
Install CoreDNS from Binary on Debian 12

Create user

Create a new user for CoreDNS to run as an unprivileged user.

adduser --system --group --shell "/usr/sbin/nologin" --comment "CoreDNS" --home "/etc/coredns" coredns

Install binary

  1. Download the latest binary from the releases:
wget https://github.com/coredns/coredns/releases/download/v1.11.1/coredns_1.11.1_linux_arm64.tgz
wget https://github.com/coredns/coredns/releases/download/v1.11.1/coredns_1.11.1_linux_arm64.tgz.sha256
  2. Check the SHA256 sum of the downloaded file:
sha256sum -c coredns_1.11.1_linux_arm64.tgz.sha256
  3. Extract the binary from the downloaded archive:
tar -xvf coredns_1.11.1_linux_arm64.tgz
  4. Install the binary:
install coredns /usr/bin/
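The four steps above as one script, added here as an example and not taken from the page or from the CoreDNS project. It refuses to extract or install anything unless `sha256sum -c` accepts the downloaded `.sha256` file, which is the check that makes the download step worth doing. Version, architecture and destination directory are assumptions taken from the commands above and can be overridden through environment variables; it also assumes the release tarball contains the single file `coredns` at its top level.

```shell
#!/bin/sh
# Added example: download, verify, extract and install a CoreDNS release.
# Assumptions: version/arch match the wget commands on the page, the tarball
# holds one top-level file named "coredns", and DESTDIR is on root's PATH.
set -eu

CORE_VERSION="${CORE_VERSION:-1.11.1}"
CORE_ARCH="${CORE_ARCH:-arm64}"
DESTDIR="${DESTDIR:-/usr/bin}"
TARBALL="coredns_${CORE_VERSION}_linux_${CORE_ARCH}.tgz"
BASE_URL="https://github.com/coredns/coredns/releases/download/v${CORE_VERSION}"

# verify_tarball TARBALL SHAFILE
# Returns 0 only when SHAFILE lists a matching SHA256 for TARBALL.
# The check runs inside TARBALL's directory because the .sha256 file names
# the archive by its bare file name, which sha256sum resolves relative to cwd.
verify_tarball() {
    vt_dir=$(dirname "$1")
    vt_sha=$(basename "$2")
    ( cd "$vt_dir" && sha256sum -c "$vt_sha" >/dev/null 2>&1 )
}

# install_release TARBALL SHAFILE DESTDIR
# Verifies the archive, extracts only the "coredns" member into a scratch
# directory and installs it mode 0755. A checksum mismatch aborts before
# anything is unpacked, so a corrupted or tampered download never reaches DESTDIR.
install_release() {
    ir_tarball=$1
    ir_shafile=$2
    ir_dest=$3
    if ! verify_tarball "$ir_tarball" "$ir_shafile"; then
        echo "checksum mismatch for $ir_tarball, refusing to install" >&2
        return 1
    fi
    ir_work=$(mktemp -d)
    tar -xzf "$ir_tarball" -C "$ir_work" coredns
    install -m 0755 "$ir_work/coredns" "$ir_dest/coredns"
    rm -rf "$ir_work"
}

# Fetch archive and checksum file, then verify and install.
main() {
    wget -q "${BASE_URL}/${TARBALL}" "${BASE_URL}/${TARBALL}.sha256"
    install_release "./${TARBALL}" "./${TARBALL}.sha256" "$DESTDIR"
}

# Only download when invoked as "sh install-coredns.sh run", so the functions
# can be sourced and exercised without network access.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root with `sh install-coredns.sh run`; `install` is used instead of `cp` so the binary lands with a known mode regardless of the umask in effect.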

Corefile

  1. Open /etc/coredns/Corefile:
nano /etc/coredns/Corefile
  2. Write the lines below for a basic configuration:
. {
    forward . 1.1.1.1 8.8.8.8 9.9.9.9
    log
}

systemd service

coredns.service

[Unit]
Description=CoreDNS Server
Documentation=https://coredns.io/manual/
After=network-online.target
Wants=network-online.target

[Service]
User=coredns
Group=coredns
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always
WorkingDirectory=/etc/coredns
ExecStart=/usr/bin/coredns
ExecReload=/usr/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target

Create service

  1. Open /etc/systemd/system/coredns.service:
nano /etc/systemd/system/coredns.service
  2. Write the lines found under coredns.service.

Start the service

  1. Reload systemd:
systemctl daemon-reload
  2. Start coredns.service:
systemctl start coredns.service

Enable CoreDNS

To start CoreDNS at system startup, enable it:

systemctl enable coredns.service

Firewall

nftables

Below is an example for nftables. It accepts DNS on TCP and UDP port 53 from any source; with the forwarding Corefile above, a host reachable from the internet would then act as an open resolver, so on such a host restrict the port 53 rules to the source addresses of your own clients.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

    chain inbound_ipv4 {
        icmp type echo-request limit rate 5/second accept
    }

    chain inbound_ipv6 {
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        iifname lo accept
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
        tcp dport 22 accept
        tcp dport 53 accept
        udp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0;
    }
}