From 3ea2765ec206a5424b3e06b20605e5c8568e4e96 Mon Sep 17 00:00:00 2001 From: Springcomp Date: Wed, 31 Dec 2025 18:35:46 +0100 Subject: [PATCH 1/7] supports own recursive name server (dns) --- unbound/.gitignore | 7 + unbound/Dockerfile | 8 + unbound/conf.d/a-records.conf | 5 + unbound/conf.d/srv-records.conf | 2 + unbound/conf.d/unbound.conf | 399 ++++++++++++++++++++++++++++++++ unbound/docker-entrypoint.sh | 11 + 6 files changed, 432 insertions(+) create mode 100644 unbound/.gitignore create mode 100644 unbound/Dockerfile create mode 100644 unbound/conf.d/a-records.conf create mode 100644 unbound/conf.d/srv-records.conf create mode 100644 unbound/conf.d/unbound.conf create mode 100644 unbound/docker-entrypoint.sh diff --git a/unbound/.gitignore b/unbound/.gitignore new file mode 100644 index 0000000..9b7fac5 --- /dev/null +++ b/unbound/.gitignore @@ -0,0 +1,7 @@ +conf.d/dev/ + +conf.d/var/root.hints +conf.d/var/root.key +conf.d/var/unbound.log + +conf.d/unbound.pid diff --git a/unbound/Dockerfile b/unbound/Dockerfile new file mode 100644 index 0000000..272b5e2 --- /dev/null +++ b/unbound/Dockerfile @@ -0,0 +1,8 @@ +FROM mvance/unbound:1.22.0 +COPY docker-entrypoint.sh /docker-entrypoint.sh + +RUN apt-get update \ + && apt-get install -y curl dnsutils + +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["/unbound.sh"] diff --git a/unbound/conf.d/a-records.conf b/unbound/conf.d/a-records.conf new file mode 100644 index 0000000..319d934 --- /dev/null +++ b/unbound/conf.d/a-records.conf @@ -0,0 +1,5 @@ +# A Record + #local-data: "somecomputer.local. A 192.168.1.1" + +# PTR Record + #local-data-ptr: "192.168.1.1 somecomputer.local." diff --git a/unbound/conf.d/srv-records.conf b/unbound/conf.d/srv-records.conf new file mode 100644 index 0000000..fccdd51 --- /dev/null +++ b/unbound/conf.d/srv-records.conf @@ -0,0 +1,2 @@ +# SRV records +# _service._proto.name. | TTL | class | SRV | priority | weight | port | target. diff --git a/unbound/conf.d/unbound.conf b/unbound/conf.d/unbound.conf new file mode 100644 index 0000000..175fd4a --- /dev/null +++ b/unbound/conf.d/unbound.conf @@ -0,0 +1,399 @@ +server: + ########################################################################### + # BASIC SETTINGS + ########################################################################### + + # Module configuration - disable subnetcache (not needed for local resolver) + module-config: "validator iterator" + + # Time to live maximum for RRsets and messages in the cache. If the maximum + # kicks in, responses to clients still get decrementing TTLs based on the + # original (larger) values. When the internal TTL expires, the cache item + # has expired. Can be set lower to force the resolver to query for data + # often, and not trust (very large) TTL values. + cache-max-ttl: 86400 + + # Time to live minimum for RRsets and messages in the cache. If the minimum + # kicks in, the data is cached for longer than the domain owner intended, + # and thus less queries are made to look up the data. Zero makes sure the + # data in the cache is as the domain owner intended, higher values, + # especially more than an hour or so, can lead to trouble as the data in + # the cache does not match up with the actual data any more. + cache-min-ttl: 300 + + # Set the working directory for the program. + directory: "/opt/unbound/etc/unbound" + + # Enable or disable whether IPv4 queries are answered or issued. + # Default: yes + do-ip4: yes + + # Enable or disable whether IPv6 queries are answered or issued. + # If disabled, queries are not answered on IPv6, and queries are not sent + # on IPv6 to the internet nameservers. With this option you can disable the + # IPv6 transport for sending DNS traffic, it does not impact the contents + # of the DNS traffic, which may have IPv4 (A) and IPv6 (AAAA) addresses in + # it. + # Default: yes + # May be set to yes if you have IPv6 connectivity + # + # IPv6 is disabled for server use. + # Spamhaus and some DNSBL providers falsely flag IPv6 queries as “open resolver” activity, + # potentially blocking your server from their services. + # Only enable IPv6 if you’ve verified all your DNSBL providers support it properly. + do-ip6: no + + # Enable or disable whether TCP queries are answered or issued. + # Default: yes + do-tcp: yes + + # Enable or disable whether UDP queries are answered or issued. + # Default: yes + do-udp: yes + + # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer + # size. This is the value put into datagrams over UDP towards peers. + # The actual buffer size is determined by msg-buffer-size (both for TCP and + # UDP). Do not set higher than that value. + # Default is 1232 which is the DNS Flag Day 2020 recommendation. + # Setting to 512 bypasses even the most stringent path MTU problems, but + # is seen as extreme, since the amount of TCP fallback generated is + # excessive (probably also for this resolver, consider tuning the outgoing + # tcp number). + edns-buffer-size: 1232 + + # Listen to for queries from clients and answer from this network interface + # and port. + interface: 0.0.0.0 + interface: ::1 + port: 53 + + # If enabled, prefer IPv6 transport for sending DNS queries to internet + # nameservers. + # Default: yes + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Rotates RRSet order in response (the pseudo-random number is taken from + # the query ID, for speed and thread safety). + rrset-roundrobin: yes + + # Drop user privileges after binding the port. + username: "_unbound" + + ########################################################################### + # LOGGING + ########################################################################### + + # Do not print log lines to inform about local zone actions + log-local-actions: no + + # Do not print one line per query to the log + log-queries: yes + + # Do not print one line per reply to the log + log-replies: no + + # Do not print log lines that say why queries return SERVFAIL to clients + log-servfail: no + + # If you want to log to a file, use: + # logfile: /opt/unbound/etc/unbound/unbound.log + # Set log location (using /dev/null further limits logging) + logfile: "var/unbound.log" + + # Set logging level + # Level 0: No verbosity, only errors. + # Level 1: Gives operational information. + # Level 2: Gives detailed operational information including short information per query. + # Level 3: Gives query level information, output per query. + # Level 4: Gives algorithm level information. + # Level 5: Logs client identification for cache misses. + verbosity: 2 + + ########################################################################### + # PERFORMANCE SETTINGS + ########################################################################### + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ + + # Number of slabs in the infrastructure cache. Slabs reduce lock contention + # by threads. Must be set to a power of 2. + infra-cache-slabs: 4 + + # Number of incoming TCP buffers to allocate per thread. Default + # is 10. If set to 0, or if do-tcp is "no", no TCP queries from + # clients are accepted. For larger installations increasing this + # value is a good idea. + incoming-num-tcp: 10 + + # Number of slabs in the key cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number + # of cpus is a reasonable guess. + key-cache-slabs: 4 + + # Number of bytes size of the message cache. + # Unbound recommendation is to Use roughly twice as much rrset cache memory + # as you use msg cache memory. + msg-cache-size: 142768128 + + # Number of slabs in the message cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number of + # cpus is a reasonable guess. + msg-cache-slabs: 4 + + # The number of queries that every thread will service simultaneously. If + # more queries arrive that need servicing, and no queries can be jostled + # out (see jostle-timeout), then the queries are dropped. + # This is best set at half the number of the outgoing-range. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + num-queries-per-thread: 4096 + + # The number of threads to create to serve clients. + # This is set dynamically at run time to effectively use available CPUs + # resources + num-threads: 3 + + # Number of ports to open. This number of file descriptors can be opened + # per thread. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + outgoing-range: 8192 + + # Number of bytes size of the RRset cache. + # Use roughly twice as much rrset cache memory as msg cache memory + rrset-cache-size: 285536256 + + # Number of slabs in the RRset cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. + rrset-cache-slabs: 4 + + # Do no insert authority/additional sections into response messages when + # those sections are not required. This reduces response size + # significantly, and may avoid TCP fallback for some responses. This may + # cause a slight speedup. + minimal-responses: yes + + # # Fetch the DNSKEYs earlier in the validation process, when a DS record + # is encountered. This lowers the latency of requests at the expense of + # little more CPU usage. + prefetch: yes + + # Fetch the DNSKEYs earlier in the validation process, when a DS record is + # encountered. This lowers the latency of requests at the expense of little + # more CPU usage. + prefetch-key: yes + + # Have unbound attempt to serve old responses from cache with a TTL of 0 in + # the response without waiting for the actual resolution to finish. The + # actual resolution answer ends up in the cache later on. + serve-expired: yes + + # If not 0, then set the SO_RCVBUF socket option to get more buffer space on + # UDP port 53 incoming queries. So that short spikes on busy servers do not + # drop packets (see counter in netstat -su). Otherwise, the number of bytes + # to ask for, try “4m” on a busy server. + # The OS caps it at a maximum, on linux Unbound needs root permission to + # bypass the limit, or the admin can use sysctl net.core.rmem_max. + # Default: 0 (use system value) + # For example: sysctl -w net.core.rmem_max=4194304 + # To persist reboots, edit /etc/sysctl.conf to include: + # net.core.rmem_max=4194304 + # Larger socket buffer. OS may need config. + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + #so-rcvbuf: 4m + + # Open dedicated listening sockets for incoming queries for each thread and + # try to set the SO_REUSEPORT socket option on each socket. May distribute + # incoming queries to threads more evenly. + so-reuseport: yes + + # If not 0, then set the SO_SNDBUF socket option to get more buffer space + # on UDP port 53 outgoing queries. + # Specify the number of bytes to ask for, try “4m” on a very busy server. + # The OS caps it at a maximum, on linux Unbound needs root permission to + # bypass the limit, or the admin can use sysctl net.core.wmem_max. + # For example: sysctl -w net.core.wmem_max=4194304 + # To persist reboots, edit /etc/sysctl.conf to include: + # net.core.wmem_max=4194304 + # Default: 0 (use system value) + # Larger socket buffer. OS may need config. + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + #so-sndbuf: 4m + + ########################################################################### + # PRIVACY SETTINGS + ########################################################################### + + # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other + # denials, using information from previous NXDO-MAINs answers. In other + # words, use cached NSEC records to generate negative answers within a + # range and positive answers from wildcards. This increases performance, + # decreases latency and resource utilization on both authoritative and + # recursive servers, and increases privacy. Also, it may help increase + # resilience to certain DoS attacks in some circumstances. + aggressive-nsec: yes + + # Extra delay for timeouted UDP ports before they are closed, in msec. + # This prevents very delayed answer packets from the upstream (recursive) + # servers from bouncing against closed ports and setting off all sort of + # close-port counters, with eg. 1500 msec. When timeouts happen you need + # extra sockets, it checks the ID and remote IP of packets, and