diff --git a/Dockerfile b/Dockerfile
index a357c8a..bedeba5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.15.0
-# Install required dependencies and build unbound (and install bind-tools for dig in healthcheck)
-RUN apk --update add --no-cache alpine-sdk bind-tools expat-dev git openssl-dev && \
+# Install required dependencies and build unbound (and install bind-tools for dig in healthcheck), clean up after
+RUN apk --update add --no-cache alpine-sdk bind-tools dns-root-hints expat-dev git openssl-dev && \
 # Clone and build unbound source (https://github.com/NLnetLabs/unbound)
 git clone --depth 1 --branch 'release-1.14.0' https://github.com/NLnetLabs/unbound.git /tmp/unbound && \
 cd /tmp/unbound && \
@@ -13,16 +13,12 @@ RUN apk --update add --no-cache alpine-sdk bind-tools expat-dev git openssl-dev
 rm -rf /tmp/* && \
 apk del alpine-sdk expat-dev git openssl-dev
-# Prepare unbound files
+# Prepare image
 COPY entrypoint.sh /
-RUN mkdir -p /srv/unbound
+RUN addgroup -S unbound
+RUN adduser -S -G unbound unbound
+RUN mkdir -p /srv/unbound/conf
 COPY unbound.conf /srv/unbound/unbound.conf
-# Prepare
-RUN adduser -S unbound --disabled-password
-
-# Health
-HEALTHCHECK --interval=60s --timeout=3s --retries=2 \
- CMD dig ns1.gkcld.net @127.0.0.1 +dnssec || exit 1
-
+HEALTHCHECK --interval=60s --timeout=3s --retries=2 CMD dig ns1.gkcld.net @127.0.0.1 +dnssec || exit 1
 ENTRYPOINT ["sh", "/entrypoint.sh"]
diff --git a/README.md b/README.md
index 23613f3..dc82852 100644
--- a/README.md
+++ b/README.md
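Review bot: The `git clone --depth 1 --branch 'release-1.14.0'` step in this RUN compiles whatever the upstream tag points to at build time, with no check that the source is the expected release; a tag can be moved, so a resolver image should verify what it builds. One option is to compare the checked-out commit with a value recorded in the Dockerfile right after the clone, e.g. `test "$(git -C /tmp/unbound rev-parse HEAD)" = "<EXPECTED_COMMIT_SHA>" && \`, or to build from the release tarball and check its published checksum or signature. The newly added `dns-root-hints` package is likewise installed without a version, so the hints shipped in the image depend on the package repository state at build time. The RUN continues outside the hunk, so the configure and build steps are not visible here.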
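Review bot: The rewritten `HEALTHCHECK` only tests dig's exit status, and dig exits 0 for any reply it receives, including SERVFAIL, so a resolver whose DNSSEC validation or upstream reachability is broken still reports healthy; `+dnssec` only sets the DO bit on the query. Checking the response status closes that gap, e.g. `CMD dig +dnssec ns1.gkcld.net @127.0.0.1 | grep -q 'status: NOERROR' || exit 1`. The probe also depends on a single external name, so an outage of that zone would mark every container unhealthy. Separately, there is no `USER` instruction before `ENTRYPOINT`, so the container starts as root (and the README asks for `--privileged`); presumably unbound is expected to drop to the new `unbound` account itself, and a comment next to the `adduser` line saying so would make that dependency visible.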
@@ -1,3 +1,9 @@
 # A recursive, caching DNS resolver with some optimizations
-Needs to run with `--privileged` to allow increased cache size
\ No newline at end of file
+Needs to run with `--privileged` to allow increased cache size
+
+Pull a new version of the image every 3-6 months to keep the provided root hints up to date
+
+Options:
+- Add additional config files to the `/srv/unbound/conf` container directory
+- Override the default config by mounting a `/srv/unbound/unbound.conf` file
\ No newline at end of file
diff --git a/unbound.conf b/unbound.conf
index 08aaef9..c8dc1c4 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -1,4 +1,6 @@
 # https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
+include: /srv/unbound/conf/*.conf
+
 server:
 # If no logfile is specified, syslog is used
 #logfile: "/var/log/unbound/unbound.log"
@@ -15,10 +17,6 @@ server:
 # Terredo tunnels your web browser should favor IPv4 for the same reasons
 prefer-ip6: no
- # Use this when you want to maually add/update the root.hints file
- # Otherwise, the hints included in the unbound package at the time the image was built will be used
- #root-hints: "/var/lib/unbound/root.hints"
-
 # Trust glue only if it is within the server's authority
 harden-glue: yes
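Review bot: The new `include: /srv/unbound/conf/*.conf` line makes every matching file in that directory part of the resolver's configuration, so anything able to write to the mounted directory can change any setting, including forwarders and DNSSEC validation; the line deserves a comment saying so. Something like `# Files matched here are trusted config and can change any setting; mount the directory read-only` above the include would do. Because the include precedes the `server:` block, options set later in the main file likely take precedence over the same single-valued options in included files, which seems at odds with the README's intent of letting users add configuration; worth confirming and, if so, moving the include to the end of the file. The `server:` block continues outside the hunk.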