feat: add lightweight Alpine Unbound DNS container

- Multi-arch support (x86_64 and ARM64) - ~50MB image size vs ~500MB for Ubuntu version - DNSSEC validation with root hints - Health checks and resource limits - Security hardening (hide identity/version, harden-glue, etc.) - Build script for easy single/multi-arch builds
2025-12-17 03:20:52 +00:00
parent eb42caf579
commit 827f8bbf9d
7 changed files with 553 additions and 0 deletions
--- a/builds/alpine-unbound/README.md
+++ b/builds/alpine-unbound/README.md
@@ -0,0 +1,129 @@
+# Alpine Unbound DNS Server
+
+A lightweight Alpine-based Unbound DNS resolver container, optimized for homelab use.
+
+## Features
+
+- 🪶 **Lightweight**: ~50MB image size (vs ~500MB+ for Ubuntu-based)
+- 🔒 **DNSSEC Validation**: Full DNSSEC support with automatic root trust anchor updates
+- 🏗️ **Multi-Architecture**: Native support for x86_64 and ARM64 (Raspberry Pi, Apple Silicon)
+- ❤️ **Health Checks**: Built-in health monitoring
+- 🔧 **Hardened Config**: Security best practices out of the box
+- 📊 **Resource Efficient**: Memory limits of 128MB (typically uses ~30-50MB)
+
+## Quick Start
+
+### Using Docker Compose
+
+```bash
+docker-compose up -d
+```
+
+### Building Manually
+
+```bash
+# For x86_64/AMD64
+docker build -f Dockerfile.amd64 -t alpine-unbound:amd64 .
+
+# For ARM64 (Raspberry Pi 4/5, Apple Silicon)
+docker build -f Dockerfile.arm64 -t alpine-unbound:arm64 .
+
+# Multi-arch build (if using buildx)
+./build.sh multiarch
+```
+
+## Architecture-Specific Dockerfiles
+
+| File | Architecture | Use Case |
+|------|-------------|----------|
+| `Dockerfile` | Auto-detect | General use, multi-arch builds |
+| `Dockerfile.amd64` | x86_64 | Intel/AMD servers, desktop PCs |
+| `Dockerfile.arm64` | ARM64 | Raspberry Pi 4/5, Apple Silicon, AWS Graviton |
+
+## Configuration
+
+The default configuration (`unbound.conf`) includes:
+
+- Listening on port **5335** (to avoid conflicts with other DNS services)
+- Access allowed from all RFC1918 private networks
+- DNSSEC validation enabled
+- Query name minimization for privacy
+- Aggressive caching for performance
+- Security hardening options
+
+### Custom Configuration
+
+Mount your own config files:
+
+```yaml
+volumes:
+  - ./my-unbound.conf:/etc/unbound/unbound.conf:ro
+  - ./conf.d/:/etc/unbound/unbound.conf.d/:ro
+```
+
+## Integration with Pi-hole
+
+Use as upstream DNS for Pi-hole:
+
+```yaml
+# In Pi-hole's docker-compose.yml
+environment:
+  - PIHOLE_DNS_=172.17.0.1#5335
+```
+
+## Comparison with Ubuntu Version
+
+| Aspect | Alpine | Ubuntu |
+|--------|--------|--------|
+| Image Size | ~50MB | ~500MB+ |
+| Memory Usage | ~30-50MB | ~100-200MB |
+| SSH Access | ❌ | ✅ |
+| Dev Tools | ❌ | ✅ |
+| Shell | ash | zsh (oh-my-zsh) |
+| Init System | tini | supervisord |
+| Startup Time | <1s | ~5s |
+
+Choose **Alpine** for: Production DNS, resource-constrained devices, simple deployments.
+
+Choose **Ubuntu** for: Development, debugging, when you need SSH access or interactive shell.
+
+## Ports
+
+| Port | Protocol | Description |
+|------|----------|-------------|
+| 5335 | TCP/UDP | Unbound DNS |
+
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `TZ` | `UTC` | Timezone |
+
+## Health Check
+
+The container includes automatic health checks using `drill`:
+
+```bash
+drill @127.0.0.1 -p 5335 google.com
+```
+
+## Troubleshooting
+
+### Check if Unbound is running
+```bash
+docker exec alpine_unbound drill @127.0.0.1 -p 5335 google.com
+```
+
+### View logs
+```bash
+docker logs alpine_unbound
+```
+
+### Test DNSSEC validation
+```bash
+docker exec alpine_unbound drill -D sigok.verteiltesysteme.net @127.0.0.1 -p 5335
+```
+
+## License
+
+MIT