Using LetsEncrypt Boulder as a DNS Server

Question

I have a local docker-compose setup in which i am testing some HTTPS requirements. To setup the same, LetsEncrypt Boulder Docker image was used as a local CA. I have tested CertBot with the same and I am able to generate certificates.

In addition, traefik is being used as a reverse proxy system which tries to verify the HTTPS TXT, AAAA, etc on the DNS server.

I need to know if i can use Boulder as a local DNS server and if yes then if there is any documentation on the same.

Also I am currently using DNSMASQ as a local DNS server. is there any way i can update the TXT values and all in DNSMASQ on run time..?

Thanks in advance

Answer 1

Yes, you can. Check this docker-compose.yml file:

version: "3"

networks:
  test:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.77.77.0/24

services:
  boulder:
    # To minimize fetching this should be the same version used below
    image: containous/boulder:containous-acmev2
    environment:
      FAKE_DNS: 10.77.77.1
      PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
    restart: unless-stopped
    extra_hosts:
      - docker.com:10.77.77.66
      - boulder:10.77.77.77
    ports:
      - 4000:4000 # ACME
      - 4001:4001 # ACMEv2
      - 4002:4002 # OCSP
      - 4003:4003 # OCSP
      - 4430:4430 # ACME via HTTPS
      - 4431:4431 # ACMEv2 via HTTPS
      - 8055:8055 # dns-test-srv updates
    depends_on:
      - bhsm
      - bmysql
    networks:
      test:
        ipv4_address: 10.77.77.77
        aliases:
          - sa2.boulder
          - ca2.boulder
          - ra2.boulder
          - va2.boulder
          - publisher2.boulder

  bhsm:
    # To minimize fetching this should be the same version used above
    image: letsencrypt/boulder-tools:2018-03-07
    hostname: boulder-hsm
    environment:
      PKCS11_DAEMON_SOCKET: tcp://0.0.0.0:5657
    command: /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm2.so
    expose:
      - 5657
    networks:
      test:
        aliases:
          - boulder-hsm

  bmysql:
    image: mariadb:10.1
    hostname: boulder-mysql
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
    command: mysqld --bind-address=0.0.0.0
    logging:
        driver: none
    networks:
      test:
        aliases:
          - boulder-mysql

  proxy:
    image: containous/traefik
    depends_on:
      - boulder
    extra_hosts:
      - traefik.boulder.com:10.77.77.77
    networks:
      test:
        ipv4_address: 10.77.77.66
    ports:
      - "0.0.0.0:80:80"
      - "5002:80"
      - "0.0.0.0:443:443"
      - "0.0.0.0:8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - "./acme/:/acme/:rw"

  consul:
    image: consul
    networks:
      - test
    command: agent -server -bootstrap -ui -client 0.0.0.0 -log-level debug
    ports:
      - "8400:8400"
      - "0.0.0.0:8500:8500"
      - "8600:53/udp"
    expose:
      - "8300"
      - "8301"
      - "8301/udp"
      - "8302"
      - "8302/udp"

  whoami:
    image: containous/whoami
    networks:
      - test
    labels:
      - traefik.enable=true
      - traefik.port=80
      - traefik.backend=whoami
      - traefik.network=test
      - traefik.frontend.rule=Host:whoami.docker.com

  storeconfig:
    image: containous/traefik
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - ./traefik.toml:/traefik.toml
    - "./acme/:/acme/:rw"
    command: storeconfig --debug --configfile=/traefik.toml --logLevel="DEBUG"
    networks:
      - test