diff --git a/.gitignore b/.gitignore index e69de29..d72de02 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,12 @@ +# Editor & OS +.idea + +# Env file +.env +scripts/.env.vars + +wireguard/ +unbound/* +etc-pihole/ +etc-dnsmasq.d/ +!unbound/unbound.conf \ No newline at end of file diff --git a/README.md b/README.md index ed3c911..10aac72 100644 --- a/README.md +++ b/README.md @@ -1,74 +1,36 @@ +## Fork difference -## Prerequisites: +Simple setup for personal usage -- 💻 **Installed**: **docker** and **docker-compose** -- ☁ If using a cloud provider: - - You need to allow ingress to port `51820` +Requirements: +* docker & docker compose [must be installed](https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-compose-on-ubuntu-22-04) -To get started all you need to do is clone the repository and spin up the containers. +Fork peculiarities: +* env vars usage +* auto-generated .env for docker-compose +* support user-defined vars via .env.vars file +* removed deprecations + +### Quickstart ```bash -git clone https://github.com/IAmStoxe/wirehole.git +git clone https://github.com/kamartem/wirehole.git cd wirehole -docker-compose up +cp ./scripts/.env.vars.example ./scripts/.env.vars ``` -Within the output of the terminal will be QR codes you can (if you choose) to setup it WireGuard on your phone. +Edit .env.vars file due to your requirements, then ```bash -wireguard | **** Internal subnet is set to 10.6.0.0 **** -wireguard | **** Peer DNS servers will be set to 10.1.0.100 **** -wireguard | **** No found wg0.conf found (maybe an initial install), generating 1 server and 1 peer/client confs **** -wireguard | PEER 1 QR code: -wireguard | █████████████████████████████████████████████████████████████████ -wireguard | █████████████████████████████████████████████████████████████████ -wireguard | ████ ▄▄▄▄▄ █▀▀▀▄ ▀▀▀▀▄█ ██ ▄▀ ██ ██▄▀█ █▄▄█▀ ▄ ██ ▄▄▄▄▄ ████ -wireguard | ████ █ █ █▀▄█▀█▄█▄██▀▄ ▀▀██▀▄█ ▀▄█ ▀ █▀▄█▄ ▄▄▄ ██ █ █ ████ -wireguard | ████ █▄▄▄█ █▀█ ▀▀▄ ▄██ █▄▄▄█ ████ -wireguard | ████▄▄▄▄▄▄▄█ ▀ ▀ █ █▄█▄▀ █▄▄▄▄▄▄▄████ -wireguard | ████ ▄▄ █▄▄▄ ▄▀█▀▀▄ ▀█ ▀█ ▄ █▀▀▄▄██▄▄▀▀█▄ ██▀▀ █ █▄█ ▀████ -wireguard | █████ ▄█ ▄ ▀▀█▄▄ █▀ ▀ ▀ ▄ ▄ ▀▄▀▀█ ██ ▀██▀ ▀ ▀▀ ▀ ▀▄ ████ -wireguard | ████▀▀██ ▄▄▄ ██▀▄▄██▀ ██▀▄ ▀▀ █▄█ ▄ ▄█▄██ ▀▄▄█ █▀▀█ ▄▀████ -wireguard | ████ ▄█▀█▀▄▄ ▄███ ▄█ ▀▀▀▀█ ▄█ ▀▀▀▀▀▄ █ █ ███▄ █ ▄▄▄▄▀▀▀ █████ -wireguard | ████▀▄ ▀▀ ▄▄ ▄▄ █▀██ ▀▀▀▀▀ ▄ █▀▀██ ██▀ ▀█▄█▄█ ▄▄▀ ▀████ -wireguard | ████ ▀█ ▄▄ █ ▀▀██████ -wireguard | ███████ ▄▄█ █ ▄█▀█▀▀▄████ -wireguard | ████ ▄ █▄▄▀ ▄ ▀▄ █ ▄██▀▀█▀ █▄▄█▀▄█▀█▄ █ ▀▄█ ▄█ ▀ █ █████ -wireguard | ████▄██▀█▄▄ ▀ ▄▀ ▀▄ ▄█ ▀▄ █▀ ▀██▀▄███████ -wireguard | ████ ▀█ ▄▄▄ ██▀███▄█▄█ █▄█▀ ▀ ▄▄▄ ▀▀ ▀▄ ▀▀█ █ █ ▄▄▄ ▄▀████ -wireguard | ████▄██ █▄█ █ ▀▀ ▀████ -wireguard | █████▀█▄▄▄▄▄ █▄ ▀▄ ██ ██▀ ▄ █▄ ▄▄▄▀ ▀▄▀█ █▀ █▄ ▄ ▄▄▄ ▄ ▀▄█████ -wireguard | █████▀▄▀ ▄▄█▄▀ ██▄▄▄ █▀ ██ ██ █▄ ██▄ ▄▀█▄██▀▄█ █▀████ -wireguard | ████▄ ▀ ▄ ▀ ▀▀▀▀▀▀█▀██▀ █ █▀█▀███ ▀▄█ █▄ █ ▀▀█▀██▀ ▄█████ -wireguard | ████ ▀ ▄ ██▄ ▀▀▀▄▀█ ▀▀▄ ▄ ▄ █▀▀▄█ ▄█▄▀█▄█▀ ▄▀█▄▀ ▀▀▀ ▀▀ ▀████ -wireguard | ███████ ▄█▄ ▀█▄▄ ▀█ █▀ █▀▄ ▄ ▀▄█▄▄█▀▄█▄▄▄▄█▀ ▀█ █▀ ▄ ██▀▄█████ -wireguard | ████▀█ █▀ ▄ █ ▄▀█████ -wireguard | ████▀▄ ▄▄█▄▄ ▄ ▄██▄ ▀ █ ▀ ▄▄█▀▀ ▄ ▀▀▄█▀▄██▀▀ ▄ ▄▄▄▄▀▀▄▀▀▀ ████ -wireguard | ████ ▀▄▄▀▀▄▀▀▀▄ ▄ █▄▄▀ ██▀▄▀ █▄██▀▀▄█▄▄█ ████▄ ▀█▄█▀▄▀ ▀▄ ▀ █████ -wireguard | ████ ▀ ▀▀▄▄ ▄ █▄ ▄ ██ ▄▀█▄▄ ▄ ▄ █▄▀ ▄▄▀██▄▀▀██▀▀▄▄ ▄ ██ ▄▀████ -wireguard | ██████████▄█▀▀█ ▄█ █▄▄ ▀▄▀█▀▀ ▄▄▄ ▀█▀█ ▄▀█▀█▀▀ ██▄▀ ▄▄▄ ▄██▄████ -wireguard | ████ ▄▄▄▄▄ █▄▄▄█▀▄█▀██ ▄ ▀█ ▀ █▄█ ▀▀█▄ ██▄█ ▀▄ ▀█▄▄ █▄█ █████ -wireguard | ████ █ █ █ ▄▄ ▄█ ▄▄█ █▀ ▄ ▄ █ ▄█▄▄█ █▀ ▄████ ▄▄ ▀▀▄▄████ -wireguard | ████ █▄▄▄█ █ ▀ ▄▄█ ▄ ▀▀▄██▄▀█▀█ █▀█▀▀▀▄ ▄ █▀▀▄▀ ▄▀███▀██▀██████ -wireguard | ████▄▄▄▄▄▄▄█▄██▄▄█▄▄▄▄▄██▄█▄▄▄█▄█▄█▄▄▄▄█▄▄▄█████▄▄█▄█▄▄████▄█████ -wireguard | █████████████████████████████████████████████████████████████████ -wireguard | █████████████████████████████████████████████████████████████████ -wireguard | [cont-init.d] 30-config: exited 0. -wireguard | [cont-init.d] 99-custom-scripts: executing... -wireguard | [custom-init] no custom files found exiting... -wireguard | [cont-init.d] 99-custom-scripts: exited 0. -wireguard | [cont-init.d] done. -wireguard | [services.d] starting services +./scripts/run.sh ``` -## Recommended configuration / Split tunnel: - -Modify your wireguard client `AllowedIps` to `10.1.0.0/24` to only tunnel the web panel and DNS traffic. +--- -## Access PiHole +Helped? -While connected to WireGuard, navigate to http://10.1.0.100/admin +Buy Me A Coffee -*The password (unless you set it in `docker-compose.yml`) is blank.