Friday, 25 February 2022
Show HN: Open-Source Unbound DNS Resolver Docker Image https://ift.tt/5xRcHI4
Show HN: Open-Source Unbound DNS Resolver Docker Image Hey Hacker News! I am madnuttah, I am a Windows/Linux Sysadmin and some folks may remember this username for "niche" mods I've made for Fallout and Skyrim and some C# UWP Windows Store Apps which I've retired because of Microsoft's unclear strategy abandoning things from one day to another. Why am I writing this? I wanted to be independent from the DNS servers of my provider, because they have often shined brightly with problems in the past instead of functioning properly, wanted to have a little bit more privacy and freedom back by fighting censorship via DNS, so I built my own Unbound Docker image with a lot of effort and conscientiousness. Because I think it's worth it, I'd like to share my efforts with you. My life taught me that trust must be earned, you never know what was fiddled into and what was tampered with. This image is therefore entirely built online using workflows in a GitHub action, uses the very lean Alpine Linux with all its security features and Unbound directly queries a local copy of the root zone, which is kept up-to-date using DNS zone transfers (XFR). Instead of occupying a few hundred megabytes on your harddisk, my image is only about 30 megabytes uncompressed in size. The separate components Libevent and OpenSSL3 are compiled in the build process in their separate workflows and all the downloads, even the Internic files (root.hints and root.zone) are checked using their PGP keys and signature files if available, following my zero-trust policy. Unbound is compiled with hardening security features that most images do not include, such as PIE (Position Independent Executables), which randomizes the application's position in memory which makes attacks more difficult and RELRO (Relocation Read-Only) which also can mitigate exploitations. The image was actually designed as an DNSSEC validating upstream DNS resolver with Pi-hole for adblocking and tracking prevention in mind but it also works perfectly as a standalone server. All Linux architectures are supported, which are currently used by Pi-hole: 386, armv6, armv7, arm64 and amd64. So it also able to run on older Raspberries under Docker. I maintain the image regularly and as soon as included components are updated, security vulnerabilities become known or an update of Unbound is released, the image will be available for you on the Docker registry in a few hours. If anyone would like to contribute to the development, I'm happy to receive a pull request of yours. For any suggestions, questions, comments or even criticism you are very welcome to contact me here on HN or on Mastodon (https://ift.tt/4wlXLbO). Here is the link to my GitHub repo https://ift.tt/3qY4E2K. You may find the following links useful for testing the security of your DNS or even in case you want to do a before and after comparison if you want to give the image a try: DNS Leak Test: https://ift.tt/Z2E1M8P DNSSEC-Test from the University of Duisburg-Essen: https://ift.tt/1xOFDmW GRC's DNS Nameserver Spoofability Test: https://ift.tt/vX0HEre Cheers, madnuttah February 25, 2022 at 04:20PM
Labels:
Hacker News
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment