Deploy dnsmasq using Docker containers orchestrated by Ansible.
Note: dnsmasq has no official Docker image; use a community-maintained image or build one from source. See the Docker setup guide for manual deployment.
# The community.docker.docker_compose_v2 module used by the playbook below
# ships in this collection; install it on the control node first.
ansible-galaxy collection install community.docker
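---
# Deploys dnsmasq as a Docker Compose service on every host in the
# `dnsmasq_servers` inventory group. Expects docker-compose.yml.j2 and
# dnsmasq.conf.j2 to be resolvable from the playbook's template lookup path.
- name: Deploy dnsmasq with Docker
  hosts: dnsmasq_servers
  become: true
  gather_facts: true

  vars:
    # Floating tag: once the image has been verified, pin it to an immutable
    # digest (image@sha256:<digest>) so upgrades are explicit and reviewable.
    dnsmasq_image: "jpillora/dnsmasq:latest"
    dnsmasq_container_name: "dnsmasq"
    dnsmasq_config_dir: "/opt/dnsmasq"
    # Address dnsmasq binds *inside* the container's network namespace;
    # "0.0.0.0" is normally required there. Restrict who can reach the
    # resolver on the host side (published-port address, host firewall).
    dnsmasq_listen_address: "0.0.0.0"
    dnsmasq_upstream_dns: "8.8.8.8"

  tasks:
    - name: Install Docker dependencies
      # Package names differ across distributions (Debian-family ships
      # docker.io / docker-ce rather than "docker"); adjust for the target OS.
      ansible.builtin.package:
        name:
          - docker
          - docker-compose-plugin
        state: present

    - name: Ensure Docker service is running
      ansible.builtin.systemd:
        name: docker
        state: started
        enabled: true

    - name: Create directories
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: "0755"
      loop:
        - "{{ dnsmasq_config_dir }}"
        - "{{ dnsmasq_config_dir }}/config"
        - "{{ dnsmasq_config_dir }}/config/dnsmasq.d"

    - name: Deploy Docker Compose file
      # No handler needed: the "Start container" task reconciles compose
      # changes (ports, mounts, image) on every run.
      ansible.builtin.template:
        src: docker-compose.yml.j2
        dest: "{{ dnsmasq_config_dir }}/docker-compose.yml"
        mode: "0644"

    - name: Deploy dnsmasq.conf
      # The rendered file is bind-mounted into the running container, so
      # dnsmasq only picks up changes after the restart handler runs.
      ansible.builtin.template:
        src: dnsmasq.conf.j2
        dest: "{{ dnsmasq_config_dir }}/config/dnsmasq.conf"
        mode: "0644"
      notify: Restart dnsmasq

    - name: Start container
      community.docker.docker_compose_v2:
        project_src: "{{ dnsmasq_config_dir }}"
        state: present

    - name: Verify dnsmasq is responding
      # Requires `dig` on the managed host (bind-utils / dnsutils). dig exits
      # 0 even for SERVFAIL/NXDOMAIN, so the check also requires a non-empty
      # +short answer; an empty answer with DNSSEC enabled usually means
      # validation failed (e.g. wrong clock in the container).
      ansible.builtin.command: dig @127.0.0.1 google.com +short
      register: dig_result
      retries: 5
      delay: 3
      until: dig_result.rc == 0 and dig_result.stdout != ""
      changed_when: false

  handlers:
    - name: Restart dnsmasq
      # docker_compose_v2 expresses a restart through `state`; the v1
      # module's `restarted: true` option is not a parameter of this module
      # and would make the handler fail.
      community.docker.docker_compose_v2:
        project_src: "{{ dnsmasq_config_dir }}"
        state: restarted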
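# docker-compose.yml.j2 — rendered by the "Deploy Docker Compose file" task.
services:
  dnsmasq:
    image: "{{ dnsmasq_image }}"
    container_name: "{{ dnsmasq_container_name }}"
    # Published on every host interface. If the host is reachable from the
    # Internet this is an open resolver (amplification/abuse risk): bind to
    # an internal address ("<host-ip>:53:53/udp") or firewall port 53.
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    # dnsmasq only reads its configuration; mount it read-only.
    volumes:
      - ./config/dnsmasq.conf:/etc/dnsmasq.conf:ro
      - ./config/dnsmasq.d:/etc/dnsmasq.d:ro
    # Writable scratch space for the log file named in dnsmasq.conf
    # (log-facility=/var/log/dnsmasq.log); without it the read-only root
    # filesystem leaves dnsmasq unable to open the log. Not persisted when
    # the container stops — use a bind mount or the Docker log driver for
    # durable logs.
    tmpfs:
      - /var/log
    restart: unless-stopped
    cap_drop:
      - ALL
    # NET_BIND_SERVICE covers binding port 53. dnsmasq started as root drops
    # privileges at startup and may additionally request CAP_SETUID/CAP_SETGID
    # (and CAP_NET_ADMIN/CAP_NET_RAW) — verify against the image; if the
    # container exits with "setting capabilities failed", add exactly those
    # capabilities rather than restoring ALL.
    cap_add:
      - NET_BIND_SERVICE
    # Prevents the process tree from ever regaining privileges via setuid or
    # file-capability binaries; dnsmasq only ever drops privileges.
    security_opt:
      - no-new-privileges:true
    read_only: true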
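# dnsmasq.conf.j2 — rendered by the "Deploy dnsmasq.conf" task. DNS-only
# forwarder; no DHCP/TFTP options are set.

# Listen on all interfaces inside the container's network namespace. The
# container does not own the host's addresses, so restrict exposure on the
# host side (published-port address or firewall), not here.
listen-address={{ dnsmasq_listen_address }}

# Upstream DNS: forward only to the configured server, never to whatever
# /etc/resolv.conf inside the container happens to contain.
no-resolv
server={{ dnsmasq_upstream_dns }}

# Do not forward plain names without a dot, nor reverse lookups for private
# address ranges, to the upstream (leak prevention and less upstream noise).
domain-needed
bogus-priv

# Cache
cache-size=1000

# DNSSEC (requires v2.70+). Validation depends on a correct system clock in
# the container; a skewed clock turns every signed answer into SERVFAIL.
dnssec
dnssec-check-unsigned
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# DNS-0x20 cache poisoning protection (v2.91+, default-off)
# dns-0x20

# Log queries. Every client lookup is recorded: treat the log as sensitive
# and keep retention short. Logging goes to stderr ("-") so the Docker
# logging driver captures it; a file under /var/log cannot be opened with
# the compose file's read-only root filesystem.
log-queries
log-facility=-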
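# Run the playbook (inventory.ini must define the dnsmasq_servers group)
ansible-playbook -i inventory.ini site.yml

# Verify deployment: filter on the container name instead of grepping every
# column (the image name also contains "dnsmasq"), then query the resolver.
docker ps --filter "name=dnsmasq"
dig @127.0.0.1 google.com
# With DNSSEC enabled, a validated answer for the signed root zone carries
# the "ad" flag in the response header.
dig @127.0.0.1 +dnssec . soa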
The default image tag is `latest`; verify image provenance. The container root filesystem is `read_only: true`. Only `NET_BIND_SERVICE` is added; all other capabilities are dropped. Community images (such as `jpillora/dnsmasq`) or self-built images are required. Beyond this playbook, we offer:
Contact our automation team: office@linux-server-admin.com