diff options
| author | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
|---|---|---|
| committer | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
| commit | 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch) | |
| tree | 9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/dns/etc-unbound/unbound.conf.d | |
| parent | 6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff) | |
| download | bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip | |
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/dns/etc-unbound/unbound.conf.d')
5 files changed, 45 insertions, 0 deletions
diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/10-hardening.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/10-hardening.conf new file mode 100644 index 0000000..caf6213 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/10-hardening.conf @@ -0,0 +1,7 @@ +server: + prefetch: yes + harden-glue: yes + harden-dnssec-stripped: yes + qname-minimisation: yes + hide-identity: yes + hide-version: yes diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/blocklist.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/blocklist.conf new file mode 100644 index 0000000..fe529ba --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/blocklist.conf @@ -0,0 +1,2 @@ +server: +local-zone: "Not" always_nxdomain diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/recursive.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/recursive.conf new file mode 100644 index 0000000..cf87fc4 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/recursive.conf @@ -0,0 +1,27 @@ +server: + interface: 127.0.0.1 + port: 5353 + do-ip4: yes + do-ip6: yes + do-udp: yes + do-tcp: yes + + root-hints: "/var/lib/unbound/root.hints" + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + hide-identity: yes + hide-version: yes + harden-glue: yes + harden-dnssec-stripped: yes + use-caps-for-id: yes + + cache-min-ttl: 3600 + cache-max-ttl: 86400 + + access-control: 127.0.0.1/8 allow + access-control: 192.168.33.0/24 allow + + # Fix DNSSEC + prefetch conflict + prefetch: yes + prefetch-key: yes + module-config: "validator iterator" diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/remote-control.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/remote-control.conf new file mode 100644 index 0000000..6c18bd7 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/remote-control.conf @@ -0,0 +1,5 @@ +remote-control: + control-enable: yes + # by default the control interface is is 127.0.0.1 and ::1 and port 8953 + # it is possible to use a unix socket too + control-interface: /run/unbound.ctl diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.disabled b/straper/db/public/dns/etc-unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.disabled new file mode 100644 index 0000000..433eff9 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.disabled @@ -0,0 +1,4 @@ +server: + # The following line will configure unbound to perform cryptographic + # DNSSEC validation using the root trust anchor. + auto-trust-anchor-file: "/var/lib/unbound/root.key" |
