🐑 Commons Host



Dohnut with Docker

Use Docker to run Dohnut in a container. Multi-arch Docker container images are provided for: ARMv6, ARMv7, ARMv8, and x86-64 (Intel/AMD).

Docker image: commonshost/dohnut

$ docker run [DOCKER_OPTIONS] commonshost/dohnut [DOHNUT_OPTIONS]

Any options before the image name commonshost/dohnut are for Docker. Any options after the image name are for Dohnut.

Table of Contents


Run forever as a background service, listen on port 53/udp on all network interfaces, and DNS proxy queries to Commons Host DoH.

$ docker run --detach --restart unless-stopped --net=host commonshost/dohnut --listen --doh commonshost

Test the service by performing a DNS query on the Docker host system.

$ dig @localhost example.com

; <<>> DiG 9.10.6 <<>> @ example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32488
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;example.com.           IN  A

example.com.        86236   IN  A

;; Query time: 13 msec
;; WHEN: Tue Feb 19 15:44:53 +08 2019
;; MSG SIZE  rcvd: 56

Dohnut Options

See the command line interface reference.

Docker Options

See the Docker reference documentation for docker run.

Background Service Daemon

Using the --detach or -d Docker option to run Dohnut as a background service, aka daemon.

The --restart unless-stopped Docker option automatically runs Dohnut when Docker starts (i.e. at system boot), and restart the process if it crashes.


Dohnut run inside a container so Docker needs to map its listening ports to the host's network.

The simplest method is to expose the host network directly to the container.

$ docker run --detach --restart unless-stopped --net=host commonshost/dohnut --listen --doh commonshost

Service using IPv4:

$ docker run --detach --restart unless-stopped --publish commonshost/dohnut --listen --doh commonshost

Service using IPv6:

$ docker run --detach --restart unless-stopped --publish [::]:53:53/udp commonshost/dohnut --listen [::]:53 --doh commonshost

Please ensure that Dohnut is only exposed to a private LAN or localhost. Running a public, open DNS resolver exposed to public Internet traffic is strongly discouraged. Plaintext DNS/UDP is a potential source of traffic amplification in DDoS attacks.

Expose Dohnut on or for localhost-only or all network interfaces respectively.

DNS uses port 53 by default but one use case of re-mapping to another port is when Dohnut is used as a local proxy for another resolver like resolved or Pi-hole. For example to run Dohnut on port 53000 and only be accessible from the local host:

$ docker run --detach --restart unless-stopped --publish commonshost/dohnut --listen --doh commonshost