Skip to content

Commit

Permalink
[resolver] add unbound dns resolver #340
Browse files Browse the repository at this point in the history
  • Loading branch information
@sob
sob committed Nov 18, 2024
1 parent b5cd316 commit b63f8db
Show file tree
Hide file tree
Showing 5 changed files with 378 additions and 1 deletion.
20 changes: 20 additions & 0 deletions kubernetes/apps/network/dns-resolver/ks.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,23 @@ spec:
interval: 30m
retryInterval: 1m
timeout: 5m
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app dns-resolver-unbound
namespace: flux-system
spec:
targetNamespace: network
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/network/dns-resolver/unbound
prune: true
sourceRef:
kind: GitRepository
name: home-kubernetes
wait: true
interval: 30m
retryInterval: 1m
timeout: 5m
6 changes: 5 additions & 1 deletion kubernetes/apps/network/dns-resolver/nsd/helmrelease.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,10 +52,14 @@ spec:
controller: main
type: ClusterIP
ports:
dns-server:
nsd-udp:
port: 53
targetPort: 53
protocol: UDP
nsd-tcp:
port: 53
targetPort: 53
protocol: TCP
persistence:
nsd-conf:
type: emptyDir
Expand Down
268 changes: 268 additions & 0 deletions kubernetes/apps/network/dns-resolver/unbound/conf/unbound.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,268 @@
# See unbound.conf(5) man page.
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
# https://raw.githubusercontent.com/NLnetLabs/unbound/master/doc/example.conf.in

server:

#### Options already enabled by default:
## https://tools.ietf.org/html/rfc7816
# qname-minimisation: yes
### Enabled in v1.8.0
# so-reuseport: yes
# minimal-responses: yes
## https://tools.ietf.org/html/rfc8020
# harden-below-nxdomain: yes
####

## new option in v1.7.3
# https://tools.ietf.org/html/rfc7828
edns-tcp-keepalive: yes
# edns-tcp-keepalive-timeout: 120000 # 2min
# tcp-idle-timeout: 30000 # 30 sec
edns-buffer-size: 1232
## New Options in v1.8.0
serve-expired-ttl: 86400 # max 1 day
#serve-expired-ttl-reset: no
#log-servfail: no

## new option in v1.8.2
# This responds with an empty message to queries of type ANY.
deny-any: yes
# unknown-server-time-limit: 376
# min-client-subnet-ipv6: 0
# min-client-subnet-ipv4: 0
# max-ecs-tree-size-ipv4: 100
# max-ecs-tree-size-ipv6 : 100
# unknown-server-time-limit: 376
# fast-server-permil: 0
# fast-server-num: 3

# http://unbound.nlnetlabs.nl/documentation/howto_optimise.html
# https://unbound.net/pipermail/unbound-users/2010-March/001083.html
# https://github.com/jedisct1/dnscrypt-server-docker/blob/master/unbound.sh
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
key-cache-slabs: 1
infra-cache-slabs: 1
# dnscrypt-shared-secret-cache-slabs: 1
# dnscrypt-nonce-cache-slabs:1

msg-cache-size: 54m # default 4m
rrset-cache-size: 108m # rrset=msg*2 # default 4m
key-cache-size: 54m # default 4m
neg-cache-size: 27m # default 1m
infra-cache-numhosts: 50000
# dnscrypt-shared-secret-cache-size: 13m # default 4m
# dnscrypt-nonce-cache-size: 13m # default 4m

## if--with-libevent
# outgoing-range: 8192.0
# num-queries-per-thread: 4096.0
## else
# outgoing-range: 974.0
# num-queries-per-thread: 487.0

## Larger socket buffer. OS may need config.
# so-rcvbuf: 4m
# so-sndbuf: 4m

domain-insecure: "dns.opennic.glue"
domain-insecure: "bbs"
domain-insecure: "bit"
domain-insecure: "chan"
domain-insecure: "cyb"
domain-insecure: "dyn"
domain-insecure: "epic"
domain-insecure: "geek"
domain-insecure: "gopher"
domain-insecure: "indy"
domain-insecure: "libre"
domain-insecure: "neo"
domain-insecure: "null"
domain-insecure: "o"
domain-insecure: "opennic.glue"
domain-insecure: "oss"
domain-insecure: "oz"
domain-insecure: "parody"
domain-insecure: "pirate"
domain-insecure: "glue"
domain-insecure: "bazar"
domain-insecure: "coin"
domain-insecure: "emc"
domain-insecure: "lib"

