I have been using djbdns for several years now and I still love it. Tiny, secure, maybe not as beginner friendly but I don't mind that. I previously used an RPM file that I first build on Enterprise Linux 6 which cleanly build on EL7 as well, but EL8 is another issue. Now the end of life for EL7 is still two years out when writing this blog, I was still interested in a more long term solution. Enter containers. As a user of EL for servers, both professionally and privately, I switched to podman i.o. Docker, just because the daemonless nature of podman yield a more secure system and it's even possible to run the containers rootless, but in this case that comes at a price.
Rootfull vs rootless containers
Wherever I use containers I try to use them rootless, but in certain scenarios it is an issue with running a DNS. Most importantly, running a djbdns container rootlessly means that it is not possible to distinguish the source of DNS queries. That means that you cannot use a split horizon or limit AXFR access to specific IP addresses. The logging will also show a source query address in the network namespace of the container (usually 10.0.2.0/24). If neither are required, running a container with tinydns and axfrdns rootlessly is a good idea.
Another issue with a rootless container is the fact that dnscache cannot forward queries to another rootless container with tinydns on the same host since they both listen on port 53 and there is no way to distinguish between the networks.
If tinydns and axfrdns are run in a rootless container, both TCP and UDP port 53 must be published on some high host port. Via a NAT firewall rule a query to port 53 of the host can be redirected to the published port.
When using a rootfull container, the container can be defined with its own IP address within a podman network and in this case port 53 does not need to be published on a host port, port 53 on the container IP is reachable and a DNAT firewall rule can be used to send the DNS query to the container. If you use a second rootfull container with dnscache the DNS queries that should be handled by tinydns or axfrdns can be forwarded to the IP addres of the tinydns container.
Creating the container.
If I run a container, I want it small. I started with the Dockerfile that was published by Yasuo Ohgaki to install djbdns, ucspi-tcp and daemontools on Alpine Linux. For this, gcc etc had to be installed to compile the code, but I want it two changes on that: first I wanted to apply some patches and second, I wanted only the compiled result, not the source nor gcc, perl and the like. To achieve that I modified the Dockerfile to a multi stage version where first a container is used to compile the data and then a second container is created where the compiled result is copied to.
The containerfile downloads the software and some patches from the original websites, so to verify that the correct files are actually downloaded I check the SHA256 checksums of the download.
For daemontools 0.76 I applied a single
patch to replace "
extern int errno;" by "
This is needed to be able to compile the software with
gcc (this goes for ucspi-tcp and djbdns as well). After compiling and
installing, the various binaries stay in the source tree and there were symlinks
from the "
/command" directory to the compiled binaries in the source
tree and there were symlinks from
/usr/local/bin to the symlinks in the
/command directory. I deleted the symlinks from
and did a "
cp -L" from
/command directory to
On djbdns 1.05 I applied quite a few more
patches. First, I applied Fefe's (test28) patch to
enable IPv6 for tinydns. Second, I installed Peter Conrad's DNSSEC
patch for tinydns (version 1.8) which requires
Fefe's patch. I have yet to enable DNSSEC. A third patch that I applied is
Guilherme Balena Versiani's NAPTR
extension to Michael Handler's SRV patch which allows easy creation of both
resource records. Since Guilherme published a patched version of djbdns-1.05,
I re-calculated the patch and applied it to my patched source. This yielded a
few rejected hunks that were easily fixable. I also added a second parameter
to his "
rr_finish()" statements because lacking those generated
compile errors. The final patch against my Fefe + DNSSEC version is a collection
of various patches that I collected. I applied them all manually to what I had
until then and used
git diff to generate a big patch with all of them. The
patches are named in the top of this collective patch file, but for most of them
I can no longer find the original online.
The modified version of Guilherme's patch and the patch collective, along with two scripts and the containerfile are available via this Gitlab snippet.
After compiling all these I copied the content of
/usr/local/bin to the
destination image. I added two scripts to this directory: a script to start the
required djbdns daemon (
startdjb.sh) and a second one to build the djbdns
databases from within the container (
Recreating the image yourself is trivial. Clone the snippet repository and build the image from within the cloned directory like so:
git clone https://gitlab.com/snippets/2232485.git cd 2232485
and then either
docker build -f Containerfile -t yourtagname .
buildah bud -f Containerfile -t yourtagname
This should yield an 8MB container. If you want to try a ready-made image, a
saved image is available via this link.
The image can be recreated via
podman load < tarfile or
docker load < tarfile.
Using the containers
The containers expose TCP and UDP ports 53 and
be mapped to a directory on the host. If you use podman on a system with
SELinux enabled (I hope you do), make sure the directory that is mapped to the
/usr/local/etc has a writable content type (I use
DJBMODE environment variable, you can define which djbdns daemon
should run in the container. If no value is provided, the value
assumed which starts both tinydns and axfrdns. For the dnscache, walldns or
rbldns daemons, you should use the values dnscache, walldns or rbldns
To run the container rootlessly, use a command line like:
podman create --rm --name djbdns -p 5553:53/tcp -p 5553:53/udp \ -v /var/podman:/usr/local/etc -e DJBMODE=tinydns alpine-djbdns
On the first run, the
/var/podman will be populated with a
axfrdns tree. Make sure that the administrator
redirects TCP and UDP queries to the port(s) as specified.
If you run a rootfull container, you can assign an IP address to the
container. By default, podman installs a network named "
podman" with an IP
10.88.0.0/16. To find out, you can use
podman network ls
podman network inspect networkname
to see which IP space is available. To create an own network, you use something like
podman network create --subnet 172.25.1.0/24 --gateway 172.25.1.1 djbnet
Creating the container with an IP address goes something like this:
podman create --rm --ip 172.25.1.10 --network djbnet --name djbdns \ -v /var/podman:/usr/local/etc -e DJBMODE=tinydns alpine-djbdns
If you also need dnscache you can create the container similarly but with a different IP address in the same network. The exposed ports do not need to be published on a host port, port 53 is available on the container's IP address. To reach the container, the routing tables need to know how to reach the container, or the host running the container needs DNAT rules when the server is queried on the DNS port (don't forget to set the DJBMODE variable to dnscache for that to work).
It is advisable to generate systemd files with
podman generate systemd --files --new --name containername
With this systemd can be used to start, stop and monitor the containers.
With rootfull containers, it is possible to create forward files for dnscache to be
handled by tinydns or axfrdns. If, e.g., the tinydns container listens on IP
172.25.1.10 and serves DNS records for
you can create the file
172.25.1.10 as content.
After first running the tinydns container, the tinydns and axfrdns databases
are still missing. They can be created externally and copied to
respectively, or the source files
tcp can be edited
after which you run "
makeall.sh" in the running container with
podman exec -it containername /usr/local/bin/makeall.sh