unwanted + # packets are added to the unwanted packet counter. + delay-close: 10000 + + # Prevent the unbound server from forking into the background as a daemon + do-daemonize: no + + # Add localhost to the do-not-query-address list. + do-not-query-localhost: no + + # Number of bytes size of the aggressive negative cache. + neg-cache-size: 4M + + # Send minimum amount of information to upstream servers to enhance + # privacy (best privacy). + qname-minimisation: yes + + ########################################################################### + # SECURITY SETTINGS + ########################################################################### + # Only give access to recursion clients from LAN IPs + access-control: 127.0.0.1/32 allow + access-control: 192.168.0.0/16 allow + access-control: 172.16.0.0/12 allow + access-control: 10.0.0.0/8 allow + access-control: fc00::/7 allow + access-control: ::1/128 allow + + # root.hints enable unbound to perform recursive resolution + root-hints: "var/root.hints" + + # File with trust anchor for one zone, which is tracked with RFC5011 + # probes. + auto-trust-anchor-file: "var/root.key" + + # Enable chroot (i.e, change apparent root directory for the current + # running process and its children) + chroot: "/opt/unbound/etc/unbound" + + # Deny queries of type ANY with an empty response. + deny-any: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. + harden-algo-downgrade: yes + + # RFC 8020. returns nxdomain to queries for a name below another name that + # is already known to be nxdomain. + harden-below-nxdomain: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the + # zone becomes bogus. If turned off you run the risk of a downgrade attack + # that disables security for a zone. + harden-dnssec-stripped: yes + + # Only trust glue if it is within the servers authority. + harden-glue: yes + + # Ignore very large queries. + harden-large-queries: yes + + # Perform additional queries for infrastructure data to harden the referral + # path. Validates the replies if trust anchors are configured and the zones + # are signed. This enforces DNSSEC validation on nameserver NS sets and the + # nameserver addresses that are encountered on the referral path to the + # answer. Experimental option. + harden-referral-path: no + + # Ignore very small EDNS buffer sizes from queries. + harden-short-bufsize: yes + + # If enabled the HTTP header User-Agent is not set. Use with caution + # as some webserver configurations may reject HTTP requests lacking + # this header. If needed, it is better to explicitly set the + # the http-user-agent. + hide-http-user-agent: no + + # Refuse id.server and hostname.bind queries + hide-identity: yes + + # Refuse version.server and version.bind queries + hide-version: yes + + # Set the HTTP User-Agent header for outgoing HTTP requests. If + # set to "", the default, then the package name and version are + # used. + http-user-agent: "DNS" + + # Report this identity rather than the hostname of the server. + identity: "DNS" + + # These private network addresses are not allowed to be returned for public + # internet names. Any occurrence of such addresses are removed from DNS + # answers. Additionally, the DNSSEC validator may mark the answers bogus. + # This protects against DNS Rebinding + private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: fd00::/8 + private-address: fe80::/10 + private-address: ::ffff:0:0/96 + + # Enable ratelimiting of queries (per second) sent to nameserver for + # performing recursion. More queries are turned away with an error + # (servfail). This stops recursive floods (e.g., random query names), but + # not spoofed reflection floods. Cached responses are not rate limited by + # this setting. Experimental option. + ratelimit: 1000 + + # Use this certificate bundle for authenticating connections made to + # outside peers (e.g., auth-zone urls, DNS over TLS connections). + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + + # Set the total number of unwanted replies to eep track of in every thread. + # When it reaches the threshold, a defensive action of clearing the rrset + # and message caches is taken, hopefully flushing away any poison. + # Unbound suggests a value of 10 million. + unwanted-reply-threshold: 10000 + + # Use 0x20-encoded random bits in the query to foil spoof attempts. This + # perturbs the lowercase and uppercase of query names sent to authority + # servers and checks if the reply still has the correct casing. + # This feature is an experimental implementation of draft dns-0x20. + # Experimental option. + # Don't use Capitalization randomization as it known to cause DNSSEC issues + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 + use-caps-for-id: yes + + # Help protect users that rely on this validator for authentication from + # potentially bad data in the additional section. Instruct the validator to + # remove data from the additional section of secure messages that are not + # signed properly. Messages that are insecure, bogus, indeterminate or + # unchecked are not affected. + val-clean-additional: yes + + ########################################################################### + # FORWARD ZONE + ########################################################################### + + # include: /opt/unbound/etc/unbound/forward-records.conf + + ########################################################################### + # LOCAL ZONE + ########################################################################### + + # Include file for local-data and local-data-ptr + include: /opt/unbound/etc/unbound/a-records.conf + include: /opt/unbound/etc/unbound/srv-records.conf + + ########################################################################### + # WILDCARD INCLUDE + ########################################################################### + #include: "/opt/unbound/etc/unbound/*.conf" + +remote-control: + control-enable: no diff --git a/unbound/docker-entrypoint.sh b/unbound/docker-entrypoint.sh new file mode 100644 index 0000000..bccd2d7 --- /dev/null +++ b/unbound/docker-entrypoint.sh @@ -0,0 +1,11 @@ +#!/bin/sh -eu + +# perform recursive resolution starting from DNS root servers: +curl -o /opt/unbound/etc/unbound/var/root.hints https://www.internic.net/domain/named.root + +# redirect logfile to stdout +rm /opt/unbound/etc/unbound/var/unbound.log +ln -sf /dev/stdout /opt/unbound/etc/unbound/var/unbound.log + +# hand over to container CMD (/unbound.sh) +exec "$@" From 1b49d53f57bf499efe376d2512025a2490e4c733 Mon Sep 17 00:00:00 2001 From: Springcomp Date: Wed, 31 Dec 2025 18:50:13 +0100 Subject: [PATCH 2/7] postfix now uses own internal nameserver --- docker-compose.yaml | 3 +-- postfix-compose.yaml | 18 ++++++++++++++++++ simple-login-compose.yaml | 12 +++++++++++- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index b1ff12c..53efee0 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,4 +1,3 @@ - # If there is already a traefik container running on your host, you can comment out the first include line. # But make sure that... # - container `sl-app` can join traefiks network, defined in traefic static config `providers.docker.network` @@ -10,7 +9,7 @@ include: - postfix-compose.yaml networks: - default: + internal: driver: bridge ipam: driver: default diff --git a/postfix-compose.yaml b/postfix-compose.yaml index fe5531d..075b6c2 100644 --- a/postfix-compose.yaml +++ b/postfix-compose.yaml @@ -4,12 +4,29 @@ services: ## POSTFIX ## ================= + dns: + image: private/unbound:latest + build: + context: ./unbound/ + dockerfile: Dockerfile + container_name: dns + networks: + internal: + ipv4_address: 10.0.0.99 + volumes: + - ./unbound/conf.d/:/opt/unbound/etc/unbound/:rw + restart: unless-stopped + postfix: image: private/postfix:latest build: context: ./postfix/ dockerfile: Dockerfile container_name: postfix + dns: + - '10.0.0.99' + networks: + - internal env_file: .env ports: - '25:25' @@ -18,6 +35,7 @@ services: - certs:/certs:ro restart: unless-stopped depends_on: + - dns - email - traefik-certificate-exporter labels: diff --git a/simple-login-compose.yaml b/simple-login-compose.yaml index f62c85c..93d67aa 100644 --- a/simple-login-compose.yaml +++ b/simple-login-compose.yaml @@ -20,6 +20,8 @@ services: interval: 10s retries: 3 start_period: 1s + networks: + - internal volumes: - ./db:/var/lib/postgresql/data restart: unless-stopped @@ -28,6 +30,8 @@ services: <<: *sl-defaults command: [ "alembic", "upgrade", "head" ] container_name: sl-migration + networks: + - internal depends_on: postgres: condition: service_healthy @@ -36,6 +40,8 @@ services: <<: *sl-defaults command: [ "python", "init_app.py" ] container_name: sl-init + networks: + - internal depends_on: migration: condition: service_completed_successfully @@ -45,7 +51,7 @@ services: container_name: sl-app networks: - traefik - - default + - internal restart: unless-stopped depends_on: init: @@ -86,6 +92,8 @@ services: <<: *sl-defaults command: ["python", "email_handler.py"] container_name: sl-email + networks: + - internal restart: unless-stopped depends_on: init: @@ -95,6 +103,8 @@ services: <<: *sl-defaults command: ["python", "job_runner.py"] container_name: sl-job-runner + networks: + - internal restart: unless-stopped depends_on: init: From 8924f35a8ab07c45a6445f06961ffcf8d349640d Mon Sep 17 00:00:00 2001 From: Springcomp Date: Thu, 1 Jan 2026 10:50:15 +0100 Subject: [PATCH 3/7] supports DANE for outgoing emails --- postfix/templates/30-icf-dane.tpl | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 postfix/templates/30-icf-dane.tpl diff --git a/postfix/templates/30-icf-dane.tpl b/postfix/templates/30-icf-dane.tpl new file mode 100644 index 0000000..a540d5a --- /dev/null +++ b/postfix/templates/30-icf-dane.tpl @@ -0,0 +1,3 @@ + +smtp_dns_support_level = dnssec +smtp_tls_security_level = dane From d23c2b7b6f56ce85c95b249a86f74173d77f7f78 Mon Sep 17 00:00:00 2001 From: Maxime Labelle Date: Fri, 2 Jan 2026 19:13:18 +0100 Subject: [PATCH 4/7] Set static ip for dns service to 10.0.0.53 --- postfix-compose.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/postfix-compose.yaml b/postfix-compose.yaml index 075b6c2..181f85f 100644 --- a/postfix-compose.yaml +++ b/postfix-compose.yaml @@ -12,7 +12,7 @@ services: container_name: dns networks: internal: - ipv4_address: 10.0.0.99 + ipv4_address: 10.0.0.53 volumes: - ./unbound/conf.d/:/opt/unbound/etc/unbound/:rw restart: unless-stopped @@ -24,7 +24,7 @@ services: dockerfile: Dockerfile container_name: postfix dns: - - '10.0.0.99' + - '10.0.0.53' networks: - internal env_file: .env From 528863e726a46ac5d1c90c7f4acfd8733ef6ca97 Mon Sep 17 00:00:00 2001 From: Maxime Labelle Date: Fri, 2 Jan 2026 19:19:26 +0100 Subject: [PATCH 5/7] Factored network definition into the `sl-defaults` anchor. --- simple-login-compose.yaml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/simple-login-compose.yaml b/simple-login-compose.yaml index 93d67aa..70a3702 100644 --- a/simple-login-compose.yaml +++ b/simple-login-compose.yaml @@ -5,6 +5,8 @@ x-sl-defaults: &sl-defaults - ./pgp:/sl/pgp - ./upload:/code/static/upload - ./dkim.key:/dkim.key + networks: + - internal services: @@ -30,8 +32,6 @@ services: <<: *sl-defaults command: [ "alembic", "upgrade", "head" ] container_name: sl-migration - networks: - - internal depends_on: postgres: condition: service_healthy @@ -40,8 +40,6 @@ services: <<: *sl-defaults command: [ "python", "init_app.py" ] container_name: sl-init - networks: - - internal depends_on: migration: condition: service_completed_successfully @@ -92,8 +90,6 @@ services: <<: *sl-defaults command: ["python", "email_handler.py"] container_name: sl-email - networks: - - internal restart: unless-stopped depends_on: init: @@ -103,8 +99,6 @@ services: <<: *sl-defaults command: ["python", "job_runner.py"] container_name: sl-job-runner - networks: - - internal restart: unless-stopped depends_on: init: From 080410dd582ac0fdf58408b5912bd94cc434f859 Mon Sep 17 00:00:00 2001 From: Springcomp Date: Sun, 4 Jan 2026 11:26:31 +0100 Subject: [PATCH 6/7] replaced dns with simpler crazymax/unbound image --- postfix-compose.yaml | 16 +++-- unbound/.gitignore | 7 -- unbound/Dockerfile | 8 --- .../conf.d/{unbound.conf => 00-unbound.conf} | 65 +++---------------- unbound/conf.d/10-logging.conf | 2 + unbound/conf.d/a-records.conf | 5 -- unbound/conf.d/srv-records.conf | 2 - unbound/docker-entrypoint.sh | 11 ---- 8 files changed, 21 insertions(+), 95 deletions(-) delete mode 100644 unbound/.gitignore delete mode 100644 unbound/Dockerfile rename unbound/conf.d/{unbound.conf => 00-unbound.conf} (88%) create mode 100644 unbound/conf.d/10-logging.conf delete mode 100644 unbound/conf.d/a-records.conf delete mode 100644 unbound/conf.d/srv-records.conf delete mode 100644 unbound/docker-entrypoint.sh diff --git a/postfix-compose.yaml b/postfix-compose.yaml index 181f85f..1e31b0b 100644 --- a/postfix-compose.yaml +++ b/postfix-compose.yaml @@ -5,17 +5,23 @@ services: ## ================= dns: - image: private/unbound:latest - build: - context: ./unbound/ - dockerfile: Dockerfile + image: crazymax/unbound:latest container_name: dns + user: "0:0" + cap_add: + - NET_BIND_SERVICE networks: internal: ipv4_address: 10.0.0.53 volumes: - - ./unbound/conf.d/:/opt/unbound/etc/unbound/:rw + - ./unbound/conf.d/:/config/:ro restart: unless-stopped + entrypoint: + - /bin/sh + - -ec + - | + unbound-anchor -a /var/run/unbound/root.key || true + exec su -s /bin/sh unbound -c "sh /entrypoint.sh" postfix: image: private/postfix:latest diff --git a/unbound/.gitignore b/unbound/.gitignore deleted file mode 100644 index 9b7fac5..0000000 --- a/unbound/.gitignore +++ /dev/null @@ -1,7 +0,0 @@ -conf.d/dev/ - -conf.d/var/root.hints -conf.d/var/root.key -conf.d/var/unbound.log - -conf.d/unbound.pid diff --git a/unbound/Dockerfile b/unbound/Dockerfile deleted file mode 100644 index 272b5e2..0000000 --- a/unbound/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM mvance/unbound:1.22.0 -COPY docker-entrypoint.sh /docker-entrypoint.sh - -RUN apt-get update \ - && apt-get install -y curl dnsutils - -ENTRYPOINT ["/docker-entrypoint.sh"] -CMD ["/unbound.sh"] diff --git a/unbound/conf.d/unbound.conf b/unbound/conf.d/00-unbound.conf similarity index 88% rename from unbound/conf.d/unbound.conf rename to unbound/conf.d/00-unbound.conf index 175fd4a..94b7c81 100644 --- a/unbound/conf.d/unbound.conf +++ b/unbound/conf.d/00-unbound.conf @@ -1,4 +1,3 @@ -server: ########################################################################### # BASIC SETTINGS ########################################################################### @@ -21,22 +20,11 @@ server: # the cache does not match up with the actual data any more. cache-min-ttl: 300 - # Set the working directory for the program. - directory: "/opt/unbound/etc/unbound" # Enable or disable whether IPv4 queries are answered or issued. # Default: yes do-ip4: yes - # Enable or disable whether IPv6 queries are answered or issued. - # If disabled, queries are not answered on IPv6, and queries are not sent - # on IPv6 to the internet nameservers. With this option you can disable the - # IPv6 transport for sending DNS traffic, it does not impact the contents - # of the DNS traffic, which may have IPv4 (A) and IPv6 (AAAA) addresses in - # it. - # Default: yes - # May be set to yes if you have IPv6 connectivity - # # IPv6 is disabled for server use. # Spamhaus and some DNSBL providers falsely flag IPv6 queries as “open resolver” activity, # potentially blocking your server from their services. @@ -79,9 +67,6 @@ server: # the query ID, for speed and thread safety). rrset-roundrobin: yes - # Drop user privileges after binding the port. - username: "_unbound" - ########################################################################### # LOGGING ########################################################################### @@ -90,7 +75,7 @@ server: log-local-actions: no # Do not print one line per query to the log - log-queries: yes + log-queries: no # Do not print one line per reply to the log log-replies: no @@ -98,11 +83,6 @@ server: # Do not print log lines that say why queries return SERVFAIL to clients log-servfail: no - # If you want to log to a file, use: - # logfile: /opt/unbound/etc/unbound/unbound.log - # Set log location (using /dev/null further limits logging) - logfile: "var/unbound.log" - # Set logging level # Level 0: No verbosity, only errors. # Level 1: Gives operational information. @@ -110,7 +90,7 @@ server: # Level 3: Gives query level information, output per query. # Level 4: Gives algorithm level information. # Level 5: Logs client identification for cache misses. - verbosity: 2 + verbosity: 0 ########################################################################### # PERFORMANCE SETTINGS @@ -221,7 +201,7 @@ server: # Default: 0 (use system value) # Larger socket buffer. OS may need config. # Ensure kernel buffer is large enough to not lose messages in traffic spikes - #so-sndbuf: 4m + so-sndbuf: 0 ########################################################################### # PRIVACY SETTINGS @@ -261,23 +241,15 @@ server: # SECURITY SETTINGS ########################################################################### # Only give access to recursion clients from LAN IPs + access-control: 10.0.0.0/8 allow access-control: 127.0.0.1/32 allow - access-control: 192.168.0.0/16 allow access-control: 172.16.0.0/12 allow - access-control: 10.0.0.0/8 allow + access-control: 192.168.0.0/16 allow access-control: fc00::/7 allow access-control: ::1/128 allow # root.hints enable unbound to perform recursive resolution - root-hints: "var/root.hints" - - # File with trust anchor for one zone, which is tracked with RFC5011 - # probes. - auto-trust-anchor-file: "var/root.key" - - # Enable chroot (i.e, change apparent root directory for the current - # running process and its children) - chroot: "/opt/unbound/etc/unbound" + root-hints: "/usr/share/dns-root-hints/named.root" # Deny queries of type ANY with an empty response. deny-any: yes @@ -336,9 +308,10 @@ server: # answers. Additionally, the DNSSEC validator may mark the answers bogus. # This protects against DNS Rebinding private-address: 