Private DNS Server for Android 9
Android 9 also known as Android Pie comes with many new features but most importantly full support for DNS over TLS.
How to create your own Private DNS Server for Android 9 running on Docker.
Download and install Docker
sudo apt-get update
sudo apt-get -y install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose
Create Let’s Encrypt Certificate
sudo apt-get -y update
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get -y install certbot
sudo certbot certonly --no-eff-emai --agree-tos --email <your email> --standalone --non-interactive --domain <your domain>
cp /etc/letsencrypt/live/<your domain>/privkey.pem .
cp /etc/letsencrypt/live/<your domain>/fullchain.pem .
Unbound Configuration
vim unbound.conf
Inside, paste the following script:
server:
username: "unbound"
chroot: ""
directory: /etc/unbound/
pidfile: "/var/run/unbound.pid"
logfile: "/var/log/unbound.log"
verbosity: 1
log-queries: yes
num-threads: 4
verbosity: 2
interface: 0.0.0.0@853
access-control: 0.0.0.0/0 allow
tls-service-key: "/etc/unbound/privkey.pem"
tls-service-pem: "/etc/unbound/fullchain.pem"
tls-port: 853
minimal-responses: yes
cache-max-ttl: 14400
cache-min-ttl: 900
do-tcp: yes
hide-identity: yes
hide-version: yes
minimal-responses: yes
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
incoming-num-tcp: 4096
num-queries-per-thread: 4096
rrset-roundrobin: yes
use-caps-for-id: yes
harden-glue: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-algo-downgrade: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: no
do-not-query-localhost: no
statistics-cumulative: yes
extended-statistics: yes
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 8.8.8.8@853
forward-addr: 8.8.4.4@853
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 9.9.9.9@853
remote-control:
control-enable: no
CMD Script
vim unbound.sh
#!/bin/bash
/usr/sbin/unbound -d -c /etc/unbound/unbound.conf
Dockerfile
vim Dockerfile
Inside, paste the following script:
FROM ubuntu:18.04
MAINTAINER Andreas Christoforou
ENV DEBIAN_FRONTEND noninteractive
ENV UNBOUND_VERSION 1.9.3
ENV UNBOUND_SHA256 1b55dd9170e4bfb327fb644de7bbf7f0541701149dff3adf1b63ffa785f16dfa
RUN set -x \
&& apt update \
&& apt -y upgrade \
&& apt -y install build-essential libssl-dev libexpat-dev libsodium-dev libevent-dev openssl wget knot-dnsutils \
&& groupadd -g 88 unbound \
&& useradd -c "Unbound DNS resolver" -d /var/lib/unbound -u 88 -g unbound -s /bin/false unbound \
&& wget http://www.unbound.net/downloads/unbound-${UNBOUND_VERSION}.tar.gz \
&& echo "${UNBOUND_SHA256} unbound-${UNBOUND_VERSION}".tar.gz | sha256sum --check \
&& tar -xvf unbound* \
&& cd unbound-1.*/ \
&& ./configure --with-libevent --enable-dnscrypt --prefix=/usr --sysconfdir=/etc --disable-static --with-pidfile=/run/unbound.pid \
&& make \
&& make install \
&& mv -v /usr/sbin/unbound-host /usr/bin/ \
&& unbound-anchor /etc/unbound/root.key ; true\
&& unbound-control-setup \
&& unbound-checkconf \
&& rm -rf /unbound-${UNBOUND_VERSION}.tar.gz \
&& rm -rf unbound-* \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get clean
COPY ./unbound.conf /etc/unbound/unbound.conf
COPY ./privkey.pem /etc/unbound/privkey.pem
COPY ./fullchain.pem /etc/unbound/fullchain.pem
COPY ./unbound.sh /unbound.sh
WORKDIR /etc/unbound/
EXPOSE 853
CMD ["/unbound.sh"]
Build Image
docker build -t unbound-tls:1.9.3 .
Docker Compose
vim docker-compose.yml
Inside, paste the following script:
version: '3'
services:
unbound-tls:
image: unbound-tls:1.9.3
container_name: unbound-tls
restart: always
ports:
- "853:853"
Run image
docker-compose up -d