From 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 Mon Sep 17 00:00:00 2001 From: Lukasz Kasprzak Date: Fri, 20 Mar 2026 19:16:32 +0100 Subject: feat: first fully successful run e2e on straper --- .../etc-unbound/unbound.conf.d/10-hardening.conf | 7 ++++++ .../dns/etc-unbound/unbound.conf.d/blocklist.conf | 2 ++ .../dns/etc-unbound/unbound.conf.d/recursive.conf | 27 ++++++++++++++++++++++ .../etc-unbound/unbound.conf.d/remote-control.conf | 5 ++++ .../root-auto-trust-anchor-file.conf.disabled | 4 ++++ 5 files changed, 45 insertions(+) create mode 100644 straper/db/public/dns/etc-unbound/unbound.conf.d/10-hardening.conf create mode 100644 straper/db/public/dns/etc-unbound/unbound.conf.d/blocklist.conf create mode 100644 straper/db/public/dns/etc-unbound/unbound.conf.d/recursive.conf create mode 100644 straper/db/public/dns/etc-unbound/unbound.conf.d/remote-control.conf create mode 100644 straper/db/public/dns/etc-unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.disabled (limited to 'straper/db/public/dns/etc-unbound/unbound.conf.d') diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/10-hardening.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/10-hardening.conf new file mode 100644 index 0000000..caf6213 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/10-hardening.conf @@ -0,0 +1,7 @@ +server: + prefetch: yes + harden-glue: yes + harden-dnssec-stripped: yes + qname-minimisation: yes + hide-identity: yes + hide-version: yes diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/blocklist.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/blocklist.conf new file mode 100644 index 0000000..fe529ba --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/blocklist.conf @@ -0,0 +1,2 @@ +server: +local-zone: "Not" always_nxdomain diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/recursive.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/recursive.conf new file mode 100644 index 0000000..cf87fc4 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/recursive.conf @@ -0,0 +1,27 @@ +server: + interface: 127.0.0.1 + port: 5353 + do-ip4: yes + do-ip6: yes + do-udp: yes + do-tcp: yes + + root-hints: "/var/lib/unbound/root.hints" + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + hide-identity: yes + hide-version: yes + harden-glue: yes + harden-dnssec-stripped: yes + use-caps-for-id: yes + + cache-min-ttl: 3600 + cache-max-ttl: 86400 + + access-control: 127.0.0.1/8 allow + access-control: 192.168.33.0/24 allow + + # Fix DNSSEC + prefetch conflict + prefetch: yes + prefetch-key: yes + module-config: "validator iterator" diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/remote-control.conf b/straper/db/public/dns/etc-unbound/unbound.conf.d/remote-control.conf new file mode 100644 index 0000000..6c18bd7 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/remote-control.conf @@ -0,0 +1,5 @@ +remote-control: + control-enable: yes + # by default the control interface is is 127.0.0.1 and ::1 and port 8953 + # it is possible to use a unix socket too + control-interface: /run/unbound.ctl diff --git a/straper/db/public/dns/etc-unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.disabled b/straper/db/public/dns/etc-unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.disabled new file mode 100644 index 0000000..433eff9 --- /dev/null +++ b/straper/db/public/dns/etc-unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.disabled @@ -0,0 +1,4 @@ +server: + # The following line will configure unbound to perform cryptographic + # DNSSEC validation using the root trust anchor. + auto-trust-anchor-file: "/var/lib/unbound/root.key" -- cgit v1.3