hosts/mermet/unbound.nix

   1 { config, inputs, host, ... }:
   2 let
   3   inherit (config.services) unbound;
   4   inherit (config.users) users;
   5 in
   6 {
   7   networking.resolvconf.useLocalResolver = true;
   8   # Avoid: warning: so-rcvbuf 1048576 was not granted. Got 425984.
   9   # To fix: start with root permissions(linux)
  10   # or sysctl bigger net.core.rmem_max(linux)
  11   # or kern.ipc.maxsockbuf(bsd) values.
  12   boot.kernel.sysctl."net.core.rmem_max" = 1048576;
  13   services.unbound = {
  14     enable = true;
  15     # DOC: https://calomel.org/unbound_dns.html
  16     settings = {
  17       remote-control = {
  18         control-enable = true;
  19         control-interface = "/run/unbound/unbound.socket";
  20       };
  21       server = {
  22         log-queries = false;
  23         verbosity = 1;
  24         interface = [
  25           "127.0.0.1"
  26           "::1"
  27         ];
  28         access-control = [
  29           "0.0.0.0/0 refuse"
  30           "::0/0 refuse"
  31           "127.0.0.0/8 allow"
  32           "::1 allow"
  33         ];
  34         prefer-ip4 = !config.networking.enableIPv6;
  35         port = 53;
  36
  37         # The file which contains the listing of primary root DNS servers.
  38         # To be updated once every six months.
  39         root-hints = "/var/lib/unbound/named.root";
  40
  41         # Do no answer id.server and hostname.bind queries.
  42         hide-identity = true;
  43         # Do not answer version.server and version.bind queries.
  44         hide-version = true;
  45
  46         # Will trust glue only if it is within the servers authority.
  47         # Harden against out of zone rrsets, to avoid spoofing attempts.
  48         # Hardening queries multiple name servers for the same data to make
  49         # spoofing significantly harder and does not mandate dnssec.
  50         harden-glue = true;
  51
  52         # Require DNSSEC data for trust-anchored zones, if such data is absent, the
  53         # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
  54         # turn it off, failing to validate dnskey data for a trustanchor will trigger
  55         # insecure mode for that zone (like without a trustanchor).  Default on,
  56         # which insists on dnssec data for trust-anchored zones.
  57         harden-dnssec-stripped = true;
  58
  59         # Use 0x20-encoded random bits in the query to foil spoof attempts.
  60         # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
  61         #
  62         # When Unbound sends a query to a remote server it sends the hostname
  63         # string in random upper and lower characters. The remote server must
  64         # resolve the hostname as if all the characters were lower case. The remote
  65         # server must then send the query back to Unbound in the same random upper
  66         # and lower characters that Unbound sent. If the characters of the hostname
  67         # in the response are in the same format as the query then the dns-0x20
  68         # check is satisfied.
  69         # Attackers hoping to poison a Unbound DNS cache must therefore guess the
  70         # mixed-case encoding of the query and the timing of the return dns answer
  71         # in addition to all other fields required in a DNS poisoning attack.
  72         # dns-0x20 increases the difficulty of the attack significantly.
  73         #
  74         # It may result in maybe 0.4% of domains getting no answers
  75         # due to no support on the authoritative server side
  76         use-caps-for-id = true;
  77
  78         #cache-min-ttl = 3600;
  79         cache-max-ttl = 86400;
  80
  81         # Perform prefetching of close to expired message cache entries.  If a client
  82         # requests the dns lookup and the TTL of the cached hostname is going to
  83         # expire in less than 10% of its TTL, unbound will (1st) return the IP of the
  84         # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server.
  85         # This method has been shown to increase the amount of cached hits by
  86         # local clients by 10% on average.
  87         prefetch = true;
  88
  89         # Number of threads to create. 1 disables threading.
  90         # This should equal the number of CPU cores in the host.
  91         num-threads = host.CPUs;
  92
  93         # The number of slabs to use for cache and must be a power of 2 times the
  94         # number of num-threads set above. more slabs reduce lock contention,
  95         # but fragment memory usage.
  96         msg-cache-slabs = 8;
  97         rrset-cache-slabs = 8;
  98         infra-cache-slabs = 8;
  99         key-cache-slabs = 8;
 100
 101         # Increase the memory size of the cache. Use roughly twice as much rrset cache
 102         # memory as you use msg cache memory. Due to malloc overhead, the total memory
 103         # usage is likely to rise to double (or 2.5x) the total cache memory.
 104         rrset-cache-size = "32m";
 105         msg-cache-size = "16m";
 106
 107         # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
 108         # the kernel buffer larger so that no messages are lost in spikes in the traffic.
 109         so-rcvbuf = "1m";
 110
 111         # Enforce privacy of these addresses. Strips them away from answers.
 112         # It may cause DNSSEC validation to additionally mark it as bogus.
 113         # Protects against 'DNS Rebinding' (uses browser as network proxy).
 114         #  Only 'private-domain' and 'local-data' names are allowed
 115         # to have these private addresses. No default.
 116         private-address = [
 117           "192.168.0.0/16"
 118           "172.16.0.0/12"
 119           "10.0.0.0/8"
 120         ];
 121
 122         # Allow the domain (and its subdomains) to contain private addresses.
 123         # local-data statements are allowed to contain private addresses too.
 124         #private-domain = "home.lan";
 125
 126         # If nonzero, unwanted replies are not only reported in statistics, but also
 127         # a running total is kept per thread. If it reaches the threshold, a warning
 128         # is printed and a defensive action is taken, the cache is cleared to flush
 129         # potential poison out of it.  A suggested value is 10000000, the default is
 130         # 0 (turned off). calomel.org thinks 10K is a good value.
 131         unwanted-reply-threshold = 10000;
 132
 133         # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
 134         # localhost you will want to allow the resolver to send queries to localhost.
 135         # Make sure to set do-not-query-localhost = true;.
 136         do-not-query-localhost = true;
 137
 138         # Should additional section of secure message also be kept clean of unsecure
 139         # data. Useful to shield the users of this validator from potential bogus
 140         # data in the additional section. All unsigned data in the additional section
 141         # is removed from secure messages.
 142         val-clean-additional = true;
 143       };
 144     };
 145   };
 146   networking.nftables.ruleset = ''
 147     table inet filter {
 148       chain output-net {
 149         skuid ${users.unbound.name} \
 150           meta l4proto { udp, tcp } th dport domain \
 151           counter accept comment "unbound"
 152       }
 153     }
 154   '';
 155   systemd.services.unbound = {
 156     serviceConfig = {
 157       #RuntimeDirectoryMode = "0700";
 158       BindReadOnlyPaths = [
 159         "${inputs.self}/share/networking/named.root:/var/lib/unbound/named.root"
 160       ];
 161     };
 162   };
 163 }