Add authoritative zone handling
This commit is contained in:
parent
98a8ba9672
commit
3effd2d06b
|
@ -18,6 +18,9 @@ ENV UNBOUND_GIT_REVISION a8739bad76d4d179290627e989c7ef236345bda6
|
||||||
|
|
||||||
WORKDIR /tmp
|
WORKDIR /tmp
|
||||||
|
|
||||||
|
# --- FOR TESTING ---
|
||||||
|
# RUN apt-get update && apt-get install -y iproute2 less vim
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
|
RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
|
||||||
git clone --depth=1000 "$UNBOUND_GIT_URL" && \
|
git clone --depth=1000 "$UNBOUND_GIT_URL" && \
|
||||||
cd unbound && \
|
cd unbound && \
|
||||||
|
|
|
@ -14,6 +14,7 @@ CONF_DIR="/opt/encrypted-dns/etc"
|
||||||
CONFIG_FILE="${KEYS_DIR}/encrypted-dns.toml"
|
CONFIG_FILE="${KEYS_DIR}/encrypted-dns.toml"
|
||||||
CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
|
CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
|
||||||
SERVICES_DIR="/etc/runit/runsvdir/svmanaged"
|
SERVICES_DIR="/etc/runit/runsvdir/svmanaged"
|
||||||
|
SCRIPTNAME=$(basename $0)
|
||||||
|
|
||||||
init() {
|
init() {
|
||||||
if [ "$(is_initialized)" = yes ]; then
|
if [ "$(is_initialized)" = yes ]; then
|
||||||
|
@ -21,21 +22,57 @@ init() {
|
||||||
exit $?
|
exit $?
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' --longoptions 'unbound-on-all-interfaces' -- "$@")
|
||||||
|
TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")
|
||||||
|
eval set -- "$TEMP"
|
||||||
|
|
||||||
anondns_enabled="false"
|
anondns_enabled="false"
|
||||||
anondns_blacklisted_ips=""
|
anondns_blacklisted_ips=""
|
||||||
|
|
||||||
metrics_address="127.0.0.1:9100"
|
metrics_address="127.0.0.1:9100"
|
||||||
|
|
||||||
while getopts "h?N:E:T:AM:" opt; do
|
# extract options and their arguments into variables.
|
||||||
case "$opt" in
|
while true ; do
|
||||||
h | \?) usage ;;
|
case "$1" in
|
||||||
N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
-h | -\?)
|
||||||
E) ext_addresses=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
shift
|
||||||
T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
usage
|
||||||
A) anondns_enabled="true" ;;
|
;;
|
||||||
M) metrics_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
-N)
|
||||||
|
provider_name=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||||
|
shift 2
|
||||||
|
;;
|
||||||
|
-E)
|
||||||
|
ext_addresses=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||||
|
shift 2
|
||||||
|
;;
|
||||||
|
-T)
|
||||||
|
tls_proxy_upstream_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||||
|
shift 2
|
||||||
|
;;
|
||||||
|
-A)
|
||||||
|
anondns_enabled="true"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
-M)
|
||||||
|
metrics_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||||
|
shift 2
|
||||||
|
;;
|
||||||
|
# --unbound-on-all-interfaces)
|
||||||
|
# touch /opt/unbound/run-options/use-all-interfaces
|
||||||
|
# shift
|
||||||
|
# ;;
|
||||||
|
--)
|
||||||
|
shift
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Internal error!"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
[ -z "$provider_name" ] && usage
|
[ -z "$provider_name" ] && usage
|
||||||
case "$provider_name" in
|
case "$provider_name" in
|
||||||
.*) usage ;;
|
.*) usage ;;
|
||||||
|
|
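Review bot: The new `TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")` never checks getopt's exit status before `eval set -- "$TEMP"`, so an unrecognized option only yields a stderr message from getopt while parsing continues with whatever it did output, whereas the replaced getopts loop routed `\?` to usage; `TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@") || usage` restores that behaviour and leaves the `*) echo "Internal error!"` arm for genuinely unexpected tokens. In this file's first hunk `SCRIPTNAME=$(basename $0)` leaves `$0` unquoted; `SCRIPTNAME=$(basename "$0")` is the safe form. The `eval` also relies on util-linux enhanced getopt quoting its output correctly, which the apt-get based image presumably provides, but a one-time `getopt -T` check (exit status 4) would make that assumption explicit instead of implicit. init() begins in the preceding hunk and continues past this one.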
41
unbound.sh
41
unbound.sh
|
@ -2,6 +2,37 @@
|
||||||
|
|
||||||
KEYS_DIR="/opt/encrypted-dns/etc/keys"
|
KEYS_DIR="/opt/encrypted-dns/etc/keys"
|
||||||
ZONES_DIR="/opt/unbound/etc/unbound/zones"
|
ZONES_DIR="/opt/unbound/etc/unbound/zones"
|
||||||
|
AUTHZONES_DIR="/opt/unbound/etc/unbound/auth-zones"
|
||||||
|
|
||||||
|
OIFS="${IFS}"
|
||||||
|
IFS=""
|
||||||
|
|
||||||
|
INTERFACES="\
|
||||||
|
interface: 127.0.0.1@553
|
||||||
|
interface: ::1@553"
|
||||||
|
ACCESS_CONTROL="\
|
||||||
|
access-control: 0.0.0.0/0 allow
|
||||||
|
access-control: ::0/0 allow"
|
||||||
|
AUTHZONE_INCLUDE=""
|
||||||
|
|
||||||
|
test -d $AUTHZONES_DIR && {
|
||||||
|
chown -R _unbound:_unbound $AUTHZONES_DIR
|
||||||
|
INTERFACES="\
|
||||||
|
interface: 0.0.0.0@553
|
||||||
|
interface: ::@553"
|
||||||
|
ACCESS_CONTROL="\
|
||||||
|
access-control: 127.0.0.1/32 allow
|
||||||
|
access-control: ::1/128 allow
|
||||||
|
access-control: 0.0.0.0/0 refuse_non_local
|
||||||
|
access-control: ::0/0 refuse_non_local"
|
||||||
|
AUTHZONE_INCLUDE="include: \"${AUTHZONES_DIR}/*.conf\""
|
||||||
|
}
|
||||||
|
|
||||||
|
# Replace multiline replacements so sed can deal with them later
|
||||||
|
INTERFACES=$(echo -n "${INTERFACES}" | sed -z 's/\n/\\n/g')
|
||||||
|
ACCESS_CONTROL=$(echo -n "${ACCESS_CONTROL}" | sed -z 's/\n/\\n/g')
|
||||||
|
|
||||||
|
IFS="${OIFS}"
|
||||||
|
|
||||||
reserved=134217728
|
reserved=134217728
|
||||||
availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
|
availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
|
||||||
|
@ -27,11 +58,15 @@ sed \
|
||||||
-e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
|
-e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
|
||||||
-e "s/@THREADS@/${threads}/" \
|
-e "s/@THREADS@/${threads}/" \
|
||||||
-e "s#@ZONES_DIR@#${ZONES_DIR}#" \
|
-e "s#@ZONES_DIR@#${ZONES_DIR}#" \
|
||||||
|
-e "s#@INTERFACES@#${INTERFACES}#" \
|
||||||
|
-e "s#@ACCESS_CONTROL@#${ACCESS_CONTROL}#" \
|
||||||
|
-e "s#@AUTHZONE_INCLUDE@#${AUTHZONE_INCLUDE}#" \
|
||||||
>/opt/unbound/etc/unbound/unbound.conf <<EOT
|
>/opt/unbound/etc/unbound/unbound.conf <<EOT
|
||||||
server:
|
server:
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
num-threads: @THREADS@
|
num-threads: @THREADS@
|
||||||
interface: 127.0.0.1@553
|
@INTERFACES@
|
||||||
|
@ACCESS_CONTROL@
|
||||||
so-reuseport: yes
|
so-reuseport: yes
|
||||||
edns-buffer-size: 1232
|
edns-buffer-size: 1232
|
||||||
delay-close: 10000
|
delay-close: 10000
|
||||||
|
@ -66,8 +101,6 @@ server:
|
||||||
serve-expired: yes
|
serve-expired: yes
|
||||||
serve-expired-ttl: 86400
|
serve-expired-ttl: 86400
|
||||||
serve-expired-ttl-reset: yes
|
serve-expired-ttl-reset: yes
|
||||||
access-control: 0.0.0.0/0 allow
|
|
||||||
access-control: ::0/0 allow
|
|
||||||
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
|
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
aggressive-nsec: yes
|
aggressive-nsec: yes
|
||||||
val-bogus-ttl: 600
|
val-bogus-ttl: 600
|
||||||
|
@ -138,6 +171,8 @@ auth-zone:
|
||||||
for-downstream: no
|
for-downstream: no
|
||||||
for-upstream: yes
|
for-upstream: yes
|
||||||
zonefile: "var/root.zone"
|
zonefile: "var/root.zone"
|
||||||
|
|
||||||
|
@AUTHZONE_INCLUDE@
|
||||||
EOT
|
EOT
|
||||||
|
|
||||||
mkdir -p /opt/unbound/etc/unbound/dev &&
|
mkdir -p /opt/unbound/etc/unbound/dev &&
|
||||||
|
|
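Review bot: The auth-zone branch in the first hunk (`test -d $AUTHZONES_DIR && { … }`) moves Unbound from loopback-only listeners to `interface: 0.0.0.0@553` / `interface: ::@553` with no comment saying why that does not create an open resolver, which is presumably what the `refuse_non_local` entries are for (outside clients limited to local/authoritative data, recursion refused); a comment such as `# Auth zones present: listen on all interfaces, but only loopback may recurse; everyone else gets REFUSED except for local/authoritative data` above the `test -d` line would make that intent explicit. `$AUTHZONES_DIR` is unquoted in both the `test -d` and `chown -R` lines; `test -d "$AUTHZONES_DIR"` and `chown -R _unbound:_unbound "$AUTHZONES_DIR"` are the safe forms even though the value is a constant here. The `chown -R` also rewrites ownership of whatever is mounted at that path, which looks intended for a bind-mounted zone directory but is worth stating in the same comment. `echo -n` and `sed -z` are GNU/bash-specific; the shebang is outside the hunk, so I cannot tell whether `/bin/sh` is in play.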