feat: add lightweight Alpine Unbound DNS container

- Multi-arch support (x86_64 and ARM64) - ~50MB image size vs ~500MB for Ubuntu version - DNSSEC validation with root hints - Health checks and resource limits - Security hardening (hide identity/version, harden-glue, etc.) - Build script for easy single/multi-arch builds
2025-12-17 03:20:52 +00:00
parent eb42caf579
commit 827f8bbf9d
7 changed files with 553 additions and 0 deletions
--- a/builds/alpine-unbound/unbound.conf
+++ b/builds/alpine-unbound/unbound.conf
@@ -0,0 +1,74 @@
+# Unbound configuration for Alpine container
+# Optimized for recursive DNS resolution with DNSSEC
+
+server:
+    # Basic settings
+    verbosity: 1
+    num-threads: 2
+    
+    # Interface binding
+    interface: 0.0.0.0
+    port: 5335
+    do-ip4: yes
+    do-ip6: yes
+    do-udp: yes
+    do-tcp: yes
+    
+    # Access control - allow all private networks
+    access-control: 127.0.0.0/8 allow
+    access-control: 10.0.0.0/8 allow
+    access-control: 172.16.0.0/12 allow
+    access-control: 192.168.0.0/16 allow
+    access-control: ::1/128 allow
+    access-control: fd00::/8 allow
+    
+    # Root hints for DNSSEC
+    root-hints: /etc/unbound/root.hints
+    
+    # Trust anchor for DNSSEC validation
+    auto-trust-anchor-file: /var/lib/unbound/root.key
+    
+    # Hide identity and version
+    hide-identity: yes
+    hide-version: yes
+    
+    # Harden settings
+    harden-glue: yes
+    harden-dnssec-stripped: yes
+    harden-referral-path: yes
+    use-caps-for-id: yes
+    
+    # Prefetch settings for performance
+    prefetch: yes
+    prefetch-key: yes
+    
+    # Cache settings
+    cache-min-ttl: 3600
+    cache-max-ttl: 86400
+    msg-cache-size: 50m
+    rrset-cache-size: 100m
+    key-cache-size: 50m
+    neg-cache-size: 10m
+    
+    # Privacy settings
+    qname-minimisation: yes
+    aggressive-nsec: yes
+    
+    # Logging
+    logfile: ""
+    log-queries: no
+    log-replies: no
+    log-local-actions: no
+    log-servfail: yes
+    
+    # User/group (Alpine uses 'unbound' user)
+    username: "unbound"
+    directory: "/etc/unbound"
+    chroot: ""
+    
+    # PID file
+    pidfile: "/var/run/unbound.pid"
+
+# Remote control (disabled for security)
+remote-control:
+    control-enable: no