chrisss404/powerdns
chrisss404
PowerDNS dnsdist, recursor, authoritative, and admin interface. Supports DNSCrypt, DoH, and DoT.
4 次收藏下载次数: 0状态:社区镜像维护者:chrisss404仓库类型:镜像最近更新:12 天前
Introduction
Get your own secure nameserver up and running within minutes, using this dockerized installation of the PowerDNS nameserver.
Source code of PowerDNS here: https://github.com/PowerDNS/pdns
Private Recursor
Simple example of an ad blocking private recursor that is listening for DNSCrypt and DNS-over-TLS (DoT) queries. Easy setup for any desktop OS using https://github.com/jedisct1/***/wiki/Installation#os-specific-instructions and Android 9 has native support for DoT.
Create private-recursor.yml like this:
version: '2.1' services: gateway: image: jwilder/nginx-proxy:alpine volumes: - "/var/run/docker.sock:/tmp/docker.sock:ro" - "/etc/nginx/vhost.d" - "/usr/share/nginx/html" - "/etc/nginx/certs" ports: - "80:80" letsencrypt: image: jrcs/letsencrypt-nginx-proxy-companion:latest volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" volumes_from: - gateway dnsdist: image: chrisss404/powerdns:latest-dnsdist environment: - VIRTUAL_HOST=dot.example.com - VIRTUAL_PORT=9999 - LETSENCRYPT_EMAIL=*** - LETSENCRYPT_HOST=dot.example.com - DNSDIST_DNSCRYPT=yes - DNSDIST_DNS_OVER_TLS=yes - DNSDIST_DNS_OVER_TLS_DOMAIN=dot.example.com volumes: - "./blacklist.txt:/etc/dnsdist/blacklist.txt:ro" volumes_from: - gateway:ro networks: - recursor ports: - "853:853/tcp" - "8443:8443/udp" - "8443:8443/tcp" recursor: image: chrisss404/powerdns:latest-recursor sysctls: - net.ipv6.route.max_size=*** networks: recursor: ipv4_address: 172.31.117.117 networks: recursor: ipam: driver: default config: - subnet: "172.31.117.0/24"
Create blacklist.txt like this:
googleadservices.com ...
Then you can do the following:
# start secure recursor (restart dnsdist after the let's encrypt certificate is created) docker-compose -f private-recursor.yml up # get DNSCrypt provider public key fingerprint docker-compose -f private-recursor.yml exec dnsdist dnsdist -e 'printDNSCryptProviderFingerprint("/var/lib/dnsdist/providerPublic.key")' # create DNS stamp using python dnsstamps library or visit [***] dnsstamp.py dnscrypt -s -a 1.2.3.4:8443 -n 2.dnscrypt-cert.example.com -k 2251:468C:FE4C:C39F:9DF3:C2BA:7C95:ED8F:94F6:06BC:7A24:0493:D168:DE9E:7682:E8AD
Connect using DNSCrypt Proxy
- Install dnscrypt proxy as described https://github.com/jedisct1/***/wiki/Installation#os-specific-instructions.
- Configure dnscrypt proxy to use previously created dnsstamp, e.g.: vim /etc//.toml
diff-server_names = ['cisco', 'cloudflare'] +server_names = ['example'] [static] + [static.'example'] + stamp = 'sdns://AQEAAAAAAAAADDEuMi4zLjQ6ODQ0MyAiUUaM_kzDn53zwrp8le2PlPYGvHokBJPRaN6edoLorRsyLmRuc2NyeXB0LWNlcnQuZXhhbXBsZS5jb20'
Connect using Android
- Go to
Settings>Network & Internet>Advanced>Private DNS>Private DNS provider hostname - Enter DoT hostname:
dot.example.com
https://raw.githubusercontent.com/chrisss404/powerdns/master/android-dot.png
Private Authoritative Server
Simple example of full powerdns stack including private authoritative nameserver and admin interface for editing DNS records.