* +--- -![](https://i.imgur.com/hlHL6VA.png) +For full documentation & creds please visit [original repo](https://github.com/IAmStoxe/wirehole) diff --git a/docker-compose.yml b/docker-compose.yml index 98d994d..13e62c2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,73 +1,70 @@ version: "3" networks: - piguard: + private_network: ipam: driver: default config: - - subnet: 10.1.0.0/24 + - subnet: 10.2.0.0/24 + services: + unbound: + image: mvance/unbound:1.12.0 + container_name: unbound + hostname: unbound + restart: unless-stopped + volumes: + - "./unbound:/opt/unbound/etc/unbound/" + networks: + private_network: + ipv4_address: 10.2.0.200 + wireguard: - depends_on: [unbound] - privileged: false - image: linuxserver/wireguard + image: linuxserver/wireguard:latest container_name: wireguard + depends_on: [unbound, pihole] cap_add: - NET_ADMIN - SYS_MODULE environment: - - PUID=1000 - - PGID=1000 - - TZ=America/Los_Angeles - # - SERVERURL=wireguard.domain.com #optional - - SERVERPORT=5555 #optional - - PEERS=1 #optional - - PEERDNS=10.1.0.100 # Set it to point to pihole - - INTERNAL_SUBNET=10.6.0.0 #optional + PUID: 1000 + PGID: 1000 + TZ: "${TIMEZONE}" + SERVERPORT: 51820 + #- SERVERURL=my.ddns.net #optional - For use with DDNS (Uncomment to use) + PEERS: "${PEERS}" + PEERDNS: 10.2.0.100 # Set it to point to pihole + INTERNAL_SUBNET: 10.6.0.0 volumes: - ./wireguard:/config - /lib/modules:/lib/modules ports: - - 5555:51820/udp + - "51820:51820/udp" + dns: + - 10.2.0.100 # Points to pihole + - 10.2.0.200 # Points to unbound sysctls: - net.ipv4.conf.all.src_valid_mark=1 restart: unless-stopped networks: - piguard: - ipv4_address: 10.1.0.3 - - unbound: - container_name: unbound - privileged: false - volumes: - - "./unbound:/opt/unbound/etc/unbound/" - # ports: - # - "53:53/tcp" - # - "53:53/udp" - restart: unless-stopped - image: "mvance/unbound:latest" - networks: - piguard: - ipv4_address: 10.1.0.200 + private_network: + ipv4_address: 10.2.0.3 pihole: - depends_on: [unbound] - container_name: pihole image: pihole/pihole:latest - privileged: false - ports: - - "53:53/tcp" - - "53:53/udp" - # - "67:67/udp" # Uncomment for pihole dhcp - - "80:80/tcp" - - "443:443/tcp" + container_name: pihole + hostname: pihole + depends_on: [unbound] + restart: unless-stopped + dns: + - 127.0.0.1 + - 10.2.0.200 # Points to unbound environment: - TZ: "America/Los_Angeles" - WEBPASSWORD: '' - ServerIP: 10.1.0.100 - DNS1: 10.1.0.200 - DNS2: 10.1.0.200 - # Volumes store your data between container upgrades + TZ: "${TIMEZONE}" + WEBPASSWORD: "${PIHOLE_PASSWORD}" + ServerIP: 10.2.0.100 # Internal IP of pihole + DNS1: 10.2.0.200 # Unbound IP + DNS2: 10.2.0.200 # If we don't specify two, it will auto pick google. volumes: - "./etc-pihole/:/etc/pihole/" - "./etc-dnsmasq.d/:/etc/dnsmasq.d/" @@ -75,7 +72,6 @@ services: # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities cap_add: - NET_ADMIN - restart: unless-stopped networks: - piguard: - ipv4_address: 10.1.0.100 + private_network: + ipv4_address: 10.2.0.100 diff --git a/scripts/.env.template b/scripts/.env.template new file mode 100644 index 0000000..2aadfc2 --- /dev/null +++ b/scripts/.env.template @@ -0,0 +1,7 @@ +TIMEZONE=${TIMEZONE:-Europe/Moscow} + +# PhiHole web admin password +PIHOLE_PASSWORD=${PIHOLE_PASSWORD:-pihole_default_password} + +# How many peers to generate for you (clients). Just digit or comma-separated aliases +PEERS=${PEERS:-1} diff --git a/scripts/.env.vars.example b/scripts/.env.vars.example new file mode 100644 index 0000000..baf51bc --- /dev/null +++ b/scripts/.env.vars.example @@ -0,0 +1,3 @@ +TIMEZONE=Europe/Moscow +PIHOLE_PASSWORD=pass1 +PEERS=macbook,iphone diff --git a/scripts/run.sh b/scripts/run.sh new file mode 100755 index 0000000..4b2139e --- /dev/null +++ b/scripts/run.sh @@ -0,0 +1,112 @@ +#!/bin/bash + +# Available parameters are: +# --down - stops and removes containers of running services +# --logs - displays logs output +# --pull - pulls fresh images before starting containers + +set -ea + +./scripts/templater.sh ./scripts/.env.template ./scripts/.env.vars > ./.env + +[ -f .env ] && source .env + +UNKNOWN_POSITIONAL_PARAMS=() + +while [ "$#" -gt 0 ]; do + key="$1" + + case $key in + --down) + DOWN="$1" + shift # past parameter + ;; + --logs) + LOGS="$1" + shift # past parameter + ;; + --pull) + PULL="$1" + shift # past parameter + ;; + *) # unknown option + UNKNOWN_POSITIONAL_PARAMS+=("$1") + shift # past parameter + ;; + esac +done + +if [ "${#UNKNOWN_POSITIONAL_PARAMS[@]}" -ne 0 ]; then + printf '%s\n' "Unrecognized parameters: '${UNKNOWN_POSITIONAL_PARAMS[*]}'" + printf '%s\n' "Available parameters are:" + printf '%s\n' "--down - stops and removes containers of running services" + printf '%s\n' "--logs - displays logs output for all services" + printf '%s\n' "--pull - pulls fresh images before starting containers" + exit 0 +fi + +COMPOSE_PROFILES_PREFIX="COMPOSE_PROFILES=${COMPOSE_PROFILES}" +printf '%s\n' "Start with profiles: ${COMPOSE_PROFILES}" + +DOCKER_COMPOSE_CONFIG="${COMPOSE_PROFILES_PREFIX} docker-compose -f docker-compose.yml" +DOCKER_COMPOSE_UP_OPTIONS="" + +OVERRIDE_YML="docker-compose.override.yml" +if