Welcome one and all. I’ve searched high and low for a simple howto guide for CoreDNS, and I’ve come up short. So, here we are!
At home, I’ve long used bind9 for my DNS server. It’s hard to use and clunky, but it works, right? I never bothered to look for something better – until I tried to get DNS-over-TLS as an upstream forwarder working. In the end, which didn’t take a while to arrive at, I decided to trial out CoreDNS to see what the fuss is about. Most of the literature you’ll read is k8s-based, and built for massive scale. That’s great, but sometimes you just want to get started.
This blog shows how to install on a Debian 10 server. The steps should be similar for other Linux distros.
First, install the dependencies:
apt-get -y install build-essential debhelper dh-systemd jq
Next, clone the CoreDNS deployment repository:
git clone https://github.com/coredns/deployment
Next, build your deb package. Note: you’ll need to be within the /deployment/ folder (i.e. run the commands once you’ve ‘cd deployment/’):
dpkg-buildpackage -us -uc -b
This will build you an installable Debian package in the parent directory:
cd ..
dpkg -i coredns_1.6.9-0~100_amd64.deb
Once installed, you’ll have a systemd job for starting, stopping, etc., a binary at /usr/bin/coredns and, most importantly, a config file at /etc/coredns/Corefile.
In this file, I’ve put a few very simple items which give me DNS-over-TLS to Cloudflare, and also a list of my VMs and their IPs (this can and should be split off into sub-config files, I was just messing around in the initial stages):
root@server:/# cat /etc/coredns/Corefile
# Default Corefile, see https://coredns.io for more information.

# Answer every below the root, with the whoami plugin. Log all queries
# and errors on standard output.
#. {
#    whoami  # coredns.io/plugins/whoami
#    log     # coredns.io/plugins/log
#    errors  # coredns.io/plugins/errors
#}
. {
    forward . tls://1.1.1.1 tls://1.0.0.1 {
        tls_servername tls.cloudflare-dns.com
        health_check 5s
    }
    cache {
        success 5000
        denial 2500
    }
}

mydomain.hosts mydomain.uk.local {
    hosts {
        192.168.0.1 VM1.mydomain.uk.local
        192.168.0.2 VM2.mydomain.uk.local
        fallthrough
    }
    whoami
}
root@server:/#
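A pre-start check for the forward block above, as an added example that is not part of the original post or of CoreDNS: it reads a Corefile on stdin and reports any forward upstream that is not tls://, or a tls:// upstream with no tls_servername. The function names, the policy and both sample Corefiles are assumptions made for the example.

```shell
# Added example (not from the original post): lint a Corefile read on stdin.
# Assumed policy: every forward upstream is tls://, and a forward block
# with tls:// upstreams sets tls_servername, as the Corefile above does.
check_forward_tls() {
    awk '
    { sub(/#.*/, "") }                         # drop comments, re-split fields
    $1 == "forward" {
        in_fwd = ($NF == "{"); has_tls = 0; has_name = 0; start = NR
        n = in_fwd ? NF - 1 : NF               # ignore the opening brace
        for (i = 3; i <= n; i++) {             # $2 is FROM, $3.. are upstreams
            if ($i ~ /^tls:\/\//) has_tls = 1
            else { printf "line %d: plaintext upstream %s\n", NR, $i; bad = 1 }
        }
        if (!in_fwd && has_tls) { printf "line %d: tls:// upstream without tls_servername\n", NR; bad = 1 }
        next
    }
    in_fwd && $1 == "tls_servername" { has_name = 1 }
    in_fwd && $1 == "}" {
        if (has_tls && !has_name) { printf "line %d: tls:// upstream without tls_servername\n", start; bad = 1 }
        in_fwd = 0
    }
    END { exit bad + 0 }                       # 0 = clean, 1 = findings printed
    '
}

# Constructed sample, same shape as the forward block in the post.
good_corefile() { cat <<'EOF'
. {
    forward . tls://1.1.1.1 tls://1.0.0.1 {
        tls_servername tls.cloudflare-dns.com
    }
}
EOF
}

# Constructed sample with three findings; 192.0.2.53 is a documentation address.
bad_corefile() { cat <<'EOF'
. {
    forward . tls://1.1.1.1 192.0.2.53 {
        health_check 5s
    }
}
example.lan {
    forward . /etc/resolv.conf
}
EOF
}

bad_corefile | check_forward_tls || echo "fix the findings above before restarting coredns"
```

Against the installed config it is run as check_forward_tls < /etc/coredns/Corefile; an exit status of 0 with no output means every forward upstream is tls:// with a server name set.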
Finally, kick the service and away you go:
root@server:/# service coredns start
You can test the service out by using dig:
root@server:/# dig @192.168.0.1 google.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @192.168.0.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27106
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		73	IN	A	172.217.169.46

;; Query time: 10 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Apr 21 21:07:43 BST 2020
;; MSG SIZE rcvd: 468

root@server:/#
Any issues, hit me up via the contact form.
(Again, this is just a quick and easy get-started guide!).