nftables: harden input checks on mermet
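{ pkgs, lib, config, ... }:
# Local caching and validating Unbound resolver profile.
# - the root hints come from a file pinned in this repository (unbound/named.root
#   next to this file) and are installed into Unbound's state directory
# - the remote-control socket lives in a 0700 runtime directory that is
#   bind-mounted into Unbound's chroot under stateDir
# - nftables only lets the unbound user send DNS traffic out of the host
let
  inherit (config.users) users;
  # Unbound's chroot/state directory; the root hints and the bind mounts
  # for the chroot live below it.
  stateDir = "/var/lib/unbound";
  # Single definition of the root hints path, so the unbound.conf entry and
  # the preStart install step cannot drift apart.
  rootHints = "${stateDir}/named.root";
  # nix.maxJobs may be set to "auto", which Unbound does not accept for
  # num-threads (the service would then fail to start); fall back to
  # Unbound's default of a single thread in that case.
  numThreads =
    if builtins.isInt config.nix.maxJobs
    then toString config.nix.maxJobs
    else "1";
in
{
  networking.resolvconf.useLocalResolver = true;
  services.unbound = {
    enable = true;
    # DOC: https://calomel.org/unbound_dns.html
    extraConfig = ''
      remote-control:
        control-enable: yes
        # Unix socket inside the 0700 RuntimeDirectory declared below, so only
        # the directory owner (and root) can drive unbound-control.
        control-interface: /run/unbound/unbound.socket

      server:
        log-queries: no
        verbosity: 1

        port: 53

        # The file which contains the listing of primary root DNS servers.
        # To be updated once every six months (it is installed by preStart below).
        root-hints: ${rootHints}

        # Do no answer id.server and hostname.bind queries.
        hide-identity: yes
        # Do not answer version.server and version.bind queries.
        hide-version: yes

        # Will trust glue only if it is within the servers authority.
        # Harden against out of zone rrsets, to avoid spoofing attempts.
        # Hardening queries multiple name servers for the same data to make
        # spoofing significantly harder and does not mandate dnssec.
        harden-glue: yes

        # Require DNSSEC data for trust-anchored zones, if such data is absent, the
        # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
        # turn it off, failing to validate dnskey data for a trustanchor will trigger
        # insecure mode for that zone (like without a trustanchor). Default on,
        # which insists on dnssec data for trust-anchored zones.
        harden-dnssec-stripped: yes

        # Use 0x20-encoded random bits in the query to foil spoof attempts.
        # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
        #
        # When Unbound sends a query to a remote server it sends the hostname
        # string in random upper and lower characters. The remote server must
        # resolve the hostname as if all the characters were lower case. The remote
        # server must then send the query back to Unbound in the same random upper
        # and lower characters that Unbound sent. If the characters of the hostname
        # in the response are in the same format as the query then the dns-0x20
        # check is satisfied.
        # Attackers hoping to poison a Unbound DNS cache must therefore guess the
        # mixed-case encoding of the query and the timing of the return dns answer
        # in addition to all other fields required in a DNS poisoning attack.
        # dns-0x20 increases the difficulty of the attack significantly.
        #
        # It may result in maybe 0.4% of domains getting no answers
        # due to no support on the authoritative server side
        use-caps-for-id: yes

        #cache-min-ttl: 3600
        cache-max-ttl: 86400

        # Perform prefetching of close to expired message cache entries. If a client
        # requests the dns lookup and the TTL of the cached hostname is going to
        # expire in less than 10% of its TTL, unbound will (1st) return the IP of the
        # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server.
        # This method has been shown to increase the amount of cached hits by
        # local clients by 10% on average.
        prefetch: yes

        # Number of threads to create. 1 disables threading.
        # This should equal the number of CPU cores in the machine.
        # Derived from nix.maxJobs; "auto" falls back to 1.
        num-threads: ${numThreads}

        # The number of slabs to use for cache and must be a power of 2 times the
        # number of num-threads set above. more slabs reduce lock contention,
        # but fragment memory usage.
        msg-cache-slabs: 8
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        key-cache-slabs: 8

        # Increase the memory size of the cache. Use roughly twice as much rrset cache
        # memory as you use msg cache memory. Due to malloc overhead, the total memory
        # usage is likely to rise to double (or 2.5x) the total cache memory.
        rrset-cache-size: 32m
        msg-cache-size: 16m

        # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
        # the kernel buffer larger so that no messages are lost in spikes in the traffic.
        so-rcvbuf: 1m

        # Enforce privacy of these addresses. Strips them away from answers.
        # It may cause DNSSEC validation to additionally mark it as bogus.
        # Protects against 'DNS Rebinding' (uses browser as network proxy).
        # Only 'private-domain' and 'local-data' names are allowed
        # to have these private addresses. No default.
        private-address: 192.168.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        # The same rebinding protection for link-local, IPv6 ULA and
        # IPv4-mapped IPv6 addresses, which the three RFC 1918 ranges above
        # do not cover.
        private-address: 169.254.0.0/16
        private-address: fd00::/8
        private-address: fe80::/10
        private-address: ::ffff:0:0/96

        # Allow the domain (and its subdomains) to contain private addresses.
        # local-data statements are allowed to contain private addresses too.
        #private-domain: "home.lan"

        # If nonzero, unwanted replies are not only reported in statistics, but also
        # a running total is kept per thread. If it reaches the threshold, a warning
        # is printed and a defensive action is taken, the cache is cleared to flush
        # potential poison out of it. A suggested value is 10000000, the default is
        # 0 (turned off). calomel.org thinks 10K is a good value.
        unwanted-reply-threshold: 10000

        # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
        # localhost you will want to allow the resolver to send queries to localhost.
        # In that case set do-not-query-localhost: no. It is kept at yes here so
        # that the resolver never sends queries to 127.0.0.0/8 or ::1.
        do-not-query-localhost: yes

        # Should additional section of secure message also be kept clean of unsecure
        # data. Useful to shield the users of this validator from potential bogus
        # data in the additional section. All unsigned data in the additional section
        # is removed from secure messages.
        val-clean-additional: yes
    '';
  };
  # Only the unbound user may open outbound DNS connections; everything else on
  # the host has to go through the local resolver.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net tcp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
    add rule inet filter fw2net udp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
  '';
  systemd.services.unbound = {
    serviceConfig = {
      # /run/unbound holds the control socket; 0700 keeps it private to the
      # directory owner (presumably the service user — verify against the
      # upstream module's User= setting).
      RuntimeDirectory = "unbound";
      RuntimeDirectoryMode = "0700";
      # FIXME: upstream service shouldn't overwrite ExecStopPost
      # so that postStop can be used.
      # The dev/random umount mirrors what the upstream module's own
      # ExecStopPost appears to do; the run/unbound umount undoes the bind
      # mount made in preStart below.
      ExecStopPost = lib.mkForce (pkgs.writeShellScript "unit-script-unbound-post-stop" ''
        ${pkgs.utillinux}/bin/umount ${stateDir}/dev/random
        ${pkgs.utillinux}/bin/umount ${stateDir}/run/unbound
      '');
    };
    preStart = ''
      # unbound/named.root is a path literal relative to this file: the pinned
      # root hints are copied into the store at evaluation time and installed
      # read-only where root-hints in unbound.conf expects them.
      install -m 444 -o unbound -g nogroup \
        ${unbound/named.root} \
        ${rootHints}
      # Expose the runtime directory (control socket) inside the chroot;
      # ExecStopPost undoes this mount.
      mkdir -p ${stateDir}/run/unbound
      ${pkgs.utillinux}/bin/mount --bind -n /run/unbound ${stateDir}/run/unbound
    '';
  };
}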