Initial commit

master
Meliurwen 3 years ago
commit 40472ae6f7
Signed by: meliurwen
GPG Key ID: 818A8B35E9F1CE10
  1. 2
      .env
  2. 1
      .gitignore
  3. 56
      docker-compose.yml
  4. 257
      encrypted-dns.toml.in
  5. 0
      volumes/unbound/etc/unbound/a-records.conf
  6. 0
      volumes/unbound/etc/unbound/forward-records.conf
  7. 0
      volumes/unbound/etc/unbound/srv-records.conf
  8. 313
      volumes/unbound/etc/unbound/unbound.conf
  9. 1
      volumes/unbound/etc/unbound/unbound.pid

@ -0,0 +1,2 @@
LOCAL_STACK_DIR=/srv/docker/volumes/dnscrypt-server

1
.gitignore vendored

@ -0,0 +1 @@
volumes/unbound/etc/unbound/var

@ -0,0 +1,56 @@
version: "3"
services:
dnscrypt-server:
image: jedisct1/dnscrypt-server:latest
container_name: dnscrypt-server
restart: unless-stopped
expose:
- "8443/tcp"
ports:
- "8443:8443/udp"
networks:
- dnscrypt
volumes:
- ./encrypted-dns.toml.in:/opt/encrypted-dns/etc/encrypted-dns.toml.in:ro
- ${LOCAL_STACK_DIR}/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys
- ${LOCAL_STACK_DIR}/dnscrypt-server/lists:/opt/encrypted-dns/etc/lists
command: "init -N dncr.eracolatore.tk -E 173.249.32.7:8443"
environment:
- TZ='Europe/Berlin'
unbound:
image: mvance/unbound:latest
container_name: unbound
restart: unless-stopped
expose:
- "53/tcp"
- "53/udp"
networks:
- default
- dnscrypt
volumes:
- ./volumes/unbound/etc/unbound:/opt/unbound/etc/unbound
dnscrypt-server-doh:
image: satishweb/doh-server:latest
container_name: dnscrypt-server-doh
environment:
- DEBUG=0
- UPSTREAM_DNS_SERVER=udp:unbound:53
- DOH_HTTP_PREFIX=/dns-query
- DOH_SERVER_LISTEN=0.0.0.0:8053
- DOH_SERVER_TIMEOUT=10
- DOH_SERVER_TRIES=3
- DOH_SERVER_VERBOSE=true
- VIRTUAL_HOST=doh.dns.eracolatore.tk
- VIRTUAL_PORT=8053
- LETSENCRYPT_HOST=doh.dns.eracolatore.tk
- LETSENCRYPT_EMAIL=meliurwen+letsencrypt@gmail.com
networks:
default:
external:
name: ${NETWORK:-webservices}
dnscrypt:

@ -0,0 +1,257 @@
####################################################
# #
# Encrypted DNS Server configuration #
# #
####################################################
##################################
# Global settings #
##################################
## IP addresses and ports to listen to, as well as their external IP
## If there is no NAT involved, `local` and `external` can be the same.
## As many addresses as needed can be configured here, IPv4 and/or IPv6.
## You should at least change the `external` IP address.
### Example with both IPv4 and IPv6 addresses:
# listen_addrs = [
# { local = "0.0.0.0:443", external = "198.51.100.1:443" },
# { local = "[::]:443", external = "[2001:db8::1]:443" }
# ]
listen_addrs = [
@LISTEN_ADDRESSES@
]
## Upstream DNS server and port
upstream_addr = "172.30.0.3:53"
## File name to save the state to
state_file = "/opt/encrypted-dns/etc/keys/state/encrypted-dns.state"
## UDP timeout in seconds
udp_timeout = 10
## TCP timeout in seconds
tcp_timeout = 10
## Maximum active UDP sockets
udp_max_active_connections = 1000
## Maximum active TCP connections
tcp_max_active_connections = 100
## Optional IP address to connect to upstream servers from.
## Leave commented/undefined to automatically select it.
# external_addr = "0.0.0.0"
## Built-in DNS cache capacity
cache_capacity = 150000
## DNS cache: minimum TTL
cache_ttl_min = 3600
## DNS cache: max TTL
cache_ttl_max = 86400
## DNS cache: error TTL
cache_ttl_error = 600
## DNS cache: to avoid bursts of traffic for popular queries when an
## RRSET expires, hold a TTL received from an upstream server for
## `client_ttl_holdon` seconds before decreasing it in client responses.
client_ttl_holdon = 60
## Run as a background process
daemonize = false
## Log file
# log_file = "/tmp/encrypted-dns.log"
## PID file
# pid_file = "/tmp/encrypted-dns.pid"
## User name to drop privileges to, when started as root.
user = "_encrypted-dns"
## Group name to drop privileges to, when started as root.
group = "_encrypted-dns"
## Path to chroot() to, when started as root.
## The path to the state file is relative to the chroot base.
# chroot = "/var/empty"
## Queries sent to that name will return the client IP address.
## This can be very useful for debugging, or to check that relaying works.
# my_ip = "my.ip"
####################################
# DNSCrypt settings #
####################################
[dnscrypt]
## Provider name (with or without the `2.dnscrypt-cert.` prefix)
provider_name = "@PROVIDER_NAME@"
## Does the server support DNSSEC?
dnssec = true
## Does the server always returns correct answers (no filtering, including ad blocking)?
no_filters = true
## Set to `true` if the server doesn't keep any information that can be used to identify users
no_logs = true
## Key cache capacity, per certificate
key_cache_capacity = 10000
###############################
# TLS settings #
###############################
[tls]
## Where to proxy TLS connections to (e.g. DoH server)
# upstream_addr = "127.0.0.1:4343"
@TLS_PROXY_CONFIGURATION@
#######################################
# Server-side filtering #
#######################################
[filtering]
## List of domains to block, one per line
@DOMAIN_BLACKLIST_CONFIGURATION@
## List of undelegated TLDs
## This is the list of nonexistent TLDs that queries are frequently observed for,
## but will never resolve to anything. The server will immediately return a
## synthesized NXDOMAIN response instead of hitting root servers.
undelegated_list = "/opt/encrypted-dns/etc/undelegated.txt"
## Ignore A and AAAA queries for unqualified host names.
ignore_unqualified_hostnames = true
#########################
# Metrics #
#########################
[metrics]
type = "prometheus"
listen_addr = "@METRICS_ADDRESS@"
path = "/metrics"
################################
# Anonymized DNS #
################################
[anonymized_dns]
# Enable relaying support for Anonymized DNS
enabled = @ANONDNS_ENABLED@
# Allowed upstream ports
# This is a list of commonly used ports for encrypted DNS services
allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
# Allow all ports >= 1024 in addition to the list above
allow_non_reserved_ports = false
# Blacklisted upstream IP addresses
blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]
################################
# Access control #
################################
[access_control]
# Enable access control
enabled = false
# Only allow access to client queries including one of these random tokens
# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
# Example: `query_meta = ["token:Y2oHkDJNHz"]`
tokens = ["IQdjF6Cqt2fZuVMF", "CUKJAloBTkTRm2aH", "ZlRuzSNoALoAvxyB"]

