diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..3680216
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,36 @@
+# docker based deployment
+
+## Prerequisites
+
+* Docker 1.12.x or later (*Docker Swarm Mode*)
+
+## Setup
+
+First decide which nodes you are going to run coredns on and set appropriate
+labels on your nodes. I use `iface=extern` as labels on nodes with external
+facing interfaces and `iface=intern` for internal facing nodes.
+
+```#!bash
+$ docker node inspect node1 | jq '.[0].Spec.Labels'
+{
+  "iface": "extern"
+}
+```
+
+## Deploy
+
+Connect to a "manager" node:
+(*I use `docker-machine` for this*)
+
+```#!bash
+$ eval $(docker-machine env node1)
+$ docker stack deploy -c dns.yml dns
+```
+
+## Verify
+
+Verify your setup works:
+
+```#!bash
+$ dig @<node1> google.com IN A +short
+```
diff --git a/docker/dns.yml b/docker/dns.yml
new file mode 100644
index 0000000..d6db8f6
--- /dev/null
+++ b/docker/dns.yml
@@ -0,0 +1,23 @@
+version: "3.2"
+
+services:
+  coredns:
+    image: coredns/coredns
+    command: -conf /data/Corefile
+    ports:
+      - "53:53/udp"
+      - "53:53/tcp"
+      - "9153:9153/tcp"
+    volumes:
+      - coredns:/data
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - "node.labels.iface != extern"
+      restart_policy:
+        condition: on-failure
+
+volumes:
+  coredns:
+    external: true