diff --git a/docker-build/99-edns.conf b/docker-build/99-edns.conf
new file mode 100644
index 0000000..5e2dac2
--- /dev/null
+++ b/docker-build/99-edns.conf
@@ -0,0 +1,2 @@
+# signal FTL to adhere to this limit
+edns-packet-max=1232
diff --git a/docker-build/Dockerfile b/docker-build/Dockerfile
index 5cf2326..d43194f 100644
--- a/docker-build/Dockerfile
+++ b/docker-build/Dockerfile
@@ -1,5 +1,5 @@
 # Get the latest Pi-hole version
-FROM pihole/pihole:2022.07.1
+FROM pihole/pihole:2022.08.3
 # Install necessary programs
 RUN apt-get update && \
@@ -10,21 +10,24 @@ RUN apt-get update && \
 # Additional configs
 # unbound
-COPY unbound-v1.9_pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
-#COPY unbound-v1.13.1_pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
+COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
-# Download the DNS-Root-Zone.
+# Set edns packet limit for dnsmasq
+COPY 99-edns.conf /etc/dnsmasq.d/99-edns.conf
+
+# Download DNS-Root-Zone.
 # Create the chroot directory and generate root.key.
 # Copy / move files and change owner.
 RUN wget -O root.hints https://www.internic.net/domain/named.root && \
 mv root.hints /var/lib/unbound/ && \
 chown -R unbound:unbound /var/lib/unbound/root.hints
-# Unbound startup script
-COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
-RUN chmod +x start_unbound_and_s6_init.sh
-ENTRYPOINT ./start_unbound_and_s6_init.sh
-
 # Remove unnecessary programs
 RUN apt-get remove -y \
 wget
+
+# Unbound startup script
+RUN mkdir -p /etc/services.d/unbound
+COPY unbound-run /etc/services.d/unbound/run
+
+ENTRYPOINT ./s6-init
diff --git a/docker-build/VERSION b/docker-build/VERSION
index 54ed325..69b09f1 100644
--- a/docker-build/VERSION
+++ b/docker-build/VERSION
@@ -1 +1 @@
-2022.07.1
+2022.08.3
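Review bot: `COPY unbound-run /etc/services.d/unbound/run` keeps the source file's mode, and this commit adds unbound-run as `new file mode 100644`, so the s6 `run` script lands in the image without the execute bit that the removed `RUN chmod +x start_unbound_and_s6_init.sh` used to set; s6-overlay cannot spawn a non-executable run script, so the unbound service will fail or loop. Either mark the file executable in git or set the mode in the Dockerfile, e.g. `COPY --chmod=755 unbound-run /etc/services.d/unbound/run` (BuildKit) or a following `RUN chmod +x /etc/services.d/unbound/run`. `ENTRYPOINT ./s6-init` is also the shell form with a relative path, so PID 1 becomes a `sh -c` wrapper and the target depends on the inherited WORKDIR; the exec form with an absolute path, `ENTRYPOINT ["/s6-init"]`, avoids both — presumably that is how the base image declares it, worth checking. Not introduced here but worth a follow-up: the root hints are still fetched with a bare `wget` and no checksum, so the build trusts whatever terminates TLS for internic.net at build time.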
diff --git a/docker-build/unbound-v1.9_pihole.conf b/docker-build/unbound-pihole.conf
similarity index 63%
rename from docker-build/unbound-v1.9_pihole.conf
rename to docker-build/unbound-pihole.conf
index a788c33..e997bf9 100644
--- a/docker-build/unbound-v1.9_pihole.conf
+++ b/docker-build/unbound-pihole.conf
@@ -31,8 +31,21 @@ server:
 use-caps-for-id: no
 # Reduce EDNS reassembly buffer size.
- # Suggested by the unbound man page to reduce fragmentation reassembly problems
- edns-buffer-size: 1472
+ # IP fragmentation is unreliable on the Internet today, and can cause
+ # transmission failures when large DNS messages are sent via UDP. Even
+ # when fragmentation does work, it may not be secure; it is theoretically
+ # possible to spoof parts of a fragmented DNS message, without easy
+ # detection at the receiving end. Recently, there was an excellent study
+ # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
+ # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
+ # in collaboration with NLnet Labs explored DNS using real world data from the
+ # the RIPE Atlas probes and the researchers suggested different values for
+ # IPv4 and IPv6 and in different scenarios. They advise that servers should
+ # be configured to limit DNS messages sent over UDP to a size that will not
+ # trigger fragmentation on typical network links. DNS servers can switch
+ # from UDP to TCP when a DNS response is too big to fit in this limited
+ # buffer size. This value has also been suggested in DNS Flag Day 2020.
+ edns-buffer-size: 1232
 # Perform prefetching of close to expired message cache entries
 # This only applies to domains that have been frequently queried
diff --git a/docker-build/unbound-run b/docker-build/unbound-run
new file mode 100644
index 0000000..e289182
--- /dev/null
+++ b/docker-build/unbound-run
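Review bot: The ninth added comment line, `# the RIPE Atlas probes and the researchers suggested different values for`, follows a line that already ends in `from the`, a duplicated "the" carried over from the upstream example config; dropping the leading `the` on that line fixes it. The value itself is consistent: 1232 is the DNS Flag Day 2020 figure and matches the `edns-packet-max=1232` this same commit sets for dnsmasq in 99-edns.conf, so unbound's UDP answers stay within what the forwarder in front of it accepts. As far as I recall, unbound has defaulted `edns-buffer-size` to 1232 since 1.12, so the explicit line mainly pins the intent against a distro package that overrides it — a one-sentence comment saying exactly that would serve readers better than the fourteen-line essay.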
@@ -0,0 +1,24 @@
+#!/command/with-contenv bash
+
+s6-echo "Starting unbound"
+
+NAME="unbound"
+DESC="DNS server"
+DAEMON="/usr/sbin/unbound"
+PIDFILE="/run/unbound.pid"
+
+HELPER="/usr/lib/unbound/package-helper"
+
+test -x $DAEMON || exit 0
+
+# Override this variable by editing or creating /etc/default/unbound.
+DAEMON_OPTS=""
+
+if [ -f /etc/default/unbound ]; then
+ . /etc/default/unbound
+fi
+
+$HELPER chroot_setup
+$HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
+
+$DAEMON -d $DAEMON_OPTS
diff --git a/docker-build/unbound-v1.13.1_pihole.conf b/docker-build/unbound-v1.13.1_pihole.conf
deleted file mode 100644
index dce59c4..0000000
--- a/docker-build/unbound-v1.13.1_pihole.conf
+++ /dev/null
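Review bot: The last line `$DAEMON -d $DAEMON_OPTS` leaves bash as the process s6 supervises, with unbound as its child, so a SIGTERM from s6 at shutdown reaches the shell rather than unbound; it should be `exec $DAEMON -d $DAEMON_OPTS`, as is usual for an s6 run script. `test -x $DAEMON || exit 0` is carried over from Debian's init script, where exit 0 means "nothing to do", but a supervised run script that exits is restarted by s6, so a missing binary presumably turns into a tight restart loop — exiting non-zero after an `s6-echo` at least makes the failure visible in the logs. `NAME`, `DESC` and `PIDFILE` are assigned and never read and can be removed. Sourcing `/etc/default/unbound` runs whatever that file contains with the privileges of this script (root, as far as the image shows); that is fine for a root-owned file baked into the image, but a comment stating that it must not be made writable by the unbound user or bind-mounted from the host would document the trust boundary.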
@@ -1,232 +0,0 @@ -server: - ########################################################################### - # BASIC SETTINGS - ########################################################################### - - # Listen to for queries from clients and answer from this network interface - # and port. - interface: 127.0.0.1 - port: 5335 - do-ip4: yes - do-udp: yes - do-tcp: yes - - # Maybe set to yes if you have IPv6 connectivity - do-ip6: no - # and for *native* IPv6 - prefer-ip6: no - - # Enable DNSSEC - # Enabled with root-auto-trust-anchor-file.conf - #auto-trust-anchor-file: "/var/lib/unbound/root.key" - - # where to find root server data - root-hints: "/var/lib/unbound/root.hints" - - # Reduce EDNS reassembly buffer size. - # Suggested by the unbound man page to reduce fragmentation reassembly problems - edns-buffer-size: 1472 - - # Rotates RRSet order in response (the pseudo-random number is taken from - # the query ID, for speed and thread safety). - rrset-roundrobin: yes - - # Drop privileges after binding the port. - username: "unbound" - - ########################################################################### - # LOGGING - ########################################################################### - - # If no logfile is specified, syslog is used - #logfile: "/var/log/unbound/unbound.log" - log-time-ascii: yes - - # The verbosity number, - # level 0 means no verbosity, only errors. - # level 1 gives operational information. 
- verbosity: 0 - - # Do not print log lines to inform about local zone actions - log-local-actions: no - - # Do not print one line per query to the log - log-queries: no - - # Do not print one line per reply to the log - log-replies: no - - # Do not print log lines that say why queries return SERVFAIL to clients - log-servfail: no - - # Further limit logging - logfile: /dev/null - - ########################################################################### - # PRIVACY SETTINGS - ########################################################################### - - # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other - # denials, using information from previous NXDO-MAINs answers. In other - # words, use cached NSEC records to generate negative answers within a - # range and positive answers from wildcards. This increases performance, - # decreases latency and resource utilization on both authoritative and - # recursive servers, and increases privacy. Also, it may help increase - # resilience to certain DoS attacks in some circumstances. - aggressive-nsec: yes - - # Extra delay for timeouted UDP ports before they are closed, in msec. - # This prevents very delayed answer packets from the upstream (recursive) - # servers from bouncing against closed ports and setting off all sort of - # close-port counters, with eg. 1500 msec. When timeouts happen you need - # extra sockets, it checks the ID and remote IP of packets, and unwanted - # packets are added to the unwanted packet counter. - delay-close: 10000 - - # Prevent the unbound server from forking into the background as a daemon - do-daemonize: no - - # Add localhost to the do-not-query-address list. - do-not-query-localhost: no - - # Number of bytes size of the aggressive negative cache. - neg-cache-size: 4M - - # Send minimum amount of information to upstream servers to enhance - # privacy (best privacy). 
- qname-minimisation: yes - - ########################################################################### - # SECURITY SETTINGS - ########################################################################### - - # Only give access to recursion clients from LAN IPs - access-control: 127.0.0.1/32 allow - access-control: 192.168.0.0/16 allow - access-control: 172.16.0.0/12 allow - access-control: 10.0.0.0/8 allow - - # Enable chroot (i.e, change apparent root directory for the current - # running process and its children) - #chroot: "/usr/local/etc/unbound" - - # Deny queries of type ANY with an empty response. - deny-any: yes - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. - harden-algo-downgrade: yes - - # RFC 8020. returns nxdomain to queries for a name below another name that - # is already known to be nxdomain. - harden-below-nxdomain: yes - - # Require DNSSEC data for trust-anchored zones, if such data is absent, the - # zone becomes bogus. If turned off you run the risk of a downgrade attack - # that disables security for a zone. - harden-dnssec-stripped: yes - - # Trust glue only if it is within the server's authority - harden-glue: yes - - # Ignore very large queries. - harden-large-queries: yes - - # Perform additional queries for infrastructure data to harden the referral - # path. Validates the replies if trust anchors are configured and the zones - # are signed. This enforces DNSSEC validation on nameserver NS sets and the - # nameserver addresses that are encountered on the referral path to the - # answer. Experimental option. - harden-referral-path: no - - # Ignore very small EDNS buffer sizes from queries. - harden-short-bufsize: yes - - # Refuse id.server and hostname.bind queries - hide-identity: yes - - # Refuse version.server and version.bind queries - hide-version: yes - - # Set the HTTP User-Agent header for outgoing HTTP requests. 
If - # set to "", the default, then the package name and version are - # used. - #http-user-agent: "DNS" - - # Report this identity rather than the hostname of the server. - identity: "DNS" - - # These private network addresses are not allowed to be returned for public - # internet names. Any occurrence of such addresses are removed from DNS - # answers. Additionally, the DNSSEC validator may mark the answers bogus. - # This protects against DNS Rebinding - private-address: 10.0.0.0/8 - private-address: 172.16.0.0/12 - private-address: 169.254.0.0/16 - private-address: 192.168.0.0/16 - private-address: fd00::/8 - private-address: fe80::/10 - - # Enable ratelimiting of queries (per second) sent to nameserver for - # performing recursion. More queries are turned away with an error - # (servfail). This stops recursive floods (e.g., random query names), but - # not spoofed reflection floods. Cached responses are not rate limited by - # this setting. Experimental option. - ratelimit: 1000 - - # Set the total number of unwanted replies to eep track of in every thread. - # When it reaches the threshold, a defensive action of clearing the rrset - # and message caches is taken, hopefully flushing away any poison. - # Unbound suggests a value of 10 million. - unwanted-reply-threshold: 10000 - - # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes - # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details - # !! Änderung gegenüber Pi-hole. Wenn es Fehler gibt, hier no statt yes probieren. !! - use-caps-for-id: yes - - # Help protect users that rely on this validator for authentication from - # potentially bad data in the additional section. Instruct the validator to - # remove data from the additional section of secure messages that are not - # signed properly. Messages that are insecure, bogus, indeterminate or - # unchecked are not affected. 
- val-clean-additional: yes - - ########################################################################### - # PERFORMANCE SETTINGS - ########################################################################### - # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ - # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ - - # Perform prefetching of close to expired message cache entries - # This only applies to domains that have been frequently queried - prefetch: yes - - # fetch DS records earlier (DNSSEC): more cpu usage, less latency - prefetch-key: yes - - # One thread should be sufficient, can be increased on beefy machines - num-threads: 1 - - # increase cache size to utilize more RAM, rrset=msg*2 - msg-cache-size: 64m - rrset-cache-size: 128m - - -remote-control: - control-enable: no - -# get data for all TLDs by IXFR (or AXFR) from root servers -# these are the only servers that answer an IXFR query -auth-zone: - name: "." - primary: 199.9.14.201 # b.root-servers.net - primary: 192.33.4.12 # c.root-servers.net - primary: 192.112.36.4 # g.root-servers.net - primary: 2001:500:200::b # b.root-servers.net - primary: 2001:500:2::c # c.root-servers.net - primary: 2001:500:12::d0d # g.root-servers.net - fallback-enabled: yes - for-downstream: no - for-upstream: yes - zonefile: /var/lib/unbound/root.zone