CoreDNS

From ArchWiki
Jump to navigation Jump to search

CoreDNS is a DNS server/forwarder, written in Go, that chains plugins. Each plugin performs a (DNS) function.

CoreDNS is a fast and flexible DNS server. The key word here is flexible: with CoreDNS you are able to do what you want with your DNS data by utilizing plugins. If some functionality is not provided out of the box you can add it by writing a plugin.

CoreDNS can listen for DNS requests coming in over UDP/TCP (go'old DNS), TLS (RFC 7858), also called DoT, DNS over HTTP/2 - DoH - (RFC 8484)

Installation

Install the corednsAUR, or coredns-binAUR, or coredns-gitAUR package.

Configuration

Currently only coredns-gitAUR provides an example configuration file. You can find that here: Example CoreDNS configuration file

systemd will look in /etc/coredns/Corefile, save the above configuration file in that location.

Start/enable coredns.service.

systemctl --now enable coredns.service

With the example configuration CoreDNS will start on port 1053. You can use the drill command to verify to use CoreDNS is working: drill www.archlinux.org @127.0.0.1 -p 1053

NextDNS as upstream resolver

If you would like to encrypt your recursive requests, edit the Corefile and remove lines 6 through 12 in the example configuration. forward . tls://45.90.28.0 tls://45.90.30.0 { tls_servername dns.nextdns.io }

You can use any dns53 or DoT resolver in the forward. as the local resolver, edit /etc/coredns/Corefile and change .:1053 to .:53 you can then configure 127.0.0.1 as your nameserver (see see Domain name resolution). systemctl restart coredns.service

Using journalctl -u coredns to verify things are working by default, the resolver will now listen on port 53. If the resolver should be accessible from other hosts, configure other network interfaces in /etc/coredns/Corefile with bind. Also the acl plugin can be used to block ranges that should be use the server for recursion. Refer to CoreDNS plugin documentation for more information.

Note: Unless you specifically want to run an open DNS resolver, do not configure the resolver to listen on a public (internet-facing) IP address.

If the resolver should respect entries from the /etc/hosts file, add a hosts line to /etc/coredns/Corefile.

Example Configuration

This is a configuration with useful plugins:

/etc/coredns/Corefile
.:53 {
       bind 127.0.53.1 192.168.1.254 192.0.0.1 
       bufsize 1232 
       acl { 
               allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24
               block
       }
       hosts { 
               reload 0
               fallthrough
       }
       loadbalance
       forward . tls://45.90.28.0 tls://45.90.30.0 {
               tls_servername dns.nextdns.io
       }
       cache {
               success 4096
               denial  1024
               prefetch 512
       }
       prometheus :9153
       errors
       log
}

See also