Create private-authoritative.yml like this:
version: '2.1' services: admin: image: chrisss404/powerdns:latest-admin depends_on: - admin-db - authoritative environment: - ADMIN_PDNS_API_KEY=api-secret-authoritative - ADMIN_USER_PASSWORD=very-secret networks: - admin-db - authoritative ports: - "80:3031" admin-db: image: postgres:12.1-alpine environment: - POSTGRES_DB=pda - POSTGRES_INITDB_ARGS=--data-checksums - POSTGRES_PASSWORD=pda - POSTGRES_USER=pda networks: - admin-db authoritative: image: chrisss404/powerdns:latest-authoritative depends_on: - authoritative-db environment: - AUTHORITATIVE_API=yes - AUTHORITATIVE_API_KEY=api-secret-authoritative - AUTHORITATIVE_WEBSERVER=yes - AUTHORITATIVE_WEBSERVER_PASSWORD=web-secret-authoritative networks: authoritative: ipv4_address: 172.31.118.118 authoritative-db: ports: - "8081:8081/tcp" authoritative-db: image: postgres:12.1-alpine environment: - POSTGRES_DB=pdns - POSTGRES_INITDB_ARGS=--data-checksums - POSTGRES_PASSWORD=pdns - POSTGRES_USER=pdns networks: - authoritative-db dnsdist: image: chrisss404/powerdns:latest-dnsdist environment: - DNSDIST_API_KEY=api-secret-dnsdist - DNSDIST_PLAIN=yes - DNSDIST_QUIET=no - DNSDIST_WEBSERVER=yes - DNSDIST_WEBSERVER_PASSWORD=web-secret-dnsdist networks: - recursor ports: - "1053:53/tcp" - "1053:53/udp" - "8083:8083/tcp" recursor: image: chrisss404/powerdns:latest-recursor environment: - RECURSOR_API_KEY=api-secret-recursor - RECURSOR_DNSSEC=validate - RECURSOR_FORWARD_ZONES=sys=172.31.118.118 - RECURSOR_QUIET=no - RECURSOR_TRUST_ANCHORS=sys=54970 13 1 27efe1c1a790c3cbb43b947d6d6dfac62507097e - RECURSOR_WEBSERVER=yes - RECURSOR_WEBSERVER_PASSWORD=web-secret-recursor sysctls: - net.ipv6.route.max_size=*** networks: recursor: ipv4_address: 172.31.117.117 authoritative: ports: - "8082:8082/tcp" networks: admin-db: authoritative: ipam: driver: default config: - subnet: "172.31.118.0/24" authoritative-db: recursor: ipam: driver: default config: - subnet: "172.31.117.0/24"
Then you can do the following:
# start powerdns stack docker-compose -f private-authoritative.yml up # send DNS queries dig -p 1053 example.com # PowerDNS admin interface http://localhost:80 # PowerDNS authoritative stats http://localhost:8081 # PowerDNS recursor stats http://localhost:8082 # PowerDNS dnsdist stats http://localhost:8083
Settings
Admin
| Env-Variable | Description |
|---|---|
| ADMIN_DB_HOST | Postgres host (default: admin-db) |
| ADMIN_DB_NAME | Postgres database (default: pda) |
| ADMIN_DB_PASS | Postgres password (default: pda) |
| ADMIN_DB_PORT | Postgres port (default: 5432) |
| ADMIN_DB_USER | Postgres username (default: pda) |
| ADMIN_PDNS_API_KEY | PowerDNS API key (default: pdns) |
| ADMIN_PDNS_API_URL | PowerDNS API URL (default: [***] |
| ADMIN_PDNS_VERSION | PowerDNS version number (default: 4.2.1) |
| ADMIN_SIGNUP_ENABLED | Allow users to sign up (default: no) |
| ADMIN_USER_EMAIL | Email address of admin user (default: ***) |
| ADMIN_USER_FIRSTNAME | First name of admin user (default: Administrator) |
| ADMIN_USER_LASTNAME | Last name of admin user (default: User) |
| ADMIN_USER_PASSWORD | Password of admin user (default: admin) |
Authoritative
| Env-Variable | Description |
|---|---|
| AUTHORITATIVE_ALLOW_AXFR_IPS | Allow zonetransfers only to these subnets (default: 127.0.0.0/8,::1) |
| AUTHORITATIVE_ALLOW_NOTIFY_FROM | Allow AXFR NOTIFY from these IP ranges (default: 0.0.0.0/0,::/0) |
| AUTHORITATIVE_API | Enable/disable the REST API (default: no) |
