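#! /usr/bin/env bash
#
# Entry point for the unbound side of dnscrypt-server-docker.
#
# 1. Sizes unbound's caches and thread count from the memory and CPUs the
#    container can see.
# 2. Renders /opt/unbound/etc/unbound/unbound.conf; queries for the dnscrypt
#    provider name read from $KEYS_DIR/provider_name are refused.
# 3. Prepares the chroot (device nodes, var/ with the root trust anchor, the
#    remote-control certificate, the zones include directory) and execs
#    unbound in the foreground.
#
# Exits non-zero when the host has too little memory or the provider name is
# missing or malformed. The chroot preparation steps stay best-effort, as in
# the previous version, so a container that already starts keeps starting.

set -u

readonly KEYS_DIR="/opt/encrypted-dns/etc/keys"
readonly UNBOUND_DIR="/opt/unbound/etc/unbound"
readonly ZONES_DIR="${UNBOUND_DIR}/zones"
readonly UNBOUND_CONF="${UNBOUND_DIR}/unbound.conf"
# Bytes held back from the cache budget for unbound itself and the rest of
# the container (128 MiB).
readonly RESERVED_BYTES=134217728

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a non-fatal diagnostic to stderr.
warn() {
  printf 'warning: %s\n' "$*" >&2
}

# --- cache budget -----------------------------------------------------------
# Use MemAvailable when the kernel reports it, MemTotal otherwise. /proc/meminfo
# values are in kB; the sed strips the label and unit. If neither line is
# present the result is empty and the arithmetic below would fail, so check.
mem_kb=$( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')
[[ "$mem_kb" =~ ^[0-9]+$ ]] || die "Cannot read memory size from /proc/meminfo"
available_memory=$((1024 * mem_kb))
if (( available_memory <= RESERVED_BYTES * 2 )); then
  die "Not enough memory"
fi
available_memory=$((available_memory - RESERVED_BYTES))
msg_cache_size=$((available_memory / 4))
rr_cache_size=$((available_memory / 3))

# --- threads ----------------------------------------------------------------
# Leave one CPU free when there is more than one (presumably for the
# encrypted-dns front end that shares the container — not established here).
cpus=$(nproc)
[[ "$cpus" =~ ^[0-9]+$ ]] || cpus=1
if (( cpus > 1 )); then
  threads=$((cpus - 1))
else
  threads=1
fi

# --- provider name ----------------------------------------------------------
# The value is written inside a quoted local-zone statement below. An empty
# value would render `local-zone: "." refuse` and refuse every query, and a
# quote, whitespace or control character would corrupt the config, so accept
# only a plain DNS-name character set. The raw value is deliberately not
# echoed back.
provider_name=$(cat "${KEYS_DIR}/provider_name") ||
  die "Cannot read ${KEYS_DIR}/provider_name"
[[ "$provider_name" =~ ^[A-Za-z0-9._-]+$ ]] ||
  die "Invalid provider name in ${KEYS_DIR}/provider_name"

# --- unbound.conf -----------------------------------------------------------
# The config is rendered straight from the heredoc. Every substituted value is
# a constant, a number computed above, or the validated provider name, which
# removes the earlier sed pass and its sensitivity to '/' and '&' in the
# replacement text. Lines starting with '#' inside the heredoc are unbound
# config comments.
cat >"$UNBOUND_CONF" <<EOT || die "Cannot write ${UNBOUND_CONF}"
server:
    verbosity: 1
    num-threads: ${threads}
    # Loopback only: the dnscrypt front end on this host is the only client,
    # which is why the access-control lines below can allow everything.
    interface: 127.0.0.1@553
    so-reuseport: yes
    edns-buffer-size: 1232
    delay-close: 10000
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    do-daemonize: no
    username: "_unbound"
    log-queries: no
    hide-version: yes
    identity: "DNSCrypt"
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: no
    do-not-query-localhost: no
    prefetch: yes
    prefetch-key: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    udp-connect: no
    chroot: "${UNBOUND_DIR}"
    directory: "${UNBOUND_DIR}"
    auto-trust-anchor-file: "var/root.key"
    num-queries-per-thread: 4096
    outgoing-range: 8192
    msg-cache-size: ${msg_cache_size}
    rrset-cache-size: ${rr_cache_size}
    neg-cache-size: 4M
    serve-expired: yes
    serve-expired-ttl: 86400
    serve-expired-ttl-reset: yes
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    aggressive-nsec: yes
    val-bogus-ttl: 600

    # Private, link-local and router-vendor names are answered locally
    # (static: NXDOMAIN/nodata) instead of being sent upstream.
    local-zone: "1." static
    local-zone: "10.in-addr.arpa." static
    local-zone: "127.in-addr.arpa." static
    local-zone: "16.172.in-addr.arpa." static
    local-zone: "168.192.in-addr.arpa." static
    local-zone: "f.f.ip6.arpa." static
    local-zone: "8.e.f.ip6.arpa." static
    local-zone: "airdream." static
    local-zone: "api." static
    local-zone: "bbrouter." static
    local-zone: "belkin." static
    local-zone: "blinkap." static
    local-zone: "corp." static
    local-zone: "davolink." static
    local-zone: "dearmyrouter." static
    local-zone: "dhcp." static
    local-zone: "dlink." static
    local-zone: "domain." static
    local-zone: "envoy." static
    local-zone: "example." static
    local-zone: "grp." static
    local-zone: "gw==." static
    local-zone: "home." static
    local-zone: "hub." static
    local-zone: "internal." static
    local-zone: "intra." static
    local-zone: "intranet." static
    local-zone: "invalid." static
    local-zone: "ksyun." static
    local-zone: "lan." static
    local-zone: "loc." static
    local-zone: "local." static
    local-zone: "localdomain." static
    local-zone: "localhost." static
    local-zone: "localnet." static
    local-zone: "modem." static
    local-zone: "mynet." static
    local-zone: "myrouter." static
    local-zone: "novalocal." static
    local-zone: "onion." static
    local-zone: "openstacklocal." static
    local-zone: "priv." static
    local-zone: "private." static
    local-zone: "prv." static
    local-zone: "router." static
    local-zone: "telus." static
    local-zone: "test." static
    local-zone: "totolink." static
    local-zone: "wlan_ap." static
    local-zone: "workgroup." static
    local-zone: "zghjccbob3n0." static
    # Queries for the provider's own name are refused rather than resolved.
    local-zone: "${provider_name}." refuse
    include: "${ZONES_DIR}/*.conf"

remote-control:
    control-enable: yes
    # Control socket reachable from this host only.
    control-interface: 127.0.0.1

auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "var/root.zone"
EOT

# --- chroot preparation -----------------------------------------------------
# unbound chroots into ${UNBOUND_DIR}. Copying the device nodes may need
# CAP_MKNOD, and unbound may still start without them, so this is best-effort.
if ! { mkdir -p "${UNBOUND_DIR}/dev" &&
  cp -a /dev/random /dev/urandom "${UNBOUND_DIR}/dev/"; }; then
  warn "could not populate ${UNBOUND_DIR}/dev"
fi

# var/ holds the trust anchor and root zone copy: mode 0700, owned by the
# unprivileged user unbound drops to. unbound-anchor's exit status reports
# whether the anchor was updated rather than success (per its man page), so
# it is intentionally not checked.
if mkdir -p -m 700 "${UNBOUND_DIR}/var" &&
  chown _unbound:_unbound "${UNBOUND_DIR}/var"; then
  /opt/unbound/sbin/unbound-anchor -a "${UNBOUND_DIR}/var/root.key"
else
  warn "could not prepare ${UNBOUND_DIR}/var; trust anchor not installed"
fi

# Generate the remote-control key pair once. Best effort, as before: the tool
# is only needed for unbound-control and its failure must not stop the server.
if [[ ! -f "${UNBOUND_DIR}/unbound_control.pem" ]]; then
  /opt/unbound/sbin/unbound-control-setup 2>/dev/null || :
fi

mkdir -p "$ZONES_DIR" || warn "could not create ${ZONES_DIR}"

# Replace the shell so unbound receives the container's signals directly.
exec /opt/unbound/sbin/unbound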