An opinionated mashup of existing open-source DNS efforts, packaged for easy self-hosting.
- Unbound (v1.24.2) as recursive resolver (queries root servers directly, not a forwarder).
- DNSSEC validation with automatic trust anchor management and aggressive NSEC.
- QNAME minimization and identity hiding for query privacy, with no query logging by default.
- Cache with minimum TTL and prefetching to keep popular domains warm as TTLs expire.
- DNS rebinding protection through `private-address` configuration directives.
- Integrated DNS blocking via Hagezi response policy zone (RPZ) files.
- Automatic periodic blocklist updates with ETag-based conditional fetching and selective reloading.
- Bootstrap with DNS-over-HTTPS resolution to avoid circular DNS dependency on first boot.
- IDN homograph attack protection by blocking punycode (`xn--`) domains.
- Custom allow/deny lists and DNS rewrites via config volume mount.
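The Unbound directives behind the feature list above, as an added illustrative `unbound.conf` (not the project's own configuration); the file paths, the RPZ zone name, the LAN domain, the rewrite record and the `cache-min-ttl` value are assumptions.

```conf
server:
    # Recursive resolution: no forward-zone, so queries go to the roots.
    # DNSSEC validation with an auto-managed trust anchor (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    aggressive-nsec: yes          # answer NXDOMAIN from cached NSEC/NSEC3

    # Query privacy: send only the labels each server needs, and do not
    # reveal the resolver's identity or version in CHAOS-class queries.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    log-queries: no               # no query logging
    verbosity: 0

    # Cache tuning: clamp short TTLs and refresh popular names before expiry.
    cache-min-ttl: 300            # assumed value, seconds
    prefetch: yes
    prefetch-key: yes

    # DNS rebinding protection: answers for public names that resolve into
    # these ranges are dropped instead of being handed to clients.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # Names that legitimately point at private addresses (assumed LAN zone).
    private-domain: "lan.example"

    # Custom rewrite (assumed record): serves from the config volume mount.
    local-zone: "printer.lan.example." static
    local-data: "printer.lan.example. 3600 IN A 192.168.1.20"

# Blocklist as a response policy zone; the container downloads and refreshes
# the file, Unbound reloads it. Zones are evaluated in the order listed.
rpz:
    name: "hagezi.rpz"                          # assumed zone name
    zonefile: "/var/lib/unbound/hagezi.rpz"     # assumed path
    rpz-log: no                                 # keep the no-logging default
```

Entries an operator wants to exempt from the blocklist can be placed in a separate `rpz:` zone listed before `hagezi.rpz`, using the `rpz-passthru.` CNAME action.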
```sh
nix build
```

The image artifact is stored in `result`. Load it into Docker:

```sh
docker load < result
```

The image is tagged with the short git revision, or `dirty` for uncommitted trees.
TODO
The following environment variables can be used to configure the container:
| Variable | Default | Description |
|---|---|---|
| `BOOTSTRAP_DOH_URL` | `https://9.9.9.9/dns-query` | DoH URL used during initial blocklist fetch. |
| `UPDATE_INTERVAL_HOURS` | `6` | Hours between blocklist refresh cycles. |