10.0.0.0/8 + private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 - private-address: 169.254.0.0/16 + private-address: fd00::/8 private-address: fe80::/10 private-address: ::ffff:0:0/96 @@ -375,25 +348,3 @@ server: # signed properly. Messages that are insecure, bogus, indeterminate or # unchecked are not affected. val-clean-additional: yes - - ########################################################################### - # FORWARD ZONE - ########################################################################### - - # include: /opt/unbound/etc/unbound/forward-records.conf - - ########################################################################### - # LOCAL ZONE - ########################################################################### - - # Include file for local-data and local-data-ptr - include: /opt/unbound/etc/unbound/a-records.conf - include: /opt/unbound/etc/unbound/srv-records.conf - - ########################################################################### - # WILDCARD INCLUDE - ########################################################################### - #include: "/opt/unbound/etc/unbound/*.conf" - -remote-control: - control-enable: no diff --git a/unbound/conf.d/10-logging.conf b/unbound/conf.d/10-logging.conf new file mode 100644 index 0000000..c7599b8 --- /dev/null +++ b/unbound/conf.d/10-logging.conf @@ -0,0 +1,2 @@ + log-queries: yes + verbosity: 2 diff --git a/unbound/conf.d/a-records.conf b/unbound/conf.d/a-records.conf deleted file mode 100644 index 319d934..0000000 --- a/unbound/conf.d/a-records.conf +++ /dev/null @@ -1,5 +0,0 @@ -# A Record - #local-data: "somecomputer.local. A 192.168.1.1" - -# PTR Record - #local-data-ptr: "192.168.1.1 somecomputer.local." diff --git a/unbound/conf.d/srv-records.conf b/unbound/conf.d/srv-records.conf deleted file mode 100644 index fccdd51..0000000 --- a/unbound/conf.d/srv-records.conf +++ /dev/null @@ -1,2 +0,0 @@ -# SRV records -# _service._proto.name. | TTL | class | SRV | priority | weight | port | target. diff --git a/unbound/docker-entrypoint.sh b/unbound/docker-entrypoint.sh deleted file mode 100644 index bccd2d7..0000000 --- a/unbound/docker-entrypoint.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -eu - -# perform recursive resolution starting from DNS root servers: -curl -o /opt/unbound/etc/unbound/var/root.hints https://www.internic.net/domain/named.root - -# redirect logfile to stdout -rm /opt/unbound/etc/unbound/var/unbound.log -ln -sf /dev/stdout /opt/unbound/etc/unbound/var/unbound.log - -# hand over to container CMD (/unbound.sh) -exec "$@" From a9ee8019b4e8ebb15f5df5a927383edf06c92d1b Mon Sep 17 00:00:00 2001 From: Springcomp Date: Sat, 31 Jan 2026 21:20:04 +0100 Subject: [PATCH 7/7] simplified configuration: only override defaults --- unbound/conf.d/00-unbound.conf | 358 +-------------------------------- 1 file changed, 11 insertions(+), 347 deletions(-) diff --git a/unbound/conf.d/00-unbound.conf b/unbound/conf.d/00-unbound.conf index 94b7c81..2283164 100644 --- a/unbound/conf.d/00-unbound.conf +++ b/unbound/conf.d/00-unbound.conf @@ -1,350 +1,14 @@ - ########################################################################### - # BASIC SETTINGS - ########################################################################### + # Module configuration - disable subnetcache (not needed for local resolver) + module-config: "validator iterator" - # Module configuration - disable subnetcache (not needed for local resolver) - module-config: "validator iterator" + # Listen to for queries from clients and answer from this network interface + # and port. + interface: 0.0.0.0 + interface: ::1 + port: 53 - # Time to live maximum for RRsets and messages in the cache. If the maximum - # kicks in, responses to clients still get decrementing TTLs based on the - # original (larger) values. When the internal TTL expires, the cache item - # has expired. Can be set lower to force the resolver to query for data - # often, and not trust (very large) TTL values. - cache-max-ttl: 86400 + # Report this identity rather than the hostname of the server. + identity: "DNS" - # Time to live minimum for RRsets and messages in the cache. If the minimum - # kicks in, the data is cached for longer than the domain owner intended, - # and thus less queries are made to look up the data. Zero makes sure the - # data in the cache is as the domain owner intended, higher values, - # especially more than an hour or so, can lead to trouble as the data in - # the cache does not match up with the actual data any more. - cache-min-ttl: 300 - - - # Enable or disable whether IPv4 queries are answered or issued. - # Default: yes - do-ip4: yes - - # IPv6 is disabled for server use. - # Spamhaus and some DNSBL providers falsely flag IPv6 queries as “open resolver” activity, - # potentially blocking your server from their services. - # Only enable IPv6 if you’ve verified all your DNSBL providers support it properly. - do-ip6: no - - # Enable or disable whether TCP queries are answered or issued. - # Default: yes - do-tcp: yes - - # Enable or disable whether UDP queries are answered or issued. - # Default: yes - do-udp: yes - - # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer - # size. This is the value put into datagrams over UDP towards peers. - # The actual buffer size is determined by msg-buffer-size (both for TCP and - # UDP). Do not set higher than that value. - # Default is 1232 which is the DNS Flag Day 2020 recommendation. - # Setting to 512 bypasses even the most stringent path MTU problems, but - # is seen as extreme, since the amount of TCP fallback generated is - # excessive (probably also for this resolver, consider tuning the outgoing - # tcp number). - edns-buffer-size: 1232 - - # Listen to for queries from clients and answer from this network interface - # and port. - interface: 0.0.0.0 - interface: ::1 - port: 53 - - # If enabled, prefer IPv6 transport for sending DNS queries to internet - # nameservers. - # Default: yes - # You want to leave this to no unless you have *native* IPv6. With 6to4 and - # Terredo