test -f "$OVERRIDE_YML"; then + DOCKER_COMPOSE_CONFIG+=" -f ${OVERRIDE_YML}" +fi + +#### DOWN #### +DOCKER_COMPOSE_DOWN=("${DOCKER_COMPOSE_CONFIG}" "down --remove-orphans") +if [ "${SERVICE_NAME:=false}" != "false" ]; then +# DOCKER_COMPOSE_DOWN=("${DOCKER_COMPOSE_DOWN[@]}" "${SERVICE_NAME}") + DOCKER_COMPOSE_DOWN=("${DOCKER_COMPOSE_CONFIG}" "rm -sv" "${SERVICE_NAME}") +fi + +if [ "${DOWN}" == "--down" ]; then + printf '%s\n' "Stopping containers, removing containers and networks ..." + printf '%s\n' "Running command: ${DOCKER_COMPOSE_DOWN[*]}" + eval "${DOCKER_COMPOSE_DOWN[@]}" + exit 0; +fi +#### END DOWN #### + +#### LOG #### +DOCKER_COMPOSE_LOGS=("${DOCKER_COMPOSE_CONFIG}" "logs" "${SERVICE_NAME}") +if [ "${SERVICE_NAME:=false}" != "false" ]; then + DOCKER_COMPOSE_LOGS=("${DOCKER_COMPOSE_LOGS[@]}" "${SERVICE_NAME}") +fi + +if [ "${LOGS}" == "--logs" ]; then + printf '%s\n' "Displaying logs output ..." + printf '%s\n' "Running command: ${DOCKER_COMPOSE_LOGS[*]}" + eval "${DOCKER_COMPOSE_LOGS[@]}" + exit 0; +fi +#### END LOG #### + +#### UP #### +DOCKER_COMPOSE_UP=("${DOCKER_COMPOSE_CONFIG}" "up" "${DOCKER_COMPOSE_UP_OPTIONS}") + +DOCKER_COMPOSE=( + "${DOCKER_COMPOSE_DOWN[@]}" "&&" + "${DOCKER_COMPOSE_UP[@]}" +) + +DOCKER_COMPOSE_PULL=("${DOCKER_COMPOSE_CONFIG}" "pull") + +if [ "${PULL}" == "--pull" ]; then + printf '%s\n' "Enforced pull of fresh images ..." + DOCKER_COMPOSE=("${DOCKER_COMPOSE[@]:0:3}" "${DOCKER_COMPOSE_PULL[@]}" "&&" "${DOCKER_COMPOSE[@]:3}") +fi + +if [ "${SERVICE_NAME:=false}" != "false" ]; then + DOCKER_COMPOSE=("${DOCKER_COMPOSE[@]}" "${SERVICE_NAME}") +fi + +printf '%s\n' "Running command: ${DOCKER_COMPOSE[*]}" + +eval "${DOCKER_COMPOSE[@]}" +#### END UP #### + +set +a diff --git a/scripts/templater.sh b/scripts/templater.sh new file mode 100755 index 0000000..6a20f7b --- /dev/null +++ b/scripts/templater.sh @@ -0,0 +1,38 @@ +#!/bin/sh + +# $1 - file template +# $2 (optional) - file vars + +#set -eu # unset variables are errors & non-zero return values exit the whole script +[ "${DEBUG:-}" = "true" ] && set -x + +template="./.env.template" +fin="./.env.vars" + +cat_template() { + echo "cat << EOT" + if [ -n "$1" ]; then + cat "$1" + else + [ -n $template ] && cat $template + fi + + + echo EOT +} + +# source file vars +if [ -f "$2" ]; then + set -a; . "$2"; set +a; +else + [ -f $fin ] && (set -a; . $fin; set +a; ) +fi + +# source file template +if [ -f "$1" ]; then + set -a; . "$1"; set +a; +else + [ -f "${template}" ] && (set -a; . "${template}"; set +a; ) +fi + +cat_template $1 | sh diff --git a/unbound/unbound.conf b/unbound/unbound.conf index f0bd343..6f31562 100644 --- a/unbound/unbound.conf +++ b/unbound/unbound.conf @@ -1,349 +1,165 @@ -# server: -# ########################################################################### -# # BASIC SETTINGS -# ########################################################################### -# # Time to live maximum for RRsets and messages in the cache. If the maximum -# # kicks in, responses to clients still get decrementing TTLs based on the -# # original (larger) values. When the internal TTL expires, the cache item -# # has expired. Can be set lower to force the resolver to query for data -# # often, and not trust (very large) TTL values. -# cache-max-ttl: 86400 - -# # Time to live minimum for RRsets and messages in the cache. If the minimum -# # kicks in, the data is cached for longer than the domain owner intended, -# # and thus less queries are made to look up the data. Zero makes sure the -# # data in the cache is as the domain owner intended, higher values, -# # especially more than an hour or so, can lead to trouble as the data in -# # the cache does not match up with the actual data any more. -# cache-min-ttl: 300 - -# # Set the working directory for the program. -# directory: "/opt/unbound/etc/unbound" - -# # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer -# # size. This is the value put into datagrams over UDP towards peers. -# # 4096 is RFC recommended. 1472 has a reasonable chance to fit within a -# # single Ethernet frame, thus lessing the chance of fragmentation -# # reassembly problems (usually seen as timeouts). Setting to 512 bypasses -# # even the most stringent path MTU problems, but is not recommended since -# # the amount of TCP fallback generated is excessive. -# edns-buffer-size: 1472 - -# # Listen to for queries from clients and answer from this network interface -# # and port. -# interface: 0.0.0.0@53 - -# # Rotates RRSet order in response (the pseudo-random number is taken from -# # the query ID, for speed and thread safety). -# rrset-roundrobin: yes - -# # Drop user privileges after binding the port. -# username: "_unbound" - -# ########################################################################### -# # LOGGING -# ########################################################################### - -# # Do not print log lines to inform about local zone actions -# log-local-actions: no - -# # Do not print one line per query to the log -# log-queries: no - -# # Do not print one line per reply to the log -# log-replies: no - -# # Do not print log lines that say why queries return SERVFAIL to clients -# log-servfail: no - -# # Further limit logging -# logfile: /dev/null - -# # Only log errors -# verbosity: 5 - -# ########################################################################### -# # PRIVACY SETTINGS -# ########################################################################### - -# # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other -# # denials, using information from previous NXDO-MAINs answers. In other -# # words, use cached NSEC records to generate negative answers within a -# # range and positive answers from wildcards. This increases performance, -# # decreases latency and resource utilization on both authoritative and -# # recursive servers, and increases privacy. Also, it may help increase -# # resilience to certain DoS attacks in some circumstances. -# aggressive-nsec: yes - -# # Extra delay for timeouted UDP ports before they are closed, in msec. -# # This prevents very delayed answer packets from the upstream (recursive) -# # servers from bouncing against closed ports and setting off all sort of -# # close-port counters, with eg. 1500 msec. When timeouts happen you need -# # extra sockets, it checks the ID and remote IP of packets, and unwanted -# # packets are added to the unwanted packet counter. -# delay-close: 10000 - -# # Prevent the unbound server from forking into the background as a daemon -# do-daemonize: no - -# # Add localhost to the do-not-query-address list. -# do-not-query-localhost: no - -# # Number of bytes size of the aggressive negative cache. -# neg-cache-size: 4M - -# # Send minimum amount of information to upstream servers to enhance -# # privacy (best privacy). -# qname-minimisation: yes - -# ########################################################################### -# # SECURITY SETTINGS -# ########################################################################### -# # Only give access to recursion clients from LAN IPs -# access-control: 127.0.0.1/32 allow -# access-control: 192.168.0.0/16 allow -# access-control: 172.16.0.0/12 allow -# access-control: 10.0.0.0/8 allow -# # access-control: fc00::/7 allow -# # access-control: ::1/128 allow - -# # File with trust anchor for one zone, which is tracked with RFC5011 -# # probes. -# auto-trust-anchor-file: "var/root.key" - -# # Enable chroot (i.e, change apparent root directory for the current -# # running process and its children) -# chroot: "/opt/unbound/etc/unbound" - -# # Deny queries of type ANY with an empty response. -# deny-any: yes - -# # Harden against algorithm downgrade when multiple algorithms are -# # advertised in the DS record. -# harden-algo-downgrade: yes - -# # RFC 8020. returns nxdomain to queries for a name below another name that -# # is already known to be nxdomain. -# harden-below-nxdomain: yes - -# # Require DNSSEC data for trust-anchored zones, if such data is absent, the -# # zone becomes bogus. If turned off you run the risk of a downgrade attack -# # that disables security for a zone. -# harden-dnssec-stripped: yes - -# # Only trust glue if it is within the servers authority. -# harden-glue: yes - -# # Ignore very large queries. -# harden-large-queries: yes - -# # Perform additional queries for infrastructure data to harden the referral -# # path. Validates the replies if trust anchors are configured and the zones -# # are signed. This enforces DNSSEC validation on nameserver NS sets and the -# # nameserver addresses that are encountered on the referral path to the -# # answer. Experimental option. -# harden-referral-path: no - -# # Ignore very small EDNS buffer sizes from queries. -# harden-short-bufsize: yes - -# # Refuse id.server and hostname.bind queries -# hide-identity: yes - -# # Refuse version.server and version.bind queries -# hide-version: yes - -# # Report this identity rather than the hostname of the server. -# identity: "DNS" - -# # These private network addresses are not allowed to be returned for public -# # internet names. Any occurrence of such addresses are removed from DNS -# # answers. Additionally, the DNSSEC validator may mark the answers bogus. -# # This protects against DNS Rebinding -# private-address: 10.0.0.0/8 -# private-address: 172.16.0.0/12 -# private-address: 192.168.0.0/16 -# private-address: 169.254.0.0/16 -# # private-address: fd00::/8 -# # private-address: fe80::/10 -# # private-address: ::ffff:0:0/96 - -# # Enable ratelimiting of queries (per second) sent to nameserver for -# # performing recursion. More queries are turned away with an error -# # (servfail). This