nginx-dnswall/dns.conf
ale 173e912815
nginx.conf out
Signed-off-by: ale <ale@manalejandro.com>
2024-11-18 23:27:03 +01:00


# Stream-level DNS filter: every query is pre-read by njs, its QNAME is mapped
# to an upstream pool, and names not listed in the include files are routed to
# a local responder that returns a synthetic (blocking) DNS answer.
stream {
    js_import /etc/nginx/nginx-dns/njs.d/dns/dns.js;
    # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
    js_set $dns_qname dns.get_qname;
    # The DNS response packet, if we're blocking the domain, this will be set.
    js_set $dns_response dns.get_response;
    # Per-client-address connection counter; only the blocked-responder server
    # below applies a limit against it, the public :53 listeners do not.
    limit_conn_zone $binary_remote_addr zone=dns-addr:30m;
    # When doing DNS routing, use $dns_qname to map the questions to the upstream pools.
    # `default blocked;` makes this an allowlist: any QNAME absent from the include
    # file is sent to the blocked pool. The include presumably holds map entries of
    # the form `<name> <upstream>;` — verify against how domains.txt is generated.
    map $dns_qname $upstream {
        include /etc/nginx/domains.txt;
        default blocked;
    }
    # Same allowlist semantics for the IPv6 listener, with its own include file.
    map $dns_qname $upstream_v6 {
        include /etc/nginx/domains_v6.txt;
        default blocked;
    }
    # upstream pool for blocked requests (returns nxdomain)
    # Loopback only; both the v4 and v6 maps fall back to this pool.
    upstream blocked {
        server 127.0.0.1:9953;
    }
    upstream dns_server {
        server 127.0.0.1:53;
    }
    upstream dns_server_v6 {
        server [::1]:53;
    }
    # Public IPv4 listener (TCP and UDP on port 53).
    server {
        listen 53;
        listen 53 udp;
        # One datagram back per query; 2s budget; 10 KiB/s each way per session.
        proxy_responses 1;
        proxy_timeout 2s;
        proxy_upload_rate 10k;
        proxy_download_rate 10k;
        # set_real_ip_from 0.0.0.0;
        # Parses the query before routing so $dns_qname is populated for the map.
        js_preread dns.preread_dns_request;
        proxy_pass $upstream;
        # Both logs are disabled: no access records and errors are discarded,
        # so faults in routing or in the njs module leave no trace here.
        access_log off;
        error_log /dev/null;
    }
    # Public IPv6 listener; mirrors the IPv4 server but routes via $upstream_v6.
    server {
        listen [::]:53 ipv6only=on;
        listen [::]:53 udp ipv6only=on;
        proxy_responses 1;
        proxy_timeout 2s;
        proxy_upload_rate 10k;
        proxy_download_rate 10k;
        # set_real_ip_from [::];
        js_preread dns.preread_dns_request;
        proxy_pass $upstream_v6;
        access_log off;
        error_log /dev/null;
    }
    # Server for responding to blocked responses
    # Bound to loopback, so it is reachable only via the `blocked` upstream.
    server {
        listen 127.0.0.1:9953;
        listen 127.0.0.1:9953 udp;
        # Up to 3 concurrent sessions per $binary_remote_addr (zone dns-addr).
        # NOTE(review): behind the proxy hop the address seen here is presumably
        # the proxy's own loopback address unless real-IP handling is enabled —
        # confirm what this limit actually keys on.
        limit_conn dns-addr 3;
        proxy_responses 1;
        # Re-parses the query so $dns_response is built for this connection.
        js_preread dns.preread_dns_request;
        access_log off;
        error_log /dev/null;
        # Sends the njs-built packet from get_response and closes the session.
        return $dns_response;
    }
}