Initial commit
commit
698e8bc5f7
|
@ -0,0 +1 @@
|
|||
.idea/
|
|
@ -0,0 +1,34 @@
|
|||
stages:
|
||||
- test
|
||||
- release
|
||||
|
||||
# Test if the image can be built
|
||||
test:build:
|
||||
stage: test
|
||||
tags:
|
||||
- test
|
||||
- build
|
||||
image: docker:latest
|
||||
script:
|
||||
- docker build .
|
||||
interruptible: true
|
||||
only:
|
||||
- master
|
||||
|
||||
# Push images of tags to private registry
|
||||
release:image:
|
||||
stage: release
|
||||
tags:
|
||||
- release
|
||||
- build
|
||||
image: docker:latest
|
||||
script:
|
||||
- docker login -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}" "${DOCKER_REGISTRY_HOST}"
|
||||
- echo "Building image..."
|
||||
- docker build -t "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:"${CI_COMMIT_TAG}" -t "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:latest .
|
||||
- echo "Pushing tags..."
|
||||
- docker push "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:"${CI_COMMIT_TAG}"
|
||||
- docker push "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:latest
|
||||
interruptible: false
|
||||
only:
|
||||
- tags
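Review bot: `docker login -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}" ...` in the release:image script hands the registry password over as a command-line argument, where it is visible in the process table on the runner and, depending on how the runner echoes the script, in the job log; read it from stdin instead, `- echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin "${DOCKER_REGISTRY_HOST}"`. Both jobs use `image: docker:latest`, a floating tag, so a build is not reproducible and the toolchain can change underneath the pipeline; pin it to a specific version. `only:` is GitLab's legacy job-filter syntax; `rules:` is the current form and states the master/tags conditions more explicitly.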
|
|
@ -0,0 +1,27 @@
|
|||
FROM alpine:3.15.0
|
||||
|
||||
# Install required dependencies to build unbound (and bind-tools for dig in healthcheck)
|
||||
RUN apk update && apk add --no-cache alpine-sdk bind-tools expat-dev git libressl-dev
|
||||
|
||||
# Clone and build unbound source (https://github.com/NLnetLabs/unbound)
|
||||
RUN mkdir -p /tmp/unbound
|
||||
RUN git clone --depth 1 --branch 'release-1.14.0' https://github.com/NLnetLabs/unbound.git /tmp/unbound
|
||||
RUN cd /tmp/unbound && ./configure && make && make install
|
||||
|
||||
# Cleanup build tools
|
||||
RUN apk del alpine-sdk expat-dev git
|
||||
RUN rm -rf /tmp/*
|
||||
|
||||
# Prepare unbound files
|
||||
COPY entrypoint.sh /
|
||||
RUN mkdir -p /srv/unbound
|
||||
COPY unbound.conf /srv/unbound/unbound.conf
|
||||
|
||||
# Prepare
|
||||
RUN adduser unbound --disabled-password
|
||||
|
||||
# Health
|
||||
HEALTHCHECK --interval=60s --timeout=3s --retries=2 \
|
||||
CMD dig ns1.gkcld.net @127.0.0.1 +dnssec || exit 1
|
||||
|
||||
ENTRYPOINT ["sh", "/entrypoint.sh"]
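Review bot: The `RUN apk del ...` and `RUN rm -rf /tmp/*` cleanup steps run in their own layers, so the build toolchain and the cloned source tree stay in the earlier layers and the final image is not actually reduced; install, build and cleanup need to happen in a single `RUN` (or a multi-stage build). `--branch 'release-1.14.0'` checks out a tag, which a repository owner can move, so the build is not pinned to a reviewed revision; comparing the checked-out commit against a known hash (or verifying the tag signature) would pin it. An `unbound` user is created but no `USER` instruction follows, so the entrypoint starts as root; whether unbound drops privileges itself depends on its `username:` setting, which the shipped unbound.conf does not set. The HEALTHCHECK resolves an external name, so an outage of that zone or of upstream connectivity marks an otherwise running resolver unhealthy; consider whether that is the intended signal.

```dockerfile
FROM alpine:3.15.0

# Install, clone, build and clean up in ONE layer so the toolchain and the
# sources never persist in the final image (bind-tools stays for the healthcheck)
RUN apk update && apk add --no-cache alpine-sdk bind-tools expat-dev git libressl-dev \
    && mkdir -p /tmp/unbound \
    && git clone --depth 1 --branch 'release-1.14.0' https://github.com/NLnetLabs/unbound.git /tmp/unbound \
    && cd /tmp/unbound \
    && [ "$(git rev-parse HEAD)" = "<PINNED_COMMIT_HASH>" ] \
    && ./configure && make && make install \
    && apk del alpine-sdk expat-dev git \
    && rm -rf /tmp/*
# … unchanged: COPY entrypoint.sh / through ENTRYPOINT …
```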
|
|
@ -0,0 +1,3 @@
|
|||
# A recursive, caching DNS resolver with some optimizations
|
||||
|
||||
Needs to run with `--privileged` to allow increased cache size
|
|
@ -0,0 +1,10 @@
|
|||
# Changelog
|
||||
All notable changes to this project will be documented in this file.
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [1.14.0]
|
||||
- Initial release with `unbound 1.14.0` [major]
|
||||
|
||||
## [0.0.1] - 2022-01-22
|
||||
- Birth of the project! [patch]
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo 'Starting unbound...'
|
||||
unbound -V
|
||||
unbound -c /srv/unbound/unbound.conf -d
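Review bot: `#!/bin/bash` names an interpreter the Dockerfile never installs (alpine base, no bash package), and the ENTRYPOINT runs the script through `sh` anyway, so the shebang is both wrong and ignored; make it `#!/bin/sh`. `unbound -c /srv/unbound/unbound.conf -d` runs as a child of the shell, so the SIGTERM from `docker stop` is delivered to `sh` rather than to unbound, and the resolver is killed after the stop timeout instead of shutting down cleanly; use `exec unbound -c /srv/unbound/unbound.conf -d` so unbound replaces the shell. Adding `set -eu` after the shebang stops the script from continuing past a failing command.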
|
|
@ -0,0 +1,55 @@
|
|||
# https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
|
||||
server:
|
||||
# If no logfile is specified, syslog is used
|
||||
#logfile: "/var/log/unbound/unbound.log"
|
||||
verbosity: 0
|
||||
|
||||
interface: 0.0.0.0
|
||||
port: 53
|
||||
do-ip4: yes
|
||||
do-ip6: no
|
||||
do-udp: yes
|
||||
do-tcp: yes
|
||||
|
||||
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
|
||||
# Terredo tunnels your web browser should favor IPv4 for the same reasons
|
||||
prefer-ip6: no
|
||||
|
||||
# Use this when you want to maually add/update the root.hints file
|
||||
# Otherwise, the hints included in the unbound package at the time the image was built will be used
|
||||
#root-hints: "/var/lib/unbound/root.hints"
|
||||
|
||||
# Trust glue only if it is within the server's authority
|
||||
harden-glue: yes
|
||||
|
||||
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
|
||||
harden-dnssec-stripped: yes
|
||||
|
||||
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
|
||||
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
|
||||
use-caps-for-id: no
|
||||
|
||||
# Reduce EDNS reassembly buffer size.
|
||||
# Suggested by the unbound man page to reduce fragmentation reassembly problems
|
||||
edns-buffer-size: 1472
|
||||
|
||||
# Perform prefetching of close to expired message cache entries
|
||||
# This only applies to domains that have been frequently queried
|
||||
prefetch: yes
|
||||
|
||||
# Reduce latency by serving the outdated record before updating it
|
||||
serve-expired: yes
|
||||
|
||||
# more cache memory, rrset=msg*2
|
||||
rrset-cache-size: 64m
|
||||
msg-cache-size: 32m
|
||||
|
||||
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
|
||||
num-threads: 1
|
||||
|
||||
# Larger socket buffer. OS may need config.
|
||||
so-rcvbuf: 2m
|
||||
so-sndbuf: 2m
|
||||
|
||||
# Allow from adguard subnet (see docker-compose adguard network)
|
||||
access-control: 0.0.0.0/0 allow
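Review bot: `access-control: 0.0.0.0/0 allow` admits queries from every source address, while the comment directly above it says the intent is to allow only the adguard subnet; combined with `interface: 0.0.0.0`, publishing port 53 on anything other than an internal Docker network turns this into an open resolver that can be used for reflection. Restrict the rule to the network actually intended, e.g. `access-control: <ADGUARD_SUBNET_CIDR> allow`; addresses not covered by an allow rule are, as far as I recall, refused by unbound's default. The `so-rcvbuf: 2m` / `so-sndbuf: 2m` settings are presumably what the README's `--privileged` requirement refers to; raising the host's socket-buffer limits, or granting only the capability unbound needs for this, would avoid running the resolver with full privileges. `serve-expired: yes` has no accompanying `serve-expired-ttl`, so how long stale records may be served is left to the daemon's default; stating it explicitly documents the intended staleness bound.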
|