commit 5a6264a8e9ee264e8dde7798302fe2f954d5fb97
Author: ale <ale@manalejandro.com>
Date:   Sat Oct 12 21:12:33 2024 +0200

    initial commit

diff --git a/.env b/.env
new file mode 100644
index 0000000..5f4e133
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+IPV4=192.168.1.2
+IPV6=[::1]
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..646fd00
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,4 @@
+FROM nginx
+RUN apt update && apt install -y git && apt clean
+RUN git clone --depth 1 https://github.com/TuxInvader/nginx-dns /etc/nginx/nginx-dns
+COPY nginx.conf dns.conf domains.txt domains_v6.txt /etc/nginx/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b22422a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,25 @@
+# nginx-wall
+
+### Filter all DNS traffic, only pass validated domains using [nginx-dns](https://github.com/TuxInvader/nginx-dns)
+### Keep the control against DDoS DNS attaks
+
+## Config
+```
+edit .env and domains files with your settings
+```
+
+## Build
+
+```
+docker-compose build
+```
+
+## Run
+
+```
+docker-compose up -d
+```
+
+## License
+
+MIT
diff --git a/dns.conf b/dns.conf
new file mode 100644
index 0000000..ede21f7
--- /dev/null
+++ b/dns.conf
@@ -0,0 +1,73 @@
+  js_import /etc/nginx/nginx-dns/njs.d/dns/dns.js;
+
+  # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
+  js_set $dns_qname dns.get_qname;
+  
+  # The DNS response packet, if we're blocking the domain, this will be set.
+  js_set $dns_response dns.get_response;
+
+  limit_conn_zone $binary_remote_addr zone=dns-addr:30m;
+
+  # When doing DNS routing, use $dns_qname to map the questions to the upstream pools.
+  map $dns_qname $upstream {
+    include /etc/nginx/domains.txt;
+    default blocked;
+  }
+
+  map $dns_qname $upstream_v6 {
+    include /etc/nginx/domains_v6.txt;
+    default blocked;
+  }
+
+  # upstream pool for blocked requests (returns nxdomain)
+  upstream blocked {
+    server 127.0.0.1:9953;
+  }
+
+  upstream dns_server {
+    server 127.0.0.1:53;
+  }
+
+  upstream dns_server_v6 {
+    server [::1]:53;
+  }
+
+  server {
+    listen 53;
+    listen 53 udp;
+    proxy_responses 1;
+    proxy_timeout 2s;
+    proxy_upload_rate 10k;
+    proxy_download_rate 10k;
+#    set_real_ip_from 0.0.0.0;
+    js_preread dns.preread_dns_request;
+    proxy_pass $upstream;
+    access_log off;
+    error_log /dev/null;
+  }
+
+  server {
+    listen [::]:53 ipv6only=on;
+    listen [::]:53 udp ipv6only=on;
+    proxy_responses 1;
+    proxy_timeout 2s;
+    proxy_upload_rate 10k;
+    proxy_download_rate 10k;
+#    set_real_ip_from [::];
+    js_preread dns.preread_dns_request;
+    proxy_pass $upstream_v6;
+    access_log off;
+    error_log /dev/null;
+  }
+
+  # Server for responding to blocked responses
+  server {
+    listen 127.0.0.1:9953;
+    listen 127.0.0.1:9953 udp;
+    limit_conn dns-addr 3;
+    proxy_responses 1;
+    js_preread dns.preread_dns_request;
+    access_log off;
+    error_log /dev/null;
+    return $dns_response;
+  }
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..3708bf5
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,43 @@
+services:
+  nginx-dnswall:
+    build: .
+    image: nginx-dnswall
+    hostname: nginx-dnswall
+    container_name: nginx-dnswall
+    restart: always
+    ports:
+      - "[${IPV6}]:53:53"
+      - target: 53
+        host_ip: ${IPV4}
+        published: "53"
+        protocol: tcp
+        mode: host
+      - "[${IPV6}]:53:53/udp"
+      - target: 53
+        host_ip: ${IPV4}
+        published: "53"
+        protocol: udp
+        mode: host
+      - "[${IPV6}]:80:80"
+      - target: 80
+        host_ip: ${IPV4}
+        published: "80"
+        protocol: tcp
+        mode: host
+      - "[${IPV6}]:443:443"
+      - target: 443
+        host_ip: ${IPV4}
+        published: "443"
+        protocol: tcp
+        mode: host
+      - "[${IPV6}]:443:443/udp"
+      - target: 443
+        host_ip: ${IPV4}
+        published: "443"
+        protocol: udp
+        mode: host
+    networks:
+      nginx-net:
+
+networks:
+  nginx-net:
diff --git a/domains.txt b/domains.txt
new file mode 100644
index 0000000..c2a646a
--- /dev/null
+++ b/domains.txt
@@ -0,0 +1,2 @@
+manalejandro.com dns_server;
+another.manalejandro.com dns_server;
diff --git a/domains_v6.txt b/domains_v6.txt
new file mode 100644
index 0000000..fe3d8b3
--- /dev/null
+++ b/domains_v6.txt
@@ -0,0 +1,2 @@
+manalejandro.com dns_server_v6;
+another.manalejandro.com dns_server_v6;
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..013f88f
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,36 @@
+load_module modules/ngx_stream_js_module.so;
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+
+stream {
+    include /etc/nginx/dns.conf;
+}