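#! /usr/bin/env bash
#
# Entry point for the unbound resolver of the dnscrypt-server container.
#
# Sizes the caches and the thread count from the resources of this host,
# writes ${UNBOUND_DIR}/unbound.conf, prepares the chroot (device nodes,
# root trust anchor, unbound-control certificates, zones directory) and
# finally execs unbound.
#
# Reads:   /proc/meminfo, nproc(1), ${KEYS_DIR}/provider_name
# Writes:  ${UNBOUND_DIR}/unbound.conf plus the chroot contents listed above
# Exits:   1 with a message on stderr when the memory size cannot be read,
#          memory is too low, or the provider name is missing/invalid.
set -euo pipefail

readonly KEYS_DIR="/opt/dnscrypt-wrapper/etc/keys"
readonly UNBOUND_DIR="/opt/unbound/etc/unbound"
readonly ZONES_DIR="${UNBOUND_DIR}/zones"
# Bytes kept out of the cache budget for everything else in the container.
readonly reserved=$((12 * 1024 * 1024))

die() { printf '%s\n' "$*" >&2; exit 1; }

# --- memory budget ----------------------------------------------------------
# Prefer MemAvailable (kB); older kernels only expose MemTotal.
mem_kb=$( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) \
  | tr -dc '0-9' ) || die "Cannot read memory size from /proc/meminfo"
# Without this check an empty value would silently produce a negative cache size.
[[ "$mem_kb" =~ ^[0-9]+$ ]] || die "Cannot read memory size from /proc/meminfo"
availableMemory=$((1024 * mem_kb))
if (( availableMemory <= reserved * 2 )); then
  die "Not enough memory"
fi
availableMemory=$((availableMemory - reserved))
# Each of the two caches gets a third of what is left.
msg_cache_size=$((availableMemory / 3))
rr_cache_size=$((availableMemory / 3))

# --- threads ----------------------------------------------------------------
cpu_count=$(nproc)
# Keep one core free when more than one is available (presumably for the
# DNSCrypt front end that shares this container).
if (( cpu_count > 1 )); then
  threads=$((cpu_count - 1))
else
  threads=1
fi

# --- provider name ----------------------------------------------------------
provider_name=$(cat "${KEYS_DIR}/provider_name") \
  || die "Cannot read ${KEYS_DIR}/provider_name"
# The name is written verbatim into unbound.conf below. An empty value would
# turn the refuse rule into 'local-zone: "." refuse' (refusing every name),
# and an embedded newline or quote could inject further config lines, so only
# DNS-name characters are accepted.
[[ "$provider_name" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "${KEYS_DIR}/provider_name must be a non-empty DNS name"

# --- unbound.conf -----------------------------------------------------------
# The here-document is deliberately unquoted: ${...} expands in place, so no
# placeholder/sed pass is needed and values containing '/' or '&' are safe.
cat > "${UNBOUND_DIR}/unbound.conf" <<EOT
server:
  verbosity: 1
  num-threads: ${threads}
  interface: 127.0.0.1@553
  so-reuseport: yes
  edns-buffer-size: 1252
  delay-close: 10000
  cache-min-ttl: 60
  cache-max-ttl: 86400
  do-daemonize: no
  username: "_unbound"
  log-queries: no
  hide-version: yes
  identity: "DNSCrypt"
  harden-short-bufsize: yes
  harden-large-queries: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-below-nxdomain: yes
  harden-referral-path: no
  do-not-query-localhost: no
  prefetch: yes
  prefetch-key: yes
  qname-minimisation: no
  ratelimit: 1000
  rrset-roundrobin: yes
  minimal-responses: yes
  chroot: "${UNBOUND_DIR}"
  directory: "${UNBOUND_DIR}"
  auto-trust-anchor-file: "var/root.key"
  num-queries-per-thread: 4096
  outgoing-range: 8192
  msg-cache-size: ${msg_cache_size}
  rrset-cache-size: ${rr_cache_size}
  neg-cache-size: 4M
  serve-expired: yes
  # Only loopback is bound (interface: above), so this allow-all ACL is
  # reachable from the local front end only.
  access-control: 0.0.0.0/0 allow
  access-control: ::0/0 allow
  local-zone: "belkin." static
  local-zone: "corp." static
  local-zone: "domain." static
  local-zone: "example." static
  local-zone: "home." static
  local-zone: "invalid." static
  local-zone: "lan." static
  local-zone: "local." static
  local-zone: "localdomain." static
  local-zone: "test." static
  local-zone: "${provider_name}." refuse
  include: "${ZONES_DIR}/*.conf"
remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
EOT

# --- chroot contents --------------------------------------------------------
# Device nodes unbound needs for entropy once it has chrooted.
mkdir -p "${UNBOUND_DIR}/dev"
cp -a /dev/random /dev/urandom "${UNBOUND_DIR}/dev/"
# var/ holds the managed root key, so it must be writable by the unprivileged
# user unbound drops to (username: "_unbound" above).
mkdir -p -m 700 "${UNBOUND_DIR}/var"
chown _unbound:_unbound "${UNBOUND_DIR}/var"
# unbound-anchor(8) uses exit status 1 to report that it updated the anchor,
# so a non-zero status is not an error here; the status is dropped on purpose.
/opt/unbound/sbin/unbound-anchor -a "${UNBOUND_DIR}/var/root.key" || true
# Generate the remote-control key/cert pair once.
if [[ ! -f "${UNBOUND_DIR}/unbound_control.pem" ]]; then
  /opt/unbound/sbin/unbound-control-setup
fi
# unbound.conf includes "${ZONES_DIR}/*.conf"; the directory must exist first.
mkdir -p "${ZONES_DIR}"
exec /opt/unbound/sbin/unbound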