Install CoreDNS on Debian 12


Install

Create user

Create a dedicated system user so that CoreDNS runs unprivileged rather than as root.

adduser --system --group --shell "/usr/sbin/nologin" --comment "CoreDNS" --home "/etc/coredns" coredns

Install binary

  1. Download the latest binary (here v1.11.1 for arm64) and its checksum file from the releases page:
wget https://github.com/coredns/coredns/releases/download/v1.11.1/coredns_1.11.1_linux_arm64.tgz
wget https://github.com/coredns/coredns/releases/download/v1.11.1/coredns_1.11.1_linux_arm64.tgz.sha256
  2. Check the SHA256 sum of the downloaded archive; continue only if it reports OK:
sha256sum -c coredns_1.11.1_linux_arm64.tgz.sha256
  3. Extract the binary from the downloaded archive:
tar -xvf coredns_1.11.1_linux_arm64.tgz
  4. Install the binary:
install coredns /usr/bin/
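The four steps above as one fail-closed shell script, added here as an example rather than taken from the post. The version, architecture and download URLs are the post's; the function names, the staging-directory argument, the root-owned install flags and the script file name are assumptions of this example, as is the fact that the archive contains a single file named coredns (which the post's install step implies). The script refuses to extract or install when the checksum file is missing, names a different file, or does not match the archive.

```shell
#!/bin/sh
# Added example, not from the original post: the "Install binary" steps as a
# fail-closed script. Version, architecture and URL are the ones used in the
# post; the function names and the staging-directory argument are assumptions.
set -eu

COREDNS_VERSION="1.11.1"
COREDNS_ARCH="linux_arm64"
COREDNS_ARCHIVE="coredns_${COREDNS_VERSION}_${COREDNS_ARCH}.tgz"
COREDNS_URL="https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}"

# download_release DIR: fetch the archive and its .sha256 file into DIR.
download_release() {
    mkdir -p "$1"
    wget -q -P "$1" "${COREDNS_URL}/${COREDNS_ARCHIVE}" \
                    "${COREDNS_URL}/${COREDNS_ARCHIVE}.sha256"
}

# verify_archive DIR ARCHIVE: return 0 only when DIR/ARCHIVE.sha256 exists,
# names exactly ARCHIVE, and its digest matches the file on disk.
verify_archive() {
    dir="$1"
    archive="$2"
    sumfile="${archive}.sha256"
    [ -f "$dir/$archive" ] && [ -f "$dir/$sumfile" ] || return 1
    # A checksum file reads "<hex>  <name>"; sha256sum -c checks whatever
    # <name> says, so make sure it is the archive we are about to install.
    listed=$(awk 'NR == 1 { sub(/^\*/, "", $2); print $2 }' "$dir/$sumfile")
    [ "$listed" = "$archive" ] || return 1
    # --strict fails on malformed lines; --status reports via exit code only.
    (cd "$dir" && sha256sum -c --strict --status "$sumfile")
}

# install_release DIR: verify, extract and install; abort on any mismatch.
install_release() {
    if ! verify_archive "$1" "$COREDNS_ARCHIVE"; then
        echo "checksum check failed for ${COREDNS_ARCHIVE}; not installing" >&2
        return 1
    fi
    # Assumption: the release archive contains the single file "coredns".
    tar -xzf "$1/$COREDNS_ARCHIVE" -C "$1" coredns
    # Root-owned and not writable by the coredns service user, so a
    # compromised service cannot replace its own executable.
    install -o root -g root -m 0755 "$1/coredns" /usr/bin/coredns
}

# Usage (hypothetical file name): sh install-coredns.sh install [DIR]
if [ "${1:-}" = "install" ]; then
    stage="${2:-/tmp/coredns-install}"
    download_release "$stage"
    install_release "$stage"
fi
```

Run it as root with `sh install-coredns.sh install /tmp/coredns-dl`. The .sha256 file is served from the same release page as the archive, so a passing check protects against a corrupted or truncated download, not against a compromised release; the extra name check matters because a bare `sha256sum -c` reports OK for whichever file the checksum file happens to name.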

Corefile

  1. Open /etc/coredns/Corefile:
nano /etc/coredns/Corefile
  2. Write the following basic configuration, which forwards every query to the listed public resolvers and logs each request:
. {
    forward . 1.1.1.1 8.8.8.8 9.9.9.9
    log
}

systemd service

coredns.service

[Unit]
Description=CoreDNS Server
Documentation=https://coredns.io/manual/
After=network-online.target
Wants=network-online.target

[Service]
User=coredns
Group=coredns
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always
WorkingDirectory=/etc/coredns
ExecStart=/usr/bin/coredns
ExecReload=/usr/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target

Create service

  1. Open /etc/systemd/system/coredns.service:
nano /etc/systemd/system/coredns.service
  2. Write the lines found under coredns.service.

Start the service

  1. Reload systemd so it picks up the new unit:
systemctl daemon-reload
  2. Start coredns.service:
systemctl start coredns.service

Enable CoreDNS

To start CoreDNS at system startup, enable it:

systemctl enable coredns.service

Firewall

nftables

Below is an example nftables ruleset that drops all inbound traffic except SSH, DNS on TCP and UDP 53, and rate-limited ICMP echo requests:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

    chain inbound_ipv4 {
        icmp type echo-request limit rate 5/second accept
    }

    chain inbound_ipv6 {
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        iifname lo accept
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
        tcp dport 22 accept
        tcp dport 53 accept
        udp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0;
    }
}