From 135a7be6a2b30b74a9fc239adac45f08ad4eace7 Mon Sep 17 00:00:00 2001
From: Petr Mensik
Date: Fri, 10 Nov 2023 12:58:31 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults
Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM.
---
 unbound-1.20.0/doc/example.conf.in | 199 +++++++++++++++++++----------
 1 file changed, 128 insertions(+), 71 deletions(-)
diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
index 0368c8d..5873db5 100644
--- a/unbound-1.20.0/doc/example.conf.in
+++ b/unbound-1.20.0/doc/example.conf.in
@@ -17,11 +17,12 @@ server:
 # whitespace is not necessary, but looks cleaner.
 # verbosity number, 0 is least verbose. 1 is default.
- # verbosity: 1
+ verbosity: 1
 # print statistics to the log (for every thread) every N seconds.
 # Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
+ # Needs to be disabled for munin plugin
+ statistics-interval: 0
 # enable shm for stats, default no. if you enable also enable
 # statistics-interval, every time it also writes stats to the
@@ -32,11 +33,13 @@ server:
 # shm-key: 11777
 # enable cumulative statistics, without clearing them after printing.
- # statistics-cumulative: no
+ # Needs to be disabled for munin plugin
+ statistics-cumulative: no
 # enable extended statistics (query types, answer codes, status)
- # printed from unbound-control. Default off, because of speed.
- # extended-statistics: no
+ # printed from unbound-control. default off, because of speed.
+ # Needs to be enabled for munin plugin
+ extended-statistics: yes
 # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
 # rpz-actions) from printing if their value is 0.
@@ -44,22 +47,35 @@ server:
 # statistics-inhibit-zero: yes
 # number of threads to create. 1 disables threading.
- # num-threads: 1
+ num-threads: 4
 # specify the interfaces to answer queries from by ip-address.
 # The default is to listen to localhost (127.0.0.1 and ::1).
 # specify 0.0.0.0 and ::0 to bind to all available interfaces.
 # specify every interface[@port] on a new 'interface:' labelled line.
 # The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
 # interface: 192.0.2.153
 # interface: 192.0.2.154
 # interface: 192.0.2.154@5003
 # interface: 2001:DB8::5
 # interface: eth0@5003
+ #
+ # for dns over tls and raw dns over port 80
+ # interface: 0.0.0.0@443
+ # interface: ::0@443
+ # interface: 0.0.0.0@80
+ # interface: ::0@80
 # enable this feature to copy the source address of queries to reply.
 # Socket options are not supported on all platforms. experimental.
- # interface-automatic: no
+ # interface-automatic: yes
+ #
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+ interface-automatic: no
 # instead of the default port, open additional ports separated by
 # spaces when interface-automatic is enabled, by listing them here.
@@ -94,7 +110,8 @@ server:
 # permit Unbound to use this port number or port range for
 # making outgoing queries, using an outgoing interface.
- # outgoing-port-permit: 32768
+ # Only ephemeral ports are allowed by SElinux
+ outgoing-port-permit: 32768-60999
 # deny Unbound the use this of port number or port range for
 # making outgoing queries, using an outgoing interface.
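Review bot: The third NOTE above `interface-automatic: no` claims the option must be disabled when deploying on a non-default port such as 80/443, but the two context lines that close the hunk describe an option that opens additional ports precisely while interface-automatic is enabled (presumably `interface-automatic-ports`), so the note contradicts its own surroundings. Replace it with something like `# NOTE: for non-default ports (eg 80/443) list them in interface-automatic-ports below`. Keeping a commented `# interface-automatic: yes` directly above the active `interface-automatic: no` is also confusing for an example file; one of the two should go. `num-threads: 4` is a fixed value regardless of the host's CPU count, which deserves a one-line comment saying to size it to the number of cores.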
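Review bot: `outgoing-port-permit: 32768-60999` cuts the usable source-port pool from roughly 64k to about 28k ports, costing more than a bit of the source-port entropy that defends against off-path (Kaminsky-style) cache poisoning, and the comment presents this purely as an SELinux constraint. If the policy forces it, state the trade-off so the range is not narrowed further or copied to builds without that policy, e.g. `# Only ephemeral ports are allowed by SELinux; this narrows source-port randomization, do not shrink it further`. As far as I recall upstream documents outgoing-port-permit as additive to a default set that already covers 1024-65535, in which case this line alone changes nothing and the two outgoing-port-avoid lines in the next hunk are what actually enforce the range — the comment should say which line is load-bearing. The comment also misspells SELinux as `SElinux`.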
@@ -103,7 +120,9 @@ server:
 # IANA-assigned port numbers.
 # If multiple outgoing-port-permit and outgoing-port-avoid options
 # are present, they are processed in order.
- # outgoing-port-avoid: "3200-3208"
+ # Our SElinux policy does not allow non-ephemeral ports to be used
+ outgoing-port-avoid: 0-32767
+ outgoing-port-avoid: 61000-65535
 # number of outgoing simultaneous tcp buffers to hold per thread.
 # outgoing-num-tcp: 10
@@ -121,12 +140,12 @@ server:
 # use SO_REUSEPORT to distribute queries over threads.
 # at extreme load it could be better to turn it off to distribute even.
- # so-reuseport: yes
+ so-reuseport: yes
 # use IP_TRANSPARENT so the interface: addresses can be non-local
 # and you can config non-existing IPs that are going to work later on
 # (uses IP_BINDANY on FreeBSD).
- # ip-transparent: no
+ ip-transparent: yes
 # use IP_FREEBIND so the interface: addresses can be non-local
 # and you can bind to nonexisting IPs and interfaces that are down.
@@ -276,6 +295,8 @@ server:
 # nat64-prefix: 64:ff9b::0/96
 # Enable UDP, "yes" or "no".
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
+ # disable UDP to avoid being used in DNS amplification attacks.
 # do-udp: yes
 # Enable TCP, "yes" or "no".
@@ -301,7 +322,7 @@ server:
 # tcp-idle-timeout: 30000
 # Enable EDNS TCP keepalive option.
- # edns-tcp-keepalive: no
+ edns-tcp-keepalive: yes
 # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
 # if edns-tcp-keepalive is set.
@@ -311,6 +332,9 @@ server:
 # can be dropped. Default is 0, disabled. In seconds, such as 3.
 # sock-queue-timeout: 0
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
 # Use systemd socket activation for UDP, TCP, and control sockets.
 # use-systemd: no
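Review bot: `ip-transparent: yes` is enabled for every install although the context says it exists only so that `interface:` addresses can be non-local, and the default listener in this config is localhost, which is always local. IP_TRANSPARENT is a privileged socket option on Linux (CAP_NET_ADMIN at bind time), so this either needs that capability granted to the service or will produce a setsockopt failure or warning at startup — I cannot see the unit file from here, so please confirm which. Either keep upstream's `# ip-transparent: no` or document the reason, e.g. `# Fedora: on so that addresses of not-yet-configured interfaces can be bound; needs CAP_NET_ADMIN`.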
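Review bot: The new NOTE suggests disabling UDP on a public tls443 resolver to avoid amplification, but as far as I recall `do-udp` governs both answering and issuing UDP, so `do-udp: no` also forces every upstream query over TCP — a large performance and compatibility change the note leaves out, and amplification is normally handled with `access-control:` limits and response rate limiting while UDP stays on. Suggest `# NOTE: do-udp: no also stops UDP to upstream servers; for a public tls443 service prefer access-control and rate limits over disabling UDP`. Please check the wording against unbound.conf(5), since the upstream description of the option is not in this hunk.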
@@ -424,6 +448,7 @@ server:
 #
 # If you give "" no chroot is performed. The path must not end in a /.
 # chroot: "@UNBOUND_CHROOT_DIR@"
+ chroot: ""
 # if given, user privileges are dropped (after binding port),
 # and the given username is assumed. Default is user "unbound".
@@ -435,7 +460,7 @@ server:
 # is not changed.
 # If you give a server: directory: dir before include: file statements
 # then those includes can be relative to the working directory.
- # directory: "@UNBOUND_RUN_DIR@"
+ directory: "/etc/unbound"
 # the log file, "" means log to stderr.
 # Use of this option sets use-syslog to "no".
@@ -450,7 +475,7 @@ server:
 # log-identity: ""
 # print UTC timestamp in ascii to logfile, default is epoch in seconds.
- # log-time-ascii: no
+ log-time-ascii: yes
 # print one line with time, IP, name, type, class for every query.
 # log-queries: no
@@ -522,22 +547,22 @@ server:
 # harden-large-queries: no
 # Harden against out of zone rrsets, to avoid spoofing attempts.
- # harden-glue: yes
+ harden-glue: yes
 # Harden against receiving dnssec-stripped data. If you turn it
 # off, failing to validate dnskey data for a trustanchor will
 # trigger insecure mode for that zone (like without a trustanchor).
 # Default on, which insists on dnssec data for trust-anchored zones.
- # harden-dnssec-stripped: yes
+ harden-dnssec-stripped: yes
 # Harden against queries that fall under dnssec-signed nxdomain names.
- # harden-below-nxdomain: yes
+ harden-below-nxdomain: yes
 # Harden the referral path by performing additional queries for
 # infrastructure data. Validates the replies (if possible).
 # Default off, because the lookups burden the server. Experimental
 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
- # harden-referral-path: no
+ harden-referral-path: yes
 # Harden against algorithm downgrade when multiple algorithms are
 # advertised in the DS record. If no, allows the weakest algorithm
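Review bot: `chroot: ""` switches off the chroot jail that upstream turns on by default (`@UNBOUND_CHROOT_DIR@`) without a word about what containment replaces it, while almost every other Fedora-specific change in this patch carries a comment. If the reasoning is that SELinux policy and the service unit's sandboxing cover it, say so on the line, e.g. `# Fedora: chroot disabled, process confinement comes from SELinux policy instead`, so that a host running SELinux permissive knows it has lost a layer. The `directory: "/etc/unbound"` change that follows is consistent with not chrooting.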
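Review bot: `harden-referral-path: yes` enables an option whose own description four lines above says it defaults to off because the extra lookups burden the server and the implementation is experimental, and the hunk gives no reason for overriding that. Either leave it commented as upstream does or add a note such as `# Fedora: enabled despite the lookup cost; set to no on busy resolvers` with a pointer to the discussion that motivated it. The other three harden-* lines merely uncomment upstream defaults and are fine.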
@@ -551,7 +576,7 @@ server:
 # Sent minimum amount of information to upstream servers to enhance
 # privacy. Only sent minimum required labels of the QNAME and set QTYPE
 # to A when possible.
- # qname-minimisation: yes
+ qname-minimisation: yes
 # QNAME minimisation in strict mode. Do not fall-back to sending full
 # QNAME to potentially broken nameservers. A lot of domains will not be
@@ -561,7 +586,7 @@ server:
 # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 # and other denials, using information from previous NXDOMAINs answers.
- # aggressive-nsec: yes
+ aggressive-nsec: yes
 # Use 0x20-encoded random bits in the query to foil spoof attempts.
 # This feature is an experimental implementation of draft dns-0x20.
@@ -594,7 +619,7 @@ server:
 # threshold, a warning is printed and a defensive action is taken,
 # the cache is cleared to flush potential poison out of it.
 # A suggested value is 10000000, the default is 0 (turned off).
- # unwanted-reply-threshold: 0
+ unwanted-reply-threshold: 10000000
 # Do not query the following addresses. No DNS queries are sent there.
 # List one address per entry. List classless netblocks with /size,
@@ -606,20 +631,20 @@ server:
 # do-not-query-localhost: yes
 # if yes, perform prefetching of almost expired message cache entries.
- # prefetch: no
+ prefetch: yes
 # if yes, perform key lookups adjacent to normal lookups.
- # prefetch-key: no
+ prefetch-key: yes
 # deny queries of type ANY with an empty response.
- # deny-any: no
+ deny-any: yes
 # if yes, Unbound rotates RRSet order in response.
- # rrset-roundrobin: yes
+ rrset-roundrobin: yes
 # if yes, Unbound doesn't insert authority/additional sections
 # into response messages when those sections are not required.
- # minimal-responses: yes
+ minimal-responses: yes
 # true to disable DNSSEC lameness check in iterator.
 # disable-dnssec-lame-check: no
@@ -629,7 +654,9 @@ server:
 # most modules have to be listed at the beginning of the line,
 # except cachedb(just before iterator), and python (at the beginning,
 # or, just before the iterator).
- # module-config: "validator iterator"
+ # For redis cachedb use:
+ # "ipsecmod validator cachedb iterator"
+ module-config: "ipsecmod validator iterator"
 # File with trusted keys, kept uptodate using RFC5011 probes,
 # initial file like trust-anchor-file, then it stores metadata.
@@ -643,10 +670,10 @@ server:
 # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 # trust anchor signaling sends a RFC8145 key tag query after priming.
- # trust-anchor-signaling: yes
+ trust-anchor-signaling: yes
 # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
- # root-key-sentinel: yes
+ root-key-sentinel: yes
 # File with trusted keys for validation. Specify more than one file
 # with several entries, one file per entry.
@@ -667,6 +694,9 @@ server:
 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
 # you need external update procedures to track changes in keys.
 # trusted-keys-file: ""
+ #
+ trusted-keys-file: /etc/unbound/keys.d/*.key
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
 # Ignore chain of trust. Domain is treated as insecure.
 # domain-insecure: "example.com"
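Review bot: `module-config: "ipsecmod validator iterator"` puts ipsecmod in the default module chain of every install, yet the ipsecmod section later in this patch says the module only exists when unbound is built with `--enable-ipsecmod`, so a build without it will presumably reject this config rather than silently ignore the module; the added comment covers only the cachedb variant. Add `# ipsecmod requires --enable-ipsecmod at build time; drop it from the list if absent` next to the line. The redis hint should likewise say that `cachedb` needs its own build option and configuration section (presumably `cachedb:`), otherwise the one-liner invites a config that will not start.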
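Review bot: `trusted-keys-file: /etc/unbound/keys.d/*.key` is the only path in this file written without quotes, and the `*` glob loads static trust anchors that, as the two context lines just above warn, are not updated automatically; a stale or mistaken key dropped into keys.d turns that zone bogus (SERVFAIL) rather than insecure, and what unbound does when the glob matches nothing is not stated here. Quote it for consistency with the `auto-trust-anchor-file` line below it — `trusted-keys-file: "/etc/unbound/keys.d/*.key"` — and add `# keys here are static (no RFC5011 tracking); remove them when the zone rolls its KSK`.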
@@ -694,14 +724,15 @@ server:
 # unsecure data. Useful to shield the users of this validator from
 # potential bogus data in the additional section. All unsigned data
 # in the additional section is removed from secure messages.
- # val-clean-additional: yes
+ val-clean-additional: yes
 # Turn permissive mode on to permit bogus messages. Thus, messages
 # for which security checks failed will be returned to clients,
 # instead of SERVFAIL. It still performs the security checks, which
 # result in interesting log files and possibly the AD bit in
 # replies if the message is found secure. The default is off.
- # val-permissive-mode: no
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+ val-permissive-mode: no
 # Ignore the CD flag in incoming queries and refuse them bogus data.
 # Enable it if the only clients of Unbound are legacy servers (w2008)
@@ -715,11 +746,11 @@ server:
 # Serve expired responses from cache, with serve-expired-reply-ttl in
 # the response, and then attempt to fetch the data afresh.
- # serve-expired: no
+ serve-expired: yes
 #
 # Limit serving of expired responses to configured seconds after
 # expiration. 0 disables the limit.
- # serve-expired-ttl: 0
+ serve-expired-ttl: 14400
 #
 # Set the TTL of expired records to the serve-expired-ttl value after a
 # failed attempt to retrieve the record from upstream. This makes sure
@@ -746,7 +777,7 @@ server:
 # Have the validator log failed validations for your diagnosis.
 # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
- # val-log-level: 0
+ val-log-level: 1
 # It is possible to configure NSEC3 maximum iteration counts per
 # keysize. Keep this table very short, as linear search is done.
@@ -890,6 +921,8 @@ server:
 # you need to do the reverse notation yourself.
 # local-data-ptr: "192.0.2.3 www.example.com"
+ include: /etc/unbound/local.d/*.conf
+
 # tag a localzone with a list of tag names (in "" with spaces between)
 # local-zone-tag: "example.com" "tag2 tag3"
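Review bot: `serve-expired: yes` with `serve-expired-ttl: 14400` lets a record be answered up to four hours after its TTL ran out and, per the context, the stale answer is returned before the refetch, so a name whose address was withdrawn or changed keeps resolving to the old target for up to that window; nothing in the hunk says this is the intent. Add the rationale and the bound next to the line, e.g. `# Fedora: serve stale data for up to 4h to ride out upstream outages (RFC 8767); clients may see old addresses until the refetch completes`. If this unbound has `serve-expired-client-timeout` (not in this hunk), setting it makes a live upstream answer win over the stale one whenever the upstream is reachable.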
@@ -900,8 +933,8 @@ server:
 # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
 # Give the certificate to use and private key.
 # default is "" (disabled). requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-service-key: "/etc/unbound/unbound_server.key"
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
 # tls-port: 853
 # https-port: 443
@@ -909,6 +942,8 @@ server:
 # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
 # cipher setting for TLSv1.3
 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+ # Fedora/RHEL: use system-wide crypto policies
+ tls-ciphers: "PROFILE=SYSTEM"
 # Pad responses to padded queries received over TLS
 # pad-responses: yes
@@ -1045,12 +1080,12 @@ server:
 # cookie-secret: <128 bit random hex string>
 # Enable to attach Extended DNS Error codes (RFC8914) to responses.
- # ede: no
+ ede: yes
 # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
 # Answer as EDNS0 option to expired responses.
 # Note that the ede option above needs to be enabled for this to work.
- # ede-serve-expired: no
+ ede-serve-expired: yes
 # Specific options for ipsecmod. Unbound needs to be configured with
 # --enable-ipsecmod for these to take effect.
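Review bot: The example paths `/etc/unbound/unbound_server.key` and `/etc/unbound/unbound_server.pem` given for `tls-service-key`/`tls-service-pem` are the same files this patch later assigns to `server-key-file`/`server-cert-file` in the remote-control section — the self-signed pair unbound-control-setup creates for the control channel, which no DoT/DoH client would trust. A user who follows the example would reuse the control-channel private key on the public TLS listener. Use distinct example names such as `# tls-service-key: "/etc/unbound/dot_server.key"` and `# tls-service-pem: "/etc/unbound/dot_server.pem"` and say that a certificate issued by a CA the clients trust belongs here.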
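Review bot: `tls-ciphers: "PROFILE=SYSTEM"` is an OpenSSL cipher-list string for TLS 1.2 and earlier, while the TLS 1.3 `tls-ciphersuites` value (which the context line labels as the TLSv1.3 setting) stays at unbound's compiled-in default; on Fedora the system openssl.cnf presumably applies the crypto policy to 1.3 as well, but the comment should state that this is what is relied on. Suggest `# Fedora/RHEL: TLS<=1.2 ciphers follow the system-wide crypto policy; TLS 1.3 suites are taken from the system openssl.cnf`.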
@@ -1058,12 +1093,14 @@ server:
 # Enable or disable ipsecmod (it still needs to be defined in
 # module-config above). Can be used when ipsecmod needs to be
 # enabled/disabled via remote-control(below).
- # ipsecmod-enabled: yes
- #
+ # Fedora: module will be enabled on-demand by libreswan
+ ipsecmod-enabled: no
+
 # Path to executable external hook. It must be defined when ipsecmod is
 # listed in module-config (above).
 # ipsecmod-hook: "./my_executable"
- #
+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
+
 # When enabled Unbound will reply with SERVFAIL if the return value of
 # the ipsecmod-hook is not 0.
 # ipsecmod-strict: no
@@ -1096,7 +1133,7 @@ server:
 # o and give a python-script to run.
 python:
 # Script file to load
- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
+ # python-script: "/etc/unbound/ubmodule-tst.py"
 # Dynamic library config section. To enable:
 # o use --with-dynlibmodule to configure before compiling.
@@ -1107,13 +1144,18 @@ python:
 # the module-config then you need one dynlib-file per instance.
 dynlib:
 # Script file to load
- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
+ # dynlib-file: "/etc/unbound/dynlib.so"
 # Remote control config section.
 remote-control:
 # Enable remote control with unbound-control(8) here.
 # set up the keys and certificates with unbound-control-setup.
- # control-enable: no
+ # Note: required for unbound-munin package
+ control-enable: yes
+
+ # Set to no and use an absolute path as control-interface to use
+ # a unix local named pipe for unbound-control.
+ # control-use-cert: yes
 # what interfaces are listened to for remote control.
 # give 0.0.0.0 and ::0 to listen to all interfaces.
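Review bot: `ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook` has no space after the colon and no quotes, unlike every other path in this patch (`"/etc/unbound"`, `"/var/lib/unbound/root.key"`); unbound's lexer may well accept it, but it reads like a typo and anything that greps `key: value` will miss it, so write `ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"`. Since this is an executable the resolver runs for matching answers once libreswan flips `ipsecmod-enabled` on, a short note that the file must be root-owned and not writable by the unbound user is also worth adding here.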
@@ -1127,19 +1169,22 @@ remote-control:
 # for localhost, you can disable use of TLS by setting this to "no"
 # For local sockets this option is ignored, and TLS is not used.
- # control-use-cert: "yes"
+ control-use-cert: "no"
 # Unbound server key file.
- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
+ server-key-file: "/etc/unbound/unbound_server.key"
 # Unbound server certificate file.
- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
 # unbound-control key file.
- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
+ control-key-file: "/etc/unbound/unbound_control.key"
 # unbound-control certificate file.
- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub and Forward zones
+include: /etc/unbound/conf.d/*.conf
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and
@@ -1161,6 +1206,10 @@ remote-control:
 # name: "example.org"
 # stub-host: ns.example.com.
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
 # Forward zones
 # Create entries like below, to make all queries for 'example.com' and
 # 'example.org' go to the given list of servers. These servers have to handle
@@ -1178,6 +1227,10 @@ remote-control:
 # forward-zone:
 # name: "example.org"
 # forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
 # Authority zones
 # The data for these zones is kept locally, from a file or downloaded.
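Review bot: `control-use-cert: "no"` together with `control-enable: yes` from the preceding hunk leaves the control channel without any client authentication; the context calls that acceptable for localhost, but on a TCP `control-interface` every local user or container process that can reach 127.0.0.1 can run `unbound-control forward_add`/`flush_zone` and redirect resolution for the whole host — and this very patch advertises those commands a few lines further down. Unless `control-interface` is set to a unix socket path elsewhere in the file (not visible in this hunk), keep certificates on or add `control-interface: /run/unbound/control.sock` next to this line with a comment that the socket's file permissions are then the only access control. The section also ends up with a commented `# control-use-cert: yes` and an active `control-use-cert: "no"` a few lines apart, which should be collapsed into one, and the comment calling the socket a "named pipe" should say unix socket.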
@@ -1188,27 +1241,28 @@ remote-control:
 # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from primaries and urls)
 # sources of notifies.
-# auth-zone:
-# name: "."
-# primary: 170.247.170.2 # b.root-servers.net
-# primary: 192.33.4.12 # c.root-servers.net
-# primary: 199.7.91.13 # d.root-servers.net
-# primary: 192.5.5.241 # f.root-servers.net
-# primary: 192.112.36.4 # g.root-servers.net
-# primary: 193.0.14.129 # k.root-servers.net
-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
-# primary: 192.0.32.132 # xfr.lax.dns.icann.org
-# primary: 2801:1b8:10::b # b.root-servers.net
-# primary: 2001:500:2::c # c.root-servers.net
-# primary: 2001:500:2d::d # d.root-servers.net
-# primary: 2001:500:2f::f # f.root-servers.net
-# primary: 2001:500:12::d0d # g.root-servers.net
-# primary: 2001:7fd::1 # k.root-servers.net
-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
-# fallback-enabled: yes
-# for-downstream: no
-# for-upstream: yes
+auth-zone:
+ name: "."
+ primary: 170.247.170.2 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+ primary: 192.112.36.4 # g.root-servers.net
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2801:1b8:10::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+ primary: 2001:500:12::d0d # g.root-servers.net
+ primary: 2001:7fd::1 # k.root-servers.net
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+
 # auth-zone:
 # name: "example.org"
 # for-downstream: yes
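Review bot: Enabling the root `auth-zone` by default makes every install transfer the whole root zone (AXFR/IXFR from the sixteen listed primaries) at startup and on each refresh, a visible change in network and memory use that the hunk leaves undocumented. Zone transfers are unauthenticated, so correctness rests on the DNSSEC validator checking the data when it is used (`for-upstream: yes` with the validator in module-config), and `fallback-enabled: yes` keeps resolution working when a transfer fails. Add a header comment such as `# Fedora: local copy of the root zone (RFC 8806); answers are DNSSEC-validated, falls back to normal iteration if transfer fails`, and consider a `zonefile:` entry so the zone persists across restarts instead of being re-fetched each time — I do not see one in this hunk.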
@@ -1234,6 +1288,9 @@ remote-control:
 # name: "anotherview"
 # local-zone: "example.com" refuse
+# Fedora: DNSCrypt support not enabled since it requires linking to
+# another crypto library
+#
 # DNSCrypt
 # To enable, use --enable-dnscrypt to configure before compiling.
 # Caveats:
@@ -1309,7 +1366,7 @@ remote-control:
 # dnstap-enable: no
 # # if set to yes frame streams will be used in bidirectional mode
 # dnstap-bidirectional: yes
-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
+# dnstap-socket-path: "/etc/unbound/dnstap.sock"
 # # if "" use the unix socket in dnstap-socket-path, otherwise,
 # # set it to "IPaddress[@port]" of the destination.
 # dnstap-ip: ""
--
2.45.2
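Review bot: `/etc/unbound/dnstap.sock` places a runtime unix socket under /etc, the configuration tree this patch already uses for `directory:`; a socket belongs in a runtime directory (whatever the service's RuntimeDirectory is, which I cannot see here), and with `chroot: ""` set earlier there is no path-translation reason to keep it next to the config. Suggest `# dnstap-socket-path: "/run/unbound/dnstap.sock"`, or a comment noting that the example path is arbitrary and must match the dnstap collector's socket.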