tunnels your web browser should favor IPv4 for the same reasons - prefer-ip6: no - - # Rotates RRSet order in response (the pseudo-random number is taken from - # the query ID, for speed and thread safety). - rrset-roundrobin: yes - - ########################################################################### - # LOGGING - ########################################################################### - - # Do not print log lines to inform about local zone actions - log-local-actions: no - - # Do not print one line per query to the log - log-queries: no - - # Do not print one line per reply to the log - log-replies: no - - # Do not print log lines that say why queries return SERVFAIL to clients - log-servfail: no - - # Set logging level - # Level 0: No verbosity, only errors. - # Level 1: Gives operational information. - # Level 2: Gives detailed operational information including short information per query. - # Level 3: Gives query level information, output per query. - # Level 4: Gives algorithm level information. - # Level 5: Logs client identification for cache misses. - verbosity: 0 - - ########################################################################### - # PERFORMANCE SETTINGS - ########################################################################### - # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ - # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ - - # Number of slabs in the infrastructure cache. Slabs reduce lock contention - # by threads. Must be set to a power of 2. - infra-cache-slabs: 4 - - # Number of incoming TCP buffers to allocate per thread. Default - # is 10. If set to 0, or if do-tcp is "no", no TCP queries from - # clients are accepted. For larger installations increasing this - # value is a good idea. - incoming-num-tcp: 10 - - # Number of slabs in the key cache. Slabs reduce lock contention by - # threads. Must be set to a power of 2. Setting (close) to the number - # of cpus is a reasonable guess. - key-cache-slabs: 4 - - # Number of bytes size of the message cache. - # Unbound recommendation is to Use roughly twice as much rrset cache memory - # as you use msg cache memory. - msg-cache-size: 142768128 - - # Number of slabs in the message cache. Slabs reduce lock contention by - # threads. Must be set to a power of 2. Setting (close) to the number of - # cpus is a reasonable guess. - msg-cache-slabs: 4 - - # The number of queries that every thread will service simultaneously. If - # more queries arrive that need servicing, and no queries can be jostled - # out (see jostle-timeout), then the queries are dropped. - # This is best set at half the number of the outgoing-range. - # This Unbound instance was compiled with libevent so it can efficiently - # use more than 1024 file descriptors. - num-queries-per-thread: 4096 - - # The number of threads to create to serve clients. - # This is set dynamically at run time to effectively use available CPUs - # resources - num-threads: 3 - - # Number of ports to open. This number of file descriptors can be opened - # per thread. - # This Unbound instance was compiled with libevent so it can efficiently - # use more than 1024 file descriptors. - outgoing-range: 8192 - - # Number of bytes size of the RRset cache. - # Use roughly twice as much rrset cache memory as msg cache memory - rrset-cache-size: 285536256 - - # Number of slabs in the RRset cache. Slabs reduce lock contention by - # threads. Must be set to a power of 2. - rrset-cache-slabs: 4 - - # Do no insert authority/additional sections into response messages when - # those sections are not required. This reduces response size - # significantly, and may avoid TCP fallback for some responses. This may - # cause a slight speedup. - minimal-responses: yes - - # # Fetch the DNSKEYs earlier in the validation process, when a DS record - # is encountered. This lowers the latency of requests at the expense of - # little more CPU usage. - prefetch: yes - - # Fetch the DNSKEYs earlier in the validation process, when a DS record is - # encountered. This lowers the latency of requests at the expense of little - # more CPU usage. - prefetch-key: yes - - # Have unbound attempt to serve old responses from cache with a TTL of 0 in - # the response without waiting for the actual resolution to finish. The - # actual resolution answer ends up in the cache later on. - serve-expired: yes - - # If not 0, then set the SO_RCVBUF socket option to get more buffer space on - # UDP port 53 incoming queries. So that short spikes on busy servers do not - # drop packets (see counter in netstat -su). Otherwise, the number of bytes - # to ask for, try “4m” on a busy server. - # The OS caps it at a maximum, on linux Unbound needs root permission to - # bypass the limit, or the admin can use sysctl net.core.rmem_max. - # Default: 0 (use system value) - # For example: sysctl -w net.core.rmem_max=4194304 - # To persist reboots, edit /etc/sysctl.conf to include: - # net.core.rmem_max=4194304 - # Larger socket buffer. OS may need config. - # Ensure kernel buffer is large enough to not lose messages in traffic spikes - #so-rcvbuf: 4m - - # Open dedicated listening sockets for incoming queries for each thread and - # try to set the SO_REUSEPORT socket option on each socket. May distribute - # incoming queries to threads more evenly. - so-reuseport: yes - - # If not 0, then set the SO_SNDBUF socket option to get more buffer space - # on UDP port 53 outgoing queries. - # Specify the number of bytes to ask for, try “4m” on a very busy server. - # The OS caps it at a maximum, on linux Unbound needs root permission to - # bypass the limit, or the admin can use sysctl net.core.wmem_max. - # For example: sysctl -w net.core.wmem_max=4194304 - # To persist reboots, edit /etc/sysctl.conf to include: - # net.core.wmem_max=4194304 - # Default: 0 (use system value) - # Larger socket buffer. OS may need config. - # Ensure kernel buffer is large enough to not lose messages in traffic spikes - so-sndbuf: 0 - - ########################################################################### - # PRIVACY