stops recursive floods (e.g., random query names), but -# # not spoofed reflection floods. Cached responses are not rate limited by -# # this setting. Experimental option. -# ratelimit: 1000 - -# # Use this certificate bundle for authenticating connections made to -# # outside peers (e.g., auth-zone urls, DNS over TLS connections). -# tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - -# # Set the total number of unwanted replies to eep track of in every thread. -# # When it reaches the threshold, a defensive action of clearing the rrset -# # and message caches is taken, hopefully flushing away any poison. -# # Unbound suggests a value of 10 million. -# unwanted-reply-threshold: 10000 - -# # Use 0x20-encoded random bits in the query to foil spoof attempts. This -# # perturbs the lowercase and uppercase of query names sent to authority -# # servers and checks if the reply still has the correct casing. -# # This feature is an experimental implementation of draft dns-0x20. -# # Experimental option. -# use-caps-for-id: yes - -# # Help protect users that rely on this validator for authentication from -# # potentially bad data in the additional section. Instruct the validator to -# # remove data from the additional section of secure messages that are not -# # signed properly. Messages that are insecure, bogus, indeterminate or -# # unchecked are not affected. -# val-clean-additional: yes - -# ########################################################################### -# # PERFORMANCE SETTINGS -# ########################################################################### -# # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ -# # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ - -# # Number of slabs in the infrastructure cache. Slabs reduce lock contention -# # by threads. Must be set to a power of 2. -# infra-cache-slabs: 4 - -# # Number of incoming TCP buffers to allocate per thread. Default -# # is 10. If set to 0, or if do-tcp is "no", no TCP queries from -# # clients are accepted. For larger installations increasing this -# # value is a good idea. -# incoming-num-tcp: 10 - -# # Number of slabs in the key cache. Slabs reduce lock contention by -# # threads. Must be set to a power of 2. Setting (close) to the number -# # of cpus is a reasonable guess. -# key-cache-slabs: 4 - -# # Number of bytes size of the message cache. -# # Unbound recommendation is to Use roughly twice as much rrset cache memory -# # as you use msg cache memory. -# msg-cache-size: 855658496 - -# # Number of slabs in the message cache. Slabs reduce lock contention by -# # threads. Must be set to a power of 2. Setting (close) to the number of -# # cpus is a reasonable guess. -# msg-cache-slabs: 4 - -# # The number of queries that every thread will service simultaneously. If -# # more queries arrive that need servicing, and no queries can be jostled -# # out (see jostle-timeout), then the queries are dropped. -# # This is best set at half the number of the outgoing-range. -# # This Unbound instance was compiled with libevent so it can efficiently -# # use more than 1024 file descriptors. -# num-queries-per-thread: 4096 - -# # The number of threads to create to serve clients. -# # This is set dynamically at run time to effectively use available CPUs -# # resources -# num-threads: 2 - -# # Number of ports to open. This number of file descriptors can be opened -# # per thread. -# # This Unbound instance was compiled with libevent so it can efficiently -# # use more than 1024 file descriptors. -# outgoing-range: 8192 - -# # Number of bytes size of the RRset cache. -# # Use roughly twice as much rrset cache memory as msg cache memory -# rrset-cache-size: 1711316992 - -# # Number of slabs in the RRset cache. Slabs reduce lock contention by -# # threads. Must be set to a power of 2. -# rrset-cache-slabs: 4 - -# # Do no insert authority/additional sections into response messages when -# # those sections are not required. This reduces response size -# # significantly, and may avoid TCP fallback for some responses. This may -# # cause a slight speedup. -# minimal-responses: yes - -# # # Fetch the DNSKEYs earlier in the validation process, when a DS record -# # is encountered. This lowers the latency of requests at the expense of -# # little more CPU usage. -# prefetch: yes - -# # Fetch the DNSKEYs earlier in the validation process, when a DS record is -# # encountered. This lowers the latency of requests at the expense of little -# # more CPU usage. -# prefetch-key: yes - -# # Have unbound attempt to serve old responses from cache with a TTL of 0 in -# # the response without waiting for the actual resolution to finish. The -# # actual resolution answer ends up in the cache later on. -# serve-expired: yes - -# # Open dedicated listening sockets for incoming queries for each thread and -# # try