1
0
Fork 0
mirror of https://github.com/sujiba/pihole-unbound-hyperlocal.git synced 2025-07-11 06:05:14 +02:00

first commit

This commit is contained in:
sujiba 2023-05-04 01:33:01 +02:00
commit e5b26c41c5
13 changed files with 515 additions and 0 deletions

27
docker-build/Dockerfile Normal file
View file

@ -0,0 +1,27 @@
# Get the latet Pi-hole version
FROM pihole/pihole:2021.09
# Install necessary programs
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install -y \
unbound \
wget
# Additional configs
# unbound
COPY unbound-v1.9_pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
# Download the DNS-Root-Zone. Change owner and move it to the right directory
RUN wget -O root.hints https://www.internic.net/domain/named.root && \
chown unbound:unbound root.hints && \
mv root.hints /var/lib/unbound/
# Unbound startup script
COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
RUN chmod +x start_unbound_and_s6_init.sh
ENTRYPOINT ./start_unbound_and_s6_init.sh
# Remove unnecessary programs
RUN apt-get remove -y \
wget

20
docker-build/README.md Normal file
View file

@ -0,0 +1,20 @@
# Build it yourself
https://docs.docker.com/buildx/working-with-buildx/#work-with-builder-instances
```
# This creates a new builder instance with a single node based on your current configuration.
docker buildx create
# To list all available builders, use
docker buildx ls
# To switch between different builders, use
docker buildx use <name>
# After creating a new instance, you can delete it with
docker buildx rm <name>
```
Build it as a multi-platform image:
```
chmod +x build_and_push.sh
./build_and_push.sh
```

1
docker-build/VERSION Normal file
View file

@ -0,0 +1 @@
2021.09

2
docker-build/build_and_push.sh Executable file
View file

@ -0,0 +1,2 @@
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t sujiba/pihole-unbound-hyperlocal:`cat VERSION` --push .
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t sujiba/pihole-unbound-hyperlocal:latest --push .

View file

@ -0,0 +1,3 @@
#!/bin/bash -e
/etc/init.d/unbound start
/s6-init

View file

@ -0,0 +1,228 @@
server:
###########################################################################
# BASIC SETTINGS
###########################################################################
# Listen to for queries from clients and answer from this network interface
# and port.
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# Maybe set to yes if you have IPv6 connectivity
do-ip6: no
# and for *native* IPv6
prefer-ip6: no
# where to find root server data
root-hints: /usr/share/dns/root.hints
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Rotates RRSet order in response (the pseudo-random number is taken from
# the query ID, for speed and thread safety).
rrset-roundrobin: yes
# Drop user privileges after binding the port.
username: "_unbound"
###########################################################################
# LOGGING
###########################################################################
# If no logfile is specified, syslog is used
#logfile: "/var/log/unbound/unbound.log"
log-time-ascii: yes
# The verbosity number,
# level 0 means no verbosity, only errors.
# level 1 gives operational information.
verbosity: 1
# Do not print log lines to inform about local zone actions
log-local-actions: no
# Do not print one line per query to the log
log-queries: no
# Do not print one line per reply to the log
log-replies: no
# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no
# Further limit logging
logfile: /dev/null
###########################################################################
# PRIVACY SETTINGS
###########################################################################
# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
# denials, using information from previous NXDO-MAINs answers. In other
# words, use cached NSEC records to generate negative answers within a
# range and positive answers from wildcards. This increases performance,
# decreases latency and resource utilization on both authoritative and
# recursive servers, and increases privacy. Also, it may help increase
# resilience to certain DoS attacks in some circumstances.
aggressive-nsec: yes
# Extra delay for timeouted UDP ports before they are closed, in msec.
# This prevents very delayed answer packets from the upstream (recursive)
# servers from bouncing against closed ports and setting off all sort of
# close-port counters, with eg. 1500 msec. When timeouts happen you need
# extra sockets, it checks the ID and remote IP of packets, and unwanted
# packets are added to the unwanted packet counter.
delay-close: 10000
# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no
# Add localhost to the do-not-query-address list.
do-not-query-localhost: no
# Number of bytes size of the aggressive negative cache.
neg-cache-size: 4M
# Send minimum amount of information to upstream servers to enhance
# privacy (best privacy).
qname-minimisation: yes
###########################################################################
# SECURITY SETTINGS
###########################################################################
# Only give access to recursion clients from LAN IPs
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
# Enable chroot (i.e, change apparent root directory for the current
# running process and its children)
chroot: "/etc/unbound"
# Deny queries of type ANY with an empty response.
deny-any: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes
# RFC 8020. returns nxdomain to queries for a name below another name that
# is already known to be nxdomain.
harden-below-nxdomain: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. If turned off you run the risk of a downgrade attack
# that disables security for a zone.
harden-dnssec-stripped: yes
# Trust glue only if it is within the server's authority
harden-glue: yes
# Ignore very large queries.
harden-large-queries: yes
# Perform additional queries for infrastructure data to harden the referral
# path. Validates the replies if trust anchors are configured and the zones
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
# nameserver addresses that are encountered on the referral path to the
# answer. Experimental option.
harden-referral-path: no
# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes
# Refuse id.server and hostname.bind queries
hide-identity: yes
# Refuse version.server and version.bind queries
hide-version: yes
# Set the HTTP User-Agent header for outgoing HTTP requests. If
# set to "", the default, then the package name and version are
# used.
http-user-agent: "DNS"
# Report this identity rather than the hostname of the server.
identity: "DNS"
# These private network addresses are not allowed to be returned for public
# internet names. Any occurrence of such addresses are removed from DNS
# answers. Additionally, the DNSSEC validator may mark the answers bogus.
# This protects against DNS Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 169.254.0.0/16
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# Enable ratelimiting of queries (per second) sent to nameserver for
# performing recursion. More queries are turned away with an error
# (servfail). This stops recursive floods (e.g., random query names), but
# not spoofed reflection floods. Cached responses are not rate limited by
# this setting. Experimental option.
ratelimit: 1000
# Set the total number of unwanted replies to eep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 10000
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
# !! Änderung gegenüber Pi-hole. Wenn es Fehler gibt, hier no statt yes probieren. !!
use-caps-for-id: yes
# Help protect users that rely on this validator for authentication from
# potentially bad data in the additional section. Instruct the validator to
# remove data from the additional section of secure messages that are not
# signed properly. Messages that are insecure, bogus, indeterminate or
# unchecked are not affected.
val-clean-additional: yes
###########################################################################
# PERFORMANCE SETTINGS
###########################################################################
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# fetch DS records earlier (DNSSEC): more cpu usage, less latency
prefetch-key: yes
# One thread should be sufficient, can be increased on beefy machines
num-threads: 1
# increase cache size to utilize more RAM, rrset=msg*2
msg-cache-size: 64m
rrset-cache-size: 128m
remote-control:
control-enable: no
# get data for all TLDs by IXFR (or AXFR) from root servers
# b,c,g are the only servers that answer a IXFR query
auth-zone:
name: "."
primary: 199.9.14.201 # b.root-servers.net
primary: 192.33.4.12 # c.root-servers.net
primary: 192.112.36.4 # g.root-servers.net
primary: 2001:500:200::b # b.root-servers.net
primary: 2001:500:2::c # c.root-servers.net
primary: 2001:500:12::d0d # g.root-servers.net
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: /var/lib/unbound/root.zone

View file

@ -0,0 +1,57 @@
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# increase cache size to utilize more RAM
msg-cache-size: 128m
rrset-cache-size: 256m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
#private-address: fd00::/8
#private-address: fe80::/10