hosts/mermet/unbound.nix

   1 { pkgs, lib, config, host, ... }:
   2 let
   3   inherit (config.services) unbound;
   4   inherit (config.users) users;
   5   stateDir = "/var/lib/unbound";
   6 in
   7 {
   8 networking.resolvconf.useLocalResolver = true;
   9 # Avoid: warning: so-rcvbuf 1048576 was not granted. Got 425984.
  10 # To fix: start with root permissions(linux)
  11 # or sysctl bigger net.core.rmem_max(linux)
  12 # or kern.ipc.maxsockbuf(bsd) values.
  13 boot.kernel.sysctl."net.core.rmem_max" = 1048576;
  14 services.unbound = {
  15   enable = true;
  16   # DOC: https://calomel.org/unbound_dns.html
  17   settings = {
  18     remote-control = {
  19       control-enable = true;
  20       control-interface = "/run/unbound/unbound.socket";
  21     };
  22     server = {
  23       log-queries = false;
  24       verbosity = 1;
  25       interface = [ "127.0.0.1" "::1" ];
  26       prefer-ip4 = !config.networking.enableIPv6;
  27       port = 53;
  28
  29       # The file which contains the listing of primary root DNS servers.
  30       # To be updated once every six months.
  31       root-hints = "/var/lib/unbound/named.root";
  32
  33       # Do no answer id.server and hostname.bind queries.
  34       hide-identity = true;
  35       # Do not answer version.server and version.bind queries.
  36       hide-version = true;
  37
  38       # Will trust glue only if it is within the servers authority.
  39       # Harden against out of zone rrsets, to avoid spoofing attempts.
  40       # Hardening queries multiple name servers for the same data to make
  41       # spoofing significantly harder and does not mandate dnssec.
  42       harden-glue = true;
  43
  44       # Require DNSSEC data for trust-anchored zones, if such data is absent, the
  45       # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
  46       # turn it off, failing to validate dnskey data for a trustanchor will trigger
  47       # insecure mode for that zone (like without a trustanchor).  Default on,
  48       # which insists on dnssec data for trust-anchored zones.
  49       harden-dnssec-stripped = true;
  50
  51       # Use 0x20-encoded random bits in the query to foil spoof attempts.
  52       # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
  53       #
  54       # When Unbound sends a query to a remote server it sends the hostname
  55       # string in random upper and lower characters. The remote server must
  56       # resolve the hostname as if all the characters were lower case. The remote
  57       # server must then send the query back to Unbound in the same random upper
  58       # and lower characters that Unbound sent. If the characters of the hostname
  59       # in the response are in the same format as the query then the dns-0x20
  60       # check is satisfied.
  61       # Attackers hoping to poison a Unbound DNS cache must therefore guess the
  62       # mixed-case encoding of the query and the timing of the return dns answer
  63       # in addition to all other fields required in a DNS poisoning attack.
  64       # dns-0x20 increases the difficulty of the attack significantly.
  65       #
  66       # It may result in maybe 0.4% of domains getting no answers
  67       # due to no support on the authoritative server side
  68       use-caps-for-id = true;
  69
  70       #cache-min-ttl = 3600;
  71       cache-max-ttl = 86400;
  72
  73       # Perform prefetching of close to expired message cache entries.  If a client
  74       # requests the dns lookup and the TTL of the cached hostname is going to
  75       # expire in less than 10% of its TTL, unbound will (1st) return the IP of the
  76       # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server.
  77       # This method has been shown to increase the amount of cached hits by
  78       # local clients by 10% on average.
  79       prefetch = true;
  80
  81       # Number of threads to create. 1 disables threading.
  82       # This should equal the number of CPU cores in the host.
  83       num-threads = host.CPUs;
  84
  85       # The number of slabs to use for cache and must be a power of 2 times the
  86       # number of num-threads set above. more slabs reduce lock contention,
  87       # but fragment memory usage.
  88       msg-cache-slabs = 8;
  89       rrset-cache-slabs = 8;
  90       infra-cache-slabs = 8;
  91       key-cache-slabs = 8;
  92
  93       # Increase the memory size of the cache. Use roughly twice as much rrset cache
  94       # memory as you use msg cache memory. Due to malloc overhead, the total memory
  95       # usage is likely to rise to double (or 2.5x) the total cache memory.
  96       rrset-cache-size = "32m";
  97       msg-cache-size = "16m";
  98
  99       # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
 100       # the kernel buffer larger so that no messages are lost in spikes in the traffic.
 101       so-rcvbuf = "1m";
 102
 103       # Enforce privacy of these addresses. Strips them away from answers.
 104       # It may cause DNSSEC validation to additionally mark it as bogus.
 105       # Protects against 'DNS Rebinding' (uses browser as network proxy).
 106       #  Only 'private-domain' and 'local-data' names are allowed
 107       # to have these private addresses. No default.
 108       private-address = [
 109         "192.168.0.0/16"
 110         "172.16.0.0/12"
 111         "10.0.0.0/8"
 112       ];
 113
 114       # Allow the domain (and its subdomains) to contain private addresses.
 115       # local-data statements are allowed to contain private addresses too.
 116       #private-domain = "home.lan";
 117
 118       # If nonzero, unwanted replies are not only reported in statistics, but also
 119       # a running total is kept per thread. If it reaches the threshold, a warning
 120       # is printed and a defensive action is taken, the cache is cleared to flush
 121       # potential poison out of it.  A suggested value is 10000000, the default is
 122       # 0 (turned off). calomel.org thinks 10K is a good value.
 123       unwanted-reply-threshold = 10000;
 124
 125       # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
 126       # localhost you will want to allow the resolver to send queries to localhost.
 127       # Make sure to set do-not-query-localhost = true;.
 128       do-not-query-localhost = true;
 129
 130       # Should additional section of secure message also be kept clean of unsecure
 131       # data. Useful to shield the users of this validator from potential bogus
 132       # data in the additional section. All unsigned data in the additional section
 133       # is removed from secure messages.
 134       val-clean-additional = true;
 135     };
 136   };
 137 };
 138 networking.nftables.ruleset = ''
 139   add rule inet filter fw2net tcp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
 140   add rule inet filter fw2net udp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
 141 '';
 142 systemd.services.unbound = {
 143   serviceConfig = {
 144     RuntimeDirectory = "unbound";
 145     RuntimeDirectoryMode = "0700";
 146   };
 147   preStart = ''
 148     install -m 444 \
 149      ${../../networking/named.root} \
 150      /var/lib/unbound/named.root
 151   '';
 152 };
 153 }