SETTINGS - ########################################################################### - - # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other - # denials, using information from previous NXDO-MAINs answers. In other - # words, use cached NSEC records to generate negative answers within a - # range and positive answers from wildcards. This increases performance, - # decreases latency and resource utilization on both authoritative and - # recursive servers, and increases privacy. Also, it may help increase - # resilience to certain DoS attacks in some circumstances. - aggressive-nsec: yes - - # Extra delay for timeouted UDP ports before they are closed, in msec. - # This prevents very delayed answer packets from the upstream (recursive) - # servers from bouncing against closed ports and setting off all sort of - # close-port counters, with eg. 1500 msec. When timeouts happen you need - # extra sockets, it checks the ID and remote IP of packets, and unwanted - # packets are added to the unwanted packet counter. - delay-close: 10000 - - # Prevent the unbound server from forking into the background as a daemon - do-daemonize: no - - # Add localhost to the do-not-query-address list. - do-not-query-localhost: no - - # Number of bytes size of the aggressive negative cache. - neg-cache-size: 4M - - # Send minimum amount of information to upstream servers to enhance - # privacy (best privacy). - qname-minimisation: yes - - ########################################################################### - # SECURITY SETTINGS - ########################################################################### - # Only give access to recursion clients from LAN IPs - access-control: 10.0.0.0/8 allow - access-control: 127.0.0.1/32 allow - access-control: 172.16.0.0/12 allow - access-control: 192.168.0.0/16 allow - access-control: fc00::/7 allow - access-control: ::1/128 allow - - # root.hints enable unbound to perform recursive resolution - root-hints: "/usr/share/dns-root-hints/named.root" - - # Deny queries of type ANY with an empty response. - deny-any: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. - harden-algo-downgrade: yes - - # RFC 8020. returns nxdomain to queries for a name below another name that - # is already known to be nxdomain. - harden-below-nxdomain: yes - - # Require DNSSEC data for trust-anchored zones, if such data is absent, the - # zone becomes bogus. If turned off you run the risk of a downgrade attack - # that disables security for a zone. - harden-dnssec-stripped: yes - - # Only trust glue if it is within the servers authority. - harden-glue: yes - - # Ignore very large queries. - harden-large-queries: yes - - # Perform additional queries for infrastructure data to harden the referral - # path. Validates the replies if trust anchors are configured and the zones - # are signed. This enforces DNSSEC validation on nameserver NS sets and the - # nameserver addresses that are encountered on the referral path to the - # answer. Experimental option. - harden-referral-path: no - - # Ignore very small EDNS buffer sizes from queries. - harden-short-bufsize: yes - - # If enabled the HTTP header User-Agent is not set. Use with caution - # as some webserver configurations may reject HTTP requests lacking - # this header. If needed, it is better to explicitly set the - # the http-user-agent. - hide-http-user-agent: no - - # Refuse id.server and hostname.bind queries - hide-identity: yes - - # Refuse version.server and version.bind queries - hide-version: yes - - # Set the HTTP User-Agent header for outgoing HTTP requests. If - # set to "", the default, then the package name and version are - # used. - http-user-agent: "DNS" - - # Report this identity rather than the hostname of the server. - identity: "DNS" - - # These private network addresses are not allowed to be returned for public - # internet names. Any occurrence of such addresses are removed from DNS - # answers. Additionally, the DNSSEC validator may mark the answers bogus. - # This protects against DNS Rebinding - private-address: 10.0.0.0/8 - private-address: 169.254.0.0/16 - private-address: 172.16.0.0/12 - private-address: 192.168.0.0/16 - - private-address: fd00::/8 - private-address: fe80::/10 - private-address: ::ffff:0:0/96 - - # Enable ratelimiting of queries (per second) sent to nameserver for - # performing recursion. More queries are turned away with an error - # (servfail). This stops recursive floods (e.g., random query names), but - # not spoofed reflection floods. Cached responses are not rate limited by - # this setting. Experimental option. - ratelimit: 1000 - - # Use this certificate bundle for authenticating connections made to - # outside peers (e.g., auth-zone urls, DNS over TLS connections). - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - - # Set the total number of unwanted replies to eep track of in every thread. - # When it reaches the threshold, a defensive action of clearing the rrset - # and message caches is taken, hopefully flushing away any poison. - # Unbound suggests a value of 10 million. - unwanted-reply-threshold: 10000 - - # Use 0x20-encoded random bits in the query to foil spoof attempts. This - # perturbs the lowercase and uppercase of query names sent to authority - # servers and checks if the reply still has the correct casing. - # This feature is an experimental implementation of draft dns-0x20. - # Experimental option. - # Don't use Capitalization randomization as it known to cause DNSSEC issues - # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 - use-caps-for-id: yes - - # Help protect users that rely on this validator for authentication from - # potentially bad data in the additional section. Instruct the validator to - # remove data from the additional section of secure messages that are not - # signed properly. Messages that are insecure, bogus, indeterminate or - # unchecked are not affected. - val-clean-additional: yes + # root.hints enable unbound to perform recursive resolution + root-hints: "/usr/share/dns-root-hints/named.root"