DNS caching server connected to DNS over TLS (IPv4) servers with DNSSEC, DNS rebinding protection, built-in Docker healthcheck and malicious IPs + hostnames blocking

It can be connected to one of all the DNS-over-TLS providers:

• Google
• Quad9
• Quadrant
• CleanBrowsing

It also uses DNS rebinding protection and DNSSEC Validation:

You can also block additional domains of your choice, amongst other things, see the Extra section

Diagrams are shown for router and client-by-client configurations in the Connect clients to it section.

docker run -it --rm -p 53:53/udp -e VERBOSITY=3 -e VERBOSITY_DETAILS=3 qmcgaw/cloudflare-dns-server

More environment variables are described in the environment variables section.

You can check the verbose output with:

docker logs -f cloudflare-dns-tls

See the Connect clients to it section to finish testing, and you can refer to the Verify DNS connection section if you want.

docker run -d -p 53:53/udp qmcgaw/cloudflare-dns-server

or use docker-compose.yml with:

docker-compose up -d

More environment variables are described in the environment variables section.

Block the UDP 53 outgoing port on your router firewall so that all DNS traffic must go through this container.

All machines connected to your router will use the 1.1.1.1 encrypted DNS by default

Configure your router to use the LAN IP address of your Docker host as its primary DNS address.

• Access your router page, usually at http://192.168.1.1 and login with your credentials
• Change the DNS settings, which are usually located in Connection settings / Advanced / DNS server
• If a secondary fallback DNS address is required, use a dull ip address such as the router's IP 192.168.1.1 to force traffic to only go through this container

You have to configure each machine connected to your router to use the Docker host as their DNS server.

Connect other Docker containers by specifying the DNS to be the host IP address 127.0.0.1:

docker run -it --rm --dns=127.0.0.1 alpine

For docker-compose.yml:

version: '3'
services:
  test:
    image: alpine:3.9
    network_mode: bridge
    dns:
      - 127.0.0.1

If the containers are in the same virtual network, you can simply set the dns to the LAN IP address of the DNS container (i.e. 10.0.0.5)

1. Open the control panel and follow the instructions shown on the screenshots below.

Enter the IP Address of your Docker host as the Preferred DNS server (192.168.1.210 in my case) You can set the Cloudflare DNS server address 1.1.1.1 as an alternate DNS server although you might want to leave this blank so that no domain name request is in plaintext.

When closing, Windows should try to identify any potential problems. If everything is fine, you should see the following message:

Follow the instructions at https://support.apple.com/kb/PH25577

You probably know how to do that. Otherwise you can usually modify the first line of /etc/resolv.conf by changing the IP address of your DNS server.

See this

See this

1. Create a file on your host include.conf

2. Write the following to the file to block youtube.com for example:

   local-zone: "youtube.com" static

3. Change the ownership and permissions of include.conf:

   chown 1000:1000 include.conf
   chmod 400 include.conf

4. Launch the Docker container with:

   docker run -it --rm -p 53:53/udp -v $(pwd)/include.conf:/etc/unbound/include.conf  qmcgaw/cloudflare-dns-server

docker build -t qmcgaw/cloudflare-dns-server https://github.com/qdm12/cloudflare-dns-server.git

This container requires the following connections:

• UDP 53 Inbound (only if used externally)
• TCP 853 Outbound to 1.1.1.1 and 1.0.0.1

1. Verify that you use Cloudflare DNS servers: https://www.dnsleaktest.com with the Standard or Extended test
2. Verify that DNS SEC is enabled: https://en.internet.nl/connection

Note that https://1.1.1.1/help does not work as the container is not a client to Cloudflare servers but a forwarder intermediary. Hence https://1.1.1.1/help does not detect a direct connection to them.

• Build Unbound binary at image build stage