All my Docker containers are using the same macvlan (bridge) on the server. Before bringing my Nginx up, I'm running this small script first:
echo "- attaching our busy0 interface to the parent via bridge;"
sudo ip link add busy0 link enp0s25 type macvlan mode bridge
echo "- giving a specific IP to our busy0 interface ending in .99;"
sudo ip addr add 192.168.50.99/24 dev busy0
echo "- bringing busy0 interface up;"
sudo ifconfig busy0 up
My local DNS servers are two VMs with CentOS 7 and bind9.
Setup:
Asus router: 192.168.50.1; from here, I gave static IPs to the server host and name servers;
Server (Ubuntu 22.04), host of the container: 192.168.50.30;
ho.me (nginx:alpine), IP: 192.168.50.2;
ns1.ho.me (CentOS 7, bind9, Proxmox vm1), IP: 192.168.50.41;
ns2.ho.me (CentOS 7, bind9, Proxmox vm1), IP: 192.168.50.42.
my Nginx Alpine Dockerfile:
# Pull the official nginx image built on Alpine Linux
FROM nginx:alpine
# Refresh the package index and upgrade the installed packages
RUN apk update && \
    apk upgrade
# Copy the Nginx config and the site content
COPY default.conf /etc/nginx/conf.d/
COPY index.html /usr/share/nginx/html/
# Expose the port for access
EXPOSE 80/tcp
STOPSIGNAL SIGQUIT
# Run the Nginx server in the foreground
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
- nginx, default.conf:
server {
    listen 80;
    listen 127.0.0.1:80;
    listen 192.168.50.2:80;
    listen [::]:80;
    server_name ho.me www.ho.me;
    access_log /var/log/nginx/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    location /courses {
        alias /usr/share/nginx/html/courses/;
        autoindex on;
    }
    location /share {
        alias /usr/share/nginx/html/share/;
        autoindex on;
    }
}
- ns1, /etc/named.conf:
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.conf.options";
include "/etc/named.conf.local";
- ns1, /etc/named.conf.options:
acl trusted {
    192.168.50.0/24;
};
options {
    # IP or localhost
    listen-on port 53 { 192.168.50.41; };
    #listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { trusted; };
    allow-transfer { 192.168.50.42; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
};
- ns1, /etc/named.conf.local:
zone "ho.me" IN {
    type master;
    # The path to your domain zone file
    file "/etc/named/ho.me.zone";
    # The IP address of the future DNS slave
    allow-transfer { 192.168.50.42; };
};
zone "168.192.in-addr.arpa" IN {
    type master;
    # 192.168.50.0/24 subnet
    file "/etc/named/192.168.zone";
    # The IP address of the DNS slave
    allow-transfer { 192.168.50.42; };
};
- ns1, /etc/named/ho.me.zone:
$TTL 604800
@       IN SOA  ns1.ho.me. root.ho.me. (
                29          ; Serial
                604800      ; Refresh
                86400       ; Retry
                2419200     ; Expire
                604800 )    ; Negative Cache TTL
; name servers – NS records
@               IN NS   ns1.ho.me.
@               IN NS   ns2.ho.me.
; 192.168.50.0/24 – A records
router          IN A    192.168.50.1
www.ho.me.      IN A    192.168.50.2
@               IN A    192.168.50.2
transmission    IN A    192.168.50.3
jellyfin        IN A    192.168.50.4
;
ns1             IN A    192.168.50.41
ns2             IN A    192.168.50.42
- ns1, /etc/named/192.168.zone:
$TTL 604800
@       IN SOA  ns1.ho.me. root.ho.me. (
                28          ; Serial
                604800      ; Refresh
                86400       ; Retry
                2419200     ; Expire
                604800 )    ; Negative Cache TTL
; name servers – NS records
@               IN NS   ns1.ho.me.
@               IN NS   ns2.ho.me.
; 192.168.50.0/24 – A records
router          IN A    192.168.50.1
www             IN A    192.168.50.2
@               IN A    192.168.50.2
transmission    IN A    192.168.50.3
jellyfin        IN A    192.168.50.4
; name server resolution
ns1             IN A    192.168.50.41
ns2             IN A    192.168.50.42
;chromebook.ho.me.  IN A    192.168.50.200
; PTR records
1.50            IN PTR  router.ho.me.       ; referring to 192.168.50.1
2.50            IN PTR  ho.me.              ; 192.168.50.2
3.50            IN PTR  transmission.ho.me. ; 192.168.50.3
4.50            IN PTR  jellyfin.ho.me.     ; 192.168.50.4
41.50           IN PTR  ns1.ho.me.          ; 192.168.50.41
42.50           IN PTR  ns2.ho.me.          ; 192.168.50.42
- ns2, /etc/named.conf:
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.conf.options";
include "/etc/named.conf.local";
- ns2, /etc/named.conf.options:
acl trusted {
    192.168.50.0/24;
};
options {
    # IP or localhost
    listen-on port 53 { 192.168.50.42; };
    #listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { trusted; };
    allow-transfer { none; };
    allow-recursion { trusted; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    forwarders {
        192.168.50.41;
        8.8.4.4;
    };
};
- ns2, /etc/named.conf.local:
zone "ho.me" in {
    type slave;
    masterfile-format text;
    file "/etc/named/ho.me.zone";
    masters { 192.168.50.41; };
};
zone "168.192.in-addr.arpa" {
    type slave;
    masterfile-format text;
    file "/etc/named/192.168.zone";
    masters { 192.168.50.41; };
};
- ns2, /etc/named/ho.me.zone:
$TTL 604800
@       IN SOA  ns2.ho.me. root.ho.me. (
                28          ; Serial
                604800      ; Refresh
                86400       ; Retry
                2419200     ; Expire
                604800 )    ; Negative Cache TTL
; name servers – NS records
                IN NS   ns1.ho.me.
                IN NS   ns2.ho.me.
; 192.168.50.0/24 – A records
router          IN A    192.168.50.1
www             IN A    192.168.50.2
@               IN A    192.168.50.2
transmission    IN A    192.168.50.3
jellyfin        IN A    192.168.50.4
;
ns1             IN A    192.168.50.41
ns2             IN A    192.168.50.42
- ns2, /etc/named/192.168.zone:
$TTL 604800
@       IN SOA  ns2.ho.me. root.ho.me. (
                26          ; Serial
                604800      ; Refresh
                86400       ; Retry
                2419200     ; Expire
                604800 )    ; Negative Cache TTL
; name servers – NS records
@               IN NS   ns1.ho.me.
@               IN NS   ns2.ho.me.
; 192.168.50.0/24 – A records
router          IN A    192.168.50.1
ho              IN A    192.168.50.2
transmission    IN A    192.168.50.3
jellyfin        IN A    192.168.50.4
; name server resolution
ns1             IN A    192.168.50.41
ns2             IN A    192.168.50.42
;chromebook     IN A    192.168.50.200
; PTR records
1.50            IN PTR  router.ho.me.       ; referring to 192.168.50.1
2.50            IN PTR  ho.me.              ; 192.168.50.2
3.50            IN PTR  transmission.ho.me. ; 192.168.50.3
4.50            IN PTR  jellyfin.ho.me.     ; 192.168.50.4
41.50           IN PTR  ns1.ho.me.          ; 192.168.50.41
42.50           IN PTR  ns2.ho.me.          ; 192.168.50.42
- I entered the Nginx container and ran nginx -t, and the output was successful;
- on ns1 and ns2, I ran named-checkconf and named-checkzone and had no issues;
- on ns1 and ns2, tail -f /var/log/messages doesn't say anything special, all zones OK:
Mar 31 18:27:12 ns1 named[25522]: automatic empty zone: B.E.F.IP6.ARPA
Mar 31 18:27:12 ns1 named[25522]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 31 18:27:12 ns1 named[25522]: automatic empty zone: EMPTY.AS112.ARPA
Mar 31 18:27:12 ns1 named[25522]: automatic empty zone: HOME.ARPA
Mar 31 18:27:12 ns1 named[25522]: none:104: 'max-cache-size 90%' - setting to 3410MB (out of 3789MB)
Mar 31 18:27:12 ns1 named[25522]: configuring command channel from '/etc/rndc.key'
Mar 31 18:27:12 ns1 named[25522]: command channel listening on 127.0.0.1#953
Mar 31 18:27:12 ns1 named[25522]: managed-keys-zone: journal file is out of date: removing journal file
Mar 31 18:27:12 ns1 named[25522]: managed-keys-zone: loaded serial 22
Mar 31 18:27:12 ns1 named[25522]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 31 18:27:12 ns1 named[25522]: zone 168.192.in-addr.arpa/IN: loaded serial 28
Mar 31 18:27:12 ns1 named[25522]: zone localhost.localdomain/IN: loaded serial 0
Mar 31 18:27:12 ns1 named[25522]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Mar 31 18:27:12 ns1 named[25522]: zone localhost/IN: loaded serial 0
Mar 31 18:27:12 ns1 named[25522]: zone ho.me/IN: loaded serial 29
Mar 31 18:27:12 ns1 named[25522]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 31 18:27:12 ns1 named[25522]: all zones loaded
Mar 31 18:27:12 ns1 named[25522]: running
Mar 31 18:27:12 ns1 systemd: Started Berkeley Internet Name Domain (DNS).
Mar 31 18:27:12 ns1 named[25522]: zone ho.me/IN: sending notifies (serial 29)
Mar 31 18:27:12 ns1 named[25522]: zone 168.192.in-addr.arpa/IN: sending notifies (serial 28)
Mar 31 18:27:12 ns1 named[25522]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
- ns1, ns2: systemctl status named.service; again, nothing special:
[root@ns1 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2023-03-31 18:27:12 CEST; 52s ago
Process: 25505 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 25520 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 25518 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 25522 (named)
Tasks: 4
CGroup: /system.slice/named.service
└─25522 /usr/sbin/named -u named -c /etc/named.conf -4
Mar 31 18:27:12 ns1.ho.me named[25522]: zone localhost/IN: loaded serial 0
Mar 31 18:27:12 ns1.ho.me named[25522]: zone ho.me/IN: loaded serial 29
Mar 31 18:27:12 ns1.ho.me named[25522]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 31 18:27:12 ns1.ho.me named[25522]: all zones loaded
Mar 31 18:27:12 ns1.ho.me named[25522]: running
Mar 31 18:27:12 ns1.ho.me systemd[1]: Started Berkeley Internet Name Domain (DNS).
Mar 31 18:27:12 ns1.ho.me named[25522]: zone ho.me/IN: sending notifies (serial 29)
Mar 31 18:27:12 ns1.ho.me named[25522]: zone 168.192.in-addr.arpa/IN: sending notifies (serial 28)
Mar 31 18:27:12 ns1.ho.me named[25522]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Mar 31 18:27:12 ns1.ho.me named[25522]: resolver priming query complete
- after configuring the name servers, I've set up the router to advertise them first and then its own, and I've tested this: I connect from my work laptop to the router's network, leaving all settings on this laptop at their DHCP defaults, and when I look at what IPs it got from the network I can see three DNS servers in this order: .41, .42 and .1; I can't ping my local ho.me, I'm receiving the IP of the actual ho.me parked domain out there;
- now, since the router is advertising my name servers first and then its own, the server host (.30) of the Nginx container (.2) should be using my own name servers, but it's not, because I can't ping ho.me from there either: I'm receiving the IP of the actual parked domain of ho.me;
- in the router (.1), I then went and manually assigned ns1 to my server host (.30); now I can ping ho.me and the rest of those DNS host records (jellyfin.ho.me, transmission.ho.me, etc.), and yet I still can't reach http://ho.me or www.ho.me in my browser;
- again, in the router (.1), I then went ahead and assigned my ns1 to the Nginx container itself; nothing.
I'm not sure what I'm missing.
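named-checkzone validates each zone file on its own, so a cross-zone check like the one below (an added illustration in Python, not part of the original post or of BIND) is a quick way to spot A records with no PTR, PTRs that point at a name with no matching A record, and NS targets without an in-zone A record; the zone data is a constructed copy of the ns1 records shown above, with the SOA left out because the parser ignores it.

```python
import re
# Constructed copies of the ns1 A/NS/PTR records from the post (SOA omitted).
FWD_ORIGIN, FWD_ZONE = "ho.me", """\
@ IN NS ns1.ho.me.
@ IN NS ns2.ho.me.
router IN A 192.168.50.1
www.ho.me. IN A 192.168.50.2
@ IN A 192.168.50.2
transmission IN A 192.168.50.3
jellyfin IN A 192.168.50.4
ns1 IN A 192.168.50.41
ns2 IN A 192.168.50.42
"""
REV_ORIGIN, REV_ZONE = "168.192.in-addr.arpa", """\
1.50 IN PTR router.ho.me. ; 192.168.50.1
2.50 IN PTR ho.me. ; 192.168.50.2
3.50 IN PTR transmission.ho.me.
4.50 IN PTR jellyfin.ho.me.
41.50 IN PTR ns1.ho.me.
42.50 IN PTR ns2.ho.me.
"""
def fqdn(name, origin):
    """Absolute name without trailing dot: '@' -> origin, 'www' -> 'www.<origin>'."""
    return origin if name == "@" else name[:-1] if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner, type, rdata)] for the A, NS and PTR records of a zone file."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()                 # drop ';' comments
        m = re.match(r"(\S+)\s+IN\s+(A|NS|PTR)\s+(\S+)$", line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((fqdn(owner, origin), rtype, rdata if rtype == "A" else fqdn(rdata, origin)))
    return records

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return (a_without_ptr, ptr_without_a, ns_without_glue) for a forward/reverse pair."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    names_by_ip = {}
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            names_by_ip.setdefault(rdata, set()).add(owner)
    # PTR owner '1.50.168.192.in-addr.arpa' -> address '192.168.50.1'
    ptrs = {".".join(reversed(o.replace(".in-addr.arpa", "").split("."))): r
            for o, t, r in rev if t == "PTR"}
    owners = {o for o, t, _ in fwd if t == "A"}
    return (sorted(ip for ip in names_by_ip if ip not in ptrs),
            sorted(ip for ip, n in ptrs.items() if n not in names_by_ip.get(ip, ())),
            sorted(r for _, t, r in fwd if t == "NS" and r not in owners))
```

On the records as pasted, all three lists come back empty; uncommenting the chromebook A record without adding its PTR, for example, shows up in the first list.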