
Add some documentation and configuration examples

author Alberto Bertogli
2015-10-25 03:18:38 UTC
committer Alberto Bertogli
2015-10-25 04:03:55 UTC
parent e3b371e1ded5f8f1eaec8db9ff62b0265db9ddd7

Add some documentation and configuration examples

.gitignore +5 -0
README.md +30 -0
etc/systemd/dnss-dns_to_grpc.service +31 -0
etc/systemd/dnss-dns_to_grpc.socket +11 -0
etc/systemd/dnss-grpc_to_dns.service +23 -0

diff --git a/.gitignore b/.gitignore
index a01ee28..0e21219 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,6 @@
 .*.swp
+
+# Help prevent accidental inclusion of certificates and keys.
+*.pem
+*.crt
+*.key
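Review bot: The three patterns only catch PEM-style filenames, so key material in other common containers (`*.der`, `*.p12`, `*.pfx`, `*.p8`) would still be swept up by `git add .`; adding those next to `*.key` closes the gap at no cost. The comment could also mention that this is a safety net only, since `git add -f` bypasses ignore rules.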
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4f1a4f9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,30 @@
+
+# dnss - Encapsulate DNS over GRPC
+
+dnss encapsulates DNS over GRPC.
+
+It can be useful when you want to use a particular DNS server, but don't want
+some parts of the network in between to be able to see your traffic.
+
+
+```
++--------+       +---------------+        +---------------+       +------------+
+|        |       |     dnss      |        |     dnss      |       |            |
+| client +-------> (dns-to-grpc) +--------> (grpc-to-dns) +-------> DNS server |
+|        |  DNS  |               |  DNS   |               |  DNS  |            |
++--------+  UDP  +---------------+  GRPC  +---------------+  UDP  +------------+
+                                    SSL
+                                    TCP
+```
+
+In "dns-to-grpc" mode, it listens to DNS requests and pass them on to a server
+using GRPC. It also has a small cache.
+
+In "grpc-to-dns" mode, it receives DNS requests via GRPC, and resolves them
+using a normal, fixed DNS server.
+
+
+## Alternatives
+
+https://dnscrypt.org/ is a great, more end-to-end alternative to dnss.
+
diff --git a/etc/systemd/dnss-dns_to_grpc.service b/etc/systemd/dnss-dns_to_grpc.service
new file mode 100644
index 0000000..56c5c82
--- /dev/null
+++ b/etc/systemd/dnss-dns_to_grpc.service
@@ -0,0 +1,31 @@
+[Unit]
+Description = dnss daemon - DNS to GRPC mode
+
+# Note we get the sockets via systemd, see the matching .socket configuration.
+
+[Service]
+ExecStart = /usr/bin/dnss --dns_to_grpc \
+	--dns_listen_addr=systemd \
+        --grpc_client_cafile=/etc/ssl/dnss/1.2.3.4-cert.pem \
+	--grpc_upstream=1.2.3.4:9953 \
+        --monitoring_listen_addr=127.0.0.1:9982 \
+	--logtostderr
+
+Type = simple
+
+
+# The user can be created with no permissions using:
+#
+#   sudo useradd -U dnss -M -d /nonexistent -s /bin/false
+
+User = ddns
+Group = ddns
+
+# Simple security measures just in case.
+CapabilityBoundingSet = CAP_NET_BIND_SERVICE
+ProtectSystem = full
+
+
+[Install]
+WantedBy = multi-user.target
+
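Review bot: The unit runs as `User = ddns` / `Group = ddns`, but the comment directly above instructs the operator to create the account `dnss`; following that comment verbatim leaves the service failing to start with an unknown user, so one side must change — `User = dnss` / `Group = dnss` matches the daemon name and the sibling comment. Since the listening sockets arrive from the .socket unit, `CapabilityBoundingSet = CAP_NET_BIND_SERVICE` buys nothing here (and a non-root `User=` without `AmbientCapabilities=` does not hold it anyway); the empty `CapabilityBoundingSet =` used by the grpc_to_dns unit would make the two consistent and strictly tighter. The ExecStart continuation lines mix a tab and eight spaces; pick one. `NoNewPrivileges = yes` would round out the hardening at little cost.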
diff --git a/etc/systemd/dnss-dns_to_grpc.socket b/etc/systemd/dnss-dns_to_grpc.socket
new file mode 100644
index 0000000..984432d
--- /dev/null
+++ b/etc/systemd/dnss-dns_to_grpc.socket
@@ -0,0 +1,11 @@
+# Sockets for dnss in DNS to GRPC mode.
+#
+# This lets dnss run unprivileged.
+# We typically want one UDP and one TCP socket.
+
+[Socket]
+ListenDatagram=53
+ListenStream=53
+
+[Install]
+WantedBy=sockets.target
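Review bot: `ListenDatagram=53` and `ListenStream=53` with a bare port bind the wildcard address, so on any host with a routable interface this exposes the DNS-to-gRPC proxy to the network as an open resolver with no client authentication on the DNS side; unless remote clients are intended, bind loopback explicitly with `ListenDatagram=127.0.0.1:53` and `ListenStream=127.0.0.1:53` (plus `[::1]:53` entries if IPv6 is needed). If remote access is intended, a comment stating that and pointing at firewalling would save the operator a surprise.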
diff --git a/etc/systemd/dnss-grpc_to_dns.service b/etc/systemd/dnss-grpc_to_dns.service
new file mode 100644
index 0000000..6a5d196
--- /dev/null
+++ b/etc/systemd/dnss-grpc_to_dns.service
@@ -0,0 +1,23 @@
+[Unit]
+Description = dnss daemon - GRPC to DNS mode
+
+[Service]
+ExecStart = /usr/bin/dnss --enable_grpc_to_dns \
+        --grpc_key=/etc/ssl/dnss/key.pem \
+        --grpc_cert=/etc/ssl/dnss/cert.pem
+        --monitoring_listen_addr=127.0.0.1:9981 \
+        --logtostderr
+
+Type = simple
+
+User = ddns
+Group = ddns
+
+# Simple security measures just in case.
+CapabilityBoundingSet =
+ProtectSystem = full
+
+
+[Install]
+WantedBy = multi-user.target
+
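Review bot: The `--grpc_cert=/etc/ssl/dnss/cert.pem` line has no trailing backslash, so ExecStart ends there and `--monitoring_listen_addr=127.0.0.1:9981` / `--logtostderr` are read as unknown unit-file keys that systemd warns about and drops — the daemon starts without monitoring and with default logging and nobody notices; append ` \` to that line. `User = ddns` again disagrees with the `dnss` account the sibling unit's comment creates. `/etc/ssl/dnss/key.pem` must be readable by that unprivileged user for the server to come up (e.g. `root:dnss`, mode 0640), which deserves a comment so the key is not made world-readable out of frustration. The mode flag is spelled `--enable_grpc_to_dns` here but `--dns_to_grpc` in the other unit; I cannot tell from the diff which spelling the binary accepts, so please double-check.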