servers/mermet/unbound.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config) users;
   4   stateDir = "/var/lib/unbound";
   5 in
   6 {
   7   networking.resolvconf.useLocalResolver = true;
   8   services.unbound = {
   9     enable = true;
  10     # DOC: https://calomel.org/unbound_dns.html
  11     extraConfig = ''
  12       remote-control:
  13         control-enable: yes
  14         control-interface: /run/unbound/unbound.socket
  15
  16       server:
  17         log-queries: no
  18         verbosity: 1
  19
  20         port: 53
  21
  22         # The file which contains the listing of primary root DNS servers.
  23         # To be updated once every six months.
  24         root-hints: /var/lib/unbound/named.root
  25
  26         # Do no answer id.server and hostname.bind queries.
  27         hide-identity: yes
  28         # Do not answer version.server and version.bind queries.
  29         hide-version: yes
  30
  31         # Will trust glue only if it is within the servers authority.
  32         # Harden against out of zone rrsets, to avoid spoofing attempts.
  33         # Hardening queries multiple name servers for the same data to make
  34         # spoofing significantly harder and does not mandate dnssec.
  35         harden-glue: yes
  36
  37         # Require DNSSEC data for trust-anchored zones, if such data is absent, the
  38         # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
  39         # turn it off, failing to validate dnskey data for a trustanchor will trigger
  40         # insecure mode for that zone (like without a trustanchor).  Default on,
  41         # which insists on dnssec data for trust-anchored zones.
  42         harden-dnssec-stripped: yes
  43
  44         # Use 0x20-encoded random bits in the query to foil spoof attempts.
  45         # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
  46         #
  47         # When Unbound sends a query to a remote server it sends the hostname
  48         # string in random upper and lower characters. The remote server must
  49         # resolve the hostname as if all the characters were lower case. The remote
  50         # server must then send the query back to Unbound in the same random upper
  51         # and lower characters that Unbound sent. If the characters of the hostname
  52         # in the response are in the same format as the query then the dns-0x20
  53         # check is satisfied.
  54         # Attackers hoping to poison a Unbound DNS cache must therefore guess the
  55         # mixed-case encoding of the query and the timing of the return dns answer
  56         # in addition to all other fields required in a DNS poisoning attack.
  57         # dns-0x20 increases the difficulty of the attack significantly.
  58         #
  59         # It may result in maybe 0.4% of domains getting no answers
  60         # due to no support on the authoritative server side
  61         use-caps-for-id: yes
  62
  63         #cache-min-ttl: 3600
  64         cache-max-ttl: 86400
  65
  66         # Perform prefetching of close to expired message cache entries.  If a client
  67         # requests the dns lookup and the TTL of the cached hostname is going to
  68         # expire in less than 10% of its TTL, unbound will (1st) return the IP of the
  69         # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server.
  70         # This method has been shown to increase the amount of cached hits by
  71         # local clients by 10% on average.
  72         prefetch: yes
  73
  74         # Number of threads to create. 1 disables threading.
  75         # This should equal the number of CPU cores in the machine.
  76         num-threads: ${toString config.nix.maxJobs}
  77
  78         # The number of slabs to use for cache and must be a power of 2 times the
  79         # number of num-threads set above. more slabs reduce lock contention,
  80         # but fragment memory usage.
  81         msg-cache-slabs: 8
  82         rrset-cache-slabs: 8
  83         infra-cache-slabs: 8
  84         key-cache-slabs: 8
  85
  86         # Increase the memory size of the cache. Use roughly twice as much rrset cache
  87         # memory as you use msg cache memory. Due to malloc overhead, the total memory
  88         # usage is likely to rise to double (or 2.5x) the total cache memory.
  89         rrset-cache-size: 32m
  90         msg-cache-size: 16m
  91
  92         # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
  93         # the kernel buffer larger so that no messages are lost in spikes in the traffic.
  94         so-rcvbuf: 1m
  95
  96         # Enforce privacy of these addresses. Strips them away from answers.
  97         # It may cause DNSSEC validation to additionally mark it as bogus.
  98         # Protects against 'DNS Rebinding' (uses browser as network proxy).
  99         #  Only 'private-domain' and 'local-data' names are allowed
 100         # to have these private addresses. No default.
 101         private-address: 192.168.0.0/16
 102         private-address: 172.16.0.0/12
 103         private-address: 10.0.0.0/8
 104
 105         # Allow the domain (and its subdomains) to contain private addresses.
 106         # local-data statements are allowed to contain private addresses too.
 107         #private-domain: "home.lan"
 108
 109         # If nonzero, unwanted replies are not only reported in statistics, but also
 110         # a running total is kept per thread. If it reaches the threshold, a warning
 111         # is printed and a defensive action is taken, the cache is cleared to flush
 112         # potential poison out of it.  A suggested value is 10000000, the default is
 113         # 0 (turned off). calomel.org thinks 10K is a good value.
 114         unwanted-reply-threshold: 10000
 115
 116         # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
 117         # localhost you will want to allow the resolver to send queries to localhost.
 118         # Make sure to set do-not-query-localhost: yes.
 119         do-not-query-localhost: yes
 120
 121         # Should additional section of secure message also be kept clean of unsecure
 122         # data. Useful to shield the users of this validator from potential bogus
 123         # data in the additional section. All unsigned data in the additional section
 124         # is removed from secure messages.
 125         val-clean-additional: yes
 126     '';
 127   };
 128   systemd.services.unbound = {
 129     serviceConfig = {
 130       RuntimeDirectory = "unbound";
 131       RuntimeDirectoryMode = "0700";
 132       # FIXME: upstream service shouldn't overwrite ExecStopPost
 133       # so that postStop can be used.
 134       ExecStopPost = lib.mkForce (pkgs.writeShellScript "unit-script-unbound-post-stop" ''
 135         ${pkgs.utillinux}/bin/umount ${stateDir}/dev/random
 136         ${pkgs.utillinux}/bin/umount ${stateDir}/run/unbound
 137       '');
 138     };
 139     preStart = ''
 140       install -m 444 -o unbound -g nogroup \
 141        ${../../config/dns/named.root} \
 142        /var/lib/unbound/named.root
 143       mkdir -p ${stateDir}/run/unbound
 144       ${pkgs.utillinux}/bin/mount --bind -n /run/unbound ${stateDir}/run/unbound
 145     '';
 146   };
 147 }