CoreDNS
CoreDNS is a DNS server/forwarder, written in Go, that chains plugins. Each plugin performs a (DNS) function.
CoreDNS can listen for DNS requests coming in over:
- UDP/TCP (go’old DNS).
- TLS - DoT (RFC 7858).
- DNS over HTTP/2 - DoH (RFC 8484).
- DNS over QUIC - DoQ (RFC 9250).
- gRPC (not a standard).
Configuration
When starting CoreDNS without any configuration, it loads the whoami and log plugins and starts listening on port 53 (override with -dns.port), it should show the following:
.:53
CoreDNS-1.6.6
linux/amd64, go1.16.10, aa8c32
The following could be used to query the CoreDNS server that is running now:
dig @127.0.0.1 -p 53 www.example.comAny query sent to port 53 should return some information; your sending address, port and protocol used. The query should also be logged to standard output.
The configuration of CoreDNS is done through a file named Corefile. When CoreDNS starts, it will look for the Corefile from the current working directory. A Corefile for CoreDNS server that listens on port 53 and enables whoami plugin is:
.:53 {
whoami
}
Sometimes port number 53 is occupied by system processes. In that case you can start the CoreDNS server while modifying the Corefile as given below so that the CoreDNS server starts on port 1053.
.:1053 {
whoami
}
If you have a Corefile without a port number specified it will, by default, use port 53, but you can override the port with the -dns.port flag: coredns -dns.port 1053, runs the server on port 1053.
You may import other text files into the Corefile using the import directive. You can use globs to match multiple files with a single import directive.
.:53 {
import example1.txt
}
import example2.txt
You can use environment variables in the Corefile with {$VARIABLE}. Note that each environment variable is inserted into the Corefile as a single token. For example, an environment variable with a space in it will be treated as a single token, not as two separate tokens.
.:53 {
{$ENV_VAR}
}
A Corefile for a CoreDNS server that forward any queries to an upstream DNS (e.g., 8.8.8.8) is as follows:
.:53 {
forward . 8.8.8.8:53
log
}
Start CoreDNS and then query on that port (53). The query should be forwarded to 8.8.8.8 and the response will be returned. Each query should also show up in the log which is printed on standard output.
To serve the (NSEC) DNSSEC-signed example.org on port 1053, with errors and logging sent to standard output. Allow zone transfers to everybody, but specifically mention 1 IP address so that CoreDNS can send notifies to it.
example.org:1053 {
file /var/lib/coredns/example.org.signed
transfer {
to * 2001:500:8f::53
}
errors
log
}
Serve example.org on port 1053, but forward everything that does not match example.org to a recursive nameserver and rewrite ANY queries to HINFO.
example.org:1053 {
file /var/lib/coredns/example.org.signed
transfer {
to * 2001:500:8f::53
}
errors
log
}
. {
any
forward . 8.8.8.8:53
errors
log
}
IP addresses are also allowed. They are automatically converted to reverse zones:
10.0.0.0/24 {
whoami
}
Means you are authoritative for 0.0.10.in-addr.arpa..
This also works for IPv6 addresses. If for some reason you want to serve a zone named 10.0.0.0/24 add the closing dot: 10.0.0.0/24. as this also stops the conversion.
This even works for CIDR (See RFC 1518 and 1519) addressing, i.e. 10.0.0.0/25, CoreDNS will then check if the in-addr request falls in the correct range.
Listening on TLS (DoT) and for gRPC? Use:
tls://example.org grpc://example.org {
whoami
}
Similarly, for QUIC (DoQ):
quic://example.org {
whoami
tls mycert mykey
}
And for DNS over HTTP/2 (DoH) use:
https://example.org {
whoami
tls mycert mykey
}
in this setup, the CoreDNS will be responsible for TLS termination
you can also start DNS server serving DoH without TLS termination (plain HTTP), but beware that in such scenario there has to be some kind of TLS termination proxy before CoreDNS instance, which forwards DNS requests otherwise clients will not be able to communicate via DoH with the server
https://example.org {
whoami
}
Specifying ports works in the same way:
grpc://example.org:1443 https://example.org:1444 {
# ...
}
When no transport protocol is specified the default dns:// is assumed.