knot: replace nsd as authoritative DNS

[sourcephile-nix.git] / servers / mermet / unbound.nix

{ pkgs, lib, config, ... }:
let inherit (config) users; in
{
  networking.resolvconf.useLocalResolver = true;
  services.unbound = {
    enable = true;
    # DOC: https://calomel.org/unbound_dns.html
    extraConfig = ''
      port: 53
      verbosity: 1

      server:
        log-queries: no

      # The file which contains the listing of primary root DNS servers. 
      # To be updated once every six months.
      root-hints: /var/lib/unbound/named.root

      # Do no answer id.server and hostname.bind queries.
      hide-identity: yes
      # Do not answer version.server and version.bind queries.
      hide-version: yes

      # Will trust glue only if it is within the servers authority.
      # Harden against out of zone rrsets, to avoid spoofing attempts.
      # Hardening queries multiple name servers for the same data to make
      # spoofing significantly harder and does not mandate dnssec.
      harden-glue: yes

      # Require DNSSEC data for trust-anchored zones, if such data is absent, the
      # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
      # turn it off, failing to validate dnskey data for a trustanchor will trigger
      # insecure mode for that zone (like without a trustanchor).  Default on,
      # which insists on dnssec data for trust-anchored zones.
      harden-dnssec-stripped: yes

      # Use 0x20-encoded random bits in the query to foil spoof attempts.
      # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
      #
      # When Unbound sends a query to a remote server it sends the hostname
      # string in random upper and lower characters. The remote server must
      # resolve the hostname as if all the characters were lower case. The remote
      # server must then send the query back to Unbound in the same random upper
      # and lower characters that Unbound sent. If the characters of the hostname
      # in the response are in the same format as the query then the dns-0x20
      # check is satisfied.
      # Attackers hoping to poison a Unbound DNS cache must therefore guess the
      # mixed-case encoding of the query and the timing of the return dns answer
      # in addition to all other fields required in a DNS poisoning attack.
      # dns-0x20 increases the difficulty of the attack significantly.
      #
      # It may result in maybe 0.4% of domains getting no answers
      # due to no support on the authoritative server side
      use-caps-for-id: yes

      #cache-min-ttl: 3600
      cache-max-ttl: 86400

      # Perform prefetching of close to expired message cache entries.  If a client
      # requests the dns lookup and the TTL of the cached hostname is going to
      # expire in less than 10% of its TTL, unbound will (1st) return the IP of the
      # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server.
      # This method has been shown to increase the amount of cached hits by
      # local clients by 10% on average.
      prefetch: yes

      # Number of threads to create. 1 disables threading.
      # This should equal the number of CPU cores in the machine.
      num-threads: ${toString config.nix.maxJobs}

      # The number of slabs to use for cache and must be a power of 2 times the
      # number of num-threads set above. more slabs reduce lock contention,
      # but fragment memory usage.
      msg-cache-slabs: 8
      rrset-cache-slabs: 8
      infra-cache-slabs: 8
      key-cache-slabs: 8

      # Increase the memory size of the cache. Use roughly twice as much rrset cache
      # memory as you use msg cache memory. Due to malloc overhead, the total memory
      # usage is likely to rise to double (or 2.5x) the total cache memory.
      rrset-cache-size: 32m
      msg-cache-size: 16m

      # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
      # the kernel buffer larger so that no messages are lost in spikes in the traffic.
      so-rcvbuf: 1m

      # Enforce privacy of these addresses. Strips them away from answers.
      # It may cause DNSSEC validation to additionally mark it as bogus.
      # Protects against 'DNS Rebinding' (uses browser as network proxy).
      #  Only 'private-domain' and 'local-data' names are allowed
      # to have these private addresses. No default.
      private-address: 192.168.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8

      # Allow the domain (and its subdomains) to contain private addresses.
      # local-data statements are allowed to contain private addresses too.
      #private-domain: "home.lan"

      # If nonzero, unwanted replies are not only reported in statistics, but also
      # a running total is kept per thread. If it reaches the threshold, a warning
      # is printed and a defensive action is taken, the cache is cleared to flush
      # potential poison out of it.  A suggested value is 10000000, the default is
      # 0 (turned off). calomel.org thinks 10K is a good value.
      unwanted-reply-threshold: 10000

      # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
      # localhost you will want to allow the resolver to send queries to localhost.
      # Make sure to set do-not-query-localhost: yes.
      do-not-query-localhost: yes

      # Should additional section of secure message also be kept clean of unsecure
      # data. Useful to shield the users of this validator from potential bogus
      # data in the additional section. All unsigned data in the additional section
      # is removed from secure messages.
      val-clean-additional: yes
    '';
  };
  systemd.services.unbound.preStart = ''
    install -m 444 -o unbound -g nogroup \
     ${../../config/dns/named.root} \
     /var/lib/unbound/named.root
  '';
}