| AUTHORITATIVE_API_KEY | Static pre-shared authentication key for access to the REST API (default: pdns) |
| AUTHORITATIVE_API_READONLY | Disallow data modification through the REST API when set (default: no) |
| AUTHORITATIVE_DB_HOST | Postgres host (default: authoritative-db) |
| AUTHORITATIVE_DB_NAME | Postgres database (default: pdns) |
| AUTHORITATIVE_DB_PASS | Postgres password (default: pdns) |
| AUTHORITATIVE_DB_PORT | Postgres port (default: 5432) |
| AUTHORITATIVE_DB_USER | Postgres username (default: pdns) |
| AUTHORITATIVE_DEFAULT_KSK_ALGORITHM | Default KSK algorithm (default: ecdsa256) |
| AUTHORITATIVE_DEFAULT_KSK_SIZE | Default KSK size (default: 0) |
| AUTHORITATIVE_DEFAULT_PUBLISH_CDNSKEY | Default value for PUBLISH-CDNSKEY (default: ) |
| AUTHORITATIVE_DEFAULT_PUBLISH_CDS | Default value for PUBLISH-CDS (default: ) |
| AUTHORITATIVE_DEFAULT_ZSK_ALGORITHM | Default ZSK algorithm (default: ) |
| AUTHORITATIVE_DEFAULT_ZSK_SIZE | Default ZSK size (default: 0) |
| AUTHORITATIVE_DIRECT_DNSKEY | Fetch DNSKEY, CDS and CDNSKEY RRs from backend during DNSKEY or CDS/CDNSKEY synthesis (default: no) |
| AUTHORITATIVE_DISABLE_AXFR | Disable zonetransfers but do allow TCP queries (default: yes) |
| AUTHORITATIVE_DNAME_PROCESSING | If we should support DNAME records (default: no) |
| AUTHORITATIVE_EXPAND_ALIAS | Expand ALIAS records (default: no) |
| AUTHORITATIVE_LOG_DNS_DETAILS | If PDNS should log DNS non-erroneous details (default: no) |
| AUTHORITATIVE_LOG_DNS_QUERIES | If PDNS should log all incoming DNS queries (default: no) |
| AUTHORITATIVE_LOGLEVEL | Amount of logging. Higher is more. Do not set below 3 (default: 4) |
| AUTHORITATIVE_MASTER | Act as a master (default: no) |
| AUTHORITATIVE_MAX_TCP_CONNECTION_DURATION | Maximum time in seconds that a TCP DNS connection is allowed to stay open (default: 0) |
| AUTHORITATIVE_MAX_TCP_CONNECTIONS | Maximum number of TCP connections (default: 20) |
| AUTHORITATIVE_QUERY_LOGGING | Hint backends that queries should be logged (default: no) |
| AUTHORITATIVE_RECEIVER_THREADS | Default number of receiver threads to start (default: 1) |
| AUTHORITATIVE_RESOLVER | Use this resolver for ALIAS and the internal stub resolver (default: no) |
| AUTHORITATIVE_RETRIEVAL_THREADS | Number of AXFR-retrieval threads for slave operation (default: 2) |
| AUTHORITATIVE_REUSEPORT | Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket (default: no) |
| AUTHORITATIVE_SLAVE | Act as a slave (default: no) |
| AUTHORITATIVE_SIGNING_THREADS | Default number of signer threads to start (default: 3) |
| AUTHORITATIVE_TCP_FAST_OPEN | Enable TCP Fast Open support on the listening sockets (default: 0) |
| AUTHORITATIVE_WEBSERVER | Start a webserver for monitoring on port 8081 (default: no) |
| AUTHORITATIVE_WEBSERVER_PASSWORD | Password required for accessing the webserver (default: pdns) |
Dnsdist
| Env-Variable | Description |
|---|---|
| DNSDIST_API_KEY | Static pre-shared authentication key for access to the REST API (default: pdns) |
| DNSDIST_DNSCRYPT | Listen for DNSCrypt queries on port 8443 (default: no) |
| DNSDIST_DNSCRYPT_PROVIDER_NAME | DNSCrypt provider name (default: 2.dnscrypt-cert.example.com) |
| DNSDIST_DNS_OVER_HTTPS | Listen for DNS-over-HTTPS queries on port 443 (default: no) |
| DNSDIST_DNS_OVER_HTTPS_DOMAIN | Domain name of DNS server. |
| DNSDIST_DNS_OVER_HTTPS_PATH | The absolute URI path. (default: /dns-query) |
| DNSDIST_DNS_OVER_TLS | Listen for DNS-over-TLS queries on port 853 (default: no) |
| DNSDIST_DNS_OVER_TLS_DOMAIN | Domain name of DNS server. |
