
A high-performance DNS proxy with threat intelligence, Shannon-entropy tunneling detection, and Prometheus metrics
# Container-appropriate defaults. The image bakes this at
# /etc/dnsink/config.toml; override with a bind-mount to customize:
#
#   docker run -v /path/to/my-config.toml:/etc/dnsink/config.toml:ro ...

[listen]
# fly.io needs asymmetric binding:
#   UDP must bind to fly-global-services so Linux uses the right source
#   IP on replies (wildcard binds break UDP on fly).
#   TCP must bind to a wildcard so fly-proxy's external route-in lands.
# `tcp_address` overrides the UDP bind address for TCP specifically.
# 5353 avoids NET_BIND_SERVICE on the distroless nonroot user.
# For local Docker runs (no fly-global-services), users override the
# config via `-v` bind-mount.
#
# Security note: these addresses are reachable from the internet in the
# intended deployment, and this file sets no client allowlist, so the
# proxy answers anyone who can reach it (an "open resolver"). The only
# abuse bound in this file is the [ratelimit] table below; restrict
# exposure further at the fly.toml service / firewall layer if the
# resolver is meant for a known set of clients.
address = "fly-global-services"
tcp_address = "[::]"
port = 5353

[upstream]
# Resolver that receives every query the feeds/tunneling checks do not
# block. Port 53 means classic plaintext DNS: queries and answers cross
# the network unencrypted and unauthenticated, so an on-path party can
# observe or forge them. NOTE(review): this file shows no encrypted
# transport option; confirm whether DoT/DoH is supported before relying
# on upstream confidentiality.
address = "1.1.1.1"
port = 53
# Milliseconds to wait for an upstream answer before giving up.
# NOTE(review): 5 s is longer than most stub resolvers wait before
# retrying, so a slow upstream can produce duplicate in-flight queries
# per client; consider a tighter value if that matters here.
timeout_ms = 5000

[feeds]
# Threat-intelligence sources. Blocking decisions are only as trustworthy
# as the feed contents and the channel they are fetched over.
# NOTE(review): confirm feeds are fetched over HTTPS and what happens when
# a refresh fails (last good list retained vs. fail-open) — neither is
# visible from this file.
urlhaus = true
openphish = true
# oisd = true                    # ad/tracker blocking (~32K domains, opt-in)
# Seconds between feed refreshes. Lower values pick up new indicators
# sooner at the cost of more fetches against the feed providers.
refresh_secs = 3600

[tunneling_detection]
# Heuristic DNS-tunneling detection based on the Shannon entropy of the
# queried subdomain (see the crate description). Both thresholds trade
# false positives against misses; tune with care.
enabled = true
# Entropy score above which a name is treated as suspicious. Presumably
# in bits per character (max 8 for arbitrary bytes) — confirm against
# the implementation's docs.
entropy_threshold = 3.5
# Names with a shorter subdomain are not scored at all; short labels have
# too little data for entropy to be meaningful.
min_subdomain_length = 20

[tunneling_detection.cdn_whitelist]
# Skip the entropy check for names attributed to these providers, whose
# content-hash hostnames would otherwise trip it.
# NOTE(review): every name that matches a listed provider bypasses
# detection, so the matching rule matters — confirm it cannot be
# satisfied by an attacker-controlled name (e.g. a mere substring match).
enabled = true
providers = ["aws", "akamai", "cloudflare"]

[metrics]
enabled = true
# Prometheus scrape endpoint. A wildcard bind is what fly's private-network
# scraping needs, but this file provides no authentication, so do not
# expose 9090 as a public service (keep it out of fly.toml's services /
# your Docker port mappings). NOTE(review): what the metrics reveal
# (query volumes, blocked domains, client counts) is not visible here;
# treat the endpoint as sensitive until confirmed otherwise.
bind_addr = "[::]:9090"

# Per-source rate limiter — on by default in the container image since
# the typical deployment is internet-exposed. Token bucket per client
# source address: `burst` is the bucket capacity (the number of requests
# a client may send back-to-back), and tokens refill at a steady
# requests_per_minute / 60 per second (here 2/s). Deny is a silent UDP
# drop, which is the right choice for an exposed resolver: a denied query
# yields no response, so it cannot be reflected at a spoofed source.
#
# Caveats for an exposed deployment:
#   - UDP source addresses are spoofable, so a per-source limit bounds
#     the reflection volume aimed at any one victim but does not stop an
#     attacker from spreading load across many forged sources.
#   - NOTE(review): behind fly-proxy the TCP source seen by the process
#     may be the proxy's address, collapsing all TCP clients into one
#     bucket; confirm how client addresses are recovered for TCP.
#   - NOTE(review): the deny behaviour for TCP is not described here.
[ratelimit]
enabled = true
requests_per_minute = 120
burst = 60