-- Two DNS-suffix sets (newDS is supplied by the pdns-recursor Lua runtime):
-- names to sinkhole and names that must never be sinkholed. Both are empty
-- here and are populated from the generated list files later in this script.
adservers, permitted = newDS(), newDS()
-- Per-query hook the recursor runs before resolving anything.
-- dq: the query object; dq.qname and dq.qtype are read, dq:addAnswer() is
--     called to attach a synthetic record.
-- Returns false to let the query resolve normally (name allow-listed, or not
-- on the block list at all), true when the query has been handled here.
-- A blocked name gets a loopback A or AAAA answer; any other qtype for a
-- blocked name is still reported as handled, so it returns an empty answer
-- rather than being resolved upstream (presumably intentional).
function preresolve(dq)
  local name = dq.qname
  -- The allow list wins, and is checked first so a permitted name never
  -- touches the block list.
  if permitted:check(name) then
    return false
  end
  if not adservers:check(name) then
    return false
  end
  local qtype = dq.qtype
  local sinkhole
  if qtype == pdns.A then
    sinkhole = "127.0.0.1"
  elseif qtype == pdns.AAAA then
    sinkhole = "::1"
  end
  if sinkhole then
    dq:addAnswer(qtype, sinkhole)
  end
  return true
end
-- Populate both sets from the Lua files the blocklister init container writes
-- into /srv/data from the remote lists. dofile() executes those files as Lua
-- inside the recursor, so the generator must emit only escaped string data,
-- never raw list lines.
for _, source in ipairs({
  { set = adservers, path = "/srv/data/blocklist.lua" },
  { set = permitted, path = "/srv/data/permitted.lua" },
}) do
  source.set:add(dofile(source.path))
end
# blocklister configuration (mounted from the blocklister-config ConfigMap).
# The init container fetches these lists at every pod start and turns them into
# the Lua files that adblock.lua loads with dofile().
# Lists whose names are sinkholed. Fetched over HTTPS, but the content is
# third-party data that ends up executed as Lua, so every entry must be escaped
# by the generator.
blocklists = [
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt",
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt",
"https://v.firebog.net/hosts/static/w3kbl.txt",
"https://v.firebog.net/hosts/AdguardDNS.txt",
]
# Names that are never sinkholed even when a blocklist contains them.
permitted = [ "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt" ]
# Output paths; these must match the dofile() paths in adblock.lua and live on
# the /srv/data emptyDir shared with the recursor container.
blocklist_output = "/srv/data/blocklist.lua"
permitted_output = "/srv/data/permitted.lua"
# Identity used only by the nightly restart CronJob; it is bound to a
# namespaced Role scoped to the recursor Deployment and nothing else.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: recursor-restart
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: recursor-restart
  namespace: default
rules:
  # Exactly what `kubectl rollout restart deployment/recursor` needs: read and
  # patch one Deployment. resourceNames keeps the grant from reaching any other
  # Deployment in the namespace. Deployments are no longer served under the
  # extensions group on current clusters, so that entry is inert but harmless.
  - apiGroups:
      - apps
      - extensions
    resources:
      - deployments
    resourceNames:
      - recursor
    verbs:
      - get
      - patch
---
# Grants the recursor-restart Role to the recursor-restart ServiceAccount.
# A Role/RoleBinding pair (not Cluster*) keeps the grant inside the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: recursor-restart
  namespace: default
subjects:
  - kind: ServiceAccount
    name: recursor-restart
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: recursor-restart
---
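# Restarts the recursor Deployment every night so its init container re-fetches
# the blocklists into the pod's emptyDir; there is no other refresh path.
# batch/v1beta1 is deprecated; batch/v1 is the GA CronJob API on clusters >= 1.21.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: recursor-restart
  namespace: default
spec:
  schedule: '0 3 * * *'  # 03:00 daily, in the controller's time zone
  concurrencyPolicy: Forbid  # never run two restarts at once
  jobTemplate:
    spec:
      backoffLimit: 2
      activeDeadlineSeconds: 600  # give up on a hung kubectl after 10 minutes
      template:
        spec:
          # The token is required here: kubectl talks to the API with it.
          serviceAccountName: recursor-restart
          restartPolicy: Never
          containers:
            - name: kubectl
              # TODO: pin to a specific tag (ideally a digest). Unpinned, this
              # resolves to a mutable :latest that runs with write access to
              # the recursor Deployment.
              image: bitnami/kubectl
              command: ["kubectl", "rollout", "restart", "deployment/recursor"]
              # kubectl needs no privileges beyond the API token, so lock the
              # container down.
              securityContext:
                allowPrivilegeEscalation: false
                runAsNonRoot: true
                capabilities:
                  drop: ["ALL"]
                seccompProfile:
                  type: RuntimeDefault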
---
# DNS over UDP, exposed on the LAN through MetalLB. The allow-shared-ip
# annotation lets this and recursor-tcp share one address, presumably because
# a single Service could not mix UDP and TCP on the same port.
# NOTE(review): externalTrafficPolicy is unset (Cluster), so the recursor sees
# node addresses rather than the real client addresses; any per-client
# allow-from rules or query logs will not reflect LAN clients.
apiVersion: v1
kind: Service
metadata:
  name: recursor-udp
  namespace: default
  labels:
    app.kubernetes.io/instance: recursor
  annotations:
    metallb.universe.tf/allow-shared-ip: k8s-ext57
spec:
  type: LoadBalancer
  loadBalancerIP: 192.168.1.232
  selector:
    app: recursor
  ports:
    - name: udp-dns
      protocol: UDP
      port: 53
      targetPort: udp-dns
---
# DNS over TCP on the same MetalLB address as recursor-udp (see the shared-ip
# annotation). Same caveat as the UDP Service: with externalTrafficPolicy
# unset the recursor does not see client source addresses.
apiVersion: v1
kind: Service
metadata:
  name: recursor-tcp
  namespace: default
  labels:
    app.kubernetes.io/instance: recursor
  annotations:
    metallb.universe.tf/allow-shared-ip: k8s-ext57
spec:
  type: LoadBalancer
  loadBalancerIP: 192.168.1.232
  selector:
    app: recursor
  ports:
    - name: tcp-dns
      protocol: TCP
      port: 53
      targetPort: tcp-dns
# recursor.conf (mounted from the recursor-config ConfigMap at /srv/config).
# Listen on every pod address, v4 and v6; the two LoadBalancer Services forward
# 53/udp and 53/tcp here. allow-from is not set, so the recursor's default
# client ranges apply — NOTE(review): confirm those cover the LAN clients behind
# 192.168.1.232 and nothing wider.
local-address=0.0.0.0, ::
# No syslog daemon in the container; logs presumably go to stdout/stderr instead.
disable-syslog=yes
# Built-in web server, presumably what the Deployment's prometheus.io
# annotations scrape on 8082. It is bound to every interface and neither
# webserver-allow-from nor webserver-password is set here, so access control
# rests on the defaults — NOTE(review): confirm the Prometheus pod's address is
# allowed and that nothing else in the cluster can reach it.
webserver=yes
webserver-address=0.0.0.0
# Lua hook script (the adblock.lua from this gist, same ConfigMap).
lua-dns-script=/srv/config/adblock.lua
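apiVersion: apps/v1
kind: Deployment
metadata:
  name: recursor
  namespace: default
  labels:
    app: recursor
    version: 4.3.1-1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: recursor
  # Recreate with a single replica means a short DNS outage on every restart,
  # including the nightly one from the CronJob; the emptyDir below is rebuilt
  # from scratch each time.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: recursor
        version: 4.3.1-1
      annotations:
        prometheus.io/port: "8082"
        prometheus.io/scrape: "true"
    spec:
      # Nothing in this pod uses the Kubernetes API (both containers only read
      # their mounted config), so keep the default ServiceAccount token out of
      # a pod that is reachable from the LAN.
      automountServiceAccountToken: false
      initContainers:
        # Fetches the remote block/allow lists and writes the Lua files the
        # recursor loads into the shared data volume before the recursor starts.
        # TODO: pin to a tag or digest — :latest is mutable, and this image's
        # output is executed as Lua inside the recursor.
        - name: blocklister
          image: docker.io/thommay/blocklister:latest
          command: ["/usr/local/bin/blocklister", "/srv/blocklister/config.toml"]
          volumeMounts:
            - name: blocklister-config-volume
              mountPath: /srv/blocklister
            - name: data
              mountPath: /srv/data
      containers:
        - name: recursor
          image: docker.io/thommay/pdns_recursor:4.3.1-1
          imagePullPolicy: IfNotPresent
          ports:
            - name: udp-dns
              containerPort: 53
              protocol: UDP
            - name: tcp-dns
              containerPort: 53
              protocol: TCP
            - name: metrics
              containerPort: 8082
          # Keep the LoadBalancer from sending queries until the recursor is
          # actually accepting connections on its TCP listener.
          readinessProbe:
            tcpSocket:
              port: tcp-dns
          volumeMounts:
            - name: recursor-config-volume
              mountPath: /srv/config
            - name: data
              mountPath: /srv/data
      volumes:
        - name: recursor-config-volume
          configMap:
            name: recursor-config
        - name: blocklister-config-volume
          configMap:
            name: blocklister-config
        # Scratch space shared by the init container (writer) and the recursor
        # (reader); lost on every pod restart, which is why the CronJob exists.
        - name: data
          emptyDir: {}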