| DNSDIST_PLAIN | Listen for plain DNS queries on port 53 (default: no) |
| DNSDIST_QUIET | Suppress logging of questions and answers (default: no) |
| DNSDIST_WEBSERVER | Start a webserver for REST API on port 8083 (default: no) |
| DNSDIST_WEBSERVER_PASSWORD | Password required for accessing the webserver (default: pdns) |
Recursor
| Env-Variable | Description |
|---|---|
| RECURSOR_ALLOW_FROM | If set, only allow these comma separated netmasks to recurse |
| RECURSOR_API_KEY | Static pre-shared authentication key for access to the REST API (default: pdns) |
| RECURSOR_API_READONLY | Disallow data modification through the REST API when set (default: yes) |
| RECURSOR_DNSSEC | DNSSEC mode: off / process-no-validate (default) / process / log-fail / validate |
| RECURSOR_FORWARD_ZONES | Zones for which we forward queries, comma separated domain=ip pairs |
| RECURSOR_FORWARD_ZONES_RECURSE | Zones for which we forward queries with recursion bit, comma separated domain=ip pairs |
| RECURSOR_LOGLEVEL | Amount of logging. Higher is more. Do not set below 3 (default: 3) |
| RECURSOR_QUIET | Suppress logging of questions and answers (default: no) |
| RECURSOR_TCP_FAST_OPEN | Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size |
| RECURSOR_THREADS | Launch this number of threads |
| RECURSOR_TRUST_ANCHORS | Trust anchors for private zones when using DNSSEC validation, comma separated domain=ds-key pairs |
| RECURSOR_WEBSERVER | Start a webserver for REST API on port 8082 (default: no) |
| RECURSOR_WEBSERVER_PASSWORD | Password required for accessing the webserver (default: pdns) |
powerdns/dnsdist-18
powerdns
PowerDNS DNSdist v1.8.x是一款功能强大的DNS负载均衡器,提供高性能DNS流量管理、负载均衡与流量控制功能,适用于DNS服务器集群的流量分配、优化及高可用性保障。
4 次收藏10万+ 次下载
1 年前更新
powerdns/pdns-recursor-48
powerdns
PowerDNS Recursor是一款高性能DNS递归解析服务器,支持DNSSEC、Lua脚本和多种后端,适用于构建可靠、可扩展的DNS解析基础设施,遵循GNU GPLv2许可。
1 次收藏10万+ 次下载
1 年前更新
powerdns/pdns-auth-49
powerdns
PowerDNS Authoritative Server是一款功能强大的开源DNS权威服务器,支持多种后端(如MySQL、PostgreSQL、Bind),采用GPLv2许可,适用于构建可靠的域名解析服务。
4 次收藏10万+ 次下载
1 个月前更新
powerdns/dnsdist-19
powerdns
PowerDNS DNSdist是一款DNS流量管理工具,提供负载均衡、流量控制及安全防护功能,用于优化DNS服务性能与可用性。
2 次收藏10万+ 次下载
16 天前更新
powerdns/pdns-recursor-52
powerdns
PowerDNS Recursor v5.2.x 是一款高性能DNS递归服务器,能够高效处理DNS递归查询,提供可靠的域名解析服务,适用于各类网络环境。
10万+ 次下载
2 个月前更新
powerdns/pdns-recursor-49
powerdns
PowerDNS是一个开源DNS解决方案,包含权威服务器、递归解析器(Recursor)和dnsdist负载均衡器,支持多种后端与模块,适用于构建高性能、可扩展的DNS服务基础设施。
5万+ 次下载
1 年前更新
轩辕镜像配置手册
探索更多轩辕镜像的使用方法,找到最适合您系统的配置方式
Docker 配置
登录仓库拉取
通过 Docker 登录认证访问私有仓库
专属域名拉取
无需登录使用专属域名
K8s Containerd
Kubernetes 集群配置 Containerd
K3s
K3s 轻量级 Kubernetes 镜像加速
Dev Containers
VS Code Dev Containers 配置
Podman
Podman 容器引擎配置
Singularity/Apptainer
HPC 科学计算容器配置
其他仓库配置
ghcr、Quay、nvcr 等镜像仓库
Harbor 镜像源配置
Harbor Proxy Repository 对接专属域名
Portainer 镜像源配置
Portainer Registries 加速拉取
Nexus 镜像源配置
Nexus3 Docker Proxy 内网缓存
系统配置
需要其他帮助?请查看我们的 常见问题Docker 镜像访问常见问题解答 或 提交工单
镜像拉取常见问题
使用与功能问题
错误码与失败问题
docker pull 提示 manifest unknown 怎么办?
manifest unknown
docker pull 提示 no matching manifest 怎么办?
no matching manifest(架构)
镜像已拉取完成,却提示 invalid tar header 或 failed to register layer 怎么办?
invalid tar header(解压)
Docker pull 时 HTTPS / TLS 证书验证失败怎么办?
TLS 证书失败
Docker pull 时 DNS 解析超时或连不上仓库怎么办?
DNS 超时
Docker 拉取出现 410 Gone 怎么办?
410 Gone 排查
出现 402 或「流量用尽」提示怎么办?
402 与流量用尽
Docker 拉取提示 UNAUTHORIZED(401)怎么办?
401 认证失败
遇到 429 Too Many Requests(请求太频繁)怎么办?
429 限流
docker login 提示 Cannot autolaunch D-Bus,还算登录成功吗?
D-Bus 凭证提示
为什么会出现「单层超过 20GB」或 413,无法加速拉取?
413 与超大单层
账号 / 计费 / 权限
用户好评
来自真实用户的反馈,见证轩辕镜像的优质服务
oldzhang
运维工程师
Linux服务器
5
"Docker访问体验非常流畅,大镜像也能快速完成下载。"