diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f3939eac625ad18ad00c32160c0c4a0801ec4468..ad72a209d051f892a6b807c4dae40a35200b5a59 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -244,3 +244,19 @@ push-workbench:
   needs:
     - job: build-workbench
       artifacts: true
+
+# resolver image:
+
+build-resolver:
+  extends: .container-build
+  variables:
+    CONTEXT: resolver
+
+push-resolver:
+  extends: .container-push
+  variables:
+    CONTEXT: resolver
+    IMAGE: resolver
+  needs:
+    - job: build-resolver
+      artifacts: true
diff --git a/resolver/.dockerignore b/resolver/.dockerignore
new file mode 100644
index 0000000000000000000000000000000000000000..91445b94f5921ddc8269189c6eda60e8ddd65531
--- /dev/null
+++ b/resolver/.dockerignore
@@ -0,0 +1,2 @@
+*
+!entrypoint
diff --git a/resolver/Dockerfile b/resolver/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..de9f8467270be37b492d9fad2823d03f2a68ff0e
--- /dev/null
+++ b/resolver/Dockerfile
@@ -0,0 +1,20 @@
+FROM alpine:3.13
+# hadolint ignore=DL3018
+RUN echo '@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \
+    echo '@community http://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories && \
+    apk add --update --no-cache \
+        bash \
+        dma@testing \
+        gosu@testing \
+        iproute2 \
+        knot-resolver@community \
+        knot-utils \
+        mailx \
+        mtr \
+    && \
+    ln -s /usr/bin/kdig /usr/local/bin/dig && \
+    ln -s /usr/bin/khost /usr/local/bin/host
+COPY entrypoint /usr/local/sbin/entrypoint
+WORKDIR /
+ENTRYPOINT [ "entrypoint" ]
+CMD [ "bash", "--login" ]
diff --git a/resolver/README.md b/resolver/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..ae799d2b34b47e2b2d3286e97d1d9e58fce62c27
--- /dev/null
+++ b/resolver/README.md
@@ -0,0 +1,23 @@
+# Resolver
+
+[![pipeline status](https://git.shore.co.il/nimrod/resolver/badges/master/pipeline.svg)](https://git.shore.co.il/nimrod/resolver/-/commits/master)
+
+Testing DNS with a clean cache resolver. More info at
+https://www.shore.co.il/blog/resolver/.
+
+## Usage
+
+```
+docker run --rm -it registry.shore.co.il/resolver
+```
+
+## License
+
+This software is licensed under the MIT license (see `LICENSE.txt`).
+
+## Author Information
+
+Nimrod Adar, [contact me](mailto:nimrod@shore.co.il) or visit my
+[website](https://www.shore.co.il/). Patches are welcome via
+[`git send-email`](http://git-scm.com/book/en/v2/Git-Commands-Email). The repository
+is located at: <https://git.shore.co.il/explore/>.
diff --git a/resolver/entrypoint b/resolver/entrypoint
new file mode 100755
index 0000000000000000000000000000000000000000..be040bd7cef39488e47421767dfdb776401e84a8
--- /dev/null
+++ b/resolver/entrypoint
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eux
+kresd --addr '127.0.0.1' --noninteractive &
+echo 'nameserver 127.0.0.1' > /etc/resolv.conf
+# shellcheck disable=SC2294
+eval exec gosu nobody:nobody "$@"