diff --git a/.env b/.env
index 13d8130..b3bbd23 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,21 @@
-LOCAL_STACK_DIR=/srv/docker/volumes/dnscrypt-server
+# Global (optional)
+LOCAL_STACK_DIR=/srv/docker/volumes/dns
+TZ=Europe/Berlin
 
+# dnscrypt-server (optional)
+DCRS_IMG=
+DCRS_TAG=
+DCRS_CONTAINER_NAME=
+DCRS_RESTART=
+
+# unbound (optional)
+UB_IMG=
+UB_TAG=
+UB_CONTAINER_NAME=
+UB_RESTART=
+
+# doh (optional)
+DOH_BLD_NGINX_IMG=
+DOH_BLD_NGINX_TAG=
+DOH_CONTAINER_NAME=
+DOH_RESTART=
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..bb1c8aa
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,21 @@
+# Global (optional)
+LOCAL_STACK_DIR=
+TZ=
+
+# dnscrypt-server (optional)
+DCRS_IMG=
+DCRS_TAG=
+DCRS_CONTAINER_NAME=
+DCRS_RESTART=
+
+# unbound (optional)
+UB_IMG=
+UB_TAG=
+UB_CONTAINER_NAME=
+UB_RESTART=
+
+# doh (optional)
+DOH_BLD_NGINX_IMG=
+DOH_BLD_NGINX_TAG=
+DOH_CONTAINER_NAME=
+DOH_RESTART=
diff --git a/docker-compose.yml b/docker-compose.yml
index 5a7d4ce..9d80de5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,9 +2,9 @@ version: "3" services: dnscrypt-server: - image: jedisct1/dnscrypt-server:latest - container_name: dnscrypt-server - restart: unless-stopped + image: ${DCRS_IMG:-jedisct1/dnscrypt-server}:${DCRS_TAG:-latest} + container_name: ${DCRS_CONTAINER_NAME:-dnscrypt-server} + restart: ${DCRS_RESTART:-unless-stopped} expose: - "8443/tcp" ports: 
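Review bot: `.env` stays tracked after this commit — the hunk modifies `a/.env` instead of removing it — even though `.env.example` is introduced as the template, so host-specific values such as `LOCAL_STACK_DIR=/srv/docker/volumes/dns` remain in history and any credential later placed in `.env` would be committed as well. Untrack it (`git rm --cached .env`) and list `.env` in `.gitignore`, keeping only `.env.example` in the repository. The empty assignments in both files only work because `docker-compose.yml` uses the `:-` form of substitution, which treats an empty value like an unset one; that is worth stating in `.env.example`, e.g. `# Leave a value empty to use the default from docker-compose.yml`.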
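Review bot: The new `image:` line defaults to the mutable `latest` tag (`${DCRS_TAG:-latest}`), and the same pattern recurs in the later hunks with `${UB_TAG:-latest}` and `TAG=${DOH_BLD_NGINX_TAG:-alpine}`, so a routine `docker compose pull` can silently change what a public-facing resolver runs. Splitting the reference into `${DCRS_IMG}:${DCRS_TAG}` also rules out digest pinning (`image@sha256:…`), because the `:${DCRS_TAG}` suffix is always appended. Consider pinning the defaults to a release tag and recording the expectation in `.env.example`, e.g. `# DCRS_TAG: pin to a release tag for reproducible deployments; 'latest' is mutable`. The `ports:` mapping for this service continues outside the hunk.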
@@ -13,16 +13,16 @@ services: - dnscrypt volumes: - ./encrypted-dns.toml.in:/opt/encrypted-dns/etc/encrypted-dns.toml.in:ro - - ${LOCAL_STACK_DIR}/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys - - ${LOCAL_STACK_DIR}/dnscrypt-server/lists:/opt/encrypted-dns/etc/lists + - ${LOCAL_STACK_DIR:-./volumes}/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys + - ${LOCAL_STACK_DIR:-./volumes}/dnscrypt-server/lists:/opt/encrypted-dns/etc/lists command: "init -N dncr.eracolatore.tk -E 173.249.32.7:8443" environment: - - TZ='Europe/Berlin' + - TZ=${TZ:-Etc/UTC} unbound: - image: mvance/unbound:latest - container_name: unbound - restart: unless-stopped + image: ${UB_IMG:-mvance/unbound}:${UB_TAG:-latest} + container_name: ${UB_CONTAINER_NAME:-unbound} + restart: ${UB_RESTART:-unless-stopped} expose: - "53/tcp" - "53/udp"
@@ -30,18 +30,20 @@ services: - default - dnscrypt volumes: - - ./volumes/unbound/etc/unbound:/opt/unbound/etc/unbound + - ${LOCAL_STACK_DIR:-./volumes}/unbound/etc/unbound:/opt/unbound/etc/unbound healthcheck: disable: true + environment: + - TZ=${TZ:-Etc/UTC} - dnscrypt-server-doh: + doh: build: context: nginx/. args: - - IMAGE=${NGINX_IMG:-nginx} - - TAG=${NGINX_TAG:-alpine} - container_name: dnscrypt-server-doh - restart: ${NGINX_RESTART:-unless-stopped} + - IMAGE=${DOH_BLD_NGINX_IMG:-nginx} + - TAG=${DOH_BLD_NGINX_TAG:-alpine} + container_name: ${DOH_CONTAINER_NAME:-doh} + restart: ${DOH_RESTART:-unless-stopped} expose: - 8080 environment:
diff --git a/volumes/unbound/etc/unbound/a-records.conf b/volumes/unbound/etc/unbound/a-records.conf
deleted file mode 100644
index e69de29..0000000
diff --git a/volumes/unbound/etc/unbound/forward-records.conf b/volumes/unbound/etc/unbound/forward-records.conf
deleted file mode 100644
index e69de29..0000000
diff --git a/volumes/unbound/etc/unbound/srv-records.conf b/volumes/unbound/etc/unbound/srv-records.conf
deleted file mode 100644
index e69de29..0000000
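Review bot: The keys bind mount `${LOCAL_STACK_DIR:-./volumes}/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys` now defaults to a directory inside the repository checkout, and this repository evidently tracks `volumes/` (the same commit deletes files under `volumes/unbound/etc/unbound/`), so whatever key material the container stores there would be staged by the next `git add -A` unless that path is ignored. If `.gitignore` does not already cover it, add `volumes/` (or at least `volumes/dnscrypt-server/keys/`) and mention the default location in the README. The `lists` mount beside it could also carry `:ro` if the container only reads those files; whether `init` writes into that directory is not visible here.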
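Review bot: The unbound bind mount becomes `${LOCAL_STACK_DIR:-./volumes}/unbound/etc/unbound:/opt/unbound/etc/unbound`, yet this same commit deletes `volumes/unbound/etc/unbound/unbound.conf` and the three included `*-records.conf` files, so on a fresh checkout with the default `LOCAL_STACK_DIR` the mount source is a missing directory that Docker will typically create empty and overlay on the image's own `/opt/unbound/etc/unbound`. The resolver settings that file carried — `access-control` limited to loopback and RFC1918 ranges, `private-address` rebinding protection, the `harden-*` options and the `auto-trust-anchor-file` — would then come from whatever the image ships, which is not visible here, instead of from this repository. Keep a tracked template such as `volumes/unbound/etc/unbound/unbound.conf.example`, or document in the README how `${LOCAL_STACK_DIR}/unbound/etc/unbound` must be seeded before first start. The `doh` service's `environment:` block continues outside the hunk.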
diff --git a/volumes/unbound/etc/unbound/unbound.conf b/volumes/unbound/etc/unbound/unbound.conf
deleted file mode 100644
index c530514..0000000
--- a/volumes/unbound/etc/unbound/unbound.conf
+++ /dev/null
@@ -1,313 +0,0 @@ -server: -do-ip6: no - ########################################################################### - # BASIC SETTINGS - ########################################################################### - # Time to live maximum for RRsets and messages in the cache. If the maximum - # kicks in, responses to clients still get decrementing TTLs based on the - # original (larger) values. When the internal TTL expires, the cache item - # has expired. Can be set lower to force the resolver to query for data - # often, and not trust (very large) TTL values. - cache-max-ttl: 86400 - - # Time to live minimum for RRsets and messages in the cache. If the minimum - # kicks in, the data is cached for longer than the domain owner intended, - # and thus less queries are made to look up the data. Zero makes sure the - # data in the cache is as the domain owner intended, higher values, - # especially more than an hour or so, can lead to trouble as the data in - # the cache does not match up with the actual data any more. - cache-min-ttl: 300 - - # Set the working directory for the program. - directory: "/opt/unbound/etc/unbound" - - # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer - # size. This is the value put into datagrams over UDP towards peers. - # The actual buffer size is determined by msg-buffer-size (both for TCP and - # UDP). Do not set higher than that value. - # Default is 1232 which is the DNS Flag Day 2020 recommendation. - # Setting to 512 bypasses even the most stringent path MTU problems, but - # is seen as extreme, since the amount of TCP fallback generated is - # excessive (probably also for this resolver, consider tuning the outgoing - # tcp number). - edns-buffer-size: 1232 - - # Listen to for queries from clients and answer from this network interface - # and port. - interface: 0.0.0.0@53 - - # Rotates RRSet order in response (the pseudo-random number is taken from - # the query ID, for speed and thread safety). 
- rrset-roundrobin: yes - - # Drop user privileges after binding the port. - username: "_unbound" - - ########################################################################### - # LOGGING - ########################################################################### - - # Do not print log lines to inform about local zone actions - log-local-actions: no - - # Do not print one line per query to the log - log-queries: yes - - # Do not print one line per reply to the log - log-replies: no - - # Do not print log lines that say why queries return SERVFAIL to clients - log-servfail: no - - # Further limit logging - #logfile: /dev/null - logfile: /var/unbound.log - - # Only log errors - verbosity: 0 - - ########################################################################### - # PRIVACY SETTINGS - ########################################################################### - - # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other - # denials, using information from previous NXDO-MAINs answers. In other - # words, use cached NSEC records to generate negative answers within a - # range and positive answers from wildcards. This increases performance, - # decreases latency and resource utilization on both authoritative and - # recursive servers, and increases privacy. Also, it may help increase - # resilience to certain DoS attacks in some circumstances. - aggressive-nsec: yes - - # Extra delay for timeouted UDP ports before they are closed, in msec. - # This prevents very delayed answer packets from the upstream (recursive) - # servers from bouncing against closed ports and setting off all sort of - # close-port counters, with eg. 1500 msec. When timeouts happen you need - # extra sockets, it checks the ID and remote IP of packets, and unwanted - # packets are added to the unwanted packet counter. 
- delay-close: 10000 - - # Prevent the unbound server from forking into the background as a daemon - do-daemonize: no - - # Add localhost to the do-not-query-address list. - do-not-query-localhost: no - - # Number of bytes size of the aggressive negative cache. - neg-cache-size: 4M - - # Send minimum amount of information to upstream servers to enhance - # privacy (best privacy). - qname-minimisation: yes - - ########################################################################### - # SECURITY SETTINGS - ########################################################################### - # Only give access to recursion clients from LAN IPs - access-control: 127.0.0.1/32 allow - access-control: 192.168.0.0/16 allow - access-control: 172.16.0.0/12 allow - access-control: 10.0.0.0/8 allow - # access-control: fc00::/7 allow - # access-control: ::1/128 allow - - # File with trust anchor for one zone, which is tracked with RFC5011 - # probes. - auto-trust-anchor-file: "var/root.key" - - # Enable chroot (i.e, change apparent root directory for the current - # running process and its children) - chroot: "/opt/unbound/etc/unbound" - - # Deny queries of type ANY with an empty response. - deny-any: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. - harden-algo-downgrade: yes - - # RFC 8020. returns nxdomain to queries for a name below another name that - # is already known to be nxdomain. - harden-below-nxdomain: yes - - # Require DNSSEC data for trust-anchored zones, if such data is absent, the - # zone becomes bogus. If turned off you run the risk of a downgrade attack - # that disables security for a zone. - harden-dnssec-stripped: yes - - # Only trust glue if it is within the servers authority. - harden-glue: yes - - # Ignore very large queries. - harden-large-queries: yes - - # Perform additional queries for infrastructure data to harden the referral - # path. 
Validates the replies if trust anchors are configured and the zones - # are signed. This enforces DNSSEC validation on nameserver NS sets and the - # nameserver addresses that are encountered on the referral path to the - # answer. Experimental option. - harden-referral-path: no - - # Ignore very small EDNS buffer sizes from queries. - harden-short-bufsize: yes - - # Refuse id.server and hostname.bind queries - hide-identity: yes - - # Refuse version.server and version.bind queries - hide-version: yes - - # Report this identity rather than the hostname of the server. - identity: "DNS" - - # These private network addresses are not allowed to be returned for public - # internet names. Any occurrence of such addresses are removed from DNS - # answers. Additionally, the DNSSEC validator may mark the answers bogus. - # This protects against DNS Rebinding - private-address: 10.0.0.0/8 - private-address: 172.16.0.0/12 - private-address: 192.168.0.0/16 - private-address: 169.254.0.0/16 - # private-address: fd00::/8 - # private-address: fe80::/10 - # private-address: ::ffff:0:0/96 - - # Enable ratelimiting of queries (per second) sent to nameserver for - # performing recursion. More queries are turned away with an error - # (servfail). This stops recursive floods (e.g., random query names), but - # not spoofed reflection floods. Cached responses are not rate limited by - # this setting. Experimental option. - ratelimit: 1000 - - # Use this certificate bundle for authenticating connections made to - # outside peers (e.g., auth-zone urls, DNS over TLS connections). - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - - # Set the total number of unwanted replies to eep track of in every thread. - # When it reaches the threshold, a defensive action of clearing the rrset - # and message caches is taken, hopefully flushing away any poison. - # Unbound suggests a value of 10 million. 
- unwanted-reply-threshold: 10000 - - # Use 0x20-encoded random bits in the query to foil spoof attempts. This - # perturbs the lowercase and uppercase of query names sent to authority - # servers and checks if the reply still has the correct casing. - # This feature is an experimental implementation of draft dns-0x20. - # Experimental option. - use-caps-for-id: yes - - # Help protect users that rely on this validator for authentication from - # potentially bad data in the additional section. Instruct the validator to - # remove data from the additional section of secure messages that are not - # signed properly. Messages that are insecure, bogus, indeterminate or - # unchecked are not affected. - val-clean-additional: yes - - ########################################################################### - # PERFORMANCE SETTINGS - ########################################################################### - # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ - # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ - - # Number of slabs in the infrastructure cache. Slabs reduce lock contention - # by threads. Must be set to a power of 2. - infra-cache-slabs: 2 - - # Number of incoming TCP buffers to allocate per thread. Default - # is 10. If set to 0, or if do-tcp is "no", no TCP queries from - # clients are accepted. For larger installations increasing this - # value is a good idea. - incoming-num-tcp: 10 - - # Number of slabs in the key cache. Slabs reduce lock contention by - # threads. Must be set to a power of 2. Setting (close) to the number - # of cpus is a reasonable guess. - key-cache-slabs: 2 - - # Number of bytes size of the message cache. - # Unbound recommendation is to Use roughly twice as much rrset cache memory - # as you use msg cache memory. - msg-cache-size: 165713237 - - # Number of slabs in the message cache. Slabs reduce lock contention by - # threads. Must be set to a power of 2. 
Setting (close) to the number of - # cpus is a reasonable guess. - msg-cache-slabs: 2 - - # The number of queries that every thread will service simultaneously. If - # more queries arrive that need servicing, and no queries can be jostled - # out (see jostle-timeout), then the queries are dropped. - # This is best set at half the number of the outgoing-range. - # This Unbound instance was compiled with libevent so it can efficiently - # use more than 1024 file descriptors. - num-queries-per-thread: 4096 - - # The number of threads to create to serve clients. - # This is set dynamically at run time to effectively use available CPUs - # resources - num-threads: 1 - - # Number of ports to open. This number of file descriptors can be opened - # per thread. - # This Unbound instance was compiled with libevent so it can efficiently - # use more than 1024 file descriptors. - outgoing-range: 8192 - - # Number of bytes size of the RRset cache. - # Use roughly twice as much rrset cache memory as msg cache memory - rrset-cache-size: 331426474 - - # Number of slabs in the RRset cache. Slabs reduce lock contention by - # threads. Must be set to a power of 2. - rrset-cache-slabs: 2 - - # Do no insert authority/additional sections into response messages when - # those sections are not required. This reduces response size - # significantly, and may avoid TCP fallback for some responses. This may - # cause a slight speedup. - minimal-responses: yes - - # # Fetch the DNSKEYs earlier in the validation process, when a DS record - # is encountered. This lowers the latency of requests at the expense of - # little more CPU usage. - prefetch: yes - - # Fetch the DNSKEYs earlier in the validation process, when a DS record is - # encountered. This lowers the latency of requests at the expense of little - # more CPU usage. - prefetch-key: yes - - # Have unbound attempt to serve old responses from cache with a TTL of 0 in - # the response without waiting for the actual resolution to finish. 
The - # actual resolution answer ends up in the cache later on. - serve-expired: yes - - # Open dedicated listening sockets for incoming queries for each thread and - # try to set the SO_REUSEPORT socket option on each socket. May distribute - # incoming queries to threads more evenly. - so-reuseport: yes - - ########################################################################### - # LOCAL ZONE - ########################################################################### - - # Include file for local-data and local-data-ptr - include: /opt/unbound/etc/unbound/a-records.conf - include: /opt/unbound/etc/unbound/srv-records.conf - - ########################################################################### - # FORWARD ZONE - ########################################################################### - - include: /opt/unbound/etc/unbound/forward-records.conf - -auth-zone: - name: "." - url: "https://www.internic.net/domain/root.zone" - fallback-enabled: yes - for-downstream: no - for-upstream: yes - zonefile: "var/root.zone" - -remote-control: - control-enable: no diff --git a/volumes/unbound/etc/unbound/unbound.pid b/volumes/unbound/etc/unbound/unbound.pid deleted file mode 100644 index d00491f..0000000 --- a/volumes/unbound/etc/unbound/unbound.pid +++ /dev/null @@ -1 +0,0 @@ -1