initial commit
commit
dc27d65439
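--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,44 @@
+FROM golang:alpine as builder
+LABEL maintainer "George Tankersley <george@zfnd.org>"
+
+ENV PATH /go/bin:/usr/local/go/bin:$PATH
+ENV GOPATH /go
+
+RUN apk --no-cache add \
+bash \
+ca-certificates \
+git \
+make
+
+ENV COREDNS_VERSION v1.6.9
+
+RUN git clone --depth 1 --branch ${COREDNS_VERSION} https://github.com/coredns/coredns /go/src/github.com/coredns/coredns
+
+WORKDIR /go/src/github.com/coredns/coredns
+
+RUN echo "dnsseed:github.com/zcashfoundation/dnsseeder/dnsseed" >> /go/src/github.com/coredns/coredns/plugin.cfg
+RUN echo "replace github.com/btcsuite/btcd => github.com/gtank/btcd v0.0.0-20191012142736-b43c61a68604" >> /go/src/github.com/coredns/coredns/go.mod
+
+RUN make all \
+&& mv coredns /usr/bin/coredns
+
+FROM alpine:latest
+
+COPY --from=builder /usr/bin/coredns /usr/bin/coredns
+COPY --from=builder /etc/ssl/certs/ /etc/ssl/certs
+
+COPY coredns/Corefile /etc/dnsseeder/Corefile
+
+# DNS will bind to 8053
+EXPOSE 8053
+
+# Global health check will respond 200 OK on 8080
+EXPOSE 8080
+
+VOLUME /etc/dnsseeder
+
+RUN adduser --disabled-password dnsseeder
+USER dnsseeder
+
+ENTRYPOINT [ "coredns" ]
+CMD [ "-conf", "/etc/dnsseeder/Corefile", "-dns.port", "8053"]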
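Review bot: Both base images float — `FROM golang:alpine as builder` and `FROM alpine:latest` — so the Go toolchain and the runtime libc can change underneath a rebuild with no change to this file, while the CoreDNS tag is the only pinned input. Pin each to a specific tag and digest, e.g. `FROM alpine:<pinned-tag>@sha256:<digest>` (placeholders; take the values from the registry at pin time), and write the `ENV PATH` / `ENV GOPATH` lines in `key=value` form, since the space-separated form is deprecated. The `git clone --depth 1 --branch ${COREDNS_VERSION}` step trusts the tag name alone; recording the expected commit hash and checking it after the clone would keep the build reproducible even if the tag were moved.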
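--- /dev/null
+++ b/Makefile
@@ -0,0 +1,24 @@
+.PHONY: docker docker-run install uninstall all clean
+
+all: build_output/coredns
+
+clean:
+rm -rf build_output
+
+build_output:
+mkdir build_output
+
+build_output/coredns: build_output
+bash scripts/build.sh
+
+install: build_output/coredns
+bash scripts/install_systemd.sh
+
+uninstall:
+bash scripts/uninstall_systemd.sh
+
+docker:
+docker build -t zfnd-seeder:latest -f Dockerfile .
+
+docker-run:
+docker run --rm -p 53:8053/udp -p 53:8053/tcp -p 8080 zfnd-seeder:latest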
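Review bot: `build_output/coredns: build_output` makes the binary an ordinary dependent of the directory, so the target is considered stale whenever the directory's mtime moves (any file created or removed inside it); an order-only prerequisite, `build_output/coredns: | build_output`, is the usual fix. scripts/build.sh also creates `build_output` itself, so the `build_output:` rule duplicates that step and one of the two should own it. Recipe lines show no leading tab on this page, which may be a rendering artefact, but make requires a tab before `rm -rf build_output` and the other recipe lines.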
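--- /dev/null
+++ b/UNKNOWN_PATH_README
@@ -0,0 +1,29 @@
+# Zcash DNS Seeder
+
+This repo contains scripts for building and deploying the Zcash Foundation's DNS seeder. There are several options for how to deploy a seeder of your own:
+
+### Docker
+
+To build the container, run either `make docker` or `docker build -t zfnd-seeder:latest -f Dockerfile .`.
+
+To run the container, use `make docker-run` or `docker run --rm -p 53:8053/udp -p 53:8053/tcp -p 8080 zfnd-seeder:latest`. That will bind the DNS listener to the host's port 53 and leave `:8080`, which is an HTTP health check endpoint, floating in Docker's automatic port mappings. The seeder is stateless so it's fine to `--rm` the containers when they exit.
+
+If you want to override the default Corefile (and you should because it won't work with your domain), mount a volume over `/etc/dnsseeder/Corefile`.
+
+### Debian package
+
+TODO
+
+### Deploying from binary to a generic systemd Linux
+
+TODO
+
+### Deploying from source to a generic systemd Linux
+
+Clone this repo to the machine you want to deploy to, which will need to have a working Go build environment. Then run `sudo make install` and you're good to go. If you'd prefer not to do that, the only part of the build and install process that actually *needs* elevated permissions is linking the systemd configuration.
+
+Further down the rabbit hole, you can look at what `scripts/build.sh` and `scripts/install_systemd.sh` do and then do that manually instead. It's Go, so you can pretty much just `scp` the coredns binary and Corefile to wherever you want.
+
+## DNS configuration
+
+Let's say you want to configure seeders for the Zcash mainnet and testnet under the domain `dnsseed.example.com`. Then you would add an `NS` record for the subdomain `dnsseed` under your `example.com` configuration pointing to the address where you've deployed the seeder. The seeder will automatically respond to any subdomains as configured, so if your Corefile looks like [the default](coredns/Corefile) you'll end up with `mainnet.dnsseed.example.com` and `testnet.dnsseed.example.com`.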
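--- /dev/null
+++ b/coredns/Corefile
@@ -0,0 +1,24 @@
+# Bootstrap from mainnet.z.cash
+mainnet.seeder.yolo.money {
+dnsseed {
+network mainnet
+bootstrap_peers 104.236.180.231:8233
+crawl_interval 30m
+record_ttl 600
+}
+}
+
+# Bootstrap from testnet.z.cash
+testnet.seeder.yolo.money {
+dnsseed {
+network testnet
+bootstrap_peers 198.199.112.230:18233
+crawl_interval 15m
+record_ttl 300
+}
+}
+
+# Returns 200 OK on :8080/health
+. {
+health :8080
+}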
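Review bot: The `bootstrap_peers` lines carry bare IP addresses while the comments above them say `Bootstrap from mainnet.z.cash` / `testnet.z.cash`, so nothing in the file ties each address to the host it is meant to stand for once that host moves; record the hostname and the date the address was resolved beside each one, e.g. `bootstrap_peers 104.236.180.231:8233 # mainnet.z.cash, resolved <date>`. The closing `. { health :8080 }` block is a catch-all zone, so queries for names outside the two seeder zones land in a server block with no DNS plugins; presumably that yields a failure response rather than data, but it is worth confirming since the README maps the listener to the host's port 53.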
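--- /dev/null
+++ b/scripts/build.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -exuo pipefail
+
+WORKDIR="$(pwd)"
+BUILD_DIR=$(mktemp -d)
+COREDNS_VERSION="v1.6.9"
+
+git clone --branch ${COREDNS_VERSION} https://github.com/coredns/coredns ${BUILD_DIR}
+cd ${BUILD_DIR}
+echo "dnsseed:github.com/zcashfoundation/dnsseeder/dnsseed" >> plugin.cfg
+echo "replace github.com/btcsuite/btcd => github.com/gtank/btcd v0.0.0-20191012142736-b43c61a68604" >> go.mod
+make
+
+if [ ! -d ${WORKDIR}/build_output ]; then
+mkdir ${WORKDIR}/build_output
+fi
+
+cp ${BUILD_DIR}/coredns ${WORKDIR}/build_output/coredns
+cd ${WORKDIR}
+rm -rf ${BUILD_DIR}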
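Review bot: The directory from `BUILD_DIR=$(mktemp -d)` is only removed on the success path; with `set -e` any failing step (a clone error, a broken `make`) exits before the trailing `rm -rf` and leaves a full CoreDNS checkout in the temp dir. Add `trap 'rm -rf "${BUILD_DIR}"' EXIT` on the line after the `mktemp`, after which the final `rm -rf ${BUILD_DIR}` is redundant. Every expansion is unquoted (`cd ${BUILD_DIR}`, `cp ${BUILD_DIR}/coredns ${WORKDIR}/build_output/coredns`, the `[ ! -d ... ]` test); quoting them keeps the script working when the checkout lives under a path with spaces. The clone is also pinned by tag name only and lacks the `--depth 1` the Dockerfile uses; matching the two and checking the resolved commit hash would make the two build paths produce the same binary.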
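--- /dev/null
+++ b/scripts/install_systemd.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Sketch of a working deployment of the DNS seeder with systemd
+
+set -uxeo pipefail
+
+mkdir /etc/dnsseeder
+mkdir /etc/systemd/resolved.conf.d/
+
+cp build_output/coredns /etc/dnsseeder/coredns
+cp coredns/Corefile /etc/dnsseeder/Corefile
+
+cat <<EOF >> /etc/dnsseeder/Corefile
+# Replace systemd-resolved so we can bind .:53 without breaking the system DNS.
+# Load-balances forwarded queries across Cloudflare and both Google DNS servers
+. {
+bind 127.0.0.53
+cache 120
+forward . 1.1.1.1 8.8.8.8 8.8.4.4
+}
+EOF
+
+cp systemd/dnsseeder.service /etc/dnsseeder/
+cp systemd/10-resolved-override.conf /etc/dnsseeder/
+
+ln -s /etc/dnsseeder/dnsseeder.service /etc/systemd/system/
+ln -s /etc/dnsseeder/dnsseeder.service /etc/systemd/system/multi-user.target.wants/
+ln -s /etc/dnsseeder/10-resolved-override.conf /etc/systemd/resolved.conf.d/
+
+systemctl daemon-reload
+systemctl stop systemd-resolved
+systemctl start dnsseeder
+systemctl start systemd-resolved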
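Review bot: The script cannot be re-run: `mkdir /etc/dnsseeder` and `mkdir /etc/systemd/resolved.conf.d/` fail on a second invocation under `set -e`, and when they are bypassed the `cat <<EOF >> /etc/dnsseeder/Corefile` appends another copy of the `.` forward block on every run; use `mkdir -p` and assemble the Corefile fresh (copy, then append once) rather than appending to whatever is already there. The closing sequence stops systemd-resolved before dnsseeder is known to be up, so a failing `systemctl start dnsseeder` aborts the script (again `set -e`) with the host left without DNS; a `trap 'systemctl start systemd-resolved' EXIT` placed before the stop restores the resolver on every exit path. The two `ln -s` lines into `/etc/systemd/system/` and `multi-user.target.wants/` re-implement `systemctl enable`; `systemctl enable /etc/dnsseeder/dnsseeder.service` creates both links and keeps systemd's own bookkeeping consistent.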
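--- /dev/null
+++ b/scripts/uninstall_systemd.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -uxeo pipefail
+
+systemctl stop dnsseeder
+
+rm /etc/systemd/system/multi-user.target.wants/dnsseeder.service
+rm /etc/systemd/system/dnsseeder.service
+rm /etc/systemd/resolved.conf.d/10-resolved-override.conf
+
+rm -r /etc/dnsseeder
+
+systemctl daemon-reload
+systemctl restart systemd-resolved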
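Review bot: Every `rm` here is unconditional, so under `set -e` the first missing path — after a half-finished install, or after someone removed a link by hand — aborts the script before `rm -r /etc/dnsseeder` and the resolved restart ever run; `rm -f` on the three links and `rm -rf /etc/dnsseeder` let the uninstall complete from any partial state. `systemctl stop dnsseeder` is likewise fatal when the unit is not loaded; `systemctl stop dnsseeder || true` keeps the cleanup going.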
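--- /dev/null
+++ b/systemd/10-resolved-override.conf
@@ -0,0 +1,3 @@
+[Resolve]
+DNS=127.0.0.53
+DNSStubListener=no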
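Review bot: Nothing in this drop-in says why resolved's stub listener is turned off and its upstream pointed at the very address the stub normally occupies; the intent is only recoverable from the install script, which appends a coredns server block with `bind 127.0.0.53`. A header comment makes the file self-describing, e.g. `# coredns binds 127.0.0.53 (see /etc/dnsseeder/Corefile); resolved forwards to it instead of running its own stub listener there.`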
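--- /dev/null
+++ b/systemd/dnsseeder.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=DNS seeder for the Zcash network
+Before=systemd-resolved
+
+[Service]
+Type=simple
+ExecStart=/etc/dnsseeder/coredns -conf /etc/dnsseeder/Corefile
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+
+DynamicUser=yes
+ProtectHome=yes
+ProtectSystem=strict
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target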
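Review bot: `Before=systemd-resolved` names the unit without its type suffix; systemd dependency directives take full unit names, so this should read `Before=systemd-resolved.service` — as written it is most likely logged as an invalid dependency and ignored, which is worth confirming with `systemctl show dnsseeder -p Before` after the fix. The sandboxing block is a solid baseline; since the process only needs IP sockets, `RestrictAddressFamilies=AF_INET AF_INET6` and `PrivateDevices=yes` would narrow it further without touching the `bind`/`forward` configuration the install script appends.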