| # "No disruption": restart immediately on failure, with burst protection. | ||
| Restart=always | ||
| RestartSec=2 | ||
| StartLimitBurst=5 |
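Review bot: StartLimitBurst=5 has no interval beside it, so the five start attempts are counted against the system default window (DefaultStartLimitIntervalSec= in system.conf, 10 s unless changed). The hunk does not show its section header, but the "unknown key, ignoring" warning reported in the thread is exactly what systemd prints when StartLimitIntervalSec= is placed under [Service]: since systemd 230 both StartLimitIntervalSec= and StartLimitBurst= are [Unit] settings, and only StartLimitBurst= (plus the old StartLimitInterval= spelling) is still accepted under [Service] for compatibility. Move the pair into [Unit], e.g. `StartLimitIntervalSec=60` next to `StartLimitBurst=5`, and the burst protection the comment promises actually applies with the intended window.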
The service file defines StartLimitBurst=5 but is missing the required StartLimitIntervalSec parameter. Without specifying the time interval, the burst protection may not work as expected. Consider adding something like StartLimitIntervalSec=60 to define the time window for the burst limit.
systemd on my host complained that StartLimitIntervalSec is unknown and will be ignored. I initially had it, but then removed it.
| Description=dnsproxy — encrypted DNS forwarder (DoH/DoT/DoQ) | ||
| Documentation=https://github.com/AdguardTeam/dnsproxy | ||
| After=network-online.target nss-lookup.target | ||
| Wants=network-online.target |
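Review bot: After=nss-lookup.target points the wrong way for a unit that is itself the resolver. systemd.special(7) asks services that provide name resolution to be ordered Before=nss-lookup.target and to pull it in with Wants=, so that units which need working lookups (and are ordered After= it) do not start until dnsproxy is listening. The network-online.target pair on the next lines is correct and can stay. Suggested replacement for the two lines:
`Before=nss-lookup.target`
`Wants=network-online.target nss-lookup.target`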
Since this service binds to port 53, consider adding Conflicts=systemd-resolved.service dnsmasq.service named.service in the [Unit] section to prevent conflicts with other DNS services that might be running on the system.
| StateDirectory=dnsproxy | ||
| LogsDirectory=dnsproxy |
The service creates StateDirectory and LogsDirectory but doesn't specify directory permissions. Consider adding StateDirectoryMode=0750 and LogsDirectoryMode=0750 to ensure proper permissions are set.
| # Fallback (DoT): all providers, used only if DoH is down | ||
| # --http3 enables HTTP/3 (QUIC transport) for DoH connections | ||
| ExecStart=/usr/local/bin/dnsproxy \ | ||
| --listen=127.0.0.1 \ |
The service is configured to listen only on localhost (127.0.0.1). If users want to use this as a DNS server for other devices on their network, they would need to modify the --listen parameter. Consider documenting this limitation or providing an alternative configuration example for network-wide usage.
it's not rocket science to update the listen address :)
| # StateDirectory creates /var/lib/private/dnsproxy owned by the | ||
| # dynamic user. Currently unused but ready for --output if needed. | ||
| StateDirectory=dnsproxy | ||
| LogsDirectory=dnsproxy |
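Review bot: the comment on StateDirectory= reserves it for --output, but if --output names dnsproxy's log file that path belongs under LogsDirectory=dnsproxy, which the next line creates for exactly that purpose; either point a future --output at the logs directory and keep StateDirectory= for real state, or drop StateDirectory= until it has a use. The comment would also be clearer naming the stable path the service should use: under a dynamic user systemd creates the directory in /var/lib/private/ (and /var/log/private/ for logs) and exposes it through the /var/lib/dnsproxy and /var/log/dnsproxy symlinks, and it exports $STATE_DIRECTORY and $LOGS_DIRECTORY into the service environment, so those are the names to reference rather than the private path.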
The service creates log directories (LogsDirectory=dnsproxy), but there's no documentation on how to access these logs or what logging options are available. Consider adding information about log locations and how to adjust verbosity if needed.
there is a doc comment right above it
| # 1. Download the dnsproxy binary to /usr/local/bin/dnsproxy | ||
| # 2. chmod 755 /usr/local/bin/dnsproxy |
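Review bot: step 1 places a downloaded binary in /usr/local/bin with no integrity check before step 2 makes it executable. Add a step between them that verifies the file against the checksum or signature the project publishes for that release, where one is available, and state that the file must be owned by root (`chown root:root /usr/local/bin/dnsproxy`) so the dynamic service user the unit runs as can execute it but never replace it.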
Consider adding installation instructions for package managers (apt, yum, etc.) in addition to the manual binary download method. This would make the service more accessible to users on different distributions.
I recently needed to install dnsproxy on my remote Debian server and I needed a systemd-controlled setup.
So this is the result of that effort. This systemd service is already running on my own infra.
If you have any comments, I'll be happy to accommodate and adjust appropriately.