feat(net-aux): Adding Unbound as a recursive DNS resolver for Pi-Hole

infra/net-aux/config/pi-hole/02-custom.conf

@@ -1,2 +1,2 @@
 address=/stonegarden.dev/192.168.1.128
-address=/stonegarden.lan/192.168.1.128
+edns-packet-max=1232

infra/net-aux/config/pi-hole/env

@@ -1,7 +1,7 @@
 TZ=Europe/Oslo
 DNSMASQ_LISTENING=all
 WEBPASSWORD=password
-DNS1=1.1.1.1
+WEBTHEME=default-darker
-DNS2=8.8.8.8
+PIHOLE_DNS_=127.0.0.1#5335
 VIRTUAL_HOST=pi.hole
 WEB_PORT=80

infra/net-aux/config/pi-hole/pihole-FTL.conf

@@ -1,2 +0,0 @@
-MAXDBDAYS=200
-LOGFILE=/var/log/pihole/pihole-FTL.log

infra/net-aux/config/unbound/unbound.conf

@@ -0,0 +1,113 @@
+server:
+    # See https://github.com/MatthewVance/unbound-docker/blob/master/unbound.conf for details
+    interface: 0.0.0.0
+    port: 5335
+
+    cache-max-ttl: 86400
+    cache-min-ttl: 300
+
+    directory: "/opt/unbound/etc/unbound"
+
+    do-ip4: yes
+    do-ip6: yes
+    prefer-ip6: no
+    do-tcp: yes
+    do-udp: yes
+
+    edns-buffer-size: 1232
+    rrset-roundrobin: yes
+    username: "_unbound"
+
+    log-local-actions: no
+    log-queries: no
+    log-replies: no
+    log-servfail: no
+
+    #logfile: /opt/unbound/etc/unbound/unbound.log
+    verbosity: 1
+
+    infra-cache-slabs: 4
+    incoming-num-tcp: 10
+    key-cache-slabs: 4
+
+    msg-cache-size: 142768128
+    msg-cache-slabs: 4
+
+    num-queries-per-thread: 4096
+    num-threads: 3
+
+    outgoing-range: 8192
+
+    rrset-cache-size: 285536256
+    rrset-cache-slabs: 4
+
+    minimal-responses: yes
+
+    prefetch: yes
+    prefetch-key: yes
+
+    serve-expired: yes
+
+    so-reuseport: yes
+
+    aggressive-nsec: yes
+
+    delay-close: 10000
+
+    do-daemonize: no
+
+    do-not-query-localhost: no
+
+    neg-cache-size: 4M
+
+    qname-minimisation: yes
+
+    access-control: 127.0.0.1/32 allow
+    access-control: 192.168.0.0/16 allow
+    access-control: 172.16.0.0/12 allow
+    access-control: 10.0.0.0/8 allow
+    access-control: fc00::/7 allow
+    access-control: ::1/128 allow
+
+    auto-trust-anchor-file: "var/root.key"
+
+    chroot: "/opt/unbound/etc/unbound"
+
+    deny-any: yes
+
+    harden-algo-downgrade: yes
+    harden-below-nxdomain: yes
+    harden-dnssec-stripped: yes
+    harden-glue: yes
+    harden-large-queries: yes
+    harden-referral-path: no
+    harden-short-bufsize: yes
+
+    hide-http-user-agent: no
+    hide-identity: yes
+    hide-version: yes
+
+    http-user-agent: "DNS"
+    identity: "DNS"
+
+    private-address: 10.0.0.0/8
+    private-address: 172.16.0.0/12
+    private-address: 192.168.0.0/16
+    private-address: 169.254.0.0/16
+    private-address: fd00::/8
+    private-address: fe80::/10
+    private-address: ::ffff:0:0/96
+
+    ratelimit: 1000
+
+    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+    unwanted-reply-threshold: 10000
+
+    use-caps-for-id: no
+
+    val-clean-additional: yes
+    include: /opt/unbound/etc/unbound/a-records.conf
+    include: /opt/unbound/etc/unbound/srv-records.conf
+remote-control:
+    control-enable: no

infra/net-aux/deployment.yaml

@@ -25,6 +25,31 @@ spec:
         nameservers:
           - 127.0.0.1
       containers:
+        - name: unbound
+          image: mvance/unbound:1.17.1
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: dns-tcp
+              containerPort: 5335
+              protocol: TCP
+            - name: dns-udp
+              containerPort: 5335
+              protocol: UDP
+          startupProbe:
+            exec:
+              command:
+                - 'drill'
+                - '@127.0.0.1'
+                - '-p'
+                - '5335'
+                - 'cnn.com'
+            initialDelaySeconds: 60
+            failureThreshold: 3
+            timeoutSeconds: 5
+          volumeMounts:
+             - name: unbound-config
+               mountPath: /opt/unbound/etc/unbound/unbound.conf
+               subPath: unbound.conf
         - name: pi-hole
           image: pihole/pihole:2023.05.2
           imagePullPolicy: IfNotPresent
@@ -55,12 +80,14 @@ spec:
               cpu: "250m"
               memory: "896Mi"
           livenessProbe:
-            tcpSocket:
+            httpGet:
-              port: dns-tcp
+              path: /admin/index.php
+              port: http
+              scheme: HTTP
             initialDelaySeconds: 60
             failureThreshold: 10
             timeoutSeconds: 5
-          readinessProbe:
+          startupProbe:
             exec:
               command:
                 - 'dig'
@@ -70,14 +97,11 @@ spec:
             failureThreshold: 3
             timeoutSeconds: 5
           volumeMounts:
-            - name: config
+            - name: pi-hole-config
               mountPath: /etc/pihole
             - name: custom-dnsmasq
               mountPath: /etc/dnsmasq.d/02-custom.conf
               subPath: 02-custom.conf
-            #- name: ftl-conf
-            #  mountPath: /etc/pihole/pihole-FTL.conf
-            #  subPath: pihole-FTL.conf
             - name: ad-lists
               mountPath: /etc/pihole/adlists.list
               subPath: adlists.list
@@ -88,7 +112,8 @@ spec:
               mountPath: /etc/pihole/whitelist.txt
               subPath: whitelist.txt
         - name: cloudflared
-          image: cloudflare/cloudflared:latest
+          image: cloudflare/cloudflared:2023.7.3
+          imagePullPolicy: IfNotPresent
           args:
             - tunnel
             - --config
@@ -98,8 +123,8 @@ spec:
             httpGet:
               path: /ready
               port: 2000
-            failureThreshold: 1
+            initialDelaySeconds: 60
-            initialDelaySeconds: 10
+            failureThreshold: 5
             periodSeconds: 10
           env:
             - name: TUNNEL_TOKEN
@@ -113,16 +138,15 @@ spec:
               subPath: config.yaml
       restartPolicy: Always
       volumes:
-        - name: config
+        - name: unbound-config
-          emptyDir: {}
+          configMap:
-        #  persistentVolumeClaim:
+            name: unbound-config
-        #    claimName: pi-hole-config
+        - name: pi-hole-config
+          persistentVolumeClaim:
+            claimName: pi-hole-config
         - name: custom-dnsmasq
           configMap:
             name: custom-dnsmasq
-        #- name: ftl-conf
-        #  configMap:
-        #    name: ftl-conf
         - name: ad-lists
           configMap:
             name: adlists.list

infra/net-aux/kustomization.yaml

@@ -5,12 +5,12 @@ commonLabels:
   app: pi-hole
 
 configMapGenerator:
+  - name: unbound-config
+    files:
+      - config/unbound/unbound.conf
   - name: pi-hole-env
     envs:
       - config/pi-hole/env
-  - name: ftl-conf
-    files:
-      - config/pi-hole/pihole-FTL.conf
   - name: custom-dnsmasq
     files:
       - config/pi-hole/02-custom.conf
@@ -29,6 +29,8 @@ configMapGenerator:
 
 resources:
   - namespace.yaml
+  - pv-pi-hole.yaml
+  - pvc-pi-hole.yaml
   - auth-secret.yaml
   - tunnel-token.yaml
   - ingress-route.yaml

infra/net-aux/pv-pi-hole.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pi-hole-config
+  namespace: net-aux
+  labels:
+    app: pi-hole
+spec:
+  capacity:
+    storage: 256Mi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: pi-hole-storage
+  local:
+    path: /disk/etc/net-aux/pi-hole
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - gauss

infra/net-aux/pvc-pi-hole.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pi-hole-config
+  namespace: net-aux
+  labels:
+    app: pi-hole
+spec:
+  storageClassName: pi-hole-storage
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 256Mi