DNS Server 🔒

Paid feature. The DNS Server is gated by the orbit_dns flag and requires Orbit Pro or above. See Orbit Pro for the full tier matrix and upgrade flow.

Quazzar’s DNS Server embeds CoreDNS as a supervised process on your node. You get three things out of the box:

  1. Local zones — serve private names (e.g. router.home.local) without hairpinning through your router’s DNS.
  2. Curated blocklists — AdGuard-style blocking backed by a small, vetted set of community-maintained hosts lists (StevenBlack, OISD basic, URLhaus, Phishing Army).
  3. Live query log — every resolution shown with rcode, client IP, and duration in the Quazzar UI.

Opening the DNS page

Dock → Infra → DNS. The console has three tabs:

  • Zones — create zones and manage their A / AAAA / CNAME / MX / TXT records.
  • Blocklists — flip individual lists on/off. Changes take effect on the next CoreDNS reload (automatic, via sysctl).
  • Query log — newest 200 queries refresh every 5 s.

Installing CoreDNS

Quazzar does not bundle the CoreDNS binary. Install it separately:

# Debian/Ubuntu
sudo apt install coredns

# Arch
sudo pacman -S coredns

# Upstream release (any distro)
curl -sSL https://github.com/coredns/coredns/releases/latest/download/coredns_linux_amd64.tgz \
  | sudo tar -xz -C /usr/local/bin

The Quazzar DNS supervisor finds coredns by $PATH and manages it through systemd (systemctl kill -s HUP coredns). On Debian/Ubuntu the distro package ships a service unit already; on other distros you may need to write one.

Freeing port 53

Most modern Linux distros pin systemd-resolved to 127.0.0.1:53. Quazzar’s CoreDNS binds the same address + port by default; you need to move resolved first:

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/quazzar.conf <<'EOF'
[Resolve]
DNSStubListener=no
EOF
sudo systemctl restart systemd-resolved

Then point /etc/resolv.conf at 127.0.0.1 so host-level lookups go through the new CoreDNS.

Where Quazzar stores state

Everything lives under <data_dir>/dns:

<data_dir>/dns/
├── Corefile          # auto-generated from zones + options
├── zones/
│   └── home.local.zone
├── blocklist.hosts   # concatenated enabled blocklists
└── queries.log       # CoreDNS `log` plugin output, tailed for the UI

The files are rewritten atomically on every zone / blocklist mutation; the supervisor then asks sysctl to SIGHUP CoreDNS. Idle reconciles (Corefile bytes unchanged) skip the SIGHUP.
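
The same data the Query log tab shows can be reviewed offline from queries.log. The parser below is an added example, not Quazzar's own code: it assumes the file holds lines in the CoreDNS `log` plugin's default format, and the sample lines and the NXDOMAIN threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# CoreDNS `log` plugin, default format (assumed; a custom format will not match):
# [INFO] remote:port - id "type class name proto size do bufsize" rcode flags rsize duration
LINE_RE = re.compile(
    r'\[INFO\] \[?(?P<client>[0-9A-Fa-f:.]+)\]?:\d+ - \d+ '
    r'"(?P<qtype>\S+) \S+ (?P<name>\S+) (?P<proto>\S+) \d+ \S+ \d+" '
    r'(?P<rcode>\S+) \S+ \d+ (?P<duration>[0-9.]+)s\s*$'
)

def parse_line(line):
    """Return client, qtype, name, proto, rcode, duration (seconds), or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["duration"] = float(rec["duration"])
    return rec

def summarize(lines, nx_threshold=3):
    """Count rcodes per client; list clients with >= nx_threshold NXDOMAIN answers."""
    per_client = defaultdict(Counter)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # startup banners, errors, non-default formats
            continue
        per_client[rec["client"]][rec["rcode"]] += 1
    noisy = sorted(c for c, rc in per_client.items() if rc["NXDOMAIN"] >= nx_threshold)
    return dict(per_client), noisy, skipped

# Constructed sample lines, not taken from a real node.
SAMPLE = [
    '[INFO] 192.168.1.20:41234 - 4021 "A IN router.home.local. udp 35 false 512" NOERROR qr,aa,rd 68 0.000214s',
    '[INFO] 192.168.1.31:50112 - 911 "A IN kq3vx9.example.net. udp 37 false 512" NXDOMAIN qr,rd,ra 112 0.021s',
    '[INFO] 192.168.1.31:50113 - 912 "A IN z81hhp.example.net. udp 37 false 512" NXDOMAIN qr,rd,ra 112 0.019s',
    '[INFO] 192.168.1.31:50114 - 913 "A IN p0d2rw.example.net. udp 37 false 512" NXDOMAIN qr,rd,ra 112 0.020s',
    '[INFO] [::1]:50759 - 29008 "AAAA IN example.org. udp 41 false 4096" NOERROR qr,rd,ra 68 0.037990251s',
    '[INFO] Reloading complete',
]

if __name__ == "__main__":
    stats, noisy, skipped = summarize(SAMPLE)
    for client, rcodes in stats.items():
        print(client, dict(rcodes))
    print("high NXDOMAIN clients:", noisy, "| unparsed lines:", skipped)
```

A client that keeps drawing NXDOMAIN for unrelated names is worth a closer look; tune nx_threshold to the node's normal traffic before alerting on it.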

Security

  • All actuator calls flow through the sysctl whitelist — coredns.reload is the only action the DNS Server can trigger.
  • Blocklist fetches run on the server with a 24 h cadence and honour each upstream’s license (we proxy through the hosts directive, not a DNS-level redirect).
  • DoH/DoT upstream is not enabled by default — forwarders send queries to Cloudflare and Google in plaintext. The roadmap includes DoT on upgrade.

Troubleshooting

  • /api/dns/* returns 402 — You’re on Community; the feature is paid. Open the dialog from the lock card to upgrade.
  • Queries tab is empty — CoreDNS may be down, or no clients have pointed at the resolver yet. Check systemctl status coredns and that the node’s /etc/resolv.conf sends lookups through 127.0.0.1.
  • Blocklists show 0 entries — The initial fetch failed; check outbound HTTPS to GitHub + abuse.ch from the node, and wait for the next 24 h refresh cycle or re-toggle the list.