initial commit

2020-05-29 17:58:14 -04:00 · 2020-05-29 17:58:14 -04:00 · dc27d65439
commit dc27d65439
9 changed files with 212 additions and 0 deletions
--- a/44
+++ b/44
@ -0,0 +1,44 @@
+FROM golang:alpine as builder
+LABEL maintainer "George Tankersley <george@zfnd.org>"
+
+ENV PATH /go/bin:/usr/local/go/bin:$PATH
+ENV GOPATH /go
+
+RUN apk --no-cache add \
+	bash \
+	ca-certificates \
+	git \
+	make
+
+ENV COREDNS_VERSION v1.6.9
+
+RUN git clone --depth 1 --branch ${COREDNS_VERSION} https://github.com/coredns/coredns /go/src/github.com/coredns/coredns
+
+WORKDIR /go/src/github.com/coredns/coredns
+
+RUN echo "dnsseed:github.com/zcashfoundation/dnsseeder/dnsseed" >> /go/src/github.com/coredns/coredns/plugin.cfg
+RUN echo "replace github.com/btcsuite/btcd => github.com/gtank/btcd v0.0.0-20191012142736-b43c61a68604" >> /go/src/github.com/coredns/coredns/go.mod
+
+RUN make all \
+	&& mv coredns /usr/bin/coredns
+
+FROM alpine:latest
+
+COPY --from=builder /usr/bin/coredns /usr/bin/coredns
+COPY --from=builder /etc/ssl/certs/ /etc/ssl/certs
+
+COPY coredns/Corefile /etc/dnsseeder/Corefile
+
+# DNS will bind to 8053
+EXPOSE 8053
+
+# Global health check will respond 200 OK on 8080
+EXPOSE 8080
+
+VOLUME /etc/dnsseeder
+
+RUN adduser --disabled-password dnsseeder
+USER dnsseeder
+
+ENTRYPOINT [ "coredns" ]
+CMD [ "-conf", "/etc/dnsseeder/Corefile", "-dns.port", "8053"]
--- a/24
+++ b/24
@ -0,0 +1,24 @@
+.PHONY: docker docker-run install uninstall all clean
+
+all: build_output/coredns
+
+clean:
+	rm -rf build_output
+
+build_output:
+	mkdir build_output
+
+build_output/coredns: build_output
+	bash scripts/build.sh
+
+install: build_output/coredns
+	bash scripts/install_systemd.sh
+
+uninstall:
+	bash scripts/uninstall_systemd.sh
+
+docker:
+	docker build -t zfnd-seeder:latest -f Dockerfile .
+
+docker-run:
+	docker run --rm -p 53:8053/udp -p 53:8053/tcp -p 8080 zfnd-seeder:latest
--- a/README.md
+++ b/README.md
@ -0,0 +1,29 @@
+# Zcash DNS Seeder
+
+This repo contains scripts for building and deploying the Zcash Foundation's DNS seeder. There are several options for how to deploy a seeder of your own:
+
+### Docker
+
+To build the container, run either `make docker` or `docker build -t zfnd-seeder:latest -f Dockerfile .`.
+
+To run the container, use `make docker-run` or `docker run --rm -p 53:8053/udp -p 53:8053/tcp -p 8080 zfnd-seeder:latest`. That will bind the DNS listener to the host's port 53 and leave `:8080`, which is an HTTP health check endpoint, floating in Docker's automatic port mappings. The seeder is stateless so it's fine to `--rm` the containers when they exit.
+
+If you want to override the default Corefile (and you should because it won't work with your domain), mount a volume over `/etc/dnsseeder/Corefile`.
+
+### Debian package
+
+TODO
+
+### Deploying from binary to a generic systemd Linux
+
+TODO
+
+### Deploying from source to a generic systemd Linux
+
+Clone this repo to the machine you want to deploy to, which will need to have a working Go build environment. Then run `sudo make install` and you're good to go. If you'd prefer not to do that, the only part of the build and install process that actually *needs* elevated permissions is linking the systemd configuration.
+
+Further down the rabbit hole, you can look at what `scripts/build.sh` and `scripts/install_systemd.sh` do and then do that manually instead. It's Go, so you can pretty much just `scp` the coredns binary and Corefile to wherever you want.
+
+## DNS configuration
+
+Let's say you want to configure seeders for the Zcash mainnet and testnet under the domain `dnsseed.example.com`. Then you would add an `NS` record for the subdomain `dnsseed` under your `example.com` configuration pointing to the address where you've deployed the seeder. The seeder will automatically respond to any subdomains as configured, so if your Corefile looks like [the default](coredns/Corefile) you'll end up with `mainnet.dnsseed.example.com` and `testnet.dnsseed.example.com`.
