🐑 Commons Host



Dohnut with Docker

Use Docker to run Dohnut in a container. Multi-arch Docker container images are provided for: ARMv6, ARMv7, ARMv8, and x86-64 (Intel/AMD).

Docker image: commonshost/dohnut

$ docker run [DOCKER_OPTIONS] commonshost/dohnut [DOHNUT_OPTIONS]

Any options before the image name commonshost/dohnut are for Docker. Any options after the image name are for Dohnut.

Table of Contents


Run forever as a background service, listen on port 53/udp on all network interfaces, and DNS proxy queries to Commons Host DoH.

$ docker run --detach --restart unless-stopped --net=host commonshost/dohnut --listen --doh commonshost --bootstrap

Test the service by performing a DNS query on the Docker host system.

$ dig @localhost example.com

; <<>> DiG 9.10.6 <<>> @ example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32488
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;example.com.           IN  A

example.com.        86236   IN  A

;; Query time: 13 msec
;; WHEN: Tue Feb 19 15:44:53 +08 2019
;; MSG SIZE  rcvd: 56

Dohnut CLI Options

See the Dohnut command line interface reference.

Docker CLI Options

See the Docker reference documentation for docker run arguments.

Background Service Daemon

Using the --detach or -d Docker option to run Dohnut as a background service, aka daemon.

The --restart unless-stopped Docker option automatically runs Dohnut when Docker starts (i.e. at system boot), and restart the process if it crashes.


Use the --bootstrap [DNS server IP address] for the initial DNS lookup of the DoH resolver.

Dohnut resolves the DoH service's address using plaintext DNS over UDP, as per the operating system's DNS settings, unless overridden with the --bootstrap option. This lookup will fail if Dohnut itself is part of the OS' DNS chain. For example if Dohnut is configured as the upstream resolver to Pi-hole, or used directly as the operating system's DNS server via DHCP or static network configuration. In such cases, a circular DNS dependency is created which prevents Dohnut from connecting to its DoH resolver.

The bootstrap DNS service is only used for the initial connection to the DoH resolver. All subsequent queries are encrypted and sent directly to the DoH resolver.

Example error: Without the bootstrap option, Dohnut is unable to resolve the domain commons.host which is set as its DoH resolver.

Worker 1: session error getaddrinfo EAI_AGAIN commons.host commons.host:443

Solution: Set the --bootstrap option to the IP address of a public DNS service, for example (Cloudflare) or (Google).

$ dohnut [...] --bootstrap


Dohnut run inside a container so Docker needs to map its listening ports to the host's network.

The simplest method is to expose the host network directly to the container.

$ docker run --detach --restart unless-stopped --net=host commonshost/dohnut --listen --doh commonshost --bootstrap

Service using IPv4:

$ docker run --detach --restart unless-stopped --publish commonshost/dohnut --listen --doh commonshost --bootstrap

Service using IPv6:

$ docker run --detach --restart unless-stopped --publish [::]:53:53/udp commonshost/dohnut --listen [::]:53 --doh commonshost --bootstrap

Please ensure that Dohnut is only exposed to a private LAN or localhost. Running a public, open DNS resolver exposed to public Internet traffic is strongly discouraged. Plaintext DNS/UDP is a potential source of traffic amplification in DDoS attacks.

Expose Dohnut on or for localhost-only or all network interfaces respectively.

DNS uses port 53 by default but one use case of re-mapping to another port is when Dohnut is used as a local proxy for another resolver like resolved or Pi-hole. For example to run Dohnut on port 53000 and only be accessible from the local host:

$ docker run --detach --restart unless-stopped --publish commonshost/dohnut --listen --doh commonshost --bootstrap