feat(dns): Switch to blocky and DNS resolver

This patch is the first try of using blocky instead of adguard-dnsproxy as dns resolver. The idea is to get better metrics from blocky as well as supporting dns block lists if necessary.

feat(dns): Switch to blocky and DNS resolver
a08e0be8 · Sheogorath · 554eb8cc · a08e0be8
Verified Commit a08e0be8 authored 1 year ago by Sheogorath
--- a/apps/k8s01/dns/dns.yaml
+++ b/apps/k8s01/dns/dns.yaml
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blocky-config
+  namespace: dns
+data:
+  config.yaml: |
+    ports:
+      dns: 53
+      tls: 853
+      https: 443
+      http: 4000
+    upstreams:
+      groups:
+        default:
+          - https://dns.quad9.net/dns-query
+    bootstrapDns:
+      - https://1.1.1.1/dns-query
+      - tcp+udp:9.9.9.9
+    startVerifyUpstream: true
+    caching:
+      minTime: 5m
+      maxItemsCount: 262144
+      prefetching: true
+      prefetchMaxItemsCount: 131072
+    prometheus:
+      enable: true
+    fqdnOnly:
+      enable: true
+    certFile: /etc/pki/dnsproxy/tls.crt
+    keyFile: /etc/pki/dnsproxy/tls.key
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,20 +49,10 @@ spec:
    spec:
      containers:
        - name: dnsproxy
-          image: quay.io/sheogorath/dnsproxy:0.54.0
+          image: ghcr.io/0xerr0r/blocky:v0.22
          args:
-            - /dnsproxy
+            - --config
-            - --upstream=https://dns.quad9.net/dns-query
+            - /etc/blocky/config.yaml
-            - --bootstrap=9.9.9.9
-            - --cache
-            # 96Mi
-            - --cache-size=100663296
-            - --cache-min-ttl=300
-            - --cache-optimistic
-            # Enable DoT
-            - --tls-port=853
-            - --tls-crt=/etc/pki/dnsproxy/tls.crt
-            - --tls-key=/etc/pki/dnsproxy/tls.key
          env:
            - name: GOMEMLIMIT
              valueFrom:
@@ -58,6 +80,8 @@ spec:
            - name: tls-secret
              mountPath: "/etc/pki/dnsproxy"
              readOnly: true
+            - name: config
+              mountPath: "/etc/blocky/"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
@@ -69,6 +93,10 @@ spec:
          secret:
            secretName: ingress-dns-tls
            optional: false
+        - name: config
+          configMap:
+            name: blocky-config
+            optional: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000