--- a/coredns/Corefile
+++ b/coredns/Corefile
@ -0,0 +1,24 @@
+# Bootstrap from mainnet.z.cash
+mainnet.seeder.yolo.money {
+    dnsseed {
+        network mainnet
+        bootstrap_peers 104.236.180.231:8233
+        crawl_interval 30m
+        record_ttl 600
+    }
+}
+
+# Bootstrap from testnet.z.cash
+testnet.seeder.yolo.money {
+    dnsseed {
+        network testnet
+        bootstrap_peers 198.199.112.230:18233
+        crawl_interval 15m
+        record_ttl 300
+    }
+}
+
+# Returns 200 OK on :8080/health
+. {
+    health :8080
+}
--- a/scripts/build.sh
+++ b/scripts/build.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -exuo pipefail
+
+WORKDIR="$(pwd)"
+BUILD_DIR=$(mktemp -d)
+COREDNS_VERSION="v1.6.9"
+
+git clone --branch ${COREDNS_VERSION} https://github.com/coredns/coredns ${BUILD_DIR}
+cd ${BUILD_DIR}
+echo "dnsseed:github.com/zcashfoundation/dnsseeder/dnsseed" >> plugin.cfg
+echo "replace github.com/btcsuite/btcd => github.com/gtank/btcd v0.0.0-20191012142736-b43c61a68604" >> go.mod
+make
+
+if [ ! -d ${WORKDIR}/build_output ]; then
+    mkdir ${WORKDIR}/build_output
+fi
+
+cp ${BUILD_DIR}/coredns ${WORKDIR}/build_output/coredns
+cd ${WORKDIR}
+rm -rf ${BUILD_DIR}
--- a/scripts/install_systemd.sh
+++ b/scripts/install_systemd.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+# Sketch of a working deployment of the DNS seeder with systemd
+
+set -uxeo pipefail
+
+mkdir /etc/dnsseeder
+mkdir /etc/systemd/resolved.conf.d/
+
+cp build_output/coredns /etc/dnsseeder/coredns
+cp coredns/Corefile /etc/dnsseeder/Corefile
+
+cat <<EOF >> /etc/dnsseeder/Corefile
+# Replace systemd-resolved so we can bind .:53 without breaking the system DNS.
+# Load-balances forwarded queries across Cloudflare and both Google DNS servers
+. {
+    bind 127.0.0.53
+    cache 120
+    forward . 1.1.1.1 8.8.8.8 8.8.4.4
+}
+EOF
+
+cp systemd/dnsseeder.service /etc/dnsseeder/
+cp systemd/10-resolved-override.conf /etc/dnsseeder/
+
+ln -s /etc/dnsseeder/dnsseeder.service /etc/systemd/system/
+ln -s /etc/dnsseeder/dnsseeder.service /etc/systemd/system/multi-user.target.wants/
+ln -s /etc/dnsseeder/10-resolved-override.conf /etc/systemd/resolved.conf.d/
+
+systemctl daemon-reload
+systemctl stop systemd-resolved
+systemctl start dnsseeder
+systemctl start systemd-resolved
--- a/scripts/uninstall_systemd.sh
+++ b/scripts/uninstall_systemd.sh
@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -uxeo pipefail
+
+systemctl stop dnsseeder
+
+rm /etc/systemd/system/multi-user.target.wants/dnsseeder.service
+rm /etc/systemd/system/dnsseeder.service
+rm /etc/systemd/resolved.conf.d/10-resolved-override.conf
+
+rm -r /etc/dnsseeder
+
+systemctl daemon-reload
+systemctl restart systemd-resolved
--- a/systemd/10-resolved-override.conf
+++ b/systemd/10-resolved-override.conf
@ -0,0 +1,3 @@
+[Resolve]
+DNS=127.0.0.53
+DNSStubListener=no
--- a/systemd/dnsseeder.service
+++ b/systemd/dnsseeder.service
@ -0,0 +1,21 @@
+[Unit]
+Description=DNS seeder for the Zcash network
+Before=systemd-resolved
+
+[Service]
+Type=simple
+ExecStart=/etc/dnsseeder/coredns -conf /etc/dnsseeder/Corefile
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+
+DynamicUser=yes
+ProtectHome=yes
+ProtectSystem=strict
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target