Setting Up Alpine Linux DNS Configuration
DNS (Domain Name System) is crucial for network connectivity, translating domain names to IP addresses. Let’s configure DNS on Alpine Linux for optimal performance and reliability! 🚀
Understanding DNS in Alpine Linux
Alpine Linux DNS components:
- resolv.conf: Primary DNS configuration file
- hosts file: Local hostname resolution
- nsswitch.conf: Name service switch configuration
- DNS clients: Tools for DNS queries
- Local DNS servers: Running your own DNS resolver
DNS Configuration Files
Key Configuration Locations
```
/etc/resolv.conf        # DNS resolver configuration
/etc/hosts              # Static hostname mappings
/etc/nsswitch.conf      # Name service order
/etc/hostname           # System hostname
/etc/conf.d/hostname    # Hostname service config
```
Step 1: Basic DNS Client Configuration
Configure resolv.conf
```sh
# Edit DNS configuration
sudo nano /etc/resolv.conf
```
Add DNS servers:
```
# Primary and secondary DNS servers
nameserver 8.8.8.8
nameserver 8.8.4.4
# Local domain search
search local.domain example.com
# DNS options. Alpine's libc (musl) honours only ndots, attempts and timeout
# and queries every nameserver in parallel; rotate and edns0 are accepted
# but ignored, and only the first three nameserver lines are used.
options timeout:2
options attempts:3
options rotate
options edns0
```
Make DNS Configuration Persistent
```sh
# Prevent DHCP from overwriting resolv.conf (immutable flag; remove with chattr -i before editing)
sudo chattr +i /etc/resolv.conf
# Or use resolv.conf.head, which a resolvconf helper prepends to the generated file
sudo tee /etc/resolv.conf.head << EOF
# Custom DNS servers
nameserver 1.1.1.1
nameserver 1.0.0.1
EOF
```
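A checker for the resolv.conf written above, added here as an example that is not part of the original article: it flags the limits Alpine's musl libc imposes (only the first three nameserver lines are used, and of the options only ndots, attempts and timeout are honoured) as well as duplicate servers. The sample file content is constructed.

```shell
#!/bin/sh
# Constructed sample resolv.conf (not taken from a real host) used to exercise the checker.
SAMPLE_RESOLV_CONF='# Primary and secondary DNS servers
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 1.1.1.1
nameserver 8.8.8.8
search local.domain example.com
options timeout:2
options attempts:3
options rotate
options edns0'

# lint_resolv_conf FILE: prints one finding per line; returns 0 when the file is clean, 1 otherwise.
# The limits checked are those of musl, Alpine's libc.
lint_resolv_conf() {
    file="$1"
    findings=0
    # Drop comments and blank lines once, then work on the remaining directives
    body=$(sed 's/#.*//' "$file" | grep -v '^[[:space:]]*$') || true
    # musl reads at most three nameserver entries; anything after that is silently unused
    ns_count=$(printf '%s\n' "$body" | grep -c '^nameserver ') || true
    if [ "$ns_count" -gt 3 ]; then
        echo "too many nameservers ($ns_count): musl uses only the first 3"
        findings=$((findings + 1))
    fi
    # A server listed twice wastes one of those three slots
    dups=$(printf '%s\n' "$body" | grep '^nameserver ' | sort | uniq -d | awk '{print $2}')
    for d in $dups; do
        echo "duplicate nameserver $d"
        findings=$((findings + 1))
    done
    # musl parses only ndots, attempts and timeout; rotate, edns0 and the rest are no-ops
    opts=$(printf '%s\n' "$body" | awk '$1 == "options" { for (i = 2; i <= NF; i++) print $i }')
    for o in $opts; do
        case "$o" in
            ndots:*|attempts:*|timeout:*) ;;
            *) echo "option '$o' is ignored by musl"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```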
Step 2: Configure Local Hostname Resolution
Edit hosts file
```sh
# Configure local hosts
sudo nano /etc/hosts
```
Add entries:
```
# IPv4 localhost
127.0.0.1       localhost
127.0.1.1       alpine.local alpine
# IPv6 localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
# Custom entries
192.168.1.10    server1.local server1
192.168.1.11    server2.local server2
192.168.1.100   nas.local nas
```
Set System Hostname
```sh
# Set hostname
sudo hostname alpine-server
# Make it persistent
echo "alpine-server" | sudo tee /etc/hostname
# Update hosts file
sudo sed -i "s/127.0.1.1.*/127.0.1.1\talpine-server/g" /etc/hosts
```
Step 3: Install DNS Tools
Essential DNS Utilities
```sh
# Install DNS tools (dig, nslookup, host)
sudo apk add bind-tools
# Additional utilities
sudo apk add drill
sudo apk add ldns-tools
```
Test DNS Resolution
```sh
# Using nslookup
nslookup google.com
# Using dig
dig google.com
dig @8.8.8.8 google.com
dig +short google.com
# Using host
host google.com
# Using drill
drill google.com
```
Step 4: Configure DNS Caching
Install dnsmasq
```sh
# Install dnsmasq
sudo apk add dnsmasq
# Backup default config
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
```
Configure dnsmasq
```sh
# Edit dnsmasq configuration
sudo nano /etc/dnsmasq.conf
```
Add configuration:
```
# DNS Configuration
listen-address=127.0.0.1,192.168.1.1
bind-interfaces
# Upstream DNS servers
server=8.8.8.8
server=8.8.4.4
server=1.1.1.1
# Cache settings
cache-size=1000
neg-ttl=3600
# Domain configuration
local=/local/
domain=local
expand-hosts
# DHCP Configuration (optional)
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
# Logging
log-queries
log-facility=/var/log/dnsmasq.log
```
Start dnsmasq Service
```sh
# Enable and start dnsmasq
sudo rc-update add dnsmasq default
sudo rc-service dnsmasq start
# Check status
sudo rc-service dnsmasq status
```
Step 5: Setup Unbound DNS Resolver
Install Unbound
```sh
# Install unbound
sudo apk add unbound unbound-doc
# Download root hints
sudo wget -O /etc/unbound/root.hints https://www.internic.net/domain/named.cache
```
Configure Unbound
```sh
# Edit unbound configuration
sudo nano /etc/unbound/unbound.conf
```
Add configuration:
```
server:
    # Network interfaces
    interface: 127.0.0.1
    interface: ::1
    interface: 192.168.1.1
    # Access control
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: ::1 allow
    # Port configuration
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    # Root hints
    root-hints: "/etc/unbound/root.hints"
    # Security
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Performance (cache-min-ttl overrides shorter record TTLs, so an answer
    # can be served up to an hour after the owner changed it)
    num-threads: 2
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes
    # Privacy
    qname-minimisation: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    # Logging
    verbosity: 1
    log-queries: no
    # Local zones
    local-zone: "local." static
    local-data: "router.local. A 192.168.1.1"
    local-data: "nas.local. A 192.168.1.100"
# Forward zones (optional). With a forward zone for "." the root hints above are
# not used, and the #dns.google name is only verified once tls-cert-bundle is set (Step 6)
forward-zone:
    name: "."
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
    forward-tls-upstream: yes
```
Start Unbound
```sh
# Enable and start unbound
sudo rc-update add unbound default
sudo rc-service unbound start
# Test configuration (run this again after every edit, before restarting)
sudo unbound-checkconf
```
Step 6: Configure DNS over TLS/HTTPS
DNS over TLS with Unbound
```
# Add to unbound.conf
server:
    # DNS over TLS for all upstream traffic. The CA bundle comes from the
    # ca-certificates package; without it the #hostnames below are not verified
    tls-upstream: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```
DNS over HTTPS with cloudflared
```sh
# Install cloudflared (a static binary, so it runs on musl); verify the download
# against the checksum published with the release before moving it into place
cd /tmp
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
# Create service
sudo nano /etc/init.d/cloudflared
```
Add service script:
```sh
#!/sbin/openrc-run
name="cloudflared"
description="Cloudflare DNS over HTTPS proxy"
command="/usr/local/bin/cloudflared"
# Listens on 127.0.0.1:5053; point resolv.conf, dnsmasq or unbound at it
command_args="proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query"
command_background="yes"
pidfile="/run/${RC_SVCNAME}.pid"
depend() {
    need net
    after firewall
}
```
Enable service:
```sh
sudo chmod +x /etc/init.d/cloudflared
sudo rc-update add cloudflared default
sudo rc-service cloudflared start
```
Step 7: Configure Split DNS
Setup Split DNS with dnsmasq
```
# In /etc/dnsmasq.conf
# Corporate network DNS: these domains are forwarded to the internal server only
server=/corp.example.com/192.168.1.10
server=/internal.local/192.168.1.10
# Public DNS for everything else
server=8.8.8.8
server=8.8.4.4
# Static answers for local names (answered by dnsmasq itself, never forwarded)
address=/router.local/192.168.1.1
address=/nas.local/192.168.1.100
```
Step 8: DNS Security Configuration
Enable DNSSEC
```
# In unbound.conf
server:
    # DNSSEC Configuration. Seed the root key once with
    # unbound-anchor -a /var/lib/unbound/root.key; unbound keeps it updated (RFC 5011)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    val-permissive-mode: no
    val-log-level: 2
    # Additional DNSSEC trust anchors (optional; the file must exist if this line is kept)
    trust-anchor-file: "/etc/unbound/trusted-key.key"
```
Configure DNS Firewall
```sh
# Create DNS firewall rules. Order matters: iptables evaluates rules top-down, so the
# rate limit must come before the ACCEPT rules or it never matches anything
# Rate limiting: drop a source that sends more than 10 UDP queries within one second
sudo iptables -A INPUT -p udp --dport 53 -m recent --set --name DNS
sudo iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 1 --hitcount 10 --name DNS -j DROP
# Accept DNS only from the LAN that listen-address/access-control already allow;
# an unrestricted ACCEPT on port 53 turns the host into an open resolver
sudo iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
# Persist the rules across reboots
sudo rc-service iptables save
```
Step 9: Monitoring and Troubleshooting
DNS Query Logging
```sh
# Enable query logging in dnsmasq (skip if already set in Step 4)
echo "log-queries" | sudo tee -a /etc/dnsmasq.conf
echo "log-facility=/var/log/dnsmasq.log" | sudo tee -a /etc/dnsmasq.conf
# Create log rotation (requires the logrotate package)
sudo tee /etc/logrotate.d/dnsmasq << EOF
/var/log/dnsmasq.log {
    daily
    rotate 7
    compress
    delaycompress
    postrotate
        /etc/init.d/dnsmasq restart
    endscript
}
EOF
```
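Added example, not from the original article: a few POSIX shell functions that summarise a dnsmasq query log in the log-facility format configured above and pick out clients worth a closer look, such as one issuing far more queries than the rest or one sending TXT lookups for long hex-like labels. The sample log lines are constructed.

```shell
#!/bin/sh
# Constructed dnsmasq query-log sample in log-facility format (timestamps, names and
# addresses are made up, not captured from a real host).
SAMPLE_LOG='Jan 10 12:00:01 dnsmasq[1234]: query[A] google.com from 192.168.1.50
Jan 10 12:00:01 dnsmasq[1234]: forwarded google.com to 8.8.8.8
Jan 10 12:00:01 dnsmasq[1234]: reply google.com is 142.250.185.46
Jan 10 12:00:02 dnsmasq[1234]: query[AAAA] github.com from 192.168.1.50
Jan 10 12:00:02 dnsmasq[1234]: cached github.com is 140.82.112.3
Jan 10 12:00:02 dnsmasq[1234]: query[A] cloudflare.com from 192.168.1.50
Jan 10 12:00:03 dnsmasq[1234]: query[TXT] a3f9c2e1b4d8.updates.example.net from 192.168.1.77
Jan 10 12:00:03 dnsmasq[1234]: query[TXT] 7e1d0c9b8a7f.updates.example.net from 192.168.1.77
Jan 10 12:00:04 dnsmasq[1234]: query[A] nas.local from 192.168.1.60
Jan 10 12:00:04 dnsmasq[1234]: config nas.local is 192.168.1.100'

# query_summary: reads log text on stdin and prints "<type> <name> <client>" for each
# query line; forwarded/cached/reply lines are skipped. Fields: $5=query[TYPE] $6=name $8=client
query_summary() {
    awk '$5 ~ /^query\[/ { t = $5; sub(/^query\[/, "", t); sub(/\]$/, "", t); print t, $6, $8 }'
}

# top_clients N: "<count> <client>" for the N busiest clients (log text on stdin)
top_clients() {
    query_summary | awk '{ c[$3]++ } END { for (k in c) print c[k], k }' | sort -rn | head -n "$1"
}

# flag_clients MAX: clients that issued more than MAX queries in the log window;
# a sudden outlier usually means a misconfigured host or a loop, and deserves a look
flag_clients() {
    query_summary | awk -v max="$1" '{ c[$3]++ } END { for (k in c) if (c[k] > max) print k }' | sort
}

# flag_txt_clients: clients sending TXT queries whose first label is a long hex string,
# a cheap review heuristic for data leaving through DNS; confirm before acting on it
flag_txt_clients() {
    query_summary | awk '$1 == "TXT" {
        split($2, l, ".")
        if (length(l[1]) >= 12 && l[1] ~ /^[0-9a-f]+$/) print $3
    }' | sort -u
}
```

Run them against the live file with, for example, `top_clients 5 < /var/log/dnsmasq.log` to see which hosts generate the most lookups.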
DNS Monitoring Script
```sh
#!/bin/sh
# dns-monitor.sh - DNS health check script
DNS_SERVERS="8.8.8.8 1.1.1.1 192.168.1.1"
TEST_DOMAINS="google.com cloudflare.com github.com"
echo "=== DNS Health Check ==="
echo "Date: $(date)"
echo
for server in $DNS_SERVERS; do
    echo "Testing DNS server: $server"
    for domain in $TEST_DOMAINS; do
        # +short prints nothing on failure or NXDOMAIN, so an empty result means FAILED
        result=$(dig "@$server" "$domain" +short +time=2 2>/dev/null)
        if [ -n "$result" ]; then
            echo " ✓ $domain: OK"
        else
            echo " ✗ $domain: FAILED"
        fi
    done
    echo
done
# Check cache statistics: SIGUSR1 makes dnsmasq write them to its log, which is
# /var/log/dnsmasq.log with the log-facility set in Step 4 (not /var/log/messages)
if pgrep dnsmasq > /dev/null; then
    echo "=== DNSMasq Statistics ==="
    sudo pkill -USR1 dnsmasq
    sleep 1
    sudo tail -20 /var/log/dnsmasq.log
fi
```
Troubleshooting Commands
```sh
# Test DNS resolution
dig google.com +trace
drill -T google.com
# Check DNS server response time
dig @8.8.8.8 google.com | grep "Query time"
# Test reverse DNS
dig -x 8.8.8.8
# Check DNSSEC validation (look for the "ad" flag in the answer header)
dig +dnssec google.com
# Flush DNS cache
# For dnsmasq
sudo rc-service dnsmasq restart
# For unbound (needs remote-control enabled in unbound.conf and keys from unbound-control-setup)
sudo unbound-control flush google.com
```
Step 10: Performance Optimization
Optimize DNS Caching
```
# dnsmasq optimization
cache-size=2000
min-cache-ttl=300
max-cache-ttl=3600
neg-ttl=300
# Pin answers for frequently used domains. This is a static override, not a
# prefetch: the addresses never refresh, so they go stale when the site moves
host-record=google.com,142.250.185.46
host-record=github.com,140.82.112.3
```
Network Performance
```sh
# Increase UDP buffer size
echo "net.core.rmem_max = 134217728" | sudo tee -a /etc/sysctl.conf
echo "net.core.wmem_max = 134217728" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Common DNS Issues and Solutions
Issue 1: Slow DNS Resolution
```sh
# Test DNS response time
time nslookup google.com
# Use faster DNS servers (this replaces the whole file)
echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
# Enable DNS caching
sudo apk add dnsmasq
sudo rc-service dnsmasq start
```
Issue 2: DNS Not Resolving
```sh
# Check connectivity
ping -c 1 8.8.8.8
# Verify resolv.conf
cat /etc/resolv.conf
# Test with specific server
nslookup google.com 8.8.8.8
```
Issue 3: Intermittent DNS Failures
```sh
# Check for duplicate DNS servers
sort /etc/resolv.conf | uniq -d
# Monitor DNS queries (tcpdump is a separate package: apk add tcpdump)
sudo tcpdump -i any -n port 53
```
Best Practices
- Use Multiple DNS Servers: Always configure backup DNS servers
- Enable DNS Caching: Reduces latency and load
- Secure DNS Queries: Use DNS over TLS/HTTPS
- Monitor DNS Health: Set up regular health checks
- Document Configuration: Keep records of DNS settings
- Regular Updates: Keep DNS software updated
- Test Changes: Always test DNS changes before production
Conclusion
You’ve successfully mastered DNS configuration on Alpine Linux! You can now:
- ✅ Configure DNS clients and servers
- ✅ Set up DNS caching for performance
- ✅ Implement secure DNS with DoT/DoH
- ✅ Troubleshoot DNS issues effectively
- ✅ Monitor DNS health and performance
Proper DNS configuration is essential for reliable network connectivity. Keep your DNS infrastructure well-maintained! 🌐