From b367ec0ace533ee3f32bd16c70a5e7f7ab52f571 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Mon, 12 Jun 2017 23:48:27 +0200
Subject: [PATCH] Add Unbound as better DNSSEC enabled resolver

---
 data/Dockerfiles/unbound/Dockerfile | 21 ++++++
 data/Dockerfiles/unbound/docker-entrypoint.sh | 9 +++
 data/Dockerfiles/unbound/unbound.conf | 28 +++++++
 docker-compose.yml | 73 ++++++++++++++++---
 4 files changed, 119 insertions(+), 12 deletions(-)
 create mode 100644 data/Dockerfiles/unbound/Dockerfile
 create mode 100755 data/Dockerfiles/unbound/docker-entrypoint.sh
 create mode 100644 data/Dockerfiles/unbound/unbound.conf

diff --git a/data/Dockerfiles/unbound/Dockerfile b/data/Dockerfiles/unbound/Dockerfile
new file mode 100644
index 00000000..3a9d11af
--- /dev/null
+++ b/data/Dockerfiles/unbound/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:3.6
+
+LABEL maintainer "Andre Peters "
+
+RUN apk add --update --no-cache \
+ curl \
+ unbound \
+ bash \
+ openssl \
+ drill \
+ && curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
+ && chown root:unbound /etc/unbound \
+ && chmod 775 /etc/unbound
+
+COPY unbound.conf /etc/unbound/unbound.conf
+
+EXPOSE 53/udp 53/tcp
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/data/Dockerfiles/unbound/docker-entrypoint.sh b/data/Dockerfiles/unbound/docker-entrypoint.sh
new file mode 100755
index 00000000..6a705764
--- /dev/null
+++ b/data/Dockerfiles/unbound/docker-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+unbound-control-setup
+echo "Receiving anchor key..."
+/usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key
+echo "Receiving root hints..."
+curl -#o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
+
+exec "$@"
diff --git a/data/Dockerfiles/unbound/unbound.conf b/data/Dockerfiles/unbound/unbound.conf
new file mode 100644
index 00000000..d0986651
--- /dev/null
+++ b/data/Dockerfiles/unbound/unbound.conf
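Review bot: The build-time `curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache` in the RUN step has no `-f`/`--fail`, so an HTTP error page from internic would be written into root.hints and the build would still succeed with a bogus hints file baked into the image; use `curl -fsSLo /etc/unbound/root.hints https://www.internic.net/domain/named.cache` so the layer fails instead. `--update` is redundant next to `--no-cache` on the apk line. The image never switches `USER`, which is defensible only because unbound.conf in this same patch sets `username: unbound` so the daemon drops privileges after binding port 53, and because the entrypoint needs root to write into /etc/unbound — a comment above ENTRYPOINT such as `# runs as root: entrypoint writes anchor/hints into /etc/unbound; unbound itself drops to the unbound user (username: in unbound.conf)` would stop a later reader from adding a USER line that breaks the entrypoint.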
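Review bot: `curl -#o /etc/unbound/root.hints https://www.internic.net/domain/named.cache` overwrites the root hints shipped in the image on every container start without checking the result, so a 4xx/5xx body or a partial transfer replaces a known-good file and unbound is then exec'd against it; the script also has no `set -e`, so failures of `unbound-control-setup` or `unbound-anchor` are silently ignored. Download to a temporary name and replace only on success, keeping the baked-in copy as the fallback: `curl -fsSo /etc/unbound/root.hints.new https://www.internic.net/domain/named.cache && mv /etc/unbound/root.hints.new /etc/unbound/root.hints || echo "root hints update failed, keeping existing file"`. If `set -e` is added, note that per the unbound-anchor man page it exits 1 when it has written or updated the anchor (not only on error), so that call needs an explicit `|| true` or an exit-code check.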
@@ -0,0 +1,28 @@
+server:
+ verbosity: 2
+ interface: 0.0.0.0
+ interface: ::0
+ logfile: /dev/stdout
+ do-ip4: yes
+ do-ip6: yes
+ do-udp: yes
+ do-tcp: yes
+ do-daemonize: no
+ access-control: 172.22.1.0/24 allow
+ access-control: fd4d:6169:6c63:6f77::/64 allow
+ directory: "/etc/unbound"
+ username: unbound
+ auto-trust-anchor-file: trusted-key.key
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: fd00::/8
+ private-address: fe80::/10
+ root-hints: "/etc/unbound/root.hints"
+remote-control:
+ control-enable: yes
+ server-key-file: /etc/unbound/unbound_server.key
+ server-cert-file: /etc/unbound/unbound_server.pem
+ control-key-file: /etc/unbound/unbound_control.key
+ control-cert-file: /etc/unbound/unbound_control.pem
diff --git a/docker-compose.yml b/docker-compose.yml
index 5f325edb..a3c3b782 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,24 @@
 version: '2.1'
 services:
+
+ unbound-mailcow:
+ image: mailcow/unbound
+ command: /usr/sbin/unbound
+ depends_on:
+ mysql-mailcow:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD", "drill", "A", "servercow.de", "@127.0.0.1"]
+ interval: 10s
+ timeout: 30s
+ retries: 5
+ restart: always
+ networks:
+ mailcow-network:
+ ipv4_address: 172.22.1.254
+ aliases:
+ - bind9
+
 mysql-mailcow:
 image: mariadb:10.1
 healthcheck:
@@ -16,6 +35,9 @@ services:
 - MYSQL_USER=${DBUSER}
 - MYSQL_PASSWORD=${DBPASS}
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 networks:
 mailcow-network:
 aliases:
@@ -24,11 +46,13 @@ services:
 redis-mailcow:
 image: redis:alpine
 depends_on:
- mysql-mailcow:
- condition: service_healthy
+ - unbound-mailcow
 volumes:
 - redis-vol-1:/data/
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 networks:
 mailcow-network:
 aliases:
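Review bot: The `remote-control:` section turns on `control-enable: yes` without a `control-interface`, so it relies on unbound's default of listening on loopback only; since the server itself binds `interface: 0.0.0.0` and `interface: ::0` and is gated solely by the two `access-control ... allow` rules (anything else is refused by default), making the control socket scope explicit with `control-interface: 127.0.0.1` documents that it is not reachable from the allowed subnets. The server block also omits `hide-identity: yes` and `hide-version: yes`, so `id.server`/`version.bind` CHAOS queries from any allowed client reveal the resolver software and version; both lines belong next to `username: unbound`. `auto-trust-anchor-file: trusted-key.key` presumably requires the unbound user to rewrite that file during RFC 5011 rollovers, which would explain the group-writable /etc/unbound set up elsewhere in the patch — a one-line `# unbound must be able to rewrite trusted-key.key (RFC 5011)` comment would keep someone from tightening the permissions later.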
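Review bot: The new `unbound-mailcow` service declares `image: mailcow/unbound` but no `build:` entry, unlike the other services in this file that are built from `data/Dockerfiles/*` (clamd, sogo, dovecot, postfix and acme all carry `build:` in the hunks below), so `docker-compose build`/`up --build` will not build the Dockerfile this patch adds and will try to pull `mailcow/unbound` from the registry instead; add `build: ./data/Dockerfiles/unbound` under `image:`. The healthcheck `drill A servercow.de @127.0.0.1` ties the resolver's health to a third-party domain and to Internet reachability, so an upstream outage marks the container unhealthy even while it still serves cached answers — either accept that explicitly in a comment or probe something that does not need the network. The `depends_on: mysql-mailcow: condition: service_healthy` on a DNS resolver reads as an ordering device so the services that now depend on unbound still wait for the database; if that is the intent, a comment saying so would prevent it from being "cleaned up".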
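Review bot: Replacing `mysql-mailcow: condition: service_healthy` with a bare `- unbound-mailcow` in redis's `depends_on` means redis now waits only for the unbound container to be started, not for it to answer queries; the unbound entrypoint in this patch fetches the trust anchor and root hints over the network before it exec's the daemon, so a dependent started in that window gets resolution failures for its first lookups. The file already uses the long `depends_on` form with the 2.1 format, so `unbound-mailcow: condition: service_healthy` keeps startup ordering tied to the healthcheck the same commit defines. The same bare-list replacement is applied to sogo, dovecot, postfix and memcached in the later hunks.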
@@ -38,6 +62,9 @@ services:
 image: mailcow/clamd
 build: ./data/Dockerfiles/clamav
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 networks:
 mailcow-network:
 aliases:
@@ -52,8 +79,7 @@ services:
 /usr/bin/rspamd -f -u _rspamd -g _rspamd
 "
 depends_on:
- nginx-mailcow:
- condition: service_healthy
+ - nginx-mailcow
 volumes:
 - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:ro
 - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:ro
@@ -61,6 +87,9 @@ services:
 - dkim-vol-1:/data/dkim
 - rspamd-vol-1:/var/lib/rspamd
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 hostname: rspamd
 networks:
 mailcow-network:
@@ -84,6 +113,9 @@ services:
 - DBPASS=${DBPASS}
 - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 networks:
 mailcow-network:
 aliases:
@@ -93,8 +125,7 @@ services:
 image: mailcow/sogo
 build: ./data/Dockerfiles/sogo
 depends_on:
- mysql-mailcow:
- condition: service_healthy
+ - unbound-mailcow
 environment:
 - DBNAME=${DBNAME}
 - DBUSER=${DBUSER}
@@ -103,6 +134,9 @@ services:
 volumes:
 - ./data/conf/sogo/:/etc/sogo/
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 networks:
 mailcow-network:
 ipv4_address: 172.22.1.252
@@ -113,8 +147,7 @@ services:
 image: mailcow/dovecot
 build: ./data/Dockerfiles/dovecot
 depends_on:
- mysql-mailcow:
- condition: service_healthy
+ - unbound-mailcow
 volumes:
 - ./data/conf/dovecot:/usr/local/etc/dovecot
 - ./data/assets/ssl:/etc/ssl/mail/:ro
@@ -132,6 +165,9 @@ services:
 - "${POPS_PORT:-995}:995"
 - "${SIEVE_PORT:-4190}:4190"
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 hostname: ${MAILCOW_HOSTNAME}
 networks:
 mailcow-network:
@@ -142,8 +178,7 @@ services:
 image: mailcow/postfix
 build: ./data/Dockerfiles/postfix
 depends_on:
- mysql-mailcow:
- condition: service_healthy
+ - unbound-mailcow
 volumes:
 - ./data/conf/postfix:/opt/postfix/conf
 - ./data/assets/ssl:/etc/ssl/mail/:ro
@@ -158,6 +193,9 @@ services:
 - "${SMTPS_PORT:-465}:465"
 - "${SUBMISSION_PORT:-587}:587"
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 hostname: ${MAILCOW_HOSTNAME}
 networks:
 mailcow-network:
@@ -167,9 +205,11 @@ services:
 memcached-mailcow:
 image: memcached:alpine
 depends_on:
- mysql-mailcow:
- condition: service_healthy
+ - unbound-mailcow
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 networks:
 mailcow-network:
 aliases:
@@ -202,6 +242,9 @@ services:
 - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
 - "${HTTP_BIND:-127.0.0.1}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 networks:
 mailcow-network:
 ipv4_address: 172.22.1.251
@@ -213,6 +256,9 @@ services:
 - nginx-mailcow
 image: mailcow/acme
 build: ./data/Dockerfiles/acme
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 # All domains to be included in the certificate
 environment:
 - CONTAINERS_RESTART=mailcowdockerized_postfix-mailcow_1 mailcowdockerized_dovecot-mailcow_1 mailcowdockerized_nginx-mailcow_1
@@ -239,6 +285,9 @@ services:
 - sogo-mailcow
 - php-fpm-mailcow
 restart: always
+ dns:
+ - 172.22.1.254
+ dns_search: mailcow-network
 privileged: true
 network_mode: "host"
 volumes: