mirror of
https://github.com/sujiba/pihole-unbound-hyperlocal.git
synced 2025-07-10 13:55:12 +02:00
changed edns settings, added s6-ovleray for unbound, update to V2022.08.3
This commit is contained in:
parent
fbab33d71c
commit
5fcd8dd67e
6 changed files with 54 additions and 244 deletions
2
docker-build/99-edns.conf
Normal file
2
docker-build/99-edns.conf
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
# signal FTL to adhere to this limit
|
||||||
|
edns-packet-max=1232
|
|
@ -1,5 +1,5 @@
|
||||||
# Get the latest Pi-hole version
|
# Get the latest Pi-hole version
|
||||||
FROM pihole/pihole:2022.07.1
|
FROM pihole/pihole:2022.08.3
|
||||||
|
|
||||||
# Install necessary programs
|
# Install necessary programs
|
||||||
RUN apt-get update && \
|
RUN apt-get update && \
|
||||||
|
@ -10,21 +10,24 @@ RUN apt-get update && \
|
||||||
|
|
||||||
# Additional configs
|
# Additional configs
|
||||||
# unbound
|
# unbound
|
||||||
COPY unbound-v1.9_pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
|
COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
|
||||||
#COPY unbound-v1.13.1_pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
|
|
||||||
|
|
||||||
# Download the DNS-Root-Zone.
|
# Set edns packet limit for dnsmasq
|
||||||
|
COPY 99-edns.conf /etc/dnsmasq.d/99-edns.conf
|
||||||
|
|
||||||
|
# Download DNS-Root-Zone.
|
||||||
# Create the chroot directory and generate root.key.
|
# Create the chroot directory and generate root.key.
|
||||||
# Copy / move files and change owner.
|
# Copy / move files and change owner.
|
||||||
RUN wget -O root.hints https://www.internic.net/domain/named.root && \
|
RUN wget -O root.hints https://www.internic.net/domain/named.root && \
|
||||||
mv root.hints /var/lib/unbound/ && \
|
mv root.hints /var/lib/unbound/ && \
|
||||||
chown -R unbound:unbound /var/lib/unbound/root.hints
|
chown -R unbound:unbound /var/lib/unbound/root.hints
|
||||||
|
|
||||||
# Unbound startup script
|
|
||||||
COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
|
|
||||||
RUN chmod +x start_unbound_and_s6_init.sh
|
|
||||||
ENTRYPOINT ./start_unbound_and_s6_init.sh
|
|
||||||
|
|
||||||
# Remove unnecessary programs
|
# Remove unnecessary programs
|
||||||
RUN apt-get remove -y \
|
RUN apt-get remove -y \
|
||||||
wget
|
wget
|
||||||
|
|
||||||
|
# Unbound startup script
|
||||||
|
RUN mkdir -p /etc/services.d/unbound
|
||||||
|
COPY unbound-run /etc/services.d/unbound/run
|
||||||
|
|
||||||
|
ENTRYPOINT ./s6-init
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
2022.07.1
|
2022.08.3
|
||||||
|
|
|
@ -31,8 +31,21 @@ server:
|
||||||
use-caps-for-id: no
|
use-caps-for-id: no
|
||||||
|
|
||||||
# Reduce EDNS reassembly buffer size.
|
# Reduce EDNS reassembly buffer size.
|
||||||
# Suggested by the unbound man page to reduce fragmentation reassembly problems
|
# IP fragmentation is unreliable on the Internet today, and can cause
|
||||||
edns-buffer-size: 1472
|
# transmission failures when large DNS messages are sent via UDP. Even
|
||||||
|
# when fragmentation does work, it may not be secure; it is theoretically
|
||||||
|
# possible to spoof parts of a fragmented DNS message, without easy
|
||||||
|
# detection at the receiving end. Recently, there was an excellent study
|
||||||
|
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
|
||||||
|
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
|
||||||
|
# in collaboration with NLnet Labs explored DNS using real world data from the
|
||||||
|
# the RIPE Atlas probes and the researchers suggested different values for
|
||||||
|
# IPv4 and IPv6 and in different scenarios. They advise that servers should
|
||||||
|
# be configured to limit DNS messages sent over UDP to a size that will not
|
||||||
|
# trigger fragmentation on typical network links. DNS servers can switch
|
||||||
|
# from UDP to TCP when a DNS response is too big to fit in this limited
|
||||||
|
# buffer size. This value has also been suggested in DNS Flag Day 2020.
|
||||||
|
edns-buffer-size: 1232
|
||||||
|
|
||||||
# Perform prefetching of close to expired message cache entries
|
# Perform prefetching of close to expired message cache entries
|
||||||
# This only applies to domains that have been frequently queried
|
# This only applies to domains that have been frequently queried
|
24
docker-build/unbound-run
Normal file
24
docker-build/unbound-run
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
#!/command/with-contenv bash
|
||||||
|
|
||||||
|
s6-echo "Starting unbound"
|
||||||
|
|
||||||
|
NAME="unbound"
|
||||||
|
DESC="DNS server"
|
||||||
|
DAEMON="/usr/sbin/unbound"
|
||||||
|
PIDFILE="/run/unbound.pid"
|
||||||
|
|
||||||
|
HELPER="/usr/lib/unbound/package-helper"
|
||||||
|
|
||||||
|
test -x $DAEMON || exit 0
|
||||||
|
|
||||||
|
# Override this variable by editing or creating /etc/default/unbound.
|
||||||
|
DAEMON_OPTS=""
|
||||||
|
|
||||||
|
if [ -f /etc/default/unbound ]; then
|
||||||
|
. /etc/default/unbound
|
||||||
|
fi
|
||||||
|
|
||||||
|
$HELPER chroot_setup
|
||||||
|
$HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
|
||||||
|
|
||||||
|
$DAEMON -d $DAEMON_OPTS
|
|
@ -1,232 +0,0 @@
|
||||||
server:
|
|
||||||
###########################################################################
|
|
||||||
# BASIC SETTINGS
|
|
||||||
###########################################################################
|
|
||||||
|
|
||||||
# Listen to for queries from clients and answer from this network interface
|
|
||||||
# and port.
|
|
||||||
interface: 127.0.0.1
|
|
||||||
port: 5335
|
|
||||||
do-ip4: yes
|
|
||||||
do-udp: yes
|
|
||||||
do-tcp: yes
|
|
||||||
|
|
||||||
# Maybe set to yes if you have IPv6 connectivity
|
|
||||||
do-ip6: no
|
|
||||||
# and for *native* IPv6
|
|
||||||
prefer-ip6: no
|
|
||||||
|
|
||||||
# Enable DNSSEC
|
|
||||||
# Enabled with root-auto-trust-anchor-file.conf
|
|
||||||
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
|
||||||
|
|
||||||
# where to find root server data
|
|
||||||
root-hints: "/var/lib/unbound/root.hints"
|
|
||||||
|
|
||||||
# Reduce EDNS reassembly buffer size.
|
|
||||||
# Suggested by the unbound man page to reduce fragmentation reassembly problems
|
|
||||||
edns-buffer-size: 1472
|
|
||||||
|
|
||||||
# Rotates RRSet order in response (the pseudo-random number is taken from
|
|
||||||
# the query ID, for speed and thread safety).
|
|
||||||
rrset-roundrobin: yes
|
|
||||||
|
|
||||||
# Drop privileges after binding the port.
|
|
||||||
username: "unbound"
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# LOGGING
|
|
||||||
###########################################################################
|
|
||||||
|
|
||||||
# If no logfile is specified, syslog is used
|
|
||||||
#logfile: "/var/log/unbound/unbound.log"
|
|
||||||
log-time-ascii: yes
|
|
||||||
|
|
||||||
# The verbosity number,
|
|
||||||
# level 0 means no verbosity, only errors.
|
|
||||||
# level 1 gives operational information.
|
|
||||||
verbosity: 0
|
|
||||||
|
|
||||||
# Do not print log lines to inform about local zone actions
|
|
||||||
log-local-actions: no
|
|
||||||
|
|
||||||
# Do not print one line per query to the log
|
|
||||||
log-queries: no
|
|
||||||
|
|
||||||
# Do not print one line per reply to the log
|
|
||||||
log-replies: no
|
|
||||||
|
|
||||||
# Do not print log lines that say why queries return SERVFAIL to clients
|
|
||||||
log-servfail: no
|
|
||||||
|
|
||||||
# Further limit logging
|
|
||||||
logfile: /dev/null
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# PRIVACY SETTINGS
|
|
||||||
###########################################################################
|
|
||||||
|
|
||||||
# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
|
|
||||||
# denials, using information from previous NXDO-MAINs answers. In other
|
|
||||||
# words, use cached NSEC records to generate negative answers within a
|
|
||||||
# range and positive answers from wildcards. This increases performance,
|
|
||||||
# decreases latency and resource utilization on both authoritative and
|
|
||||||
# recursive servers, and increases privacy. Also, it may help increase
|
|
||||||
# resilience to certain DoS attacks in some circumstances.
|
|
||||||
aggressive-nsec: yes
|
|
||||||
|
|
||||||
# Extra delay for timeouted UDP ports before they are closed, in msec.
|
|
||||||
# This prevents very delayed answer packets from the upstream (recursive)
|
|
||||||
# servers from bouncing against closed ports and setting off all sort of
|
|
||||||
# close-port counters, with eg. 1500 msec. When timeouts happen you need
|
|
||||||
# extra sockets, it checks the ID and remote IP of packets, and unwanted
|
|
||||||
# packets are added to the unwanted packet counter.
|
|
||||||
delay-close: 10000
|
|
||||||
|
|
||||||
# Prevent the unbound server from forking into the background as a daemon
|
|
||||||
do-daemonize: no
|
|
||||||
|
|
||||||
# Add localhost to the do-not-query-address list.
|
|
||||||
do-not-query-localhost: no
|
|
||||||
|
|
||||||
# Number of bytes size of the aggressive negative cache.
|
|
||||||
neg-cache-size: 4M
|
|
||||||
|
|
||||||
# Send minimum amount of information to upstream servers to enhance
|
|
||||||
# privacy (best privacy).
|
|
||||||
qname-minimisation: yes
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# SECURITY SETTINGS
|
|
||||||
###########################################################################
|
|
||||||
|
|
||||||
# Only give access to recursion clients from LAN IPs
|
|
||||||
access-control: 127.0.0.1/32 allow
|
|
||||||
access-control: 192.168.0.0/16 allow
|
|
||||||
access-control: 172.16.0.0/12 allow
|
|
||||||
access-control: 10.0.0.0/8 allow
|
|
||||||
|
|
||||||
# Enable chroot (i.e, change apparent root directory for the current
|
|
||||||
# running process and its children)
|
|
||||||
#chroot: "/usr/local/etc/unbound"
|
|
||||||
|
|
||||||
# Deny queries of type ANY with an empty response.
|
|
||||||
deny-any: yes
|
|
||||||
|
|
||||||
# Harden against algorithm downgrade when multiple algorithms are
|
|
||||||
# advertised in the DS record.
|
|
||||||
harden-algo-downgrade: yes
|
|
||||||
|
|
||||||
# RFC 8020. returns nxdomain to queries for a name below another name that
|
|
||||||
# is already known to be nxdomain.
|
|
||||||
harden-below-nxdomain: yes
|
|
||||||
|
|
||||||
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
|
|
||||||
# zone becomes bogus. If turned off you run the risk of a downgrade attack
|
|
||||||
# that disables security for a zone.
|
|
||||||
harden-dnssec-stripped: yes
|
|
||||||
|
|
||||||
# Trust glue only if it is within the server's authority
|
|
||||||
harden-glue: yes
|
|
||||||
|
|
||||||
# Ignore very large queries.
|
|
||||||
harden-large-queries: yes
|
|
||||||
|
|
||||||
# Perform additional queries for infrastructure data to harden the referral
|
|
||||||
# path. Validates the replies if trust anchors are configured and the zones
|
|
||||||
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
|
|
||||||
# nameserver addresses that are encountered on the referral path to the
|
|
||||||
# answer. Experimental option.
|
|
||||||
harden-referral-path: no
|
|
||||||
|
|
||||||
# Ignore very small EDNS buffer sizes from queries.
|
|
||||||
harden-short-bufsize: yes
|
|
||||||
|
|
||||||
# Refuse id.server and hostname.bind queries
|
|
||||||
hide-identity: yes
|
|
||||||
|
|
||||||
# Refuse version.server and version.bind queries
|
|
||||||
hide-version: yes
|
|
||||||
|
|
||||||
# Set the HTTP User-Agent header for outgoing HTTP requests. If
|
|
||||||
# set to "", the default, then the package name and version are
|
|
||||||
# used.
|
|
||||||
#http-user-agent: "DNS"
|
|
||||||
|
|
||||||
# Report this identity rather than the hostname of the server.
|
|
||||||
identity: "DNS"
|
|
||||||
|
|
||||||
# These private network addresses are not allowed to be returned for public
|
|
||||||
# internet names. Any occurrence of such addresses are removed from DNS
|
|
||||||
# answers. Additionally, the DNSSEC validator may mark the answers bogus.
|
|
||||||
# This protects against DNS Rebinding
|
|
||||||
private-address: 10.0.0.0/8
|
|
||||||
private-address: 172.16.0.0/12
|
|
||||||
private-address: 169.254.0.0/16
|
|
||||||
private-address: 192.168.0.0/16
|
|
||||||
private-address: fd00::/8
|
|
||||||
private-address: fe80::/10
|
|
||||||
|
|
||||||
# Enable ratelimiting of queries (per second) sent to nameserver for
|
|
||||||
# performing recursion. More queries are turned away with an error
|
|
||||||
# (servfail). This stops recursive floods (e.g., random query names), but
|
|
||||||
# not spoofed reflection floods. Cached responses are not rate limited by
|
|
||||||
# this setting. Experimental option.
|
|
||||||
ratelimit: 1000
|
|
||||||
|
|
||||||
# Set the total number of unwanted replies to eep track of in every thread.
|
|
||||||
# When it reaches the threshold, a defensive action of clearing the rrset
|
|
||||||
# and message caches is taken, hopefully flushing away any poison.
|
|
||||||
# Unbound suggests a value of 10 million.
|
|
||||||
unwanted-reply-threshold: 10000
|
|
||||||
|
|
||||||
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
|
|
||||||
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
|
|
||||||
# !! Änderung gegenüber Pi-hole. Wenn es Fehler gibt, hier no statt yes probieren. !!
|
|
||||||
use-caps-for-id: yes
|
|
||||||
|
|
||||||
# Help protect users that rely on this validator for authentication from
|
|
||||||
# potentially bad data in the additional section. Instruct the validator to
|
|
||||||
# remove data from the additional section of secure messages that are not
|
|
||||||
# signed properly. Messages that are insecure, bogus, indeterminate or
|
|
||||||
# unchecked are not affected.
|
|
||||||
val-clean-additional: yes
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# PERFORMANCE SETTINGS
|
|
||||||
###########################################################################
|
|
||||||
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
|
|
||||||
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
|
|
||||||
|
|
||||||
# Perform prefetching of close to expired message cache entries
|
|
||||||
# This only applies to domains that have been frequently queried
|
|
||||||
prefetch: yes
|
|
||||||
|
|
||||||
# fetch DS records earlier (DNSSEC): more cpu usage, less latency
|
|
||||||
prefetch-key: yes
|
|
||||||
|
|
||||||
# One thread should be sufficient, can be increased on beefy machines
|
|
||||||
num-threads: 1
|
|
||||||
|
|
||||||
# increase cache size to utilize more RAM, rrset=msg*2
|
|
||||||
msg-cache-size: 64m
|
|
||||||
rrset-cache-size: 128m
|
|
||||||
|
|
||||||
|
|
||||||
remote-control:
|
|
||||||
control-enable: no
|
|
||||||
|
|
||||||
# get data for all TLDs by IXFR (or AXFR) from root servers
|
|
||||||
# these are the only servers that answer an IXFR query
|
|
||||||
auth-zone:
|
|
||||||
name: "."
|
|
||||||
primary: 199.9.14.201 # b.root-servers.net
|
|
||||||
primary: 192.33.4.12 # c.root-servers.net
|
|
||||||
primary: 192.112.36.4 # g.root-servers.net
|
|
||||||
primary: 2001:500:200::b # b.root-servers.net
|
|
||||||
primary: 2001:500:2::c # c.root-servers.net
|
|
||||||
primary: 2001:500:12::d0d # g.root-servers.net
|
|
||||||
fallback-enabled: yes
|
|
||||||
for-downstream: no
|
|
||||||
for-upstream: yes
|
|
||||||
zonefile: /var/lib/unbound/root.zone
|
|
Loading…
Add table
Add a link
Reference in a new issue