From c56d526bfe5498f5db7731778c6ec204106362b9 Mon Sep 17 00:00:00 2001
From: John Dorman
Date: Thu, 4 Jun 2020 21:46:20 -0700
Subject: [PATCH] Final NextDNS changes

---
 nextdns/README.md | 28 +++++++++++++++++-----------
 nextdns/docker/Dockerfile | 18 ++++++++++--------
 nextdns/install-cni-plugins.sh | 6 ++++++
 nextdns/udm-files/on_boot.sh | 6 ++++++
 4 files changed, 39 insertions(+), 19 deletions(-)
 create mode 100644 nextdns/install-cni-plugins.sh

diff --git a/nextdns/README.md b/nextdns/README.md
index 58a64d9..4d09ced 100644
--- a/nextdns/README.md
+++ b/nextdns/README.md
@@ -1,21 +1,27 @@ # Run NextDNS on your UDM ### Features -1. Run PiHole on your UDM with a completely isolated network stack. This will not port conflict or be influenced by any changes on by Ubiquiti -2. Persists through reboots and firmware updates. +1. Run NextDNS on your UDM with a completely isolated network stack. This will not port conflict or be influenced by any changes on by Ubiquiti. +2. Resolves IP addresses handed out by DHCP on the UDM! +3. Persists through reboots and firmware updates. ### Requirements -1. You have setup the on boot script described [here](https://github.com/boostchicken/udmpro-utilities/tree/master/on-boot-script) -2. PiHole persists through firmware updates. The on-boot script does not. If you update your FM setup on-boot again and everything should work. +1. You have already setup the on boot script described [here](https://github.com/boostchicken/udmpro-utilities/tree/master/on-boot-script) +2. NextDNS persists through firmware updates. The on-boot script does not. If you update your FM setup on-boot again and everything should work. ### Customization * Feel free to change [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/20-dns.conflist) to change the IP address of the container. Make sure to update all ip references and the iptables rules in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh). The IP address can be anywhere from x.x.x.3 to x.x.x.254. .1 is reserved for the gateway and .2 is reserved for the macvlan bridge. * If you don't want to use vlan5, just replace br5 with br(vlanid) in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh) and [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/20-dns.conflist), also update all the ips accordingly +* The NextDNS docker image is not supported by NextDNS. It is built out of this repo. 
If you make any enhancements please constribute back via a Pull Request. ### Docker -The Dockerfile is included, you can build it locally on your UDM if you don't want to pull from Docker Hub +The Dockerfile is included, you can build it locally on your UDM if you don't want to pull from Docker Hub or make customizations ``` -podman build ./Dockerfile -t nextdns-udm:latest" +podman build . -t nextdns-udm:latest" +``` +Building from another device is possible. You must have [buildx](https://github.com/docker/buildx/) installed to do cross platform builds. This is useful if you want to mirror to a private repo +``` +docker buildx build --platform linux/arm64 -t nextdns-udm:latest . ``` ### Steps 
@@ -24,11 +30,11 @@ podman build ./Dockerfile -t nextdns-udm:latest" 3. Copy [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/20-dns.conflist) to /mnt/data/podman/cni (or a place of your choosing and update [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh) symlink). This will create your podman macvlan network 4. Update your on_boot.sh to include the commands in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh). You can leave out the iptables rules if you don't want to DNAT all DNS calls to your PiHole 5. Execute on_boot.sh -5. Make /mnt/data/nextdns and copy [nextdns.conf](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/nextdns.conf) to it. -6. Run the nextdns docker container. The mounts are very important. Also please change the --dns arguments to whatever was provided by NextDNS. +6. Make /mnt/data/nextdns and copy [nextdns.conf](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/nextdns.conf) to it. +7. Run the NextDNS docker container. The mounts are very important. Also, please change the --dns arguments to whatever was provided by NextDNS. ``` - podman run -d --network dns \ + podman run -d --privileged --network dns \ --name nextdns \ -v "/mnt/data/nextdns/:/etc/nextdns/" \ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket \ @@ -37,6 +43,6 @@ podman build ./Dockerfile -t nextdns-udm:latest" --hostname nextdns \ boostchicken/nextdns-udm:latest ``` - +Note: Mounting dbus and running in privileged is not required. It's for mDNS. + 8. Update your DNS Servers to 10.0.5.3 (or your custom ip) in all your DHCP configs. - diff --git a/nextdns/docker/Dockerfile b/nextdns/docker/Dockerfile index e56c01b..d812d5c 100644 --- a/nextdns/docker/Dockerfile +++ b/nextdns/docker/Dockerfile 
@@ -1,12 +1,14 @@
+FROM alpine AS builder
+ENV VERSION=1.6.4
+WORKDIR /tmp
+RUN apk add curl \
+ && mkdir nextdns \
+ && curl -fsSL https://github.com/nextdns/nextdns/releases/download/v${VERSION}/nextdns_${VERSION}_linux_arm64.tar.gz -o nextdns.tar.gz \
+ && tar zxf nextdns.tar.gz -C ./nextdns
+
 FROM debian:buster-slim
 LABEL maintainer="John Dorman "
-
-ENV VERSION=1.6.4
-RUN apt update && apt install -y curl \
- && mkdir -p /opt/nextdns \
- && curl -fsSL https://github.com/nextdns/nextdns/releases/download/v${VERSION}/nextdns_${VERSION}_linux_arm64.tar.gz -o /tmp/nextdns.tar.gz \
- && tar zxf /tmp/nextdns.tar.gz -C /opt/nextdns
-
+COPY --from=builder /tmp/nextdns /opt/nextdns
 EXPOSE 53/tcp 53/udp
-
+VOLUME ['/etc/nextdns']
 ENTRYPOINT ["/opt/nextdns/nextdns","run", "-config-file", "/etc/nextdns/nextdns.conf"]
\ No newline at end of file
diff --git a/nextdns/install-cni-plugins.sh b/nextdns/install-cni-plugins.sh
new file mode 100644
index 0000000..0c1c811
--- /dev/null
+++ b/nextdns/install-cni-plugins.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+cd /tmp
+curl -L https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz -o cni.tgz
+
+mkdir -p /mnt/data/podman/cni/
+tar xf cni.tgz -C /mnt/data/podman/cni/
diff --git a/nextdns/udm-files/on_boot.sh b/nextdns/udm-files/on_boot.sh
index 3c568b0..acf1ae7 100644
--- a/nextdns/udm-files/on_boot.sh
+++ b/nextdns/udm-files/on_boot.sh
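Review bot: `VOLUME ['/etc/nextdns']` is not valid JSON (single quotes), so Docker falls back to shell form and declares a volume whose path is literally `['/etc/nextdns']` rather than `/etc/nextdns`; it should read `VOLUME ["/etc/nextdns"]`. The new builder stage also starts from an untagged `FROM alpine AS builder`, which resolves to whatever `latest` is on the build host that day, and the release tarball it downloads is extracted and copied straight into the runtime image with no integrity check, so a corrupted or substituted archive would become the DNS binary. Pin the builder base (`FROM alpine:<pinned tag> AS builder`) and verify the archive against the checksum published with the v${VERSION} release before the `tar` step, e.g. `echo "<sha256 from the release page>  nextdns.tar.gz" | sha256sum -c -`. Since `VERSION` is only used in the builder stage, `ARG VERSION=1.6.4` would keep it out of the runtime environment as well.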
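Review bot: `curl -L … -o cni.tgz` runs without `-f` and the script has no `set -e`, so a failed download (an HTTP error page written to cni.tgz) or a failed `cd /tmp` does not stop the script, and `tar xf cni.tgz -C /mnt/data/podman/cni/` then unpacks whatever is sitting in /tmp/cni.tgz — possibly a stale or partial file from an earlier run — into the CNI plugin directory. Add `set -euo pipefail` after the shebang and change the download to `curl -fsSL … -o cni.tgz` so a bad fetch fails loudly before anything is extracted. The plugin archive is also installed without an integrity check; comparing it against the checksum published with the v0.8.6 release before extracting would catch a corrupted or substituted download.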
@@ -11,3 +11,9 @@ ip addr add 10.0.5.2/24 dev br5.mac
 ip link set br5.mac up
 ip route add 10.0.5.3/32 dev br5.mac proto static scope link
 podman start nextdns
+
+# optional if you dont want to force everything through nextdns. also add anymore bridges for other networks (br5, 10 etc)
+iptables -t nat -C PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
+iptables -t nat -C PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
+iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE
+iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE
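Review bot: The two POSTROUTING rules match `-o br0 -d 10.0.5.3`, but the `ip route add 10.0.5.3/32 dev br5.mac` context line just above routes traffic for 10.0.5.3 out via br5.mac, so packets DNATed to the container presumably never egress on br0 and these MASQUERADE rules would not match — confirm the actual egress interface on a live UDM and adjust `-o` (or drop the rules if conntrack already handles the return path). The comment on the first added line reads backwards: the rules force all port-53 traffic arriving on br0 to the container, so `# optional: remove these rules if you do not want to force all DNS from br0 through nextdns; repeat them for any other bridges (br5, br10, ...)` states what they do. The `-C … || -A …` pattern keeps the rules idempotent across repeated boots, which is good; the rest of on_boot.sh lies outside the hunk.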