hblock-resolver's Introduction

hBlock Resolver

A Docker image of Knot Resolver configured to automatically block ads, tracking and malware domains with hBlock.

Start an instance

docker run --detach \
  --name hblock-resolver \
  --publish 127.0.0.153:53:53/udp \
  --publish 127.0.0.153:53:53/tcp \
  --publish 127.0.0.153:443:443/tcp \
  --publish 127.0.0.153:853:853/tcp \
  --publish 127.0.0.153:8453:8453/tcp \
  --mount type=volume,src=hblock-resolver-data,dst=/var/lib/knot-resolver/ \
  docker.io/hectorm/hblock-resolver:latest

Warning: do not expose this service to the open internet. An open DNS resolver represents a significant threat and it can be used in a number of different attacks, such as DNS amplification attacks.

Environment variables

`KRESD_CACHE_SIZE` (default: `50`)

Maximum cache size in megabytes.

`KRESD_DNS{1..4}_IP` (default: `1.1.1.1@853` and `1.0.0.1@853`)

IP (and optionally port) of the DNS-over-TLS server to which the queries will be forwarded (alternative DoT servers).

`KRESD_DNS{1..4}_HOSTNAME` (default: `cloudflare-dns.com`)

Hostname of the DNS-over-TLS server to which the queries will be forwarded (CA+hostname authentication docs).

`KRESD_DNS{1..4}_PIN_SHA256` (default: empty)

Certificate hash of the DNS-over-TLS server to which the queries will be forwarded (key-pinned authentication docs).

`KRESD_INSTANCE_NUMBER` (default: `1`)

Number of instances to launch.

`KRESD_RECENTLY_BLOCKED_NUMBER` (default: `100`)

Number of recently blocked domains to store in memory for each instance. The /recently_blocked endpoint returns an aggregated list of all instances.

`KRESD_CERT_MANAGED` (default: `true`)

If equals true, a self-signed certificate will be generated. You can provide your own certificate with these options:

  --env KRESD_CERT_MANAGED=false \
  --mount type=bind,src=/path/to/server.key,dst=/var/lib/knot-resolver/ssl/server.key,ro \
  --mount type=bind,src=/path/to/server.crt,dst=/var/lib/knot-resolver/ssl/server.crt,ro \

Note: for a more advanced setup, look at the following example with Let's Encrypt and Caddy.

`KRESD_NIC` (default: empty)

If defined, kresd will only listen on the specified interface. Some users observed a considerable, close to 100%, performance gain in Docker containers when they bound the daemon to a single interface:ip address pair (dynamic configuration docs, CZ-NIC/knot-resolver#32).

`KRESD_LOG_LEVEL` (default: `notice`)

Set the global logging level. The possible values are: crit, err, warning, notice, info or debug.

Additional configuration

Main Knot DNS Resolver configuration is located in /etc/knot-resolver/kresd.conf. If you would like to add additional configuration, add one or more *.conf files under /etc/knot-resolver/kresd.conf.d/.