- New Corefile snippet (common) shared across plain DNS / DoT / DoH so zone-loading + forward + cache stay DRY across all three transports - scripts/generate-certs.sh: openssl-only self-signed RSA cert with SANs for localhost / 127.0.0.1 / ::1 / coredns / dns.local. Idempotent — skips regeneration if the cert is still valid for more than 24h; FORCE=1 to rotate. - Key chmod is 0644 so the CoreDNS container's nonroot user can read it via the bind mount. Acceptable for local dev; production should mount real certs with proper UID/GID. - DOT_PORT=8853, DOH_PORT=8443 (avoids colliding with Caddy, which already listens on 443) - Makefile: `make certs`, `make test-tls` - All three transports verified end-to-end (dig +tls, dig +https, curl with raw RFC 8484 wire format)
services:
|
|
coredns:
|
|
image: ${COREDNS_IMAGE}
|
|
container_name: coredns
|
|
restart: unless-stopped
|
|
command: ["-conf", "/etc/coredns/Corefile"]
|
|
ports:
|
|
- "${DNS_PORT}:53/udp"
|
|
- "${DNS_PORT}:53/tcp"
|
|
- "${DOT_PORT}:853/tcp"
|
|
- "${DOH_PORT}:443/tcp"
|
|
- "${METRICS_PORT}:9153/tcp"
|
|
- "${HEALTH_PORT}:8080/tcp"
|
|
volumes:
|
|
- ./Corefile:/etc/coredns/Corefile:ro
|
|
- ./zones-prepared:/zones:ro
|
|
- ./certs:/etc/coredns/certs:ro
|
|
healthcheck:
|
|
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/health"]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 3
|
|
start_period: 10s
|
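Review bot: The metrics (9153) and health (8080) mappings under `ports:` publish on every host interface, so Prometheus metrics and the health endpoint become reachable from the LAN even though nothing in this service needs them off-host; binding them to loopback keeps the exposure to the three DNS transports: `- "127.0.0.1:${METRICS_PORT}:9153/tcp"` and `- "127.0.0.1:${HEALTH_PORT}:8080/tcp"`. The same applies to the DoT/DoH ports if this compose file is only meant for local dev, but those are at least the intended service surface. Separately, the healthcheck shells out to `wget`; if `${COREDNS_IMAGE}` resolves to the upstream CoreDNS image, which I believe ships without a shell or wget, the check will report unhealthy regardless of DNS state — worth confirming against the image actually used, or documenting the required image in a comment above `healthcheck:`.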