull request to have it included in the list of public DNSCrypt resolvers!

Details

  • Caching resolver: Unbound, with DNSSEC, prefetching, and no logs. The number of threads and memory usage are automatically adjusted. Latest stable version, compiled from source.
  • LibreSSL - Latest stable version, compiled from source.
  • libsodium - Latest stable version, minimal build compiled from source.
  • dnscrypt-wrapper - Latest stable version, compiled from source.
  • dnscrypt-proxy - Latest stable version, compiled from source.

Keys and certificate are automatically rotated every 12 hour.

Coming up next

  • Namecoin support, by linking a distinct image with namecore and ncdns.
  • Metrics
  • Better isolation of the certificate signing process, in a dedicated container.