From e75172d57c63f4f88ee306e25b44502c6ad04dce Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 13 May 2025 19:37:34 -0400
Subject: [PATCH] replace nginx with dnsdist for DNS-over-TLS
---
 etc/nftables/nftables-ns1.conf | 6 +++---
 etc/nftables/nftables-ns2.conf | 6 +++---
 packages/0.ns1.grapheneos.org | 2 +-
 packages/0.ns2.grapheneos.org | 2 +-
 packages/1.ns1.grapheneos.org | 2 +-
 packages/1.ns2.grapheneos.org | 2 +-
 packages/2.ns1.grapheneos.org | 2 +-
 packages/2.ns2.grapheneos.org | 2 +-
 packages/3.ns1.grapheneos.org | 2 +-
 packages/ns1.staging.grapheneos.org | 2 +-
 10 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index a2fff1d..7d6c088 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -119,7 +119,7 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate, zerotier-one, bird } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
 udp sport 53 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
@@ -128,8 +128,8 @@ table inet filter {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
 skuid { alpm, chrony, geoipupdate, zerotier-one } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
- skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
- skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
+ skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
+ skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept
 skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
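Review bot: In the second hunk the `skuid http meta l4proto tcp th sport >= 1024 th dport 54` rule is replaced outright by the `dnsdist` one, so nginx (which stays in every package list; only `nginx-mod-stream` is dropped) loses its loopback path to the PowerDNS port 54 backend and would now fall to `graceful-reject` if any remaining nginx config still proxies there, which is worth confirming against the nginx vhosts before the node is rebuilt. Both hunks touch only the loopback chain; if a non-loopback output rule for the DoT listener's replies (port 853) is keyed on `skuid http`, it is outside this diff and presumably needs the same `http` to `dnsdist` substitution, or the new listener's responses would be rejected. The UDP addition to the paired `powerdns`/`dnsdist` port 54 rules is consistent with dnsdist's backend traffic, but a comment above them such as `# dnsdist (DoT front end) <-> PowerDNS backend on loopback port 54, tcp and udp` would record why these two rules allow both protocols while the port 81 rule below stays tcp-only. The same two hunks in etc/nftables/nftables-ns2.conf carry the identical change and these notes apply there too.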
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index 18ec1f5..c3b43d4 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -117,7 +117,7 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate } counter goto graceful-reject
 udp sport 53 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
@@ -126,8 +126,8 @@ table inet filter {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
 skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
- skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
- skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
+ skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
+ skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept
 skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
diff --git a/packages/0.ns1.grapheneos.org b/packages/0.ns1.grapheneos.org
index c850504..50a9946 100644
--- a/packages/0.ns1.grapheneos.org
+++ b/packages/0.ns1.grapheneos.org
@@ -4,6 +4,7 @@ certbot
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -21,7 +22,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/0.ns2.grapheneos.org b/packages/0.ns2.grapheneos.org
index ac04744..f877d7f 100644
--- a/packages/0.ns2.grapheneos.org
+++ b/packages/0.ns2.grapheneos.org
@@ -3,6 +3,7 @@ certbot
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -20,7 +21,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/1.ns1.grapheneos.org b/packages/1.ns1.grapheneos.org
index c9199b2..65193f3 100644
--- a/packages/1.ns1.grapheneos.org
+++ b/packages/1.ns1.grapheneos.org
@@ -3,6 +3,7 @@ bird
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -20,7 +21,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/1.ns2.grapheneos.org b/packages/1.ns2.grapheneos.org
index e484622..c30896d 100644
--- a/packages/1.ns2.grapheneos.org
+++ b/packages/1.ns2.grapheneos.org
@@ -2,6 +2,7 @@ base
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -19,7 +20,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/2.ns1.grapheneos.org b/packages/2.ns1.grapheneos.org
index c9199b2..65193f3 100644
--- a/packages/2.ns1.grapheneos.org
+++ b/packages/2.ns1.grapheneos.org
@@ -3,6 +3,7 @@ bird
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -20,7 +21,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/2.ns2.grapheneos.org b/packages/2.ns2.grapheneos.org
index e484622..c30896d 100644
--- a/packages/2.ns2.grapheneos.org
+++ b/packages/2.ns2.grapheneos.org
@@ -2,6 +2,7 @@ base
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -19,7 +20,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/3.ns1.grapheneos.org b/packages/3.ns1.grapheneos.org
index c9199b2..65193f3 100644
--- a/packages/3.ns1.grapheneos.org
+++ b/packages/3.ns1.grapheneos.org
@@ -3,6 +3,7 @@ bird
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -20,7 +21,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib
diff --git a/packages/ns1.staging.grapheneos.org b/packages/ns1.staging.grapheneos.org
index c850504..50a9946 100644
--- a/packages/ns1.staging.grapheneos.org
+++ b/packages/ns1.staging.grapheneos.org
@@ -4,6 +4,7 @@ certbot
 chrony
 cloud-guest-utils
 conntrack-tools
+dnsdist
 fish
 geoip
 geoipupdate
@@ -21,7 +22,6 @@ mtr
 neovim
 nftables
 nginx
-nginx-mod-stream
 nmap
 openssh
 pacman-contrib