forked from MatthewVance/unbound-docker
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request MatthewVance#54 from mxmartins/master
Update Unbound to 1.13.0
- Loading branch information
Showing
6 changed files
with
556 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,147 @@ | ||
FROM debian:buster as openssl | ||
LABEL maintainer="Matthew Vance" | ||
|
||
ENV VERSION_OPENSSL=openssl-1.1.1h \ | ||
SHA256_OPENSSL=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 \ | ||
SOURCE_OPENSSL=https://www.openssl.org/source/ \ | ||
OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491 | ||
|
||
WORKDIR /tmp/src | ||
|
||
RUN set -e -x && \ | ||
build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \ | ||
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \ | ||
$build_deps && \ | ||
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \ | ||
echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \ | ||
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \ | ||
GNUPGHOME="$(mktemp -d)" && \ | ||
export GNUPGHOME && \ | ||
( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" \ | ||
|| gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" ) && \ | ||
gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \ | ||
tar xzf openssl.tar.gz && \ | ||
cd $VERSION_OPENSSL && \ | ||
./config \ | ||
--prefix=/opt/openssl \ | ||
--openssldir=/opt/openssl \ | ||
no-weak-ssl-ciphers \ | ||
no-ssl3 \ | ||
no-shared \ | ||
enable-ec_nistp_64_gcc_128 \ | ||
-DOPENSSL_NO_HEARTBEATS \ | ||
-fstack-protector-strong && \ | ||
make depend && \ | ||
make && \ | ||
make install_sw && \ | ||
apt-get purge -y --auto-remove \ | ||
$build_deps && \ | ||
rm -rf \ | ||
/tmp/* \ | ||
/var/tmp/* \ | ||
/var/lib/apt/lists/* | ||
|
||
FROM debian:buster as unbound | ||
LABEL maintainer="Matthew Vance" | ||
|
||
ENV NAME=unbound \ | ||
UNBOUND_VERSION=1.13.0 \ | ||
UNBOUND_SHA256=a954043a95b0326ca4037e50dace1f3a207a0a19e9a4a22f4c6718fc623db2a1 \ | ||
UNBOUND_DOWNLOAD_URL=https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0.tar.gz | ||
|
||
WORKDIR /tmp/src | ||
|
||
COPY --from=openssl /opt/openssl /opt/openssl | ||
|
||
RUN build_deps="curl gcc libc-dev libevent-dev libexpat1-dev libnghttp2-dev make" && \ | ||
set -x && \ | ||
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \ | ||
$build_deps \ | ||
bsdmainutils \ | ||
ca-certificates \ | ||
ldnsutils \ | ||
libevent-2.1-6 \ | ||
libexpat1 && \ | ||
curl -sSL $UNBOUND_DOWNLOAD_URL -o unbound.tar.gz && \ | ||
echo "${UNBOUND_SHA256} *unbound.tar.gz" | sha256sum -c - && \ | ||
tar xzf unbound.tar.gz && \ | ||
rm -f unbound.tar.gz && \ | ||
cd unbound-1.13.0 && \ | ||
groupadd _unbound && \ | ||
useradd -g _unbound -s /etc -d /dev/null _unbound && \ | ||
./configure \ | ||
--disable-dependency-tracking \ | ||
--prefix=/opt/unbound \ | ||
--with-pthreads \ | ||
--with-username=_unbound \ | ||
--with-ssl=/opt/openssl \ | ||
--with-libevent \ | ||
--with-libnghttp2 \ | ||
--enable-tfo-server \ | ||
--enable-tfo-client \ | ||
--enable-event-api && \ | ||
make install && \ | ||
mv /opt/unbound/etc/unbound/unbound.conf /opt/unbound/etc/unbound/unbound.conf.example && \ | ||
apt-get purge -y --auto-remove \ | ||
$build_deps && \ | ||
rm -rf \ | ||
/opt/unbound/share/man \ | ||
/tmp/* \ | ||
/var/tmp/* \ | ||
/var/lib/apt/lists/* | ||
|
||
|
||
FROM debian:buster | ||
LABEL maintainer="Matthew Vance" | ||
|
||
ENV NAME=unbound \ | ||
VERSION=1.2 \ | ||
SUMMARY="${NAME} is a validating, recursive, and caching DNS resolver." \ | ||
DESCRIPTION="${NAME} is a validating, recursive, and caching DNS resolver." | ||
|
||
LABEL summary="${SUMMARY}" \ | ||
description="${DESCRIPTION}" \ | ||
io.k8s.description="${DESCRIPTION}" \ | ||