to set the SO_REUSEPORT socket option on each socket. May distribute -# # incoming queries to threads more evenly. -# so-reuseport: yes - -# ########################################################################### -# # LOCAL ZONE -# ########################################################################### - -# # # Include file for local-data and local-data-ptr -# # include: /opt/unbound/etc/unbound/a-records.conf -# # include: /opt/unbound/etc/unbound/srv-records.conf - -# # ########################################################################### -# # # FORWARD ZONE -# # ########################################################################### - -# # include: /opt/unbound/etc/unbound/forward-records.conf - - -# remote-control: -# control-enable: no - server: - verbosity: 1 - num-threads: 3 - interface: 0.0.0.0@53 - so-reuseport: yes - edns-buffer-size: 1472 - delay-close: 10000 - cache-min-ttl: 60 + ########################################################################### + # BASIC SETTINGS + ########################################################################### + # Time to live maximum for RRsets and messages in the cache. If the maximum + # kicks in, responses to clients still get decrementing TTLs based on the + # original (larger) values. When the internal TTL expires, the cache item + # has expired. Can be set lower to force the resolver to query for data + # often, and not trust (very large) TTL values. cache-max-ttl: 86400 - do-daemonize: no + + # Time to live minimum for RRsets and messages in the cache. If the minimum + # kicks in, the data is cached for longer than the domain owner intended, + # and thus less queries are made to look up the data. Zero makes sure the + # data in the cache is as the domain owner intended, higher values, + # especially more than an hour or so, can lead to trouble as the data in + # the cache does not match up with the actual data any more. + cache-min-ttl: 60 + + # Set the working directory for the program. + directory: "/opt/unbound/etc/unbound" + + # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer + # size. This is the value put into datagrams over UDP towards peers. + # 4096 is RFC recommended. 1472 has a reasonable chance to fit within a + # single Ethernet frame, thus lessing the chance of fragmentation + # reassembly problems (usually seen as timeouts). Setting to 512 bypasses + # even the most stringent path MTU problems, but is not recommended since + # the amount of TCP fallback generated is excessive. + edns-buffer-size: 1472 + + # Listen to for queries from clients and answer from this network interface + # and port. + interface: 0.0.0.0@53 + + # Rotates RRSet order in response (the pseudo-random number is taken from + # the query ID, for speed and thread safety). + rrset-roundrobin: yes + + # Drop user privileges after binding the port. username: "_unbound" + + ########################################################################### + # LOGGING + ########################################################################### + + # Do not print log lines to inform about local zone actions + log-local-actions: no + + # Do not print one line per query to the log log-queries: no - hide-version: yes - hide-identity: yes - identity: "DNS" - harden-algo-downgrade: yes - harden-short-bufsize: yes - harden-large-queries: yes - harden-glue: yes - harden-dnssec-stripped: yes - harden-below-nxdomain: yes - harden-referral-path: no + + # Do not print one line per reply to the log + log-replies: no + + # Do not print log lines that say why queries return SERVFAIL to clients + log-servfail: no + + # Further limit logging + logfile: /dev/null + + # Only log errors + verbosity: 0 + + ########################################################################### + # PRIVACY SETTINGS + ########################################################################### + + # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other + # denials, using information from previous NXDO-MAINs answers. In other + # words, use cached NSEC records to generate negative answers within a + # range and positive answers from wildcards. This increases performance, + # decreases latency and resource utilization on both authoritative and + # recursive servers, and increases privacy. Also, it may help increase + # resilience to certain DoS attacks in some circumstances. + aggressive-nsec: yes + + # Extra delay for timeouted UDP ports before they are closed, in msec. + # This prevents very delayed answer packets from the upstream (recursive) + # servers from bouncing against closed ports and setting off all sort of + # close-port counters, with eg. 1500 msec. When timeouts happen you need + # extra sockets, it checks the ID and remote IP of packets, and unwanted + # packets are added to the unwanted packet counter. + delay-close: 10000 + + # Prevent the unbound server from forking into the background as a daemon + do-daemonize: no + + # Add localhost to the do-not-query-address list. do-not-query-localhost: no - prefetch: yes - prefetch-key: yes + + # Number of bytes size of the aggressive negative cache. + neg-cache-size: 4M + + # Send minimum amount of information to upstream servers to enhance + # privacy (best privacy). qname-minimisation: yes - aggressive-nsec: yes - ratelimit: 1000 - rrset-roundrobin: yes - minimal-responses: yes - chroot: "/opt/unbound/etc/unbound" - directory: "/opt/unbound/etc/unbound" + + ########################################################################### + # SECURITY SETTINGS + ########################################################################### + # Only give access to recursion clients from LAN IPs + access-control: 127.0.0.1/32 allow + access-control: 192.168.0.0/16 allow + access-control: 172.16.0.0/12 allow + access-control: 10.0.0.0/8 allow + # access-control: fc00::/7 allow + # access-control: ::1/128 allow + + # File with trust anchor for one zone, which is tracked with RFC5011 + # probes. auto-trust-anchor-file: "var/root.key" - num-queries-per-thread: 4096 - outgoing-range: 8192 - msg-cache-size: 260991658 - rrset-cache-size: 260991658 - neg-cache-size: 4M - serve-expired: yes - unwanted-reply-threshold: 10000 - use-caps-for-id: yes - val-clean-additional: yes - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + + # Enable chroot (i.e, change apparent root directory for the current + # running process and its children) + chroot: "/opt/unbound/etc/unbound" + + # Deny queries of type ANY with an empty response. + #deny-any: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. + harden-algo-downgrade: yes + + # RFC 8020. returns nxdomain to queries for a name below another name that + # is already known to be nxdomain. + harden-below-nxdomain: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the + # zone becomes bogus. If turned off you run the risk of a downgrade attack + # that disables security for a zone. + harden-dnssec-stripped: yes + + # Only trust glue if it is within the servers authority. + harden-glue: yes + + # Ignore very large queries. + harden-large-queries: yes + + # Perform additional queries for infrastructure data to harden the referral + # path. Validates the replies if trust anchors are configured and the zones + # are signed. This enforces DNSSEC validation on nameserver NS sets and the + # nameserver addresses that are encountered on the referral path to the + # answer. Experimental option. + harden-referral-path: no + + # Ignore very small EDNS buffer sizes from queries. + harden-short-bufsize: yes + + # Refuse id.server and hostname.bind queries + hide-identity: yes + + # Refuse version.server and version.bind queries + hide-version: yes + + # Report this identity rather than the hostname of the server. + identity: "DNS" + + # These private network addresses are not allowed to be returned for public + # internet names. Any occurrence of such addresses are removed from DNS + # answers. Additionally, the DNSSEC validator may mark the answers bogus. + # This protects against DNS Rebinding private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 @@ -351,18 +167,150 @@ server: private-address: fd00::/8 private-address: fe80::/10 private-address: ::ffff:0:0/96 - access-control: 127.0.0.1/32 allow - access-control: 192.168.1.1/24 allow - access-control: 172.16.0.0/12 allow - access-control: 10.0.0.0/8 allow - logfile: /var/log/unbound.log - #include: /opt/unbound/etc/unbound/a-records.conf - forward-zone: - name: "." - forward-addr: 1.1.1.1@853#cloudflare-dns.com - forward-addr: 1.0.0.1@853#cloudflare-dns.com - forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com - forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com - forward-tls-upstream: yes + + # Enable ratelimiting of queries (per second) sent to nameserver for + # performing recursion. More queries are turned away with an error + # (servfail). This stops recursive floods (e.g., random query names), but + # not spoofed reflection floods. Cached responses are not rate limited by + # this setting. Experimental option. + #ratelimit: 1000 + + # Use this certificate bundle for authenticating connections made to + # outside peers (e.g., auth-zone urls, DNS over TLS connections). + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + + # Set the total number of unwanted replies to eep track of in every thread. + # When it reaches the threshold, a defensive action of clearing the rrset + # and message caches is taken, hopefully flushing away any poison. + # Unbound suggests a value of 10 million. + unwanted-reply-threshold: 10000000 + + # Use 0x20-encoded random bits in the query to foil spoof attempts. This + # perturbs the lowercase and uppercase of query names