klaster/mikrotik
Lumpiasty 679ebb3465
Get rid of NAT64 setup
2026-06-16 00:29:45 +02:00

Mikrotik containers

RouterOS containers running on the CRS418 providing network services that RouterOS cannot handle natively.

CoreDNS

Replaces the built-in RouterOS DNS forwarder. Plain forwarding resolver with selective AAAA suppression: AAAA is suppressed by default so clients prefer IPv4 (avoiding the HE tunnel's datacenter-flagged egress), while our own zone and any whitelisted domains keep AAAA for native IPv6.
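A way to check the suppression policy after a deploy, as an added example that is not code from this repository: it audits captured `dig +noall +answer` output against the list of zones that should keep AAAA. The zone names `example.net` and `v6ok.example` and the sample answers are constructed placeholders, and every audited name is assumed to publish AAAA upstream.

```python
"""Audit selective AAAA suppression against captured resolver answers."""

# Assumed placeholders: example.net stands in for "our own zone" and
# v6ok.example for a whitelisted domain; neither comes from the repository.
KEEP_AAAA = ("example.net", "v6ok.example")


def keeps_aaaa(qname, zones=KEEP_AAAA):
    """True when qname equals a listed zone or is a subdomain of it."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in zones:
        zone_labels = zone.rstrip(".").lower().split(".")
        # Compare whole labels so "notexample.net" does not match "example.net".
        if labels[-len(zone_labels):] == zone_labels:
            return True
    return False


def aaaa_records(answer_text):
    """Extract AAAA rdata from `dig +noall +answer` style lines."""
    records = []
    for line in answer_text.splitlines():
        fields = line.split()  # owner, TTL, class, type, rdata
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "AAAA":
            records.append(fields[4])
    return records


def audit(observations, zones=KEEP_AAAA):
    """Return (qname, problem) for each answer that violates the policy."""
    findings = []
    for qname, answer_text in observations.items():
        got = aaaa_records(answer_text)
        if keeps_aaaa(qname, zones) and not got:
            findings.append((qname, "AAAA missing for whitelisted name"))
        elif not keeps_aaaa(qname, zones) and got:
            findings.append((qname, "AAAA leaked for suppressed name"))
    return findings


# Constructed sample: answers as the resolver under test might return them.
SAMPLE = {
    "git.example.net.": "git.example.net. 300 IN AAAA 2001:db8::10\n",
    "www.v6ok.example.": "",
    "notexample.net.": "notexample.net. 60 IN AAAA 2001:db8::66\n",
    "cdn.example.org.": "",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```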

Source: coredns/. Image built by Woodpecker CI (.woodpecker/coredns-build.yaml), pushed to gitea.lumpiasty.xyz/lumpiasty/coredns-mikrotik.

The Corefile is baked into the image: edit coredns/Corefile and push, and the pipeline rebuilds and pushes a new image. The image is custom-built with a minimal plugin set (~6-8 MB vs the official ~20 MB image) to fit the CRS flash.

See docs/coredns.md for design rationale, including why the earlier NAT64/DNS64 approach was removed.

Why not the official coredns/coredns image?

The official image ships ~40 plugins and weighs ~20 MB compressed. A custom build with the 7 plugins we actually need fits in ~6-8 MB — important for the CRS internal flash.

Deployment

The router configuration (container definitions, veth interfaces, bridge ports, DNS settings, firewall) is managed declaratively via Ansible, not by manual CLI commands. See ansible/roles/routeros/ and run:

cd ansible && ansible-playbook playbooks/routeros.yml

Containers do not auto-start on first image pull; after the initial deploy, start the container manually once (subsequent boots are handled by start-on-boot=yes):

/container/start [find name=coredns]