From fb203db38c00ffc5d281daacaa7961c6f2293ad8 Mon Sep 17 00:00:00 2001
From: Matthew Sojourner Newton
Date: Wed, 24 Aug 2016 15:42:13 -0700
Subject: [PATCH] Added /opt/unbound/etc/unbound/zones directory and a section in the README discussing how to customize Unbound
---
 README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 unbound.sh | 6 +++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3544012..ebcab4f 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,53 @@ edit the [dnscrypt.csv](https://github.com/jedisct1/dnscrypt-proxy/blob/master/d file to add your resolver's informations, and submit a pull request to have it included in the list of public DNSCrypt resolvers! +Customizing Unbound +============ + +To add new configuration to Unbound, add files to the `/opt/unbound/etc/unbound/zones` +directory. All files ending in `.conf` will be processed. In this manner, you +can add any directives to the `server:` section of the Unbound configuration. + +Serve custom DNS records on a local network +------------------------------------------ +While Unbound is not a full authoritative name server, it supports resolving +custom entries in a way that is serviceable on a small, private LAN. You can use +unbound to resolve private hostnames such as `my-computer.example.com` within +your LAN. + +To support such custom entries using this image, first map a volume to the zones +directory. Add this to your `docker run` line: + + -v /myconfig/zones:/opt/unbound/etc/unbound/zones + +The whole command to create and initialize a container would look something like +this: + + $ docker run --name=dnscrypt-server \ + -v /myconfig/zones:/opt/unbound/etc/unbound/zones \ + -p 443:443/udp -p 443:443/tcp --net=host \ + jedisct1/unbound-dnscrypt-server init -N example.com + +Create a new `.conf` file: + + $ touch /myconfig/zones/example.conf + +Now, add one or more unbound directives to the file, such as: + + local-zone: "example.com." static + local-data: "my-computer.example.com. IN A 10.0.0.1" + local-data: "other-computer.example.com. IN A 10.0.0.2" + +Troubleshooting +--------------- + +If Unbound doesn't like one of the newly added directives, it +will probably not respond over the network. In that case, here are some commands +to work out what is wrong: + + $ docker logs dnscrypt + $ docker exec dnscrypt /opt/unbound/sbin/unbound-checkconf + Details ======= diff --git a/unbound.sh b/unbound.sh index 5c41c9e..da05672 100755 
--- a/unbound.sh
+++ b/unbound.sh
@@ -1,6 +1,7 @@
 #! /bin/sh
 KEYS_DIR="/opt/dnscrypt-wrapper/etc/keys"
+ZONES_DIR="/opt/unbound/etc/unbound/zones"
 reserved=12582912
 availableMemory=$((1024 * $( (fgrep MemAvailable /proc/meminfo || fgrep MemTotal /proc/meminfo) | sed 's/[^0-9]//g' ) ))
@@ -25,6 +26,7 @@ sed \
 -e "s/@PROVIDER_NAME@/${provider_name}/" \
 -e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
 -e "s/@THREADS@/${threads}/" \
+ -e "s/@ZONES_DIR@/${ZONES_DIR}" \
 > /opt/unbound/etc/unbound/unbound.conf << EOT
 server:
 verbosity: 1
@@ -77,7 +79,7 @@ server:
 local-zone: "test." static
 local-zone: "@PROVIDER_NAME@." refuse
- include: "/opt/unbound/etc/unbound/zones/*.conf"
+ include: "@ZONES_DIR@/*.conf"
 remote-control:
 control-enable: yes
@@ -96,4 +98,6 @@ if [ ! -f /opt/unbound/etc/unbound/unbound_control.pem ]; then
 /opt/unbound/sbin/unbound-control-setup
 fi
+mkdir -p /opt/unbound/etc/unbound/zones
+
 exec /opt/unbound/sbin/unbound
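Review bot: The added `-e "s/@ZONES_DIR@/${ZONES_DIR}" \` in the second unbound.sh hunk makes sed fail instead of substituting: the `s` command has no closing delimiter, and `${ZONES_DIR}` expands to a path made of `/` characters, so the expression is cut off after `s/@ZONES_DIR@//` and the remaining `opt/unbound/...` is read as unknown flags. The script runs under plain `/bin/sh` with no `set -e`, so the failure is not fatal; the `>` redirection has already truncated unbound.conf, which is then presumably left empty when the later `exec /opt/unbound/sbin/unbound` starts. Use a delimiter that cannot occur in the path and close it, `-e "s|@ZONES_DIR@|${ZONES_DIR}|" \`. The `sed \` command this line belongs to begins above the hunk and its heredoc input continues past it.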
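Review bot: `mkdir -p /opt/unbound/etc/unbound/zones` in the last hunk repeats the literal path that the first hunk just lifted into `ZONES_DIR`, so the created directory and the generated `include:` line can silently drift apart if either is edited; `mkdir -p "${ZONES_DIR}"` keeps them tied to one definition. A short comment above it, such as `# drop-in directory: every *.conf here is pulled into the server: section by the include: directive in unbound.conf`, would also tell the next maintainer why the directory must exist before unbound starts.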