Docker stubby, run on start systemd; Raspbian

Hi,

Let's get the first question out of the way: why run stubby in a container? I was hoping I wouldn't have to compile from source (https://github.com/getdnsapi/getdns), but stubby isn't in the stable Debian or Raspbian repositories. Although buster works fine with Debian (x86), that is not the case with Raspbian (arm): I had issues with dhcpd and iptables, and there are probably more, but I went back to stable before investigating further. The Docker image compiles the source, but in a predefined build environment, so this is a good compromise for me.

The second question: why use systemd to start the container? I like systemd and understand it; I don't think any other reasons are required.

Setup

Install docker:

https://docs.docker.com/install/linux/docker-ce/debian/

sudo apt-get install git

git clone https://github.com/juzam/docker-getdns-stubby.git

cd ~/docker-getdns-stubby

The Dockerfile pulls the development branch (which on 29/11/18 wouldn't compile; fixed by the developer on 30/11/18), so we only need to change the exposed port:

mv Dockerfile Dockerfile.bak

nano or vi Dockerfile

FROM debian:buster
MAINTAINER "Giovanni Angoli <[email protected]>"

RUN apt-get update && apt-get install -y libyaml-dev libssl-dev libtool-bin autoconf git make && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

RUN git clone https://github.com/getdnsapi/getdns.git

WORKDIR getdns

RUN git checkout develop && git submodule update --init && libtoolize -ci && autoreconf -fi && mkdir build
WORKDIR build
RUN ../configure --without-libidn --without-libidn2 --enable-stub-only --with-stubby && make && make install && ldconfig

COPY stubby.yml /usr/local/etc/stubby/stubby.yml

EXPOSE 53

CMD [ "/usr/local/bin/stubby" ]

If you wish to use stubby with pihole, change EXPOSE to:

EXPOSE 5353

The stubby.yml provided in this git repository uses IPv6, so it needs updating if, like me, you use IPv4:

mv stubby.yml stubby.yml.bak

nano or vi stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256

edns_client_subnet_private: 1
idle_timeout: 10000
round_robin_upstreams: 0

listen_addresses:
  - 127.0.0.1@53
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"

If you wish to use stubby with pihole, I advise updating listen_addresses as follows:

listen_addresses:
  - 127.0.2.2@5353

sudo docker build -t getdns-stubby .

Systemd

nano or vi /lib/systemd/system/docker-stubby.service

[Unit]
Description=Stubby Container
After=docker.service

[Service]
RemainAfterExit=yes
ExecStart=/usr/bin/docker run -it -d --net=host getdns-stubby
ExecStop=/home/pi/stop-stubby.sh
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

nano or vi /home/pi/stop-stubby.sh

#!/bin/bash
/usr/bin/docker ps -q --filter ancestor=getdns-stubby | xargs -r docker stop

systemctl daemon-reload

systemctl enable docker-stubby

systemctl start docker-stubby
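An alternative unit, added here and not from the original post, that lets systemd track the container itself: running docker without -d keeps the docker client as the service's main process, so Restart=on-failure really does restart a crashed stubby (with the unit above, docker run -d exits at once and the service stays active even if the container later dies), and --rm with a fixed --name means no stopped containers pile up between restarts. The container name stubby is an assumption.

```ini
[Unit]
Description=Stubby Container
After=docker.service
Requires=docker.service

[Service]
# Remove any leftover container of the same name before starting (the leading
# '-' tells systemd to ignore a non-zero exit when there is nothing to remove)
ExecStartPre=-/usr/bin/docker rm -f stubby
# Foreground run (no -d, no -it): the docker client's exit status follows the
# container's, so systemd sees a crash; --rm deletes the container on exit
ExecStart=/usr/bin/docker run --rm --name stubby --net=host getdns-stubby
ExecStop=/usr/bin/docker stop stubby
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

With this unit the separate stop script is not needed; if you keep the original unit instead, its ExecStop script must be executable (chmod +x /home/pi/stop-stubby.sh) or the stop will fail.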

Testing

sudo apt-get install dnsutils

dig @127.0.0.1 quad9.net

expected result:

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.0.0.1 quad9.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51250
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65535
;; QUESTION SECTION:
;quad9.net. IN A

;; ANSWER SECTION:
quad9.net. 1200 IN A 216.21.3.77

;; Query time: 174 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 21 00:03:58 UTC 2018
;; MSG SIZE rcvd: 63

If the result is different, please check the above instructions.
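As an added check that is not part of the original post, a small bash function that verifies a dig answer came from the stubby listener with a successful answer and an A record; host and port are parameters so the same check works for the pihole variant (127.0.2.2, 5353). The sample dig output embedded in it is constructed from the expected result above.

```shell
#!/bin/bash
# Added example (not from the original post). Checks a dig answer for the three
# things that show stubby is doing the resolving: the status is NOERROR (a
# SERVFAIL here typically means the TLS upstream failed authentication), the
# reply came from the expected listener, and at least one A record came back.
# Reads dig output from stdin, e.g.:
#   dig @127.0.0.1 quad9.net | check_stubby_answer 127.0.0.1 53
check_stubby_answer() {
    local host="$1" port="$2" out
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$out" | grep -q "SERVER: ${host}#${port}(" || return 2
    printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+A[[:space:]]' || return 3
    return 0
}

# Constructed sample in the shape of the expected result above, for an offline run.
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51250
;; QUESTION SECTION:
;quad9.net. IN A

;; ANSWER SECTION:
quad9.net. 1200 IN A 216.21.3.77

;; SERVER: 127.0.0.1#53(127.0.0.1)'

if printf '%s\n' "$SAMPLE_GOOD" | check_stubby_answer 127.0.0.1 53; then
    echo "sample: stubby answered from 127.0.0.1#53"
else
    echo "sample: check failed with code $?"
fi
```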

Now what?

You could now use the host you have set up as a DNS resolver, but I suggest going further and using pihole:

https://pi-hole.net/

with stubby:

https://blog.sandchaschte.ch/en/pi-hole-with-dns-over-tls

Updating Stubby:

Every time docker-stubby is started (including restarts), a new container is created, so a clean-up when updating seems like a good idea; please follow the instructions below:

If using pihole, /etc/resolv.conf will look like this:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

I suggest adding another nameserver temporarily, for example quad9:

nano or vi /etc/resolv.conf

nameserver 9.9.9.9

If docker-stubby is the only Docker container on the host, then:

sudo systemctl stop docker-stubby.service
sudo docker system prune (answer y to the prompt)
sudo docker image rm getdns-stubby
cd ~/docker-getdns-stubby
sudo docker build -t getdns-stubby .
sudo systemctl start docker-stubby.service

If not:

sudo systemctl stop docker-stubby
docker ps -a
remove all containers for getdns-stubby with sudo docker rm, for example:
sudo docker rm bf3aa2dd8bb1
sudo docker image rm getdns-stubby
cd ~/docker-getdns-stubby
sudo docker build -t getdns-stubby .
sudo systemctl start docker-stubby.service

Thanks, Tom.

P.S. Please feel free to comment.

Sources:

https://github.com/juzam/docker-getdns-stubby
https://blog.sandchaschte.ch/en/pi-hole-with-dns-over-tls
https://pi-hole.net/
https://github.com/getdnsapi/getdns.git
https://docs.docker.com/install/
