]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/unbound.nix
losurdo: syncoid: move to LoadCredentialEncrypted=
[sourcephile-nix.git] / hosts / mermet / unbound.nix
1 { pkgs, lib, config, host, ... }:
2 let
3 inherit (config.services) unbound;
4 inherit (config.users) users;
5 in
6 {
7 networking.resolvconf.useLocalResolver = true;
8 # Avoid: warning: so-rcvbuf 1048576 was not granted. Got 425984.
9 # To fix: start with root permissions(linux)
10 # or sysctl bigger net.core.rmem_max(linux)
11 # or kern.ipc.maxsockbuf(bsd) values.
12 boot.kernel.sysctl."net.core.rmem_max" = 1048576;
13 services.unbound = {
14 enable = true;
15 # DOC: https://calomel.org/unbound_dns.html
16 settings = {
17 remote-control = {
18 control-enable = true;
19 control-interface = "/run/unbound/unbound.socket";
20 };
21 server = {
22 log-queries = false;
23 verbosity = 1;
24 interface = [
25 "127.0.0.1"
26 "::1"
27 ];
28 access-control = [
29 "0.0.0.0/0 refuse"
30 "::0/0 refuse"
31 "127.0.0.0/8 allow"
32 "::1 allow"
33 ];
34 prefer-ip4 = !config.networking.enableIPv6;
35 port = 53;
36
37 # The file which contains the listing of primary root DNS servers.
38 # To be updated once every six months.
39 root-hints = "/var/lib/unbound/named.root";
40
41 # Do no answer id.server and hostname.bind queries.
42 hide-identity = true;
43 # Do not answer version.server and version.bind queries.
44 hide-version = true;
45
46 # Will trust glue only if it is within the servers authority.
47 # Harden against out of zone rrsets, to avoid spoofing attempts.
48 # Hardening queries multiple name servers for the same data to make
49 # spoofing significantly harder and does not mandate dnssec.
50 harden-glue = true;
51
52 # Require DNSSEC data for trust-anchored zones, if such data is absent, the
53 # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
54 # turn it off, failing to validate dnskey data for a trustanchor will trigger
55 # insecure mode for that zone (like without a trustanchor). Default on,
56 # which insists on dnssec data for trust-anchored zones.
57 harden-dnssec-stripped = true;
58
59 # Use 0x20-encoded random bits in the query to foil spoof attempts.
60 # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
61 #
62 # When Unbound sends a query to a remote server it sends the hostname
63 # string in random upper and lower characters. The remote server must
64 # resolve the hostname as if all the characters were lower case. The remote
65 # server must then send the query back to Unbound in the same random upper
66 # and lower characters that Unbound sent. If the characters of the hostname
67 # in the response are in the same format as the query then the dns-0x20
68 # check is satisfied.
69 # Attackers hoping to poison a Unbound DNS cache must therefore guess the
70 # mixed-case encoding of the query and the timing of the return dns answer
71 # in addition to all other fields required in a DNS poisoning attack.
72 # dns-0x20 increases the difficulty of the attack significantly.
73 #
74 # It may result in maybe 0.4% of domains getting no answers
75 # due to no support on the authoritative server side
76 use-caps-for-id = true;
77
78 #cache-min-ttl = 3600;
79 cache-max-ttl = 86400;
80
81 # Perform prefetching of close to expired message cache entries. If a client
82 # requests the dns lookup and the TTL of the cached hostname is going to
83 # expire in less than 10% of its TTL, unbound will (1st) return the IP of the
84 # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server.
85 # This method has been shown to increase the amount of cached hits by
86 # local clients by 10% on average.
87 prefetch = true;
88
89 # Number of threads to create. 1 disables threading.
90 # This should equal the number of CPU cores in the host.
91 num-threads = host.CPUs;
92
93 # The number of slabs to use for cache and must be a power of 2 times the
94 # number of num-threads set above. more slabs reduce lock contention,
95 # but fragment memory usage.
96 msg-cache-slabs = 8;
97 rrset-cache-slabs = 8;
98 infra-cache-slabs = 8;
99 key-cache-slabs = 8;
100
101 # Increase the memory size of the cache. Use roughly twice as much rrset cache
102 # memory as you use msg cache memory. Due to malloc overhead, the total memory
103 # usage is likely to rise to double (or 2.5x) the total cache memory.
104 rrset-cache-size = "32m";
105 msg-cache-size = "16m";
106
107 # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
108 # the kernel buffer larger so that no messages are lost in spikes in the traffic.
109 so-rcvbuf = "1m";
110
111 # Enforce privacy of these addresses. Strips them away from answers.
112 # It may cause DNSSEC validation to additionally mark it as bogus.
113 # Protects against 'DNS Rebinding' (uses browser as network proxy).
114 # Only 'private-domain' and 'local-data' names are allowed
115 # to have these private addresses. No default.
116 private-address = [
117 "192.168.0.0/16"
118 "172.16.0.0/12"
119 "10.0.0.0/8"
120 ];
121
122 # Allow the domain (and its subdomains) to contain private addresses.
123 # local-data statements are allowed to contain private addresses too.
124 #private-domain = "home.lan";
125
126 # If nonzero, unwanted replies are not only reported in statistics, but also
127 # a running total is kept per thread. If it reaches the threshold, a warning
128 # is printed and a defensive action is taken, the cache is cleared to flush
129 # potential poison out of it. A suggested value is 10000000, the default is
130 # 0 (turned off). calomel.org thinks 10K is a good value.
131 unwanted-reply-threshold = 10000;
132
133 # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
134 # localhost you will want to allow the resolver to send queries to localhost.
135 # Make sure to set do-not-query-localhost = true;.
136 do-not-query-localhost = true;
137
138 # Should additional section of secure message also be kept clean of unsecure
139 # data. Useful to shield the users of this validator from potential bogus
140 # data in the additional section. All unsigned data in the additional section
141 # is removed from secure messages.
142 val-clean-additional = true;
143 };
144 };
145 };
146 networking.nftables.ruleset = ''
147 table inet filter {
148 chain output-net {
149 skuid ${users.unbound.name} \
150 meta l4proto { udp, tcp } th dport domain \
151 counter accept comment "unbound"
152 }
153 }
154 '';
155 systemd.services.unbound = {
156 serviceConfig = {
157 #RuntimeDirectoryMode = "0700";
158 BindReadOnlyPaths = [
159 "${../../networking/named.root}:/var/lib/unbound/named.root"
160 ];
161 };
162 };
163 }