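stream {
    # DNS filtering proxy. The njs preread handler parses the question name out
    # of the first bytes of each session, the maps below turn that name into an
    # upstream pool, and any name not explicitly listed is answered locally by
    # the "blocked" server instead of being forwarded.
    js_import /etc/nginx/nginx-dns/njs.d/dns/dns.js;

    # $dns_qname is populated by the preread call and drives the routing maps.
    js_set $dns_qname dns.get_qname;
    # The DNS response packet; set by njs when the queried domain is blocked.
    js_set $dns_response dns.get_response;

    # Shared zone for per-client concurrent-session limiting. The key is the
    # client address, so it is only meaningful on listeners that clients hit
    # directly (see the note on limit_conn in the public servers below).
    limit_conn_zone $binary_remote_addr zone=dns-addr:30m;

    # Route questions to upstream pools by name. This is allowlist semantics:
    # a name absent from the included file falls through to "blocked".
    map $dns_qname $upstream {
        include /etc/nginx/domains.txt;
        default blocked;
    }
    map $dns_qname $upstream_v6 {
        include /etc/nginx/domains_v6.txt;
        default blocked;
    }

    # upstream pool for blocked requests (returns nxdomain)
    upstream blocked {
        server 127.0.0.1:9953;
    }
    upstream dns_server {
        server 127.0.0.1:53;
    }
    upstream dns_server_v6 {
        server [::1]:53;
    }

    # Public IPv4 listener.
    server {
        # NOTE(review): binds every IPv4 interface. If this host is reachable
        # from untrusted networks the listener is an open DNS proxy that can be
        # used for reflection/amplification; bind an internal address or
        # firewall port 53 to the intended clients.
        listen 53;
        listen 53 udp;

        # Per-client cap on concurrent sessions. It has to be applied here,
        # where $binary_remote_addr is the real client: on the loopback-only
        # "blocked" server every session arrives from 127.0.0.1, so a limit
        # placed there collapses into one global cap shared by all clients.
        limit_conn dns-addr 3;

        # One datagram back per query; sessions that stall are dropped after 2s.
        proxy_responses 1;
        proxy_timeout 2s;
        # Bound the bytes a single session can push through in each direction.
        proxy_upload_rate 10k;
        proxy_download_rate 10k;
        # set_real_ip_from 0.0.0.0;
        js_preread dns.preread_dns_request;
        proxy_pass $upstream;
        access_log off;
        # NOTE(review): discarding the error log hides upstream failures and
        # malformed-query bursts from operators; prefer a real file at "warn".
        error_log /dev/null;
    }

    # Public IPv6 listener; same policy as the IPv4 server with v6 upstreams.
    server {
        # NOTE(review): same exposure caveat as the IPv4 listener above.
        listen [::]:53 ipv6only=on;
        listen [::]:53 udp ipv6only=on;

        # Per-client limit keyed on the real client address (see IPv4 server).
        limit_conn dns-addr 3;

        proxy_responses 1;
        proxy_timeout 2s;
        proxy_upload_rate 10k;
        proxy_download_rate 10k;
        # set_real_ip_from [::];
        js_preread dns.preread_dns_request;
        proxy_pass $upstream_v6;
        access_log off;
        # NOTE(review): see the error_log note on the IPv4 server.
        error_log /dev/null;
    }

    # Loopback-only server that answers blocked queries. Both public servers
    # forward here via the "blocked" upstream; the preread handler is run again
    # so njs can build $dns_response for this session before it is returned.
    # No limit_conn here: every session on this listener comes from 127.0.0.1,
    # so a per-address limit would not distinguish clients.
    server {
        listen 127.0.0.1:9953;
        listen 127.0.0.1:9953 udp;
        proxy_responses 1;
        js_preread dns.preread_dns_request;
        access_log off;
        error_log /dev/null;
        return $dns_response;
    }
}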