@ -0,0 +1,313 @@
server:
do-ip6: no
###########################################################################
# BASIC SETTINGS
###########################################################################
# Time to live maximum for RRsets and messages in the cache. If the maximum
# kicks in, responses to clients still get decrementing TTLs based on the
# original (larger) values. When the internal TTL expires, the cache item
# has expired. Can be set lower to force the resolver to query for data
# often, and not trust (very large) TTL values.
cache-max-ttl: 86400
# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data any more.
cache-min-ttl: 300
# Set the working directory for the program.
directory: "/opt/unbound/etc/unbound"
# RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer
# size. This is the value put into datagrams over UDP towards peers.
# The actual buffer size is determined by msg-buffer-size (both for TCP and
# UDP). Do not set higher than that value.
# Default is 1232 which is the DNS Flag Day 2020 recommendation.
# Setting to 512 bypasses even the most stringent path MTU problems, but
# is seen as extreme, since the amount of TCP fallback generated is
# excessive (probably also for this resolver, consider tuning the outgoing
# tcp number).
edns-buffer-size: 1232
# Listen to for queries from clients and answer from this network interface
# and port.
interface: 0.0.0.0@53
# Rotates RRSet order in response (the pseudo-random number is taken from
# the query ID, for speed and thread safety).
rrset-roundrobin: yes
# Drop user privileges after binding the port.
username: "_unbound"
###########################################################################
# LOGGING
###########################################################################
# Do not print log lines to inform about local zone actions
log-local-actions: no
# Do not print one line per query to the log
log-queries: yes
# Do not print one line per reply to the log
log-replies: no
# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no
# Further limit logging
#logfile: /dev/null
logfile: /var/unbound.log
# Only log errors
verbosity: 0
###########################################################################
# PRIVACY SETTINGS
###########################################################################
# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
# denials, using information from previous NXDO-MAINs answers. In other
# words, use cached NSEC records to generate negative answers within a
# range and positive answers from wildcards. This increases performance,
# decreases latency and resource utilization on both authoritative and
# recursive servers, and increases privacy. Also, it may help increase
# resilience to certain DoS attacks in some circumstances.
aggressive-nsec: yes
# Extra delay for timeouted UDP ports before they are closed, in msec.
# This prevents very delayed answer packets from the upstream (recursive)
# servers from bouncing against closed ports and setting off all sort of
# close-port counters, with eg. 1500 msec. When timeouts happen you need
# extra sockets, it checks the ID and remote IP of packets, and unwanted
# packets are added to the unwanted packet counter.
delay-close: 10000
# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no
# Add localhost to the do-not-query-address list.
do-not-query-localhost: no
# Number of bytes size of the aggressive negative cache.
neg-cache-size: 4M
# Send minimum amount of information to upstream servers to enhance
# privacy (best privacy).
qname-minimisation: yes
###########################################################################
# SECURITY SETTINGS
###########################################################################
# Only give access to recursion clients from LAN IPs
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
# access-control: fc00::/7 allow
# access-control: ::1/128 allow
# File with trust anchor for one zone, which is tracked with RFC5011
# probes.
auto-trust-anchor-file: "var/root.key"
# Enable chroot (i.e, change apparent root directory for the current
# running process and its children)
chroot: "/opt/unbound/etc/unbound"
# Deny queries of type ANY with an empty response.
deny-any: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes
# RFC 8020. returns nxdomain to queries for a name below another name that
# is already known to be nxdomain.
harden-below-nxdomain: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. If turned off you run the risk of a downgrade attack
# that disables security for a zone.
harden-dnssec-stripped: yes
# Only trust glue if it is within the servers authority.
harden-glue: yes
# Ignore very large queries.
harden-large-queries: yes
# Perform additional queries for infrastructure data to harden the referral
# path. Validates the replies if trust anchors are configured and the zones
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
# nameserver addresses that are encountered on the referral path to the
# answer. Experimental option.
harden-referral-path: no
# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes
# Refuse id.server and hostname.bind queries
hide-identity: yes
