A BIG REVOLUTION

configuration/dns-resolver/kresd-forward.conf

@@ -0,0 +1,44 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
+
+-- visit https://knot-resolver.readthedocs.io/en/stable/config-logging-monitoring.html for more info
+log_level('info')
+-- Network interface configuration
+net.listen('127.0.0.1', 5353, { kind = 'dns' })
+net.listen('::1', 5353, { kind = 'dns', freebind = true })
+net.listen('0.0.0.0', 53, { kind = 'dns' })
+net.listen('::', 53, { kind = 'dns', freebind = true })
+
+
+-- Load useful modules
+modules = {
+	'hints > iterate',  -- Load /etc/hosts and allow custom root hints
+	'stats',            -- Track internal statistics
+	'predict',          -- Prefetch expiring/frequent records
+        'policy'
+}
+
+
+-- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
+-- This is Just a Blocklist
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.txt',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.txt',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minoplhyallowlist.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhy.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhyneto.txt',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-ultimate.txt',true))
+
+policy.add(policy.all(
+    policy.TLS_FORWARD({
+        -- multiple servers can be specified for a single slice
+        -- the one with lowest round-trip time will be used
+		--
+		-- You can changes this as your choices address below is DOT
+		-- and there's other protocol avvailable on : https://knot-resolver.readthedocs.io/en/stable/config-network-forwarding.html
+        {'9.9.9.9', hostname='dns.quad9.net'},
+        {'2620:fe::fe', hostname='dns.quad9.net'},
+    })
+))
+

configuration/dns-resolver/kresd.conf

@@ -10,6 +10,7 @@ net.listen('::1', 5353, { kind = 'dns', freebind = true })
 net.listen('0.0.0.0', 53, { kind = 'dns' })
 net.listen('::', 53, { kind = 'dns', freebind = true })
 
+
 -- Load useful modules
 modules = {
         'hints > iterate',  -- Load /etc/hosts and allow custom root hints
@@ -23,12 +24,11 @@ cache.size = 50 * MB
 
 -- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
 -- This is Just a Blocklist
-policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.txt',true))
-policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.txt',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhy-privatebuild.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minoplhyallowlist.txt',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.txt',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-regional.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhy.txt',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/urlhaus-abuse_ch.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minoplhyneto.txt',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-xtreme.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-ultimate.txt',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minop-cname-cloaking.rpz',true))
+
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/ad-cname-tracker.rpz',true))

configuration/reverseproxy/README.md

@@ -0,0 +1,5 @@
+# NGINX or Haproxy
+My Personal Recommendation is NGINX over Haproxy
+## Why?
+* NGINX is faster and easier to customize and take care of
+* Haproxy is ok but Performance is main issues of my configuration

configuration/reverseproxy/nginx/README.md

@@ -0,0 +1,9 @@
+# doh-stream
+Before copying this to somewhere else like '/etc/nginx/stream/dot-stream'
+
+Please add this line to /etc/nginx/nginx.conf :
+```
+stream {
+        include /etc/nginx/streams/*;
+}
+```

configuration/reverseproxy/nginx/doh

@@ -0,0 +1,25 @@
+server {
+  listen       443 ssl http2;
+  listen       [::]:443 ssl http2;
+  server_name  SERVER_NAME;
+
+  server_tokens off;
+  ssl_protocols TLSv1.3;
+  # HTTP Security Headers
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "max-age=63072000";
+  ssl_certificate /go/to/ket/;
+  ssl_certificate_key /go/to/ket/;
+  gzip off;
+  add_header Last-Modified $date_gmt;
+  etag off;
+  
+  location /dns-query {
+    proxy_pass       http://localhost:8053/dns-query;
+    proxy_set_header Host      $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+
+}

configuration/reverseproxy/nginx/dot-stream

@@ -0,0 +1,15 @@
+    # DNS upstream pool
+upstream dns {
+        zone dns 64k;
+        server 127.0.0.1:5353;
+    }
+
+    # DoT server for decryption
+server {
+        listen 853 ssl;
+		listen [::]:853 ssl;
+        ssl_certificate /go/to/ket/;
+        ssl_certificate_key /go/to/ket/;
+        proxy_pass dns;
+    }
+