Skip to content

Commit

Permalink
Merge pull request MatthewVance#54 from mxmartins/master
Browse files Browse the repository at this point in the history
Update Unbound to 1.13.0
  • Loading branch information
MatthewVance authored Dec 22, 2020
2 parents 9e56b9d + c09ed96 commit 1ae1c32
Show file tree
Hide file tree
Showing 6 changed files with 556 additions and 1 deletion.
147 changes: 147 additions & 0 deletions 1.13.0/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
FROM debian:buster as openssl
LABEL maintainer="Matthew Vance"

ENV VERSION_OPENSSL=openssl-1.1.1h \
SHA256_OPENSSL=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 \
SOURCE_OPENSSL=https://www.openssl.org/source/ \
OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491

WORKDIR /tmp/src

RUN set -e -x && \
build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
$build_deps && \
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \
echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \
GNUPGHOME="$(mktemp -d)" && \
export GNUPGHOME && \
( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" \
|| gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" ) && \
gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \
tar xzf openssl.tar.gz && \
cd $VERSION_OPENSSL && \
./config \
--prefix=/opt/openssl \
--openssldir=/opt/openssl \
no-weak-ssl-ciphers \
no-ssl3 \
no-shared \
enable-ec_nistp_64_gcc_128 \
-DOPENSSL_NO_HEARTBEATS \
-fstack-protector-strong && \
make depend && \
make && \
make install_sw && \
apt-get purge -y --auto-remove \
$build_deps && \
rm -rf \
/tmp/* \
/var/tmp/* \
/var/lib/apt/lists/*

FROM debian:buster as unbound
LABEL maintainer="Matthew Vance"

ENV NAME=unbound \
UNBOUND_VERSION=1.13.0 \
UNBOUND_SHA256=a954043a95b0326ca4037e50dace1f3a207a0a19e9a4a22f4c6718fc623db2a1 \
UNBOUND_DOWNLOAD_URL=https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0.tar.gz

WORKDIR /tmp/src

COPY --from=openssl /opt/openssl /opt/openssl

RUN build_deps="curl gcc libc-dev libevent-dev libexpat1-dev libnghttp2-dev make" && \
set -x && \
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
$build_deps \
bsdmainutils \
ca-certificates \
ldnsutils \
libevent-2.1-6 \
libexpat1 && \
curl -sSL $UNBOUND_DOWNLOAD_URL -o unbound.tar.gz && \
echo "${UNBOUND_SHA256} *unbound.tar.gz" | sha256sum -c - && \
tar xzf unbound.tar.gz && \
rm -f unbound.tar.gz && \
cd unbound-1.13.0 && \
groupadd _unbound && \
useradd -g _unbound -s /etc -d /dev/null _unbound && \
./configure \
--disable-dependency-tracking \
--prefix=/opt/unbound \
--with-pthreads \
--with-username=_unbound \
--with-ssl=/opt/openssl \
--with-libevent \
--with-libnghttp2 \
--enable-tfo-server \
--enable-tfo-client \
--enable-event-api && \
make install && \
mv /opt/unbound/etc/unbound/unbound.conf /opt/unbound/etc/unbound/unbound.conf.example && \
apt-get purge -y --auto-remove \
$build_deps && \
rm -rf \
/opt/unbound/share/man \
/tmp/* \
/var/tmp/* \
/var/lib/apt/lists/*


FROM debian:buster
LABEL maintainer="Matthew Vance"

ENV NAME=unbound \
VERSION=1.2 \
SUMMARY="${NAME} is a validating, recursive, and caching DNS resolver." \
DESCRIPTION="${NAME} is a validating, recursive, and caching DNS resolver."

LABEL summary="${SUMMARY}" \
description="${DESCRIPTION}" \
io.k8s.description="${DESCRIPTION}" \
io.k8s.display-name="Unbound ${UNBOUND_VERSION}" \
name="mvance/${NAME}" \
maintainer="Matthew Vance"

WORKDIR /tmp/src

COPY --from=unbound /opt /opt

RUN set -x && \
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
bsdmainutils \
ca-certificates \
ldnsutils \
libevent-2.1-6 \
libnghttp2-14 \
libexpat1 && \
groupadd _unbound && \
useradd -g _unbound -s /etc -d /dev/null _unbound && \
apt-get purge -y --auto-remove \
$build_deps && \
rm -rf \
/opt/unbound/share/man \
/tmp/* \
/var/tmp/* \
/var/lib/apt/lists/*

COPY a-records.conf /opt/unbound/etc/unbound/
COPY forward-records.conf /opt/unbound/etc/unbound/
COPY srv-records.conf /opt/unbound/etc/unbound/
COPY unbound.sh /

RUN chmod +x /unbound.sh

WORKDIR /opt/unbound/

ENV PATH /opt/unbound/sbin:"$PATH"

EXPOSE 53/tcp
EXPOSE 53/udp

HEALTHCHECK --interval=5s --timeout=3s --start-period=5s CMD drill @127.0.0.1 cloudflare.com || exit 1

CMD ["/unbound.sh"]
5 changes: 5 additions & 0 deletions 1.13.0/a-records.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# A Record
#local-data: "somecomputer.local. A 192.168.1.1"

# PTR Record
#local-data-ptr: "192.168.1.1 somecomputer.local."
48 changes: 48 additions & 0 deletions 1.13.0/forward-records.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
forward-zone:
# Forward all queries (except those in cache and local zone) to
# upstream recursive servers
name: "."
# Queries to this forward zone use TLS
forward-tls-upstream: yes

# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

## Cloudflare
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

## CleanBrowsing Security Filter
# forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
# forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
# forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
# forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org

## CleanBrowsing Adult Filter
# forward-addr: 185.228.168.10@853#adult-filter-dns.cleanbrowsing.org
# forward-addr: 185.228.169.11@853#adult-filter-dns.cleanbrowsing.org
# forward-addr: 2a0d:2a00:1::1@853#adult-filter-dns.cleanbrowsing.org
# forward-addr: 2a0d:2a00:2::1@853#adult-filter-dns.cleanbrowsing.org

## CleanBrowsing Family Filter
# forward-addr: 185.228.168.168@853#family-filter-dns.cleanbrowsing.org
# forward-addr: 185.228.169.168@853#family-filter-dns.cleanbrowsing.org
# forward-addr: 2a0d:2a00:1::@853#family-filter-dns.cleanbrowsing.org
# forward-addr: 2a0d:2a00:2::@853#family-filter-dns.cleanbrowsing.org

## Quad9
# forward-addr: 9.9.9.9@853#dns.quad9.net
# forward-addr: 149.112.112.112@853#dns.quad9.net
# forward-addr: 2620:fe::fe@853#dns.quad9.net
# forward-addr: 2620:fe::9@853#dns.quad9.net

## getdnsapi.net
# forward-addr: 185.49.141.37@853#getdnsapi.net
# forward-addr: 2a04:b900:0:100::37@853#getdnsapi.net

## Surfnet
# forward-addr: 145.100.185.15@853#dnsovertls.sinodun.com
# forward-addr: 145.100.185.16@853#dnsovertls1.sinodun.com
# forward-addr: 2001:610:1:40ba:145:100:185:15@853#dnsovertls.sinodun.com
# forward-addr: 2001:610:1:40ba:145:100:185:16@853#dnsovertls1.sinodun.com
2 changes: 2 additions & 0 deletions 1.13.0/srv-records.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# SRV records
# _service._proto.name. | TTL | class | SRV | priority | weight | port | target.
Loading

0 comments on commit 1ae1c32

Please sign in to comment.