# Refuse version.server and version.bind queries
hide-version: yes
# Report this identity rather than the hostname of the server.
identity: "DNS"
# These private network addresses are not allowed to be returned for public
# internet names. Any occurrence of such addresses are removed from DNS
# answers. Additionally, the DNSSEC validator may mark the answers bogus.
# This protects against DNS Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
# private-address: ::ffff:0:0/96
# Enable ratelimiting of queries (per second) sent to nameserver for
# performing recursion. More queries are turned away with an error
# (servfail). This stops recursive floods (e.g., random query names), but
# not spoofed reflection floods. Cached responses are not rate limited by
# this setting. Experimental option.
ratelimit: 1000
# Use this certificate bundle for authenticating connections made to
# outside peers (e.g., auth-zone urls, DNS over TLS connections).
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# Set the total number of unwanted replies to eep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 10000
# Use 0x20-encoded random bits in the query to foil spoof attempts. This
# perturbs the lowercase and uppercase of query names sent to authority
# servers and checks if the reply still has the correct casing.
# This feature is an experimental implementation of draft dns-0x20.
# Experimental option.
use-caps-for-id: yes
# Help protect users that rely on this validator for authentication from
# potentially bad data in the additional section. Instruct the validator to
# remove data from the additional section of secure messages that are not
# signed properly. Messages that are insecure, bogus, indeterminate or
# unchecked are not affected.
val-clean-additional: yes
###########################################################################
# PERFORMANCE SETTINGS
###########################################################################
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
# Number of slabs in the infrastructure cache. Slabs reduce lock contention
# by threads. Must be set to a power of 2.
infra-cache-slabs: 2
# Number of incoming TCP buffers to allocate per thread. Default
# is 10. If set to 0, or if do-tcp is "no", no TCP queries from
# clients are accepted. For larger installations increasing this
# value is a good idea.
incoming-num-tcp: 10
# Number of slabs in the key cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number
# of cpus is a reasonable guess.
key-cache-slabs: 2
# Number of bytes size of the message cache.
# Unbound recommendation is to Use roughly twice as much rrset cache memory
# as you use msg cache memory.
msg-cache-size: 165713237
# Number of slabs in the message cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number of
# cpus is a reasonable guess.
msg-cache-slabs: 2
# The number of queries that every thread will service simultaneously. If
# more queries arrive that need servicing, and no queries can be jostled
# out (see jostle-timeout), then the queries are dropped.
# This is best set at half the number of the outgoing-range.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
num-queries-per-thread: 4096
# The number of threads to create to serve clients.
# This is set dynamically at run time to effectively use available CPUs
# resources
num-threads: 1
# Number of ports to open. This number of file descriptors can be opened
# per thread.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
outgoing-range: 8192
# Number of bytes size of the RRset cache.
# Use roughly twice as much rrset cache memory as msg cache memory
rrset-cache-size: 331426474
# Number of slabs in the RRset cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2.
rrset-cache-slabs: 2
# Do no insert authority/additional sections into response messages when
# those sections are not required. This reduces response size
# significantly, and may avoid TCP fallback for some responses. This may
# cause a slight speedup.
minimal-responses: yes
# # Fetch the DNSKEYs earlier in the validation process, when a DS record
# is encountered. This lowers the latency of requests at the expense of
# little more CPU usage.
prefetch: yes
# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes
# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on.
serve-expired: yes
# Open dedicated listening sockets for incoming queries for each thread and
# try to set the SO_REUSEPORT socket option on each socket. May distribute
# incoming queries to threads more evenly.
so-reuseport: yes
###########################################################################
# LOCAL ZONE
###########################################################################
# Include file for local-data and local-data-ptr
include: /opt/unbound/etc/unbound/a-records.conf
include: /opt/unbound/etc/unbound/srv-records.conf
###########################################################################
# FORWARD ZONE
###########################################################################
include: /opt/unbound/etc/unbound/forward-records.conf
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "var/root.zone"
remote-control:
control-enable: no
Loading…
Cancel
Save