From a08e0be88eb9694b2752e7bb6523714e2e7b041f Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 19 Nov 2023 23:28:17 +0100
Subject: [PATCH] feat(dns): Switch to blocky and DNS resolver

This patch is a first attempt at using blocky instead of adguard-dnsproxy
as the DNS resolver. The idea is to get better metrics from blocky as well
as support for DNS block lists if necessary.
---
 apps/k8s01/dns/dns.yaml | 54 +++++++++++++++++++++++++++++++----------
 1 file changed, 41 insertions(+), 13 deletions(-)

diff --git a/apps/k8s01/dns/dns.yaml b/apps/k8s01/dns/dns.yaml
index 653e5e1df..d3d8d00f5 100644
--- a/apps/k8s01/dns/dns.yaml
+++ b/apps/k8s01/dns/dns.yaml
@@ -1,4 +1,36 @@
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blocky-config
+  namespace: dns
+data:
+  config.yaml: |
+    ports:
+      dns: 53
+      tls: 853
+      https: 443
+      http: 4000
+    upstreams:
+      groups:
+        default:
+          - https://dns.quad9.net/dns-query
+    bootstrapDns:
+      - https://1.1.1.1/dns-query
+      - tcp+udp:9.9.9.9
+    startVerifyUpstream: true
+    caching:
+      minTime: 5m
+      maxItemsCount: 262144
+      prefetching: true
+      prefetchMaxItemsCount: 131072
+    prometheus:
+      enable: true
+    fqdnOnly:
+      enable: true
+    certFile: /etc/pki/dnsproxy/tls.crt
+    keyFile: /etc/pki/dnsproxy/tls.key
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
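Review bot: `bootstrapDns` (the two entries under it) adds `https://1.1.1.1/dns-query` next to `tcp+udp:9.9.9.9`, so bootstrap lookups now also go to a second provider that the removed `--bootstrap=9.9.9.9` never contacted; if that is deliberate, note it in the commit message, otherwise keep bootstrap on Quad9 only. The `http: 4000` listener is likewise new compared with the old dnsproxy arguments: besides the Prometheus endpoint it serves blocky's HTTP API, which carries no authentication of its own, so it should be limited to the scraper (e.g. a NetworkPolicy) or at least documented as cluster-internal. Port 443 is privileged like 53, so whatever currently lets UID 1000 bind 53 must cover it too; the `capabilities` block and any Service ports are outside this hunk, so I can't confirm that here. A short comment above `ports:` stating which listeners are intended to be reachable from outside the pod would help the next reader.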
@@ -17,20 +49,10 @@ spec:
     spec:
       containers:
         - name: dnsproxy
-          image: quay.io/sheogorath/dnsproxy:0.54.0
+          image: ghcr.io/0xerr0r/blocky:v0.22
           args:
-            - /dnsproxy
-            - --upstream=https://dns.quad9.net/dns-query
-            - --bootstrap=9.9.9.9
-            - --cache
-            # 96Mi
-            - --cache-size=100663296
-            - --cache-min-ttl=300
-            - --cache-optimistic
-            # Enable DoT
-            - --tls-port=853
-            - --tls-crt=/etc/pki/dnsproxy/tls.crt
-            - --tls-key=/etc/pki/dnsproxy/tls.key
+            - --config
+            - /etc/blocky/config.yaml
           env:
             - name: GOMEMLIMIT
               valueFrom:
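Review bot: The new image `ghcr.io/0xerr0r/blocky:v0.22` is a floating minor tag, whereas the line it replaces pinned an exact release (`0.54.0`); for the component that terminates DoT for the cluster, pin the image by digest as well, e.g. `image: ghcr.io/0xerr0r/blocky:v0.22@sha256:<digest-placeholder>`. The container is still named `dnsproxy` and the TLS mount still lives under `/etc/pki/dnsproxy` although it now runs blocky; renaming is optional, but if you do, `certFile`/`keyFile` in the ConfigMap and the `mountPath` must change together. The container spec continues outside this hunk.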
@@ -58,6 +80,8 @@ spec:
             - name: tls-secret
               mountPath: "/etc/pki/dnsproxy"
               readOnly: true
+            - name: config
+              mountPath: "/etc/blocky/"
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
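Review bot: The new `config` volumeMount has no `readOnly: true`, unlike the adjacent `tls-secret` mount; the ConfigMap mount is read-only in practice, but the explicit flag keeps the two mounts consistent and makes the intent visible to policy tooling. Suggested addition under `mountPath: "/etc/blocky/"`: `readOnly: true`.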
@@ -69,6 +93,10 @@ spec:
           secret:
             secretName: ingress-dns-tls
             optional: false
+        - name: config
+          configMap:
+            name: blocky-config
+            optional: false
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
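Review bot: Mounting `blocky-config` as a plain ConfigMap volume means edits to the ConfigMap reach the pod's filesystem without a rollout, and unless blocky re-reads its config on change (I don't believe it does) the running resolver keeps the old settings until the pod is restarted. Either add a checksum annotation of the ConfigMap to the pod template (the template metadata is outside this hunk) or use a versioned/immutable ConfigMap name that is bumped together with the Deployment, so a config change always rolls the pods.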
-- 
GitLab