
Install CoreDNS on Debian 12


Install

Create user

Create a dedicated system user so that CoreDNS runs unprivileged.

adduser --system --group --shell "/usr/sbin/nologin" --comment "CoreDNS" --home "/etc/coredns" coredns

Install binary

  1. Download the latest binary from the releases page.
  2. Check the SHA256 sum of the downloaded file:
sha256sum -c coredns_1.11.1_linux_arm64.tgz.sha256
  3. Extract the binary from the downloaded archive:
tar -xvf coredns_1.11.1_linux_arm64.tgz
  4. Install the binary:
install coredns /usr/bin/
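
The verify, extract and install steps above can be chained so that the binary is installed only when the checksum matches. This is an added example, not part of the original post; the function name `verify_and_install` and its arguments are illustrative, and it assumes the archive holds a single top-level file named `coredns`, as the extract and install steps imply.

```bash
# Added example (not from the original post); names are illustrative.
# Usage: verify_and_install ARCHIVE SUMFILE [DESTDIR]
#   e.g. verify_and_install coredns_1.11.1_linux_arm64.tgz \
#            coredns_1.11.1_linux_arm64.tgz.sha256
# Returns 0 on success, 1 on checksum failure, 2 on unexpected archive contents.
verify_and_install() {
    local archive="$1"
    local sumfile="$2"
    local destdir="${3:-/usr/bin}"
    local name expected actual members work rc=0
    name=$(basename "$archive")

    # Take the expected hash only from the line that names this exact archive,
    # so a checksum file listing other files cannot satisfy the check.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sumfile")
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "SHA256 mismatch for $name; not installing" >&2
        return 1
    fi

    # Assumption: the release archive holds one top-level member, "coredns".
    # Extra files or nested paths are rejected before anything is extracted.
    members=$(tar -tf "$archive") || return 2
    if [ "$members" != "coredns" ]; then
        echo "unexpected archive contents in $name" >&2
        return 2
    fi

    # Extract into a private temp dir, then install only a regular file.
    work=$(mktemp -d) || return 1
    if tar -xf "$archive" -C "$work" coredns &&
       [ -f "$work/coredns" ] && [ ! -L "$work/coredns" ]; then
        install -m 0755 "$work/coredns" "$destdir/coredns" || rc=1
    else
        rc=2
    fi
    rm -rf "$work"
    return "$rc"
}
```

Run it as root from the download directory; the checksum only proves the archive matches the published `.sha256` file, so both should come from the official release page over HTTPS.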

Corefile

  1. Open /etc/coredns/Corefile:
nano /etc/coredns/Corefile
  2. Write the lines below for a basic configuration:
. {
    forward .

systemd service

coredns.service

Description=CoreDNS Server

ExecReload=/usr/bin/kill -USR1 $MAINPID


Create service

  1. Open /etc/systemd/system/coredns.service:
nano /etc/systemd/system/coredns.service
  2. Write the lines found under coredns.service.

Start the service

  1. Reload systemd:
systemctl daemon-reload
  2. Start coredns.service:
systemctl start coredns.service

Enable CoreDNS

To start CoreDNS at system startup, enable it:

systemctl enable coredns.service

Firewall

nftables

Below is an example for nftables:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

    chain inbound_ipv4 {
        icmp type echo-request limit rate 5/second accept
    }

    chain inbound_ipv6 {
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        iifname lo accept
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
        # SSH
        tcp dport 22 accept
        # DNS over TCP and UDP, reachable from any source address
        tcp dport 53 accept
        udp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0;
    }
}