Fix/block cloudflare ech type65

* fix(dns): block Cloudflare TYPE65/HTTPS records to prevent ECH failures

Chrome and Safari query Cloudflare-published HTTPS (TYPE65) records for
proxied domains, which include ECH parameters tied to Cloudflare's edge.
When PiHole resolves these domains to local Caddy IPs instead of
Cloudflare, browsers attempt ECH against a server that doesn't support it,
causing ERR_SSL_PROTOCOL_ERROR. Firefox handles ECH retry gracefully;
Chrome and Safari fail hard.

Fix: add local-zone 'static' blocks in Unbound for geeksbsmrt.com and
smrtgeekdevs.com. Unbound returns SERVFAIL for TYPE65 since no local-data
is defined for that type, while PiHole's address= directives continue to
serve A records for all subdomains.

Also adds Access-Control-Allow-Private-Network header to Caddy's external
snippet as a defensive measure for Chrome LNA (Private Network Access)
restrictions.

Affected: docker/unbound/unbound.conf (new), docker/caddy/Caddyfile

* fix(dns): remove hardcoded IPs from unbound local-zone config

local-data A record entries were redundant -- PiHole handles all A record
lookups for these zones via its own address= directives and never forwards
them to Unbound. Only TYPE65 (HTTPS/ECH) queries reach Unbound for these
domains, so local-zone: static alone is sufficient to return NXDOMAIN.

Removing local-data eliminates the hardcoded internal IP scheme from the
repo while preserving the fix.

Author: geeksbsmrt

docker/caddy/Caddyfile

@@ -74,6 +74,7 @@ uptime.home {
         Referrer-Policy "strict-origin-when-cross-origin"
         Cache-Control "public, max-age=15, must-revalidate"
         Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(*), speaker-selection=(), usb=(), xr-spatial-tracking=()"
+        Access-Control-Allow-Private-Network "true"
         [defer]
     }
     file_server

docker/unbound/unbound.conf

@@ -0,0 +1,88 @@
+server:
+    # If no logfile is specified, syslog is used
+    # logfile: "/var/log/unbound/unbound.log"
+    verbosity: 0
+
+    interface-automatic: yes
+    do-ip4: yes
+    do-udp: yes
+    do-tcp: yes
+
+    # May be set to no if you don't have IPv6 connectivity
+    do-ip6: yes
+
+    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+    # Terredo tunnels your web browser should favor IPv4 for the same reasons
+    prefer-ip6: no
+
+    # Use this only when you downloaded the list of primary root servers!
+    # If you use the default dns-root-data package, unbound will find it automatically
+    #root-hints: "/var/lib/unbound/root.hints"
+
+    # Trust glue only if it is within the server's authority
+    harden-glue: yes
+
+    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+    harden-dnssec-stripped: yes
+
+    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+    use-caps-for-id: no
+
+    # Reduce EDNS reassembly buffer size.
+    # IP fragmentation is unreliable on the Internet today, and can cause
+    # transmission failures when large DNS messages are sent via UDP. Even
+    # when fragmentation does work, it may not be secure; it is theoretically
+    # possible to spoof parts of a fragmented DNS message, without easy
+    # detection at the receiving end. Recently, there was an excellent study
+    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
+    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
+    # in collaboration with NLnet Labs explored DNS using real world data from the
+    # the RIPE Atlas probes and the researchers suggested different values for
+    # IPv4 and IPv6 and in different scenarios. They advise that servers should
+    # be configured to limit DNS messages sent over UDP to a size that will not
+    # trigger fragmentation on typical network links. DNS servers can switch
+    # from UDP to TCP when a DNS response is too big to fit in this limited
+    # buffer size. This value has also been suggested in DNS Flag Day 2020.
+    edns-buffer-size: 1232
+
+    # Perform prefetching of close to expired message cache entries
+    # This only applies to domains that have been frequently queried
+    prefetch: yes
+
+    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+    num-threads: 1
+
+    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+    so-rcvbuf: 1m
+
+    # Ensure privacy of local IP ranges
+    private-address: 192.168.0.0/16
+    private-address: 169.254.0.0/16
+    private-address: 172.16.0.0/12
+    private-address: 10.0.0.0/8
+    private-address: fd00::/8
+    private-address: fe80::/10
+
+    # Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
+    private-address: 192.0.2.0/24
+    private-address: 198.51.100.0/24
+    private-address: 203.0.113.0/24
+    private-address: 255.255.255.255/32
+    private-address: 2001:db8::/32
+
+    access-control: 192.168.254.1/32 allow
+    access-control: 192.168.254.223/32 allow
+    access-control: 0.0.0.0/0 refuse
+
+
+    # Block HTTPS (TYPE65/ECH) records for local domains.
+    # Cloudflare publishes HTTPS records with ECH params for proxied domains. When
+    # PiHole returns local IPs for these domains, Chrome/Safari try to use those
+    # Cloudflare ECH params against the local server, causing ERR_SSL_PROTOCOL_ERROR.
+    # A 'static' zone returns NXDOMAIN for any RR type not explicitly defined via
+    # local-data. Since we define no local-data here, all TYPE65 queries get NXDOMAIN.
+    # A record lookups for these domains are handled upstream by PiHole (address=
+    # directives) and never reach Unbound, so this does not affect normal resolution.
+    local-zone: "geeksbsmrt.com." static
+    local-zone: "smrtgeekdevs.com." static