js_import /etc/nginx/nginx-dns/njs.d/dns/dns.js;

# The $dns_qname variable can be populated by preread calls (dns.preread_dns_request
# in the servers below) and can be used for DNS routing. Presumably it is empty
# until js_preread has run in the current session - verify against dns.js.
js_set $dns_qname dns.get_qname;

# The DNS response packet; if we're blocking the domain, this will be set.
# Consumed only by the loopback "blocked" server (127.0.0.1:9953) via `return $dns_response`.
js_set $dns_response dns.get_response;

# Session counter keyed on the client address. NOTE(review): the only server that
# applies this zone is the loopback "blocked" server, and every session there is
# opened by this nginx instance itself through proxy_pass, so the key collapses to
# 127.0.0.1 unless a transparent proxy_bind is configured outside this file. The
# limit is then global rather than per client - confirm that is intended.
limit_conn_zone $binary_remote_addr zone=dns-addr:30m;
# When doing DNS routing, use $dns_qname to map the questions to the upstream pools.
# Any name not listed in domains.txt falls through to the "blocked" pool, so this is
# an allowlist with a default-deny verdict. Without the `hostnames` parameter the
# keys match the query name literally (no leading-dot suffix matching), unless
# domains.txt itself uses regex keys.
map $dns_qname $upstream {
    include /etc/nginx/domains.txt;
    default blocked;
}
# Same routing for queries that arrive over IPv6, driven by a separate policy file.
# A name present in only one of domains.txt / domains_v6.txt gets a different verdict
# depending on which address family the client used, so keep the two lists in sync.
map $dns_qname $upstream_v6 {
    include /etc/nginx/domains_v6.txt;
    default blocked;
}
# upstream pool for blocked requests (returns nxdomain)
# Points at the local "blocked" server below (127.0.0.1:9953), which answers from
# $dns_response instead of forwarding to a resolver.
upstream blocked {
    server 127.0.0.1:9953;
}
# Resolver pool for IPv4 traffic. NOTE(review): the IPv4 front server below uses
# `listen 53` on the wildcard address, which also covers 127.0.0.1:53; unless a
# separate resolver already owns 127.0.0.1:53 on this host, proxied queries would
# land back on this nginx instance. Confirm the resolver binding.
upstream dns_server {
    server 127.0.0.1:53;
}
# Resolver pool for IPv6 traffic. NOTE(review): as with dns_server, `listen [::]:53`
# in the IPv6 front server also covers [::1]:53; confirm a separate resolver owns
# that address so queries do not loop back into nginx.
upstream dns_server_v6 {
    server [::1]:53;
}
# IPv4 client-facing DNS listener: TCP and UDP on port 53, all interfaces.
server {
    listen 53;
    listen 53 udp;

    # One datagram is expected per UDP query; the session ends after it arrives or
    # after 2s of silence from the upstream.
    proxy_responses 1;
    proxy_timeout 2s;
    # Per-session bandwidth caps in both directions. DNS messages are small, so
    # 10k is ample while bounding what a single session can push through the proxy.
    proxy_upload_rate 10k;
    proxy_download_rate 10k;

    # set_real_ip_from 0.0.0.0;
    # NOTE(review): the stream realip module only rewrites the client address on
    # listeners that receive the PROXY protocol, and `0.0.0.0` is a single address
    # (not the 0.0.0.0/0 range), so this would match no peer even if enabled.

    # Parses the query and populates $dns_qname so that $upstream resolves through
    # the map above: names listed in domains.txt go to the pool the list assigns,
    # everything else to the loopback "blocked" server.
    js_preread dns.preread_dns_request;
    proxy_pass $upstream;

    # NOTE(review): with access_log off and error_log discarded, njs exceptions and
    # upstream connect/timeout failures leave no trace on this listener; an
    # error_log at warn level is the minimum needed to investigate routing or
    # blocking problems.
    access_log off;
    error_log /dev/null;
}
# IPv6 client-facing DNS listener: TCP and UDP on port 53 of the unspecified
# address, kept separate from the IPv4 socket with ipv6only=on.
server {
    listen [::]:53 ipv6only=on;
    listen [::]:53 udp ipv6only=on;

    # Same proxy settings as the IPv4 listener: one datagram per UDP query, 2s
    # idle timeout, 10k per-session bandwidth cap in each direction.
    proxy_responses 1;
    proxy_timeout 2s;
    proxy_upload_rate 10k;
    proxy_download_rate 10k;

    # set_real_ip_from [::];
    # NOTE(review): the stream realip module only applies on listeners that receive
    # the PROXY protocol, and `[::]` is a single address rather than ::/0, so this
    # would match no peer even if enabled.

    # Populates $dns_qname; routing is driven by the IPv6-specific map
    # ($upstream_v6 / domains_v6.txt), not the IPv4 one.
    js_preread dns.preread_dns_request;
    proxy_pass $upstream_v6;

    # NOTE(review): no access log and a discarded error log mean njs or upstream
    # failures on this path are invisible; an error_log at warn level would at
    # least surface them.
    access_log off;
    error_log /dev/null;
}
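# Server for responding to blocked responses
# Reached only through the "blocked" upstream from the two client-facing servers.
# It never contacts a resolver; it answers with the packet njs built in
# $dns_response (NXDOMAIN, per the comment on the "blocked" pool above).
server {
    listen 127.0.0.1:9953;
    listen 127.0.0.1:9953 udp;

    # NOTE(review): every session here is opened by this nginx instance through
    # proxy_pass, so $binary_remote_addr is 127.0.0.1 for all of them (unless a
    # transparent proxy_bind is configured outside this file). The limit therefore
    # caps blocked answers to 3 concurrent sessions in total, not 3 per client.
    # Beyond that the front server waits out its 2s proxy_timeout and the client
    # sees a timeout instead of NXDOMAIN. If per-client throttling is the goal,
    # the limit belongs on the :53 servers, where the key is the real client.
    limit_conn dns-addr 3;

    # Re-parse the forwarded query so get_response can build a reply that matches
    # it (presumably the transaction id and question section - verify in dns.js).
    js_preread dns.preread_dns_request;

    # NOTE(review): error_log is discarded here as well; an njs failure while
    # building the reply would be silent.
    access_log off;
    error_log /dev/null;

    # This server has no proxy_pass, so proxy_* directives (such as proxy_responses)
    # have no effect in it; the reply is returned directly from the njs variable.
    return $dns_response;
}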