first commit

2025-07-13 06:45:43 +02:00 · 2023-05-04 01:33:01 +02:00 · 2023-05-04 01:33:01 +02:00 · e5b26c41c5
commit e5b26c41c5
13 changed files with 515 additions and 0 deletions
--- a/docker-build/Dockerfile
+++ b/docker-build/Dockerfile
@ -0,0 +1,27 @@
+# Get the latet Pi-hole version
+FROM pihole/pihole:2021.09
+
+# Install necessary programs
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y \
+    unbound \
+    wget
+
+# Additional configs
+# unbound
+COPY unbound-v1.9_pihole.conf  /etc/unbound/unbound.conf.d/pihole.conf
+
+# Download the DNS-Root-Zone. Change owner and move it to the right directory
+RUN wget -O root.hints https://www.internic.net/domain/named.root && \
+    chown unbound:unbound root.hints && \
+    mv root.hints /var/lib/unbound/
+
+# Unbound startup script
+COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
+RUN chmod +x start_unbound_and_s6_init.sh
+ENTRYPOINT ./start_unbound_and_s6_init.sh
+
+# Remove unnecessary programs
+RUN apt-get remove -y \
+    wget
--- a/docker-build/README.md
+++ b/docker-build/README.md
@ -0,0 +1,20 @@
+# Build it yourself
+
+https://docs.docker.com/buildx/working-with-buildx/#work-with-builder-instances
+
+ ```
+ # This creates a new builder instance with a single node based on your current configuration.
+ docker buildx create
+ # To list all available builders, use
+ docker buildx ls
+ # To switch between different builders, use
+ docker buildx use <name>
+ # After creating a new instance, you can delete it with
+ docker buildx rm <name>
+```
+
+Build it as a multi-platform image:
+```
+chmod +x build_and_push.sh
+./build_and_push.sh
+```
--- a/docker-build/VERSION
+++ b/docker-build/VERSION
@ -0,0 +1 @@
+2021.09
--- a/docker-build/build_and_push.sh
+++ b/docker-build/build_and_push.sh
@ -0,0 +1,2 @@
+docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t sujiba/pihole-unbound-hyperlocal:`cat VERSION` --push .
+docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t sujiba/pihole-unbound-hyperlocal:latest --push .
--- a/docker-build/start_unbound_and_s6_init.sh
+++ b/docker-build/start_unbound_and_s6_init.sh
@ -0,0 +1,3 @@
+#!/bin/bash -e
+/etc/init.d/unbound start
+/s6-init
--- a/docker-build/unbound-v1.13_pihole.conf
+++ b/docker-build/unbound-v1.13_pihole.conf
@ -0,0 +1,228 @@
+server:
+    ###########################################################################
+    # BASIC SETTINGS
+    ###########################################################################
+    
+    # Listen to for queries from clients and answer from this network interface
+    # and port.
+    interface: 127.0.0.1	
+    port: 5335
+    do-ip4: yes
+    do-udp: yes
+    do-tcp: yes
+
+    # Maybe set to yes if you have IPv6 connectivity
+    do-ip6: no
+    # and for *native* IPv6
+    prefer-ip6: no
+
+    # where to find root server data
+    root-hints: /usr/share/dns/root.hints
+
+    # Reduce EDNS reassembly buffer size.
+    # Suggested by the unbound man page to reduce fragmentation reassembly problems
+    edns-buffer-size: 1472
+
+    # Rotates RRSet order in response (the pseudo-random number is taken from
+    # the query ID, for speed and thread safety).
+    rrset-roundrobin: yes
+
+    # Drop user  privileges after  binding the port.
+    username: "_unbound"
+
+    ###########################################################################
+    # LOGGING
+    ###########################################################################
+
+    # If no logfile is specified, syslog is used
+    #logfile: "/var/log/unbound/unbound.log"    
+    log-time-ascii: yes
+
+    # The verbosity number, 
+    # level 0 means no verbosity, only errors.
+    # level 1 gives operational information.
