From b63f8db159aa769d0915616271b8f02e49f685a2 Mon Sep 17 00:00:00 2001 From: Sean O'Brien Date: Mon, 18 Nov 2024 00:09:50 -0600 Subject: [PATCH] [resolver] add unbound dns resolver #340 --- kubernetes/apps/network/dns-resolver/ks.yaml | 20 ++ .../network/dns-resolver/nsd/helmrelease.yaml | 6 +- .../dns-resolver/unbound/conf/unbound.conf | 268 ++++++++++++++++++ .../dns-resolver/unbound/helmrelease.yaml | 73 +++++ .../dns-resolver/unbound/kustomization.yaml | 12 + 5 files changed, 378 insertions(+), 1 deletion(-) create mode 100644 kubernetes/apps/network/dns-resolver/unbound/conf/unbound.conf create mode 100644 kubernetes/apps/network/dns-resolver/unbound/helmrelease.yaml create mode 100644 kubernetes/apps/network/dns-resolver/unbound/kustomization.yaml diff --git a/kubernetes/apps/network/dns-resolver/ks.yaml b/kubernetes/apps/network/dns-resolver/ks.yaml index 53bb5792..bbed7f29 100644 --- a/kubernetes/apps/network/dns-resolver/ks.yaml +++ b/kubernetes/apps/network/dns-resolver/ks.yaml @@ -18,3 +18,23 @@ spec: interval: 30m retryInterval: 1m timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app dns-resolver-unbound + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/network/dns-resolver/unbound + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/network/dns-resolver/nsd/helmrelease.yaml b/kubernetes/apps/network/dns-resolver/nsd/helmrelease.yaml index d3819add..774c5e30 100644 --- a/kubernetes/apps/network/dns-resolver/nsd/helmrelease.yaml +++ b/kubernetes/apps/network/dns-resolver/nsd/helmrelease.yaml @@ -52,10 +52,14 @@ spec: controller: main type: ClusterIP ports: - dns-server: + nsd-udp: port: 53 targetPort: 53 protocol: UDP + nsd-tcp: + port: 53 + targetPort: 53 + protocol: TCP persistence: nsd-conf: type: emptyDir diff --git a/kubernetes/apps/network/dns-resolver/unbound/conf/unbound.conf b/kubernetes/apps/network/dns-resolver/unbound/conf/unbound.conf new file mode 100644 index 00000000..76f08afc --- /dev/null +++ b/kubernetes/apps/network/dns-resolver/unbound/conf/unbound.conf @@ -0,0 +1,268 @@ +# See unbound.conf(5) man page. +# https://nlnetlabs.nl/documentation/unbound/unbound.conf/ +# https://raw.githubusercontent.com/NLnetLabs/unbound/master/doc/example.conf.in + +server: + + #### Options already enabled by default: + ## https://tools.ietf.org/html/rfc7816 + # qname-minimisation: yes + ### Enabled in v1.8.0 + # so-reuseport: yes + # minimal-responses: yes + ## https://tools.ietf.org/html/rfc8020 + # harden-below-nxdomain: yes + #### + + ## new option in v1.7.3 + # https://tools.ietf.org/html/rfc7828 + edns-tcp-keepalive: yes + # edns-tcp-keepalive-timeout: 120000 # 2min + # tcp-idle-timeout: 30000 # 30 sec + edns-buffer-size: 1232 + ## New Options in v1.8.0 + serve-expired-ttl: 86400 # max 1 day + #serve-expired-ttl-reset: no + #log-servfail: no + + ## new option in v1.8.2 + # This responds with an empty message to queries of type ANY. + deny-any: yes + # unknown-server-time-limit: 376 + # min-client-subnet-ipv6: 0 + # min-client-subnet-ipv4: 0 + # max-ecs-tree-size-ipv4: 100 + # max-ecs-tree-size-ipv6 : 100 + # unknown-server-time-limit: 376 + # fast-server-permil: 0 + # fast-server-num: 3 + + # http://unbound.nlnetlabs.nl/documentation/howto_optimise.html + # https://unbound.net/pipermail/unbound-users/2010-March/001083.html + # https://github.com/jedisct1/dnscrypt-server-docker/blob/master/unbound.sh + num-threads: 1 + msg-cache-slabs: 1 + rrset-cache-slabs: 1 + key-cache-slabs: 1 + infra-cache-slabs: 1 + # dnscrypt-shared-secret-cache-slabs: 1 + # dnscrypt-nonce-cache-slabs:1 + + msg-cache-size: 54m # default 4m + rrset-cache-size: 108m # rrset=msg*2 # default 4m + key-cache-size: 54m # default 4m + neg-cache-size: 27m # default 1m + infra-cache-numhosts: 50000 + # dnscrypt-shared-secret-cache-size: 13m # default 4m + # dnscrypt-nonce-cache-size: 13m # default 4m + + ## if--with-libevent + # outgoing-range: 8192.0 + # num-queries-per-thread: 4096.0 + ## else + # outgoing-range: 974.0 + # num-queries-per-thread: 487.0 + + ## Larger socket buffer. OS may