feat(): remove DoT in favor of DoQ

desec-io · Jan 22, 2024 · a3e1c87 · a3e1c87
1 parent 9e087e0
commit a3e1c87
Show file tree

Hide file tree

Showing 9 changed files with 3 additions and 133 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -68,7 +68,6 @@ jobs:
 
     - name: Create necessary symlinks in desec-stack  # desec-stack is docker-compose base directory
       run: |
-        ln -s ../desec-ns/dnsdist
         ln -s ../desec-ns/dox-certs
         ln -s ../desec-ns/ns
         ln -s ../desec-ns/knot-exporter

diff --git a/README.md b/README.md
@@ -2,8 +2,7 @@
 
 This is a docker-compose application to run a nameserver. Zone data is automatically provided to this application via database replication. The application consists of
 
-- `dnsdist`: Frontend DNS load balancer (dnsdist), currently forwarding to the `ns` container. It is mainly there to support more advanced features in the future.
-- `ns`: Actual DNS server (PowerDNS).
+- `ns`: Actual DNS server.
 - `replicator`: Python container running a replication loop.
 - `openvpn-client`: OpenVPN client container providing network services for `ns` and `replicator`.
 
@@ -74,7 +73,7 @@ Take a backup file created in the previous step and store it at `./lmdb-backup/b
     exposing ports on the host IPv6 address through `docker-proxy`.
 
   - This stack is IPv6-capable. To prevent evil people from abusing this app for DNS amplification attacks, it is highly recommended to rate limit requests by IP (or take 
-    some smarter precaution). In particular, consider using the iptables hashlimit module, or dnsdist's traffic policy settings.
+    some smarter precaution). In particular, consider using he nameserver's policy settings, or the iptables hashlimit module.
 
     When using iptables, note that whenever you restart the docker daemon or this application (`docker-compose down; docker-compose up`), docker will insert its own rules 
     at the top of the chain. You therefore have to make sure that these rules get re-applied whenever docker decides to jump the queue.

diff --git a/dnsdist/Dockerfile b/dnsdist/Dockerfile
diff --git a/dnsdist/conf/dnsdist.conf b/dnsdist/conf/dnsdist.conf
diff --git a/dnsdist/entrypoint.sh b/dnsdist/entrypoint.sh
diff --git a/docker-compose.connect-stack.yml b/docker-compose.connect-stack.yml
@@ -22,7 +22,7 @@ services:
       - openvpn-server
     networks:
       nsfront:
-        ipv4_address: 10.16.0.127  # reaches dnsdist at 10.16.0.2
+        ipv4_address: 10.16.0.127
 
 networks:
   vpnconnect:

diff --git a/docker-compose.dump.yml b/docker-compose.dump.yml
@@ -2,10 +2,6 @@ version: '2.2'
 
 # mostly extending from main .yml
 services:
-  dnsdist:
-    entrypoint: ["echo", "Service disabled"]
-    restart: "no"
-
   openvpn-client_monitor:
     entrypoint: ["echo", "Service disabled"]
     restart: "no"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -64,33 +64,6 @@ services:
         tag: "desec-ns/knot-exporter"
     restart: unless-stopped
 
-  dnsdist:
-    build: dnsdist
-    image: ${DOCKER_REGISTRY}desec/desec-ns-dnsdist:latest
-    init: true
-    depends_on:
-    - ns
-    - dox-certs
-    cap_add:
-    - NET_ADMIN
-    ports:
-    - "${DESEC_NS_PUBLIC_PORT_DOT:-853}:853/tcp"
-    environment:
-    - DESEC_NS_CARBONSERVER
-    - DESEC_NS_CARBONOURNAME
-    volumes:
-    - dox-certs:/etc/dnsdist/certs
-    networks:
-      nsmiddle:
-        ipv4_address: 10.16.2.3
-      nsrearmonitoring_dnsdist:
-        ipv4_address: 10.16.4.10
-    logging:
-      driver: "syslog"
-      options:
-        tag: "desec-ns/dnsdist"
-    restart: unless-stopped
-
   openvpn-client:
     build: openvpn-client
     image: desec/openvpn-client:latest
@@ -160,8 +133,6 @@ services:
     - prometheus:/prometheus
     networks:
       nsrearmonitoring_openvpn-client:
-      nsrearmonitoring_dnsdist:
-        ipv4_address: 10.16.4.11
     logging:
       driver: "syslog"
       options:
@@ -209,10 +180,3 @@ networks:
         config:
         - subnet: 10.16.4.0/29
           gateway: 10.16.4.1
-  nsrearmonitoring_dnsdist:
-      driver: bridge
-      ipam:
-        driver: default
-        config:
-        - subnet: 10.16.4.8/29
-          gateway: 10.16.4.9
diff --git a/prometheus/conf/prometheus.yml b/prometheus/conf/prometheus.yml
@@ -15,12 +15,6 @@ scrape_configs:
   - job_name: 'openvpn-client'
     static_configs:
       - targets: ['openvpn-client_monitor:9176']
-  - job_name: 'dnsdist'
-    static_configs:
-      - targets: ['dnsdist:8083']
-    basic_auth:
-      username: arbitrary
-      password: we+ensure+security+via+network+segmentation
   - job_name: 'knot-exporter'
     static_configs:
       - targets: ['knot-exporter:9433']