io.k8s.display-name="Unbound ${UNBOUND_VERSION}" \ | ||
name="mvance/${NAME}" \ | ||
maintainer="Matthew Vance" | ||
|
||
WORKDIR /tmp/src | ||
|
||
COPY --from=unbound /opt /opt | ||
|
||
RUN set -x && \ | ||
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \ | ||
bsdmainutils \ | ||
ca-certificates \ | ||
ldnsutils \ | ||
libevent-2.1-6 \ | ||
libnghttp2-14 \ | ||
libexpat1 && \ | ||
groupadd _unbound && \ | ||
useradd -g _unbound -s /etc -d /dev/null _unbound && \ | ||
apt-get purge -y --auto-remove \ | ||
$build_deps && \ | ||
rm -rf \ | ||
/opt/unbound/share/man \ | ||
/tmp/* \ | ||
/var/tmp/* \ | ||
/var/lib/apt/lists/* | ||
|
||
COPY a-records.conf /opt/unbound/etc/unbound/ | ||
COPY forward-records.conf /opt/unbound/etc/unbound/ | ||
COPY srv-records.conf /opt/unbound/etc/unbound/ | ||
COPY unbound.sh / | ||
|
||
RUN chmod +x /unbound.sh | ||
|
||
WORKDIR /opt/unbound/ | ||
|
||
ENV PATH /opt/unbound/sbin:"$PATH" | ||
|
||
EXPOSE 53/tcp | ||
EXPOSE 53/udp | ||
|
||
HEALTHCHECK --interval=5s --timeout=3s --start-period=5s CMD drill @127.0.0.1 cloudflare.com || exit 1 | ||
|
||
CMD ["/unbound.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# A Record | ||
#local-data: "somecomputer.local. A 192.168.1.1" | ||
|
||
# PTR Record | ||
#local-data-ptr: "192.168.1.1 somecomputer.local." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
forward-zone: | ||
# Forward all queries (except those in cache and local zone) to | ||
# upstream recursive servers | ||
name: "." | ||
# Queries to this forward zone use TLS | ||
forward-tls-upstream: yes | ||
|
||
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers | ||
|
||
## Cloudflare | ||
forward-addr: 1.1.1.1@853#cloudflare-dns.com | ||
forward-addr: 1.0.0.1@853#cloudflare-dns.com | ||
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com | ||
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com | ||
|
||
## CleanBrowsing Security Filter | ||
# forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org | ||
# forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org | ||
# forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org | ||
# forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org | ||
|
||
## CleanBrowsing Adult Filter | ||
# forward-addr: 185.228.168.10@853#adult-filter-dns.cleanbrowsing.org | ||
# forward-addr: 185.228.169.11@853#adult-filter-dns.cleanbrowsing.org | ||
# forward-addr: 2a0d:2a00:1::1@853#adult-filter-dns.cleanbrowsing.org | ||
# forward-addr: 2a0d:2a00:2::1@853#adult-filter-dns.cleanbrowsing.org | ||
|
||
## CleanBrowsing Family Filter | ||
# forward-addr: 185.228.168.168@853#family-filter-dns.cleanbrowsing.org | ||
# forward-addr: 185.228.169.168@853#family-filter-dns.cleanbrowsing.org | ||
# forward-addr: 2a0d:2a00:1::@853#family-filter-dns.cleanbrowsing.org | ||
# forward-addr: 2a0d:2a00:2::@853#family-filter-dns.cleanbrowsing.org | ||
|
||
## Quad9 | ||
# forward-addr: 9.9.9.9@853#dns.quad9.net | ||
# forward-addr: 149.112.112.112@853#dns.quad9.net | ||
# forward-addr: 2620:fe::fe@853#dns.quad9.net | ||
# forward-addr: 2620:fe::9@853#dns.quad9.net | ||
|
||
## getdnsapi.net | ||
# forward-addr: 185.49.141.37@853#getdnsapi.net | ||
# forward-addr: 2a04:b900:0:100::37@853#getdnsapi.net | ||
|
||
## Surfnet | ||
# forward-addr: 145.100.185.15@853#dnsovertls.sinodun.com | ||
# forward-addr: 145.100.185.16@853#dnsovertls1.sinodun.com | ||
# forward-addr: 2001:610:1:40ba:145:100:185:15@853#dnsovertls.sinodun.com | ||
# forward-addr: 2001:610:1:40ba:145:100:185:16@853#dnsovertls1.sinodun.com |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
# SRV records | ||
# _service._proto.name. | TTL | class | SRV | priority | weight | port | target. |
Oops, something went wrong.