hblock-resolver
A Docker image of Knot DNS Resolver with hBlock.
hBlock Resolver
A Docker image of Knot Resolver configured to automatically block ads, tracking and malware domains with hBlock.
Start an instance
docker run --detach \
--name hblock-resolver \
--publish 127.0.0.153:53:53/udp \
--publish 127.0.0.153:53:53/tcp \
--publish 127.0.0.153:443:443/tcp \
--publish 127.0.0.153:853:853/tcp \
--publish 127.0.0.153:8453:8453/tcp \
--mount type=volume,src=hblock-resolver-data,dst=/var/lib/knot-resolver/ \
docker.io/hectorm/hblock-resolver:latest
Warning: do not expose this service to the open internet. An open DNS resolver represents a significant threat and it can be used in a number of different attacks, such as DNS amplification attacks.
Environment variables
KRESD_CACHE_SIZE (default: 50)
Maximum cache size in megabytes.
KRESD_DNS{1..4}_IP (default: 1.1.1.1@853 and 1.0.0.1@853)
IP (and optionally port) of the DNS-over-TLS server to which the queries will be forwarded (alternative DoT servers).
KRESD_DNS{1..4}_HOSTNAME (default: cloudflare-dns.com)
Hostname of the DNS-over-TLS server to which the queries will be forwarded (CA+hostname authentication docs).
KRESD_DNS{1..4}_PIN_SHA256 (default: empty)
Certificate hash of the DNS-over-TLS server to which the queries will be forwarded (key-pinned authentication docs).
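The value for KRESD_DNS{n}_PIN_SHA256 has to be derived from the upstream server's certificate. The following is an added example, not code from this image or from Knot Resolver: it computes the pin from a DER certificate with only the Python standard library, assuming the pin is the base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo (the RFC 7469 key-pinning form). The certificate it parses is a constructed skeleton with dummy fields, not a real one; in practice you would feed it the DER of the certificate the DoT server presents.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_tlv(tag, value):
    """Encode a DER TLV; used here only to build the constructed sample certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def spki_pin_sha256(cert_der):
    """Base64 SHA-256 over the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                      # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    start = pos
    _, _, end = read_tlv(tbs, pos)                     # subjectPublicKeyInfo: hash the whole TLV
    return base64.b64encode(hashlib.sha256(tbs[start:end]).digest()).decode()

# Constructed sample: a DER certificate skeleton with dummy issuer/subject/validity and a
# made-up, unsigned RSA key; it is not a real certificate and exists only so the example
# runs offline. The 131-byte BIT STRING forces a long-form length to exercise that path.
SAMPLE_SPKI = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))  # rsaEncryption
    + der_tlv(0x03, b"\x00" + b"\x01" * 130))
SAMPLE_CERT = der_tlv(0x30,
    der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # version v3
        + der_tlv(0x02, b"\x01")                       # serialNumber
        + der_tlv(0x30, b"") * 4                       # signature, issuer, validity, subject (dummy)
        + SAMPLE_SPKI)
    + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))     # signatureAlgorithm, signatureValue (dummy)

def sample_pin():
    """Pin of SAMPLE_CERT, in the form expected for KRESD_DNS1_PIN_SHA256."""
    return spki_pin_sha256(SAMPLE_CERT)

if __name__ == "__main__":
    print("KRESD_DNS1_PIN_SHA256=" + sample_pin())
```

Because the pin covers only the public key, it survives certificate renewals that keep the same key pair but must be updated whenever the upstream operator rotates the key.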
KRESD_INSTANCE_NUMBER (default: 1)
Number of instances to launch.
KRESD_RECENTLY_BLOCKED_NUMBER (default: 100)
Number of recently blocked domains to store in memory for each instance. The /recently_blocked endpoint returns an aggregated list of all instances.
KRESD_CERT_MANAGED (default: true)
If set to true, a self-signed certificate will be generated. You can provide your own certificate with these options:
--env KRESD_CERT_MANAGED=false \
--mount type=bind,src=/path/to/server.key,dst=/var/lib/knot-resolver/ssl/server.key,ro \
--mount type=bind,src=/path/to/server.crt,dst=/var/lib/knot-resolver/ssl/server.crt,ro \
Note: for a more advanced setup, look at the following example with Let's Encrypt and Caddy.
KRESD_NIC (default: empty)
If defined, kresd will only listen on the specified interface. Some users observed a considerable performance gain, close to 100%, in Docker containers when they bound the daemon to a single interface:IP address pair (dynamic configuration docs, CZ-NIC/knot-resolver#32).
KRESD_LOG_LEVEL (default: notice)
Set the global logging level. The possible values are: crit, err, warning, notice, info or debug.
Additional configuration
The main Knot DNS Resolver configuration is located in /etc/knot-resolver/kresd.conf. If you would like to add additional configuration, add one or more *.conf files under /etc/knot-resolver/kresd.conf.d/.
License
See the license file.