authorterminaldweller <thabogre@gmail.com>2022-12-21 13:43:25 +0000
committerterminaldweller <thabogre@gmail.com>2022-12-21 13:43:25 +0000
commit9f174dea7865c9b2aa9228fc26f8dc9c4895ac74 (patch)
treede99dc91ff11cb1a243f0dc6cea1734dfa6eaf05 /terminaldweller.com/doh
parentupdate (diff)
update
Diffstat (limited to 'terminaldweller.com/doh')
-rw-r--r--terminaldweller.com/doh/docker-compose.yaml39
-rw-r--r--terminaldweller.com/doh/nginx.conf37
-rw-r--r--terminaldweller.com/doh/unbound/doh.conf43
-rw-r--r--terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf4
4 files changed, 123 insertions, 0 deletions
diff --git a/terminaldweller.com/doh/docker-compose.yaml b/terminaldweller.com/doh/docker-compose.yaml
new file mode 100644
index 0000000..1b4f81c
--- /dev/null
+++ b/terminaldweller.com/doh/docker-compose.yaml
@@ -0,0 +1,39 @@
+version: "3"
+services:
+ doh-server:
+ image: satishweb/doh-server
+ networks:
+ - dohnet
+ ports:
+ - "127.0.0.1:8053:8053"
+ restart: unless-stopped
+ environment:
+ - DEBUG="0"
+ - UPSTREAM_DNS_SERVER=udp:208.67.222.222:53
+ - DOH_HTTP_PREFIX=/getnsrecord
+ - DOH_SERVER_LISTEN=:8053
+ - DOH_SERVER_TIMEOUT=10
+ - DOH_SERVER_TRIES=3
+ - DOH_SERVER_VERBOSE=true
+ depends_on:
+ - nginx
+ nginx:
+ image: nginx:stable
+ ports:
+ - "443:443"
+ networks:
+ - dohnet
+ restart: unless-stopped
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - DAC_OVERRIDE
+ - SETGID
+ - SETUID
+ - NET_BIND_SERVICE
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ - /etc/letsencrypt/archive/doh.terminaldweller.com/:/certs/:ro
+networks:
+ dohnet:
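Review bot: The service dependency is inverted: `depends_on: [nginx]` sits on doh-server (L44–45), but it is nginx that needs doh-server, because the nginx.conf in this commit resolves `doh-server` in `proxy_pass http://doh-server:8053` at config load and will refuse to start if the name cannot be resolved yet — move the dependency to the nginx service as `depends_on: [doh-server]`. In the list form of `environment:` the quotes in `- DEBUG="0"` (L37) are part of the value, so the container sees the five-character string `"0"` rather than `0`; write `- DEBUG=0`. Mounting `/etc/letsencrypt/archive/doh.terminaldweller.com/` (L63) and reading `fullchain1.pem`/`privkey1.pem` in nginx.conf pins the first issuance: certbot renewals are written as `fullchain2.pem` etc., so the served certificate will not follow renewals unless the mount and file names are updated (the `live/` names are stable, though they are symlinks into `archive/`, so both directories would need mounting).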
diff --git a/terminaldweller.com/doh/nginx.conf b/terminaldweller.com/doh/nginx.conf
new file mode 100644
index 0000000..c398730
--- /dev/null
+++ b/terminaldweller.com/doh/nginx.conf
@@ -0,0 +1,37 @@
+events {
+ worker_connections 1024;
+}
+http {
+ include /etc/nginx/mime.types;
+ server_tokens off;
+ limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+ server {
+ listen 443 ssl http2;
+ keepalive_timeout 60;
+ charset utf-8;
+ ssl_certificate /certs/fullchain1.pem;
+ ssl_certificate_key /certs/privkey1.pem;
+ ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_protocols TLSv1.3;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers on;
+ tcp_nopush on;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'self';";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "no-referrer";
+ fastcgi_hide_header X-Powered-By;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /certs/cert1.pem;
+
+ error_page 401 403 404 /404.html;
+ location / {
+ proxy_pass http://doh-server:8053;
+ }
+ }
+}
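Review bot: `limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;` (L78) is declared but never applied — neither the `server` block nor `location /` contains a `limit_req` directive, so the 30 requests/minute limit is inert and the upstream resolver is proxied without throttling; add `limit_req zone=one burst=10 nodelay;` (burst value to taste) inside `location /`. `ssl_trusted_certificate /certs/cert1.pem;` (L101) points at the leaf certificate only, while `ssl_stapling_verify on` needs the issuer chain to validate the OCSP response, so stapling will most likely be disabled with a warning at startup — use `chain1.pem` (or `fullchain1.pem`) instead. With `ssl_protocols TLSv1.3;` alone, the long `ssl_ciphers` list and `ssl_prefer_server_ciphers on` have no effect, because OpenSSL selects TLS 1.3 suites through a separate setting (`ssl_conf_command Ciphersuites ...`); either drop them or add `TLSv1.2` if that list was meant to be honored. `fastcgi_hide_header X-Powered-By;` is also a no-op here since the only upstream is reached via `proxy_pass`; `proxy_hide_header` is the matching directive.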
diff --git a/terminaldweller.com/doh/unbound/doh.conf b/terminaldweller.com/doh/unbound/doh.conf
new file mode 100644
index 0000000..4e6e291
--- /dev/null
+++ b/terminaldweller.com/doh/unbound/doh.conf
@@ -0,0 +1,43 @@
+server:
+ interface: 0.0.0.0@443
+ tls-service-key: /etc/letsencrypt/archive/doh.terminaldweller.com/privkey1.pem
+ tls-service-pem: /etc/letsencrypt/archive/doh.terminaldweller.com/fullchain1.pem
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ https-port: 443
+ tls-port: 443
+ do-ip4: yes
+ do-ip6: yes
+ do-udp: yes
+ do-tcp: yes
+ prefer-ip6: no
+# auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ qname-minimisation: yes
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ use-caps-for-id: no
+ edns-buffer-size: 1232
+ prefetch: yes
+ so-rcvbuf: 1m
+
+ private-address: 127.0.0.0/8
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 10.0.0.0/8
+ private-address: fd00::/8
+ private-address: fe80::/10
+
+ access-control: 0.0.0.0/0 allow_snoop
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
+ forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+ forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
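Review bot: `access-control: 0.0.0.0/0 allow_snoop` (L144) together with `interface: 0.0.0.0@443` makes this an open resolver that additionally answers non-recursive (cache-snooping) queries from any source; `allow_snoop` is meant for debugging, so use `access-control: 0.0.0.0/0 allow` at most, and narrow the prefix to the proxy's network if only the proxy should reach it. `https-port: 443` and `tls-port: 443` are the same value, and unbound's documentation for `https-port` states that `tls-port` must be a different number, so the single `@443` listener is ambiguous between DoT and DoH — give each service its own port (e.g. `tls-port: 853`). With `auto-trust-anchor-file` commented out (L127), DNSSEC validation only happens if the sibling root-auto-trust-anchor-file.conf from this commit is actually included; `harden-dnssec-stripped: yes` does not validate on its own. It is not visible here how this config is loaded by the compose stack, which runs satishweb/doh-server rather than unbound — presumably a separate deployment; worth a comment at the top of the file.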
diff --git a/terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf b/terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf
new file mode 100644
index 0000000..433eff9
--- /dev/null
+++ b/terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf
@@ -0,0 +1,4 @@
+server:
+ # The following line will configure unbound to perform cryptographic
+ # DNSSEC validation using the root trust anchor.
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
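Review bot: `auto-trust-anchor-file: "/var/lib/unbound/root.key"` requires that file to exist before startup (typically seeded with `unbound-anchor`) and to be writable by the unbound user, since RFC 5011 trust-anchor rollover rewrites it in place; nothing in this commit provisions the file or a volume for it. Document that in a comment above the directive, e.g. `# root.key is seeded by unbound-anchor and must stay writable for RFC 5011 updates`. How this fragment is included into the main unbound configuration is not visible here.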