Initial commit: CoreDNS caching resolver

Co-Authored-By: Claude <noreply@anthropic.com>

.gitignore

@@ -0,0 +1,11 @@
+# Secrets
+*.env
+secrets/
+*.pem
+*.key
+
+# Data volumes
+data/
+
+# Logs
+*.log

.launch.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+cd "$(dirname "$0")"
+
+# Git commit if message provided
+if [ -n "$1" ] && [ -d .git ]; then
+    git add -A
+    git commit -m "$1"
+    git push
+fi
+
+docker compose up -d --build

Corefile

@@ -0,0 +1,20 @@
+. {
+    # Cache responses (success and denial)
+    cache {
+        success 9984 300 3600
+        denial 9984 60 300
+        prefetch 10 1m 10%
+    }
+
+    # Forward to upstream DNS
+    forward . 1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4 {
+        policy random
+        health_check 30s
+    }
+
+    # Log errors only
+    errors
+
+    # Limit concurrent connections
+    bufsize 1232
+}

Dockerfile

@@ -0,0 +1,23 @@
+# Build CoreDNS from source
+FROM golang:latest AS builder
+
+RUN apt-get update && apt-get install -y git make && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+RUN git clone --depth 1 https://github.com/coredns/coredns.git .
+
+# Build static binary
+RUN CGO_ENABLED=0 make
+
+# Runtime image
+FROM ubuntu:latest
+
+RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /build/coredns /usr/local/bin/coredns
+COPY Corefile /etc/coredns/Corefile
+
+EXPOSE 53/udp 53/tcp
+
+ENTRYPOINT ["/usr/local/bin/coredns"]
+CMD ["-conf", "/etc/coredns/Corefile"]

docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  dns:
+    build: .
+    image: infra-dns
+    container_name: infra-dns
+    restart: unless-stopped
+    networks:
+      - proxy
+
+networks:
+  proxy:
+    external: true

unbound.conf

@@ -0,0 +1,69 @@
+server:
+    # Listen on all interfaces (inside container)
+    interface: 0.0.0.0
+    port: 53
+
+    # Allow queries from Docker networks
+    access-control: 10.0.0.0/8 allow
+    access-control: 172.16.0.0/12 allow
+    access-control: 192.168.0.0/16 allow
+    access-control: 127.0.0.0/8 allow
+
+    # Performance tuning for high-volume lookups
+    num-threads: 4
+    msg-cache-slabs: 8
+    rrset-cache-slabs: 8
+    infra-cache-slabs: 8
+    key-cache-slabs: 8
+
+    # Cache sizes (MB) - generous for domain crawling
+    msg-cache-size: 128m
+    rrset-cache-size: 256m
+    key-cache-size: 32m
+    neg-cache-size: 64m
+
+    # Cache TTL settings
+    cache-min-ttl: 300
+    cache-max-ttl: 86400
+    cache-max-negative-ttl: 300
+
+    # Prefetch popular entries before expiry
+    prefetch: yes
+    prefetch-key: yes
+
+    # Serve stale data while refreshing
+    serve-expired: yes
+    serve-expired-ttl: 86400
+
+    # Connection handling
+    so-reuseport: yes
+    outgoing-range: 8192
+    num-queries-per-thread: 4096
+
+    # Logging (minimal for performance)
+    verbosity: 1
+    log-queries: no
+    log-replies: no
+
+    # Security
+    hide-identity: yes
+    hide-version: yes
+    harden-glue: yes
+    harden-dnssec-stripped: yes
+    use-caps-for-id: yes
+
+    # Don't use system resolv.conf
+    do-not-query-localhost: no
+
+# Upstream DNS servers (forwarding mode for speed)
+forward-zone:
+    name: "."
+    forward-tls-upstream: yes
+
+    # Cloudflare DNS (fast, reliable)
+    forward-addr: 1.1.1.1@853#cloudflare-dns.com
+    forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+    # Google DNS (fallback)
+    forward-addr: 8.8.8.8@853#dns.google
+    forward-addr: 8.8.4.4@853#dns.google