+    verbosity: 1
+
+    # Do not print log lines to inform about local zone actions
+    log-local-actions: no
+
+    # Do not print one line per query to the log
+    log-queries: no
+
+    # Do not print one line per reply to the log
+    log-replies: no
+
+    # Do not print log lines that say why queries return SERVFAIL to clients
+    log-servfail: no
+
+    # Further limit logging
+    logfile: /dev/null
+
+    ###########################################################################
+    # PRIVACY SETTINGS
+    ###########################################################################
+
+    # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
+    # denials, using information from previous NXDO-MAINs answers. In other
+    # words, use cached NSEC records to generate negative answers within a
+    # range and positive answers from wildcards. This increases performance,
+    # decreases latency and resource utilization on both authoritative and
+    # recursive servers, and increases privacy. Also, it may help increase
+    # resilience to certain DoS attacks in some circumstances.
+    aggressive-nsec: yes
+
+    # Extra delay for timeouted UDP ports before they are closed, in msec.
+    # This prevents very delayed answer packets from the upstream (recursive)
+    # servers from bouncing against closed ports and setting off all sort of
+    # close-port counters, with eg. 1500 msec. When timeouts happen you need
+    # extra sockets, it checks the ID and remote IP of packets, and unwanted
+    # packets are added to the unwanted packet counter.
+    delay-close: 10000
+
+    # Prevent the unbound server from forking into the background as a daemon
+    do-daemonize: no
+
+    # Add localhost to the do-not-query-address list.
+    do-not-query-localhost: no
+
+    # Number  of  bytes size of the aggressive negative cache.
+    neg-cache-size: 4M
+
+    # Send minimum amount of information to upstream servers to enhance
+    # privacy (best privacy).
+    qname-minimisation: yes
+
+    ###########################################################################
+    # SECURITY SETTINGS
+    ###########################################################################
+
+    # Only give access to recursion clients from LAN IPs
+    access-control: 127.0.0.1/32 allow
+    access-control: 192.168.0.0/16 allow
+    access-control: 172.16.0.0/12 allow
+    access-control: 10.0.0.0/8 allow
+
+    # Enable chroot (i.e, change apparent root directory for the current
+    # running process and its children)
+    chroot: "/etc/unbound"
+
+    # Deny queries of type ANY with an empty response.
+    deny-any: yes
+
+    # Harden against algorithm downgrade when multiple algorithms are
+    # advertised in the DS record.
+    harden-algo-downgrade: yes
+
+    # RFC 8020. returns nxdomain to queries for a name below another name that
+    # is already known to be nxdomain.
+    harden-below-nxdomain: yes
+
+    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
+    # zone becomes bogus. If turned off you run the risk of a downgrade attack
+    # that disables security for a zone.
+    harden-dnssec-stripped: yes
+
+    # Trust glue only if it is within the server's authority
+    harden-glue: yes
+
+    # Ignore very large queries.
+    harden-large-queries: yes
+
+    # Perform additional queries for infrastructure data to harden the referral
+    # path. Validates the replies if trust anchors are configured and the zones
+    # are signed. This enforces DNSSEC validation on nameserver NS sets and the
+    # nameserver addresses that are encountered on the referral path to the
+    # answer. Experimental option.
+    harden-referral-path: no
+
+    # Ignore very small EDNS buffer sizes from queries.
+    harden-short-bufsize: yes
+
+    # Refuse id.server and hostname.bind queries
+    hide-identity: yes
+
+    # Refuse version.server and version.bind queries
+    hide-version: yes
+
+    # Set the HTTP User-Agent header for outgoing HTTP requests. If
+    # set to "", the default, then the package name and version are
+    # used.
+    http-user-agent: "DNS"
+
+    # Report this identity rather than the hostname of the server.
+    identity: "DNS"
+
+    # These private network addresses are not allowed to be returned for public
+    # internet names. Any  occurrence of such addresses are removed from DNS
+    # answers. Additionally, the DNSSEC validator may mark the  answers  bogus.
+    # This  protects  against DNS  Rebinding
+    private-address: 10.0.0.0/8
+    private-address: 172.16.0.0/12
+    private-address: 169.254.0.0/16
+    private-address: 192.168.0.0/16
+    private-address: fd00::/8
+    private-address: fe80::/10
+
+    # Enable ratelimiting of queries (per second) sent to nameserver for
+    # performing recursion. More queries are turned away with an error
+    # (servfail). This stops recursive floods (e.g., random query names), but
+    # not spoofed reflection floods. Cached responses are not rate limited by
+    # this setting. Experimental option.