need config. + # so-rcvbuf: 4m + # so-sndbuf: 4m + + domain-insecure: "dns.opennic.glue" + domain-insecure: "bbs" + domain-insecure: "bit" + domain-insecure: "chan" + domain-insecure: "cyb" + domain-insecure: "dyn" + domain-insecure: "epic" + domain-insecure: "geek" + domain-insecure: "gopher" + domain-insecure: "indy" + domain-insecure: "libre" + domain-insecure: "neo" + domain-insecure: "null" + domain-insecure: "o" + domain-insecure: "opennic.glue" + domain-insecure: "oss" + domain-insecure: "oz" + domain-insecure: "parody" + domain-insecure: "pirate" + domain-insecure: "glue" + domain-insecure: "bazar" + domain-insecure: "coin" + domain-insecure: "emc" + domain-insecure: "lib" + + verbosity: 0 + do-ip6: no + logfile: run/unbound.log + auto-trust-anchor-file: run/root.key + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + root-hints: root.hints + pidfile: run/unbound.pid + # username: _unbound + directory: /etc/unbound + # chroot: /etc/unbound + # use-syslog: yes + log-time-ascii: yes + # val-log-level: 0 + # statistics-interval: 0 + # extended-statistics: yes + # statistics-cumulative: no + interface: 0.0.0.0 + # interface: 127.0.0.1 + # interface: ::1 # Docker ipv6 -> can't bind socket: Address not available for ::1 + # interface: 10.19.96.4 + # interface: 0.0.0.0@853 + # interface: ::0@853 + port: 53 + # ssl-service-key: /etc/unbound/private.key + # ssl-service-pem: /etc/unbound/certificate.pem + # ssl-port: 853 + access-control: 0.0.0.0/0 allow + access-control: ::/0 allow + # qname-minimisation-strict : yes + # https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 + # use-caps-for-id: yes + # caps-whitelist: example.com + # https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse + aggressive-nsec: yes + serve-expired: yes + prefetch: yes + prefetch-key: yes + rrset-roundrobin: yes + num-queries-per-thread: 2048 + # outgoing-range: 32767 + outgoing-range: 4096 + incoming-num-tcp: 100 + outgoing-num-tcp: 100 + jostle-timeout: 325 # average roundtrip time from AU (myserver) to US + a tiny bit extra + neg-cache-size: 25m + cache-min-ttl: 120 + cache-max-ttl: 86400 + infra-host-ttl: 3600 + # cache-max-negative-ttl: 3600 + val-bogus-ttl: 120 + hide-identity: yes + hide-version: yes + hide-trustanchor: yes + unwanted-reply-threshold: 10000000 + ## Simple DNS rebinding protection + ## refer to RFC1918, RFC5735, RFC5156 and https://en.wikipedia.org/wiki/Reserved_IP_addresses + ## IPv4 + private-address: 0.0.0.0/32 # Should not be on the Internet (only valid as source address) See https://lwn.net/Articles/791086/ still conflits with https://tools.ietf.org/html/rfc8190 + private-address: 10.0.0.0/8 # Private networks + private-address: 127.0.0.0/8 # Loopback, spam-blocklists (RBL) (https://www.dnsbl.info/) e.g. "dig +short 0.0.0.0.zen.spamhaus.org" will stop working (https://www.spamhaus.org/zen/, https://www.spamhaus.org/faq/section/DNSBL%20Usage#202) + private-address: 169.254.0.0/16 # link-local (networks without DHCP) + private-address: 172.16.0.0/12 # Private networks + private-address: 192.168.0.0/16 # Private networks + private-address: 255.255.255.255/32 # Broadcast destination + ## IPv6 + # private-address: ::/128 # Unspecified addresses (only valid as source address) + # private-address: ::1/128 # Loopback + # private-address: 2001:db8::/32 # Documentation addresses used for documentation purposes such as user manuals, RFCs, etc. (RFC3849) + # private-address: ::ffff:0:0/96 # IPv4-mapped IPv6 addresses (depreciated and should not be on the public internet) (blocks potentially valid addresses / gives wrong result from DNS Benchmark) + # private-address: fe80::/10 # IP address autoconfiguration (link-local unicast, Private network) + # private-address: fc00::/7 # Unique Local Addresses (Private network) + # private-address: fec0::/10 # Depreciated site networks + # private-address: 2002::/16 # 6to4 (deprecated) + # private-address: 64:ff9b::/96 # 6to4 "Well-Known" Prefix + # private-address: 2001::/32 # Teredo + # private-address: 2001:10::/28 # ORCHID + # private-address: ff00::/8 # Multicast + ## + do-not-query-localhost: yes # ::1 and 127.0.0.1/8 + do-not-query-address: 127.0.0.0/8 + do-not-query-address: 192.168.0.0/16 + # ratelimit: 500 + # ip-ratelimit: 50 + ### harden-large-queries: yes + ### harden-short-bufsize: yes + ## harden-algo-downgrade: yes + ### harden-referral-path: yes + ## prefer-ip6: yes + # delay-close: 1500 + + # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https + local-zone: "use-application-dns.net." always_nxdomain +auth-zone: + name: "." + url: "https://www.internic.net/domain/root.zone" + fallback-enabled: yes + for-downstream: no + for-upstream: yes + zonefile: /run/root.zone +remote-control: + control-enable: no + control-interface: 127.0.0.1 +stub-zone: + name: "dns.opennic.glue" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "bbs" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "chan" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "cyb" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "dyn" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "epic" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "geek" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "gopher" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "indy" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "libre" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "neo" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "null" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "o" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "opennic.glue" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "oss" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "oz" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "parody" + stub-host: nsd.network.svc.cluster.local@53 +stub-zone: + name: "pirate" + stub-host: nsd.network.svc.cluster.local@53 + +# OpenNIC Peers: +stub-zone: + name: "bazar" + stub-host: "seed1.emercoin.com" + stub-host: "seed2.emercoin.com" +stub-zone: + name: "coin" + stub-host: "seed1.emercoin.com" + stub-host: "seed2.emercoin.com" +stub-zone: + name: "emc" + stub-host: "seed1.emercoin.com" + stub-host: "seed2.emercoin.com" +stub-zone: + name: "lib" + stub-host: "seed1.emercoin.com" + stub-host: "seed2.emercoin.com" diff --git a/kubernetes/apps/network/dns-resolver/unbound/helmrelease.yaml b/kubernetes/apps/network/dns-resolver/unbound/helmrelease.yaml new file mode 100644 index 00000000..4412653e --- /dev/null +++ b/kubernetes/apps/network/dns-resolver/unbound/helmrelease.yaml @@ -0,0 +1,73 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app resolver-unbound +spec: + releaseName: unbound + interval: 15m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + interval: 15m + maxHistory: 3 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + controllers: + main: + annotations: + reloader.stakater.com/auto: "true" + pod: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + containers: + main: + image: + repository: docker.io/publicarray/unbound + tag: latest@sha256:d1b8846274711c92fcd47f5432e9b852719e492353abcafc951b860c25225dc9 + resources: + requests: + memory: 500Mi + cpu: 100m + service: + main: + controller: main + type: ClusterIP + ports: + dns-server: + port: 53 + targetPort: 53 + persistence: + unbound-conf: + type: emptyDir + globalMounts: + - path: /etc/unbound + unbound-run: + type: emptyDir + globalMounts: + - path: /etc/unbound/run + unbound-configmap: + name: resolver-unbound-configmap + type: configMap + globalMounts: + - path: /etc/unbound/unbound.conf + subPath: unbound.conf + readOnly: true diff --git a/kubernetes/apps/network/dns-resolver/unbound/kustomization.yaml b/kubernetes/apps/network/dns-resolver/unbound/kustomization.yaml new file mode 100644 index 00000000..d3918738 --- /dev/null +++ b/kubernetes/apps/network/dns-resolver/unbound/kustomization.yaml @@ -0,0 +1,12 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml +configMapGenerator: + - name: resolver-unbound-configmap + files: + - unbound.conf=./conf/unbound.conf +generatorOptions: + disableNameSuffixHash: true