machines/mermet/unbound.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config.services) unbound;
   4   inherit (config.users) users;
   5   stateDir = "/var/lib/unbound";
   6 in
   7 {
   8 networking.resolvconf.useLocalResolver = true;
   9 services.unbound = {
  10   enable = true;
  11   # DOC: https://calomel.org/unbound_dns.html
  12   extraConfig = ''
  13     remote-control:
  14       control-enable: yes
  15       control-interface: /run/unbound/unbound.socket
  16
  17     server:
  18       log-queries: no
  19       verbosity: 1
  20       interface: 127.0.0.1
  21       interface: ::1
  22
  23       port: 53
  24
  25       # The file which contains the listing of primary root DNS servers.
  26       # To be updated once every six months.
  27       root-hints: /var/lib/unbound/named.root
  28
  29       # Do no answer id.server and hostname.bind queries.
  30       hide-identity: yes
  31       # Do not answer version.server and version.bind queries.
  32       hide-version: yes
  33
  34       # Will trust glue only if it is within the servers authority.
  35       # Harden against out of zone rrsets, to avoid spoofing attempts.
  36       # Hardening queries multiple name servers for the same data to make
  37       # spoofing significantly harder and does not mandate dnssec.
  38       harden-glue: yes
  39
  40       # Require DNSSEC data for trust-anchored zones, if such data is absent, the
  41       # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
  42       # turn it off, failing to validate dnskey data for a trustanchor will trigger
  43       # insecure mode for that zone (like without a trustanchor).  Default on,
  44       # which insists on dnssec data for trust-anchored zones.
  45       harden-dnssec-stripped: yes
  46
  47       # Use 0x20-encoded random bits in the query to foil spoof attempts.
  48       # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
  49       #
  50       # When Unbound sends a query to a remote server it sends the hostname
  51       # string in random upper and lower characters. The remote server must
  52       # resolve the hostname as if all the characters were lower case. The remote
  53       # server must then send the query back to Unbound in the same random upper
  54       # and lower characters that Unbound sent. If the characters of the hostname
  55       # in the response are in the same format as the query then the dns-0x20
  56       # check is satisfied.
  57       # Attackers hoping to poison a Unbound DNS cache must therefore guess the
  58       # mixed-case encoding of the query and the timing of the return dns answer
  59       # in addition to all other fields required in a DNS poisoning attack.
  60       # dns-0x20 increases the difficulty of the attack significantly.
  61       #
  62       # It may result in maybe 0.4% of domains getting no answers
  63       # due to no support on the authoritative server side
  64       use-caps-for-id: yes
  65
  66       #cache-min-ttl: 3600
  67       cache-max-ttl: 86400
  68
  69       # Perform prefetching of close to expired message cache entries.  If a client
  70       # requests the dns lookup and the TTL of the cached hostname is going to
  71       # expire in less than 10% of its TTL, unbound will (1st) return the IP of the
  72       # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server.
  73       # This method has been shown to increase the amount of cached hits by
  74       # local clients by 10% on average.
  75       prefetch: yes
  76
  77       # Number of threads to create. 1 disables threading.
  78       # This should equal the number of CPU cores in the machine.
  79       num-threads: ${toString config.nix.maxJobs}
  80
  81       # The number of slabs to use for cache and must be a power of 2 times the
  82       # number of num-threads set above. more slabs reduce lock contention,
  83       # but fragment memory usage.
  84       msg-cache-slabs: 8
  85       rrset-cache-slabs: 8
  86       infra-cache-slabs: 8
  87       key-cache-slabs: 8
  88
  89       # Increase the memory size of the cache. Use roughly twice as much rrset cache
  90       # memory as you use msg cache memory. Due to malloc overhead, the total memory
  91       # usage is likely to rise to double (or 2.5x) the total cache memory.
  92       rrset-cache-size: 32m
  93       msg-cache-size: 16m
  94
  95       # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
  96       # the kernel buffer larger so that no messages are lost in spikes in the traffic.
  97       so-rcvbuf: 1m
  98
  99       # Enforce privacy of these addresses. Strips them away from answers.
 100       # It may cause DNSSEC validation to additionally mark it as bogus.
 101       # Protects against 'DNS Rebinding' (uses browser as network proxy).
 102       #  Only 'private-domain' and 'local-data' names are allowed
 103       # to have these private addresses. No default.
 104       private-address: 192.168.0.0/16
 105       private-address: 172.16.0.0/12
 106       private-address: 10.0.0.0/8
 107
 108       # Allow the domain (and its subdomains) to contain private addresses.
 109       # local-data statements are allowed to contain private addresses too.
 110       #private-domain: "home.lan"
 111
 112       # If nonzero, unwanted replies are not only reported in statistics, but also
 113       # a running total is kept per thread. If it reaches the threshold, a warning
 114       # is printed and a defensive action is taken, the cache is cleared to flush
 115       # potential poison out of it.  A suggested value is 10000000, the default is
 116       # 0 (turned off). calomel.org thinks 10K is a good value.
 117       unwanted-reply-threshold: 10000
 118
 119       # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
 120       # localhost you will want to allow the resolver to send queries to localhost.
 121       # Make sure to set do-not-query-localhost: yes.
 122       do-not-query-localhost: yes
 123
 124       # Should additional section of secure message also be kept clean of unsecure
 125       # data. Useful to shield the users of this validator from potential bogus
 126       # data in the additional section. All unsigned data in the additional section
 127       # is removed from secure messages.
 128       val-clean-additional: yes
 129   '';
 130 };
 131 networking.nftables.ruleset = ''
 132   add rule inet filter fw2net tcp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
 133   add rule inet filter fw2net udp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
 134 '';
 135 systemd.services.unbound = {
 136   serviceConfig = {
 137     RuntimeDirectory = "unbound";
 138     RuntimeDirectoryMode = "0700";
 139   };
 140   preStart = ''
 141     install -m 444 -o unbound -g nogroup \
 142      ${../../var/named.root} \
 143      /var/lib/unbound/named.root
 144   '';
 145 };
 146 }