commit 93740d7bca347e51eeb076156f63dc2d5ac748e3 Author: primal Date: Sun Feb 1 14:43:18 2026 -0500 Initial commit: CoreDNS caching resolver Co-Authored-By: Claude
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ac5d1a0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+# Secrets
+*.env
+secrets/
+*.pem
+*.key
+
+# Data volumes
+data/
+
+# Logs
+*.log
diff --git a/.launch.sh b/.launch.sh
new file mode 100755
index 0000000..456a5a5
--- /dev/null
+++ b/.launch.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+cd "$(dirname "$0")"
+
+# Git commit if message provided
+if [ -n "$1" ] && [ -d .git ]; then
+ git add -A
+ git commit -m "$1"
+ git push
+fi
+
+docker compose up -d --build
diff --git a/Corefile b/Corefile
new file mode 100644
index 0000000..0b289de
--- /dev/null
+++ b/Corefile
@@ -0,0 +1,20 @@
+. {
+ # Cache responses (success and denial)
+ cache {
+ success 9984 300 3600
+ denial 9984 60 300
+ prefetch 10 1m 10%
+ }
+
+ # Forward to upstream DNS
+ forward . 1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4 {
+ policy random
+ health_check 30s
+ }
+
+ # Log errors only
+ errors
+
+ # Limit concurrent connections
+ bufsize 1232
+}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..bad3cee
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,23 @@
+# Build CoreDNS from source
+FROM golang:latest AS builder
+
+RUN apt-get update && apt-get install -y git make && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+RUN git clone --depth 1 https://github.com/coredns/coredns.git .
+
+# Build static binary
+RUN CGO_ENABLED=0 make
+
+# Runtime image
+FROM ubuntu:latest
+
+RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /build/coredns /usr/local/bin/coredns
+COPY Corefile /etc/coredns/Corefile
+
+EXPOSE 53/udp 53/tcp
+
+ENTRYPOINT ["/usr/local/bin/coredns"]
+CMD ["-conf", "/etc/coredns/Corefile"]
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..79cf26a
--- /dev/null
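Review bot: `git add -A` in .launch.sh stages every unignored file in the working tree before the automatic `git push`, so the .gitignore pattern list is the only thing keeping a stray credential or data file out of the remote; `git add -u` would confine the auto-commit to already-tracked files, or at least echo `git status --short` before committing so the operator sees what is going out. A `git push` with no upstream configured also aborts the script under `set -e` before `docker compose up -d --build` runs, which may be intended but deserves a comment such as `# a failed push aborts the deploy on purpose`.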
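Review bot: The comment above `bufsize 1232` in Corefile does not describe the directive: bufsize sets the EDNS0 UDP buffer size advertised on queries, not a concurrency limit, so `# Advertise a 1232-byte EDNS0 UDP buffer to avoid IP fragmentation` is the accurate wording. The `forward` block also sends every upstream query in cleartext on port 53, while the unbound.conf added in the same commit uses DNS-over-TLS for the same four resolvers; CoreDNS can do the same with `forward . tls://1.1.1.1 tls://1.0.0.1 tls://8.8.8.8 tls://8.8.4.4 { ... }`. `tls_servername` takes a single name per forward block, so mixing two providers in one block relies on their certificates carrying IP SANs — confirm that before depending on it, or keep one provider per block.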
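Review bot: Both stages build from floating tags (`FROM golang:latest`, `FROM ubuntu:latest`) and the builder clones whatever the CoreDNS default branch points at when the image is built, so the resolver binary is not reproducible and silently changes on every `--build`; pin the base-image tags and check out a release tag with `--branch`. The runtime stage also has no `USER`, so coredns runs as root; a system user switched to before `ENTRYPOINT` is sufficient on Docker Engine 20.10+, where unprivileged binds to port 53 are allowed by default, while other runtimes may need `NET_BIND_SERVICE` granted. Since the binary is built with `CGO_ENABLED=0`, a distroless/static base would also replace `ubuntu`, which exists here only to supply `ca-certificates`.
```dockerfile
# Build CoreDNS from source
ARG GO_VERSION=<pin-to-a-specific-golang-tag>
FROM golang:${GO_VERSION} AS builder
# … unchanged: apt-get install git make …
WORKDIR /build
# Check out a release tag, not whatever the default branch holds at build time
ARG COREDNS_VERSION=<pin-to-a-coredns-release-tag>
RUN git clone --depth 1 --branch "${COREDNS_VERSION}" https://github.com/coredns/coredns.git .
# … unchanged: make, runtime FROM (pin its tag too), apt-get, COPY lines …
# Run the resolver unprivileged; binding 53 as non-root is allowed on Docker Engine 20.10+
RUN groupadd --system coredns && useradd --system --gid coredns --no-create-home coredns
USER coredns
EXPOSE 53/udp 53/tcp
# … unchanged: ENTRYPOINT / CMD …
```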
+++ b/docker-compose.yml
@@ -0,0 +1,12 @@
+services:
+ dns:
+ build: .
+ image: infra-dns
+ container_name: infra-dns
+ restart: unless-stopped
+ networks:
+ - proxy
+
+networks:
+ proxy:
+ external: true
diff --git a/unbound.conf b/unbound.conf
new file mode 100644
index 0000000..31353fc
--- /dev/null
+++ b/unbound.conf
@@ -0,0 +1,69 @@
+server:
+ # Listen on all interfaces (inside container)
+ interface: 0.0.0.0
+ port: 53
+
+ # Allow queries from Docker networks
+ access-control: 10.0.0.0/8 allow
+ access-control: 172.16.0.0/12 allow
+ access-control: 192.168.0.0/16 allow
+ access-control: 127.0.0.0/8 allow
+
+ # Performance tuning for high-volume lookups
+ num-threads: 4
+ msg-cache-slabs: 8
+ rrset-cache-slabs: 8
+ infra-cache-slabs: 8
+ key-cache-slabs: 8
+
+ # Cache sizes (MB) - generous for domain crawling
+ msg-cache-size: 128m
+ rrset-cache-size: 256m
+ key-cache-size: 32m
+ neg-cache-size: 64m
+
+ # Cache TTL settings
+ cache-min-ttl: 300
+ cache-max-ttl: 86400
+ cache-max-negative-ttl: 300
+
+ # Prefetch popular entries before expiry
+ prefetch: yes
+ prefetch-key: yes
+
+ # Serve stale data while refreshing
+ serve-expired: yes
+ serve-expired-ttl: 86400
+
+ # Connection handling
+ so-reuseport: yes
+ outgoing-range: 8192
+ num-queries-per-thread: 4096
+
+ # Logging (minimal for performance)
+ verbosity: 1
+ log-queries: no
+ log-replies: no
+
+ # Security
+ hide-identity: yes
+ hide-version: yes
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ use-caps-for-id: yes
+
+ # Don't use system resolv.conf
+ do-not-query-localhost: no
+
+# Upstream DNS servers (forwarding mode for speed)
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+
+ # Cloudflare DNS (fast, reliable)
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
+ forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+ # Google DNS (fallback)
+ forward-addr: 8.8.8.8@853#dns.google
+ forward-addr: 8.8.4.4@853#dns.google
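Review bot: The `dns` service in docker-compose.yml gets no hardening beyond its network placement: it keeps the default capability set and a writable root filesystem, although the resolver only needs to bind port 53 and read its Corefile. `cap_drop: [ALL]`, `cap_add: [NET_BIND_SERVICE]` and `read_only: true` under the service would fit, plus `security_opt` with `no-new-privileges:true` once the image drops root. Not publishing a host port is what keeps this from being an open resolver, which is worth recording next to the `networks` key, e.g. `# no ports: published on purpose; only containers on the proxy network can query this resolver`. Indentation is flattened on this page, so the nesting of the keys could not be checked.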
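Review bot: Nothing in this commit reads unbound.conf — the Dockerfile builds CoreDNS and copies only Corefile — so the file is dead configuration and should either be dropped or carry a header stating its role, e.g. `# Not used by the image (which ships CoreDNS); kept as an alternative Unbound setup`. If it is kept, `forward-tls-upstream: yes` with the `#cloudflare-dns.com` / `#dns.google` auth names authenticates nothing unless the `server:` section also loads a CA bundle (`tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt` or `tls-system-cert-bundle: yes`), so the TLS upstreams would be unverified as written. The comment `# Don't use system resolv.conf` above `do-not-query-localhost: no` is also wrong: that option only controls whether Unbound may send queries to loopback addresses, and Unbound does not read resolv.conf for its upstreams; `# Permit forwarding to upstreams on loopback (unrelated to resolv.conf)` describes it. `cache-min-ttl: 300` additionally overrides any record TTL shorter than five minutes, a deliberate freshness trade-off that the `# Cache TTL settings` comment should name.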