+    ratelimit: 1000
+
+    # Set the total number of unwanted replies to eep track of in every thread.
+    # When it reaches the threshold, a defensive action of clearing the rrset
+    # and message caches is taken, hopefully flushing away any poison.
+    # Unbound suggests a value of 10 million.
+    unwanted-reply-threshold: 10000
+
+    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+    # !! Änderung gegenüber Pi-hole. Wenn es Fehler gibt, hier no statt yes probieren. !!
+    use-caps-for-id: yes
+
+    # Help protect users that rely on this validator for authentication from
+    # potentially bad data in the additional section. Instruct the validator to
+    # remove data from the additional section of secure messages that are not
+    # signed properly. Messages that are insecure, bogus, indeterminate or
+    # unchecked are not affected.
+    val-clean-additional: yes
+
+    ###########################################################################
+    # PERFORMANCE SETTINGS
+    ###########################################################################
+    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
+    # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
+
+    # Perform prefetching of close to expired message cache entries
+    # This only applies to domains that have been frequently queried
+    prefetch: yes
+
+    # fetch DS records earlier (DNSSEC): more cpu usage, less latency
+    prefetch-key: yes
+
+    # One thread should be sufficient, can be increased on beefy machines
+    num-threads: 1
+    
+    # increase cache size to utilize more RAM, rrset=msg*2
+    msg-cache-size: 64m
+    rrset-cache-size: 128m
+
+
+remote-control:
+	control-enable: no
+
+# get data for all TLDs by IXFR (or AXFR) from root servers
+# b,c,g are the only servers that answer a IXFR query
+auth-zone:
+	name: "."
+	primary: 199.9.14.201       # b.root-servers.net
+	primary: 192.33.4.12        # c.root-servers.net
+	primary: 192.112.36.4       # g.root-servers.net
+	primary: 2001:500:200::b    # b.root-servers.net
+	primary: 2001:500:2::c      # c.root-servers.net
+	primary: 2001:500:12::d0d   # g.root-servers.net
+	fallback-enabled: yes
+	for-downstream: no
+	for-upstream: yes
+	zonefile: /var/lib/unbound/root.zone
--- a/docker-build/unbound-v1.9_pihole.conf
+++ b/docker-build/unbound-v1.9_pihole.conf
@ -0,0 +1,57 @@
+server:
+    # If no logfile is specified, syslog is used
+    # logfile: "/var/log/unbound/unbound.log"
+    verbosity: 0
+
+    interface: 127.0.0.1
+    port: 5335
+    do-ip4: yes
+    do-udp: yes
+    do-tcp: yes
+
+    # May be set to yes if you have IPv6 connectivity
+    do-ip6: no
+
+    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+    # Terredo tunnels your web browser should favor IPv4 for the same reasons
+    prefer-ip6: no
+
+    # Use this only when you downloaded the list of primary root servers!
+    # If you use the default dns-root-data package, unbound will find it automatically
+    root-hints: "/var/lib/unbound/root.hints"
+
+    # Trust glue only if it is within the server's authority
+    harden-glue: yes
+
+    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+    harden-dnssec-stripped: yes
+
+    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+    use-caps-for-id: no
+
+    # Reduce EDNS reassembly buffer size.
+    # Suggested by the unbound man page to reduce fragmentation reassembly problems
+    edns-buffer-size: 1472
+
+    # Perform prefetching of close to expired message cache entries
+    # This only applies to domains that have been frequently queried
+    prefetch: yes
+
+    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+    num-threads: 1
+
+    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+    so-rcvbuf: 1m
+
+    # increase cache size to utilize more RAM
+    msg-cache-size: 128m
+    rrset-cache-size: 256m
+
+    # Ensure privacy of local IP ranges
+    private-address: 192.168.0.0/16
+    private-address: 169.254.0.0/16
+    private-address: 172.16.0.0/12
+    private-address: 10.0.0.0/8
+    #private-address: fd00::/8
+    #private-address: fe80::/10