Tags: docker-compose, dns, cloudflare, bind9

Bind9 in a container and host with cloudflared. Why is external resolution unencrypted?


A few days ago I was doing some experiments with bind9 on docker and I encountered some anomalous behavior. While waiting for bind to update to stable 9.20 with support for DOH also on upstream servers, I have always used this guide on my DNS servers: Cloudflared Guide

I always got this result when I checked 1.1.1.1/help: DOH OK

However, if I run docker bind9 on a host running cloudflared I get this result:

DOH KO

My named.conf:

tls local-tls {
   key-file "/etc/bind/ssl/privkey.pem";
   cert-file "/etc/bind/ssl/fullchain.pem";
};

options {
        listen-on port 53 {any;};
        listen-on port 443 tls local-tls http default {any;};
        allow-query {any;};
        recursion yes;
        forwarders {
                127.0.0.1 port 5053;
        };
};

Also tried to use:

tls local-tls {
   key-file "/etc/bind/ssl/privkey.pem";
   cert-file "/etc/bind/ssl/fullchain.pem";
};

options {
        listen-on port 53 {any;};
        listen-on port 443 tls local-tls http default {any;};
        allow-query {any;};
        recursion yes;
        forwarders {
                172.17.0.1 port 5053;
        };
};

But the outcome is the same.

My docker compose file:

version: '3'

services:
  bind9:
    image: ubuntu/bind9
    container_name: bind9
    environment:
      - BIND9_USER=root
      - TZ=Europe/Rome
    ports:
      - "53:53"
      - "53:53/udp"
      - "443:443/tcp"
    volumes:
      - ./config:/etc/bind
      - ./cache:/var/cache/bind
      - ./records:/var/lib/bind
      - ./ssl:/etc/bind/ssl
      - ./zones:/etc/bind/zones
      - ./keys:/etc/bind/keys
      - ./run:/var/run
    restart: unless-stopped

Can someone point me in the right direction? Thanks :)

Enable DOH in upstream server in a dockerized BIND9 environment


Solution

  • I have found a solution.

    In this file /etc/default/cloudflared

    Add the option -address 0.0.0.0, like this:

    CLOUDFLARED_OPTS=-address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

    Then go to the named.conf file and add the docker host address as forwarder; generally it is 172.17.0.1:

        forwarders {
                172.17.0.1 port 5053;
        };
    

    Now it works!!!

    For better security you can also use the 172.17.0.1 address in the -address option. In this way the DNS proxy only accepts connections from the docker network.

    CLOUDFLARED_OPTS=-address 172.17.0.1 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
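As an added example, not part of the question or the answer above, here is a small Python check that applies the reasoning of the solution: it parses a CLOUDFLARED_OPTS value and the forwarders block of named.conf and reports whether a containerised BIND can reach the host's cloudflared at all, and whether the proxy is bound more widely than it needs to be. The function names, verdict strings and the assumed cloudflared defaults when -address/--port are absent (localhost, port 53) are mine; the sample inputs are constructed from the configs quoted in the thread.

```python
import ipaddress
import re
import shlex

def cloudflared_listen(opts: str) -> tuple[str, int]:
    """Listen address/port from a CLOUDFLARED_OPTS value.
    Assumed defaults when the flags are absent: loopback only, port 53."""
    argv = shlex.split(opts)
    addr, port = "127.0.0.1", 53
    for i, tok in enumerate(argv[:-1]):
        if tok.lstrip("-") == "address":
            addr = argv[i + 1]
        elif tok.lstrip("-") == "port":
            port = int(argv[i + 1])
    return addr, port

def bind_forwarders(named_conf: str) -> list[tuple[str, int]]:
    """(address, port) pairs from the forwarders { ... } block of named.conf."""
    block = re.search(r"forwarders\s*\{([^}]*)\}", named_conf)
    result = []
    for entry in (block.group(1) if block else "").split(";"):
        parts = entry.split()
        if parts:
            port = int(parts[2]) if len(parts) >= 3 and parts[1] == "port" else 53
            result.append((parts[0], port))
    return result

def check_forwarding(opts: str, named_conf: str) -> dict[str, str]:
    """Classify each forwarder as seen from a BIND container whose upstream
    proxy (cloudflared) runs on the Docker host."""
    laddr, lport = cloudflared_listen(opts)
    verdicts = {}
    for faddr, fport in bind_forwarders(named_conf):
        key = f"{faddr}:{fport}"
        if ipaddress.ip_address(faddr).is_loopback:
            verdicts[key] = "loopback-is-the-container"   # 127.0.0.1 never reaches the host
        elif fport != lport:
            verdicts[key] = "port-mismatch"
        elif laddr == "0.0.0.0":
            verdicts[key] = "reachable-but-exposed-on-all-interfaces"
        elif laddr == faddr:
            verdicts[key] = "reachable-bridge-only"       # the answer's hardened variant
        else:
            verdicts[key] = "cloudflared-not-listening-on-bridge"
    return verdicts

# Constructed samples based on the thread: the asker's loopback forwarder and the answer's fix.
NAMED_LOOPBACK = "options { forwarders { 127.0.0.1 port 5053; }; };"
NAMED_BRIDGE = "options { forwarders { 172.17.0.1 port 5053; }; };"
OPTS_DEFAULT = "--port 5053 --upstream https://1.1.1.1/dns-query"
OPTS_HARDENED = "-address 172.17.0.1 --port 5053 --upstream https://1.1.1.1/dns-query"
```

Running check_forwarding over the three combinations (default options with either forwarder, hardened options with the bridge forwarder) reproduces the progression in the thread: unreachable, unreachable, reachable on the bridge only.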