From ef2e780434d68ac114efd95f579817a9e9522504 Mon Sep 17 00:00:00 2001
From: Gurulandia
Date: Tue, 4 Mar 2025 20:50:41 +0200
Subject: [PATCH] Add Technitum DNS
---
docker/env/technitum-dns-stack.env | 9 ++++
docker/env/technitum-dns.env | 66 ++++++++++++++++++++++++++++++
docker/technitum-dns/compose.yaml | 60 +++++++++++++++++++++++++++
3 files changed, 135 insertions(+)
create mode 100644 docker/env/technitum-dns-stack.env
create mode 100644 docker/env/technitum-dns.env
create mode 100644 docker/technitum-dns/compose.yaml
diff --git a/docker/env/technitum-dns-stack.env b/docker/env/technitum-dns-stack.env
new file mode 100644
index 0000000..d032319
--- /dev/null
+++ b/docker/env/technitum-dns-stack.env
@@ -0,0 +1,9 @@
+TECHNITUM_DNS_NETWORk_ID=proxy
+TECHNITUM_DNS_HOSTNAME=komodo
+
+TECHNITUM_DNS_RESTART_POLICY=unless-stopped
+
+##### Komodo Core Container
+TECHNITUM_DNS_CONTAINER_NAME=dns-server
+TECHNITUM_DNS_IMAGE=technitium/dns-server
+TECHNITUM_DNS_TAG=latest
\ No newline at end of file
diff --git a/docker/env/technitum-dns.env b/docker/env/technitum-dns.env
new file mode 100644
index 0000000..ee261fb
--- /dev/null
+++ b/docker/env/technitum-dns.env
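Review bot: `TECHNITUM_DNS_NETWORk_ID=proxy` has a lowercase `k` in the variable name, and neither it nor `TECHNITUM_DNS_HOSTNAME` is referenced by compose.yaml, which hard-codes its own `dns` network, so both are dead configuration that will mislead whoever later tries to put the service on the `proxy` network; rename it to `TECHNITUM_DNS_NETWORK_ID` and either interpolate it in compose.yaml or drop both lines. The `##### Komodo Core Container` heading looks copied from another stack's env file and should read `##### Technitium DNS Container`. `TECHNITUM_DNS_TAG=latest` makes the deployment non-reproducible and silently picks up whatever the registry serves on the next pull; pin a release tag (`TECHNITUM_DNS_TAG=<pinned-release-tag>`) and bump it deliberately. All three added files also end without a trailing newline, which some env-file loaders and most linters complain about.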
@@ -0,0 +1,66 @@
+# The primary domain name used by this DNS Server to identify itself.
+DNS_SERVER_DOMAIN=lab.gurulandia.eu
+
+# DNS web console admin user password.
+# DNS_SERVER_ADMIN_PASSWORD=password
+
+# The path to a file that contains a plain text password for the DNS web console admin user.
+DNS_SERVER_ADMIN_PASSWORD_FILE = /run/secrets/technitium_admin_password
+
+# DNS Server will use IPv6 for querying whenever possible with this option enabled.
+# DNS_SERVER_PREFER_IPV6=false
+
+# Comma separated list of network interface IP addresses that you want the web service to listen on for requests.
+# The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified.
+# Note! This must be used only with "host" network mode.
+# DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1
+
+# The TCP port number for the DNS web console over HTTP protocol.
+# DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380
+
+# The TCP port number for the DNS web console over HTTPS protocol.
+# DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+
+# Enables HTTPS for the DNS web console.
+# DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false
+
+# Enables self signed TLS certificate for the DNS web console.
+# DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false
+
+# Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+# DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false
+
+# Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
+# DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks
+
+# Comma separated list of IP addresses or network addresses to allow access.
+# Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet.
+# The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback.
+# Valid only for `UseSpecifiedNetworkACL` recursion option.
+# DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2
+
+# Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
+# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+# DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
+
+# Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.
+# This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+# DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
+
+# Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+# DNS_SERVER_ENABLE_BLOCKING=false
+
+# Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+# DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
+
+# A comma separated list of block list URLs.
+# DNS_SERVER_BLOCK_LIST_URLS=
+
+# Comma separated list of forwarder addresses.
+# DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8
+
+# Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+# DNS_SERVER_FORWARDER_PROTOCOL=Tcp
+
+# Enable this option to use local time instead of UTC for logging.
+DNS_SERVER_LOG_USING_LOCAL_TIME=true
\ No newline at end of file
diff --git a/docker/technitum-dns/compose.yaml b/docker/technitum-dns/compose.yaml
new file mode 100644
index 0000000..bddcaff
--- /dev/null
+++ b/docker/technitum-dns/compose.yaml
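Review bot: `DNS_SERVER_ADMIN_PASSWORD_FILE = /run/secrets/technitium_admin_password` is the only assignment in the file with whitespace around `=`; depending on which env-file loader reads it, the key may be stored with a trailing space or the line rejected outright, in which case the container starts without the password-file setting and falls back to whatever the image does when no admin password is configured. Write it like every other line: `DNS_SERVER_ADMIN_PASSWORD_FILE=/run/secrets/technitium_admin_password`. The `DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443` line also repeats its description as a trailing `#The TCP port number ...` comment, which can be dropped since the line above it already says the same thing.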
@@ -0,0 +1,60 @@
+secrets:
+ technitium_admin_password:
+ file: ${SECRETSDIR}/technitum-dns/admin_password
+services:
+ dns-server:
+ container_name: ${TECHNITUM_DNS_CONTAINER_NAME}
+ image: ${TECHNITUM_DNS_IMAGE}:${TECHNITUM_DNS_TAG}
+ restart: ${TECHNITUM_DNS_RESTART_POLICY}
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - dns
+ # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
+ # network_mode: "host"
+ ports:
+ - "5380:5380/tcp" #DNS web console (HTTP)
+ # - "53443:53443/tcp" #DNS web console (HTTPS)
+ - "53:53/udp" #DNS service
+ - "53:53/tcp" #DNS service
+ # - "853:853/udp" #DNS-over-QUIC service
+ # - "853:853/tcp" #DNS-over-TLS service
+ # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
+ # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
+ # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
+ # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
+ # - "67:67/udp" #DHCP service
+ environment:
+ - DNS_SERVER_DOMAIN
+ # - DNS_SERVER_ADMIN_PASSWORD=password #DNS web console admin user password.
+ # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
+ - DNS_SERVER_ADMIN_PASSWORD_FILE
+ # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
+ # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode.
+ # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
+ # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+ # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
+ # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
+ # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+ # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
+ # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option.
+ # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+ # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
+ # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+ # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+ # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
+ # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
+ # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+ - DNS_SERVER_LOG_USING_LOCAL_TIME
+ volumes:
+ - config:/etc/dns
+ sysctls:
+ - net.ipv4.ip_local_port_range=1024 65000
+ secrets:
+ - technitium_admin_password
+
+volumes:
+ config:
+networks:
+ dns:
+ name: dns
\ No newline at end of file
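Review bot: `ports` publishes `"5380:5380/tcp"` alongside `"53:53/udp"` and `"53:53/tcp"` with no host address, so the web console (plain HTTP, since `DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS` is left commented out in technitum-dns.env) and the resolver listen on every interface of the host, and with `DNS_SERVER_RECURSION` also left commented out the recursion policy is whatever the image defaults to; bind the console to a specific address, e.g. `- "127.0.0.1:5380:5380/tcp"`, or reach it only through the reverse-proxy network the stack env hints at, and set `DNS_SERVER_RECURSION` explicitly rather than relying on the default. `- DNS_SERVER_ADMIN_PASSWORD_FILE` is passed through from the shell environment even though its value is dictated by this file's own `secrets` block; set it inline as `- DNS_SERVER_ADMIN_PASSWORD_FILE=/run/secrets/technitium_admin_password` so it cannot silently go missing when technitum-dns.env is not loaded into the environment Compose runs in. The same caveat applies to `- DNS_SERVER_DOMAIN` and `- DNS_SERVER_LOG_USING_LOCAL_TIME`: as far as I can tell a variable that is unset in that shell is simply not forwarded to the container, with no error. `image: ${TECHNITUM_DNS_IMAGE}:${TECHNITUM_DNS_TAG}` resolves to the `latest` tag from technitum-dns-stack.env, so pinning the tag there is what makes this service reproducible.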