sent to authority + # servers and checks if the reply still has the correct casing. + # This feature is an experimental implementation of draft dns-0x20. + # Experimental option. + #use-caps-for-id: yes + + # Help protect users that rely on this validator for authentication from + # potentially bad data in the additional section. Instruct the validator to + # remove data from the additional section of secure messages that are not + # signed properly. Messages that are insecure, bogus, indeterminate or + # unchecked are not affected. + val-clean-additional: yes + + ########################################################################### + # PERFORMANCE SETTINGS + ########################################################################### + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ + + # Number of slabs in the infrastructure cache. Slabs reduce lock contention + # by threads. Must be set to a power of 2. + # infra-cache-slabs: 4 + + # Number of incoming TCP buffers to allocate per thread. Default + # is 10. If set to 0, or if do-tcp is "no", no TCP queries from + # clients are accepted. For larger installations increasing this + # value is a good idea. + # incoming-num-tcp: 10 + + # Number of slabs in the key cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number + # of cpus is a reasonable guess. + # key-cache-slabs: 4 + + # Number of bytes size of the message cache. + # Unbound recommendation is to Use roughly twice as much rrset cache memory + # as you use msg cache memory. + msg-cache-size: 260991658 + + # Number of slabs in the message cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number of + # cpus is a reasonable guess. + #msg-cache-slabs: 4 + + # The number of queries that every thread will service simultaneously. If + # more queries arrive that need servicing, and no queries can be jostled + # out (see jostle-timeout), then the queries are dropped. + # This is best set at half the number of the outgoing-range. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + num-queries-per-thread: 4096 + + # The number of threads to create to serve clients. + # This is set dynamically at run time to effectively use available CPUs + # resources + #num-threads: 3 + + # Number of ports to open. This number of file descriptors can be opened + # per thread. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + outgoing-range: 8192 + + # Number of bytes size of the RRset cache. + # Use roughly twice as much rrset cache memory as msg cache memory + rrset-cache-size: 260991658 + + # Number of slabs in the RRset cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. + #rrset-cache-slabs: 4 + + # Do no insert authority/additional sections into response messages when + # those sections are not required. This reduces response size + # significantly, and may avoid TCP fallback for some responses. This may + # cause a slight speedup. + minimal-responses: yes + + # # Fetch the DNSKEYs earlier in the validation process, when a DS record + # is encountered. This lowers the latency of requests at the expense of + # little more CPU usage. + prefetch: yes + + # Fetch the DNSKEYs earlier in the validation process, when a DS record is + # encountered. This lowers the latency of requests at the expense of little + # more CPU usage. + prefetch-key: yes + + # Have unbound attempt to serve old responses from cache with a TTL of 0 in + # the response without waiting for the actual resolution to finish. The + # actual resolution answer ends up in the cache later on. + serve-expired: yes + + # Open dedicated listening sockets for incoming queries for each thread and + # try to set the SO_REUSEPORT socket option on each socket. May distribute + # incoming queries to threads more evenly. + so-reuseport: yes + + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf: 1m + + ########################################################################### + # LOCAL ZONE + ########################################################################### + + # # Include file for local-data and local-data-ptr + # include: /opt/unbound/etc/unbound/a-records.conf + # include: /opt/unbound/etc/unbound/srv-records.conf + + # ########################################################################### + # # FORWARD ZONE + # ########################################################################### + + # include: /opt/unbound/etc/unbound/forward-records.conf + + # OPTIONAL: + # Forward Secure DNS to upstream provider Cloudflare DNS + + # forward-zone: + # name: "." + # forward-addr: 1.1.1.1@853#cloudflare-dns.com + # forward-addr: 1.0.0.1@853#cloudflare-dns.com + # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com + # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com + # forward-tls-upstream: yes + remote-control: - control-enable: no \ No newline at end of file + control-enable: no +