From 698e8bc5f7a53dc3f75aaebd0879d901ee8cffc9 Mon Sep 17 00:00:00 2001 From: Gertjan Date: Sat, 22 Jan 2022 00:23:55 +0100 Subject: [PATCH] Initial commit --- .gitignore | 1 + .gitlab-ci.yml | 34 +++++++++++++++++++++++++++++++ Dockerfile | 27 +++++++++++++++++++++++++ README.md | 3 +++ changelog.md | 10 +++++++++ entrypoint.sh | 5 +++++ unbound.conf | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 135 insertions(+) create mode 100644 .gitignore create mode 100644 .gitlab-ci.yml create mode 100644 Dockerfile create mode 100644 README.md create mode 100644 changelog.md create mode 100644 entrypoint.sh create mode 100644 unbound.conf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..62c8935 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea/ \ No newline at end of file diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..3652cdb --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,34 @@ +stages: + - test + - release + +# Test if the image can be built +test:build: + stage: test + tags: + - test + - build + image: docker:latest + script: + - docker build . + interruptible: true + only: + - master + +# Push images of tags to private registry +release:image: + stage: release + tags: + - release + - build + image: docker:latest + script: + - docker login -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}" "${DOCKER_REGISTRY_HOST}" + - echo "Building image..." + - docker build -t "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:"${CI_COMMIT_TAG}" -t "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:latest . + - echo "Pushing tags..." + - docker push "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:"${CI_COMMIT_TAG}" + - docker push "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:latest + interruptible: false + only: + - tags \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..61c5721 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,27 @@ +FROM alpine:3.15.0 + +# Install required dependencies to build unbound (and bind-tools for dig in healthcheck) +RUN apk update && apk add --no-cache alpine-sdk bind-tools expat-dev git libressl-dev + +# Clone and build unbound source (https://github.com/NLnetLabs/unbound) +RUN mkdir -p /tmp/unbound +RUN git clone --depth 1 --branch 'release-1.14.0' https://github.com/NLnetLabs/unbound.git /tmp/unbound +RUN cd /tmp/unbound && ./configure && make && make install + +# Cleanup build tools +RUN apk del alpine-sdk expat-dev git +RUN rm -rf /tmp/* + +# Prepare unbound files +COPY entrypoint.sh / +RUN mkdir -p /srv/unbound +COPY unbound.conf /srv/unbound/unbound.conf + +# Prepare +RUN adduser unbound --disabled-password + +# Health +HEALTHCHECK --interval=60s --timeout=3s --retries=2 \ + CMD dig ns1.gkcld.net @127.0.0.1 +dnssec || exit 1 + +ENTRYPOINT ["sh", "/entrypoint.sh"] diff --git a/README.md b/README.md new file mode 100644 index 0000000..23613f3 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# A recursive, caching DNS resolver with some optimizations + +Needs to run with `--privileged` to allow increased cache size \ No newline at end of file diff --git a/changelog.md b/changelog.md new file mode 100644 index 0000000..a7cd2b2 --- /dev/null +++ b/changelog.md @@ -0,0 +1,10 @@ +# Changelog +All notable changes to this project will be documented in this file. + +## [Unreleased] + +## [1.14.0] +- Initial release with `unbound 1.14.0` [major] + +## [0.0.1] - 2022-01-22 +- Birth of the project! [patch] diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100644 index 0000000..3fc6921 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +echo 'Starting unbound...' +unbound -V +unbound -c /srv/unbound/unbound.conf -d diff --git a/unbound.conf b/unbound.conf new file mode 100644 index 0000000..08aaef9 --- /dev/null +++ b/unbound.conf @@ -0,0 +1,55 @@ +# https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound +server: + # If no logfile is specified, syslog is used + #logfile: "/var/log/unbound/unbound.log" + verbosity: 0 + + interface: 0.0.0.0 + port: 53 + do-ip4: yes + do-ip6: no + do-udp: yes + do-tcp: yes + + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Use this when you want to maually add/update the root.hints file + # Otherwise, the hints included in the unbound package at the time the image was built will be used + #root-hints: "/var/lib/unbound/root.hints" + + # Trust glue only if it is within the server's authority + harden-glue: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS + harden-dnssec-stripped: yes + + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details + use-caps-for-id: no + + # Reduce EDNS reassembly buffer size. + # Suggested by the unbound man page to reduce fragmentation reassembly problems + edns-buffer-size: 1472 + + # Perform prefetching of close to expired message cache entries + # This only applies to domains that have been frequently queried + prefetch: yes + + # Reduce latency by serving the outdated record before updating it + serve-expired: yes + + # more cache memory, rrset=msg*2 + rrset-cache-size: 64m + msg-cache-size: 32m + + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. + num-threads: 1 + + # Larger socket buffer. OS may need config. + so-rcvbuf: 2m + so-sndbuf: 2m + + # Allow from adguard subnet (see docker-compose adguard network) + access-control: 0.0.0.0/0 allow