verbosity: 0
do-ip6: no
logfile: run/unbound.log
auto-trust-anchor-file: run/root.key
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
root-hints: root.hints
pidfile: run/unbound.pid
# username: _unbound
directory: /etc/unbound
# chroot: /etc/unbound
# use-syslog: yes
log-time-ascii: yes
# val-log-level: 0
# statistics-interval: 0
# extended-statistics: yes
# statistics-cumulative: no
interface: 0.0.0.0
# interface: 127.0.0.1
# interface: ::1 # Docker ipv6 -> can't bind socket: Address not available for ::1
# interface: 10.19.96.4
# interface: 0.0.0.0@853
# interface: ::0@853
port: 53
# ssl-service-key: /etc/unbound/private.key
# ssl-service-pem: /etc/unbound/certificate.pem
# ssl-port: 853
access-control: 0.0.0.0/0 allow
access-control: ::/0 allow
# qname-minimisation-strict : yes
# https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# use-caps-for-id: yes
# caps-whitelist: example.com
# https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse
aggressive-nsec: yes
serve-expired: yes
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
num-queries-per-thread: 2048
# outgoing-range: 32767
outgoing-range: 4096
incoming-num-tcp: 100
outgoing-num-tcp: 100
jostle-timeout: 325 # average roundtrip time from AU (myserver) to US + a tiny bit extra
neg-cache-size: 25m
cache-min-ttl: 120
cache-max-ttl: 86400
infra-host-ttl: 3600
# cache-max-negative-ttl: 3600
val-bogus-ttl: 120
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
unwanted-reply-threshold: 10000000
## Simple DNS rebinding protection
## refer to RFC1918, RFC5735, RFC5156 and https://en.wikipedia.org/wiki/Reserved_IP_addresses
## IPv4
private-address: 0.0.0.0/32 # Should not be on the Internet (only valid as source address) See https://lwn.net/Articles/791086/ still conflits with https://tools.ietf.org/html/rfc8190
private-address: 10.0.0.0/8 # Private networks
private-address: 127.0.0.0/8 # Loopback, spam-blocklists (RBL) (https://www.dnsbl.info/) e.g. "dig +short 0.0.0.0.zen.spamhaus.org" will stop working (https://www.spamhaus.org/zen/, https://www.spamhaus.org/faq/section/DNSBL%20Usage#202)
private-address: 169.254.0.0/16 # link-local (networks without DHCP)
private-address: 172.16.0.0/12 # Private networks
private-address: 192.168.0.0/16 # Private networks
private-address: 255.255.255.255/32 # Broadcast destination
## IPv6
# private-address: ::/128 # Unspecified addresses (only valid as source address)
# private-address: ::1/128 # Loopback
# private-address: 2001:db8::/32 # Documentation addresses used for documentation purposes such as user manuals, RFCs, etc. (RFC3849)
# private-address: ::ffff:0:0/96 # IPv4-mapped IPv6 addresses (depreciated and should not be on the public internet) (blocks potentially valid addresses / gives wrong result from DNS Benchmark)
# private-address: fe80::/10 # IP address autoconfiguration (link-local unicast, Private network)
# private-address: fc00::/7 # Unique Local Addresses (Private network)
# private-address: fec0::/10 # Depreciated site networks
# private-address: 2002::/16 # 6to4 (deprecated)
# private-address: 64:ff9b::/96 # 6to4 "Well-Known" Prefix
# private-address: 2001::/32 # Teredo
# private-address: 2001:10::/28 # ORCHID
# private-address: ff00::/8 # Multicast
##
do-not-query-localhost: yes # ::1 and 127.0.0.1/8
do-not-query-address: 127.0.0.0/8
do-not-query-address: 192.168.0.0/16
# ratelimit: 500
# ip-ratelimit: 50
### harden-large-queries: yes
### harden-short-bufsize: yes
## harden-algo-downgrade: yes
### harden-referral-path: yes
## prefer-ip6: yes
# delay-close: 1500

# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
local-zone: "use-application-dns.net." always_nxdomain
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: /run/root.zone
remote-control:
control-enable: no
control-interface: 127.0.0.1
stub-zone:
name: "dns.opennic.glue"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "bbs"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "chan"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "cyb"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "dyn"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "epic"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "geek"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "gopher"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "indy"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "libre"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "neo"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "null"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "o"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "opennic.glue"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "oss"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "oz"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "parody"
stub-host: nsd.network.svc.cluster.local@53
stub-zone:
name: "pirate"
stub-host: nsd.network.svc.cluster.local@53

# OpenNIC Peers:
stub-zone:
name: "bazar"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
stub-zone:
name: "coin"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
stub-zone:
name: "emc"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
stub-zone:
name: "lib"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
73 changes: 73 additions & 0 deletions kubernetes/apps/network/dns-resolver/unbound/helmrelease.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app resolver-unbound
spec:
releaseName: unbound
interval: 15m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
interval: 15m
maxHistory: 3
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
controllers:
main:
annotations:
reloader.stakater.com/auto: "true"
pod:
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
containers:
main:
image:
repository: docker.io/publicarray/unbound
tag: latest@sha256:d1b8846274711c92fcd47f5432e9b852719e492353abcafc951b860c25225dc9
resources:
requests:
memory: 500Mi
cpu: 100m
service:
main:
controller: main
type: ClusterIP
ports:
dns-server:
port: 53
targetPort: 53
persistence:
unbound-conf:
type: emptyDir
globalMounts:
- path: /etc/unbound
unbound-run:
type: emptyDir
globalMounts:
- path: /etc/unbound/run
unbound-configmap:
name: resolver-unbound-configmap
type: configMap
globalMounts:
- path: /etc/unbound/unbound.conf
subPath: unbound.conf
readOnly: true
12 changes: 12 additions & 0 deletions kubernetes/apps/network/dns-resolver/unbound/kustomization.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
configMapGenerator:
- name: resolver-unbound-configmap
files:
- unbound.conf=./conf/unbound.conf
generatorOptions:
disableNameSuffixHash: true

0 comments on commit b63f8db

Please sign in to comment.