changed edns settings, added s6-ovleray for unbound, update to V2022.08.3

2025-07-10 13:55:12 +02:00 · 2023-05-04 01:33:02 +02:00 · 2023-05-04 01:33:02 +02:00 · 5fcd8dd67e
commit 5fcd8dd67e
parent fbab33d71c
6 changed files with 54 additions and 244 deletions
--- a/docker-build/99-edns.conf
+++ b/docker-build/99-edns.conf
@ -0,0 +1,2 @@
 # signal FTL to adhere to this limit
 edns-packet-max=1232
--- a/docker-build/Dockerfile
+++ b/docker-build/Dockerfile
@ -1,5 +1,5 @@
 # Get the latest Pi-hole version
-FROM pihole/pihole:2022.07.1
+FROM pihole/pihole:2022.08.3
 # Install necessary programs
 RUN apt-get update && \
@ -10,21 +10,24 @@ RUN apt-get update && \
 # Additional configs
 # unbound
-COPY unbound-v1.9_pihole.conf  /etc/unbound/unbound.conf.d/pihole.conf
+COPY unbound-pihole.conf  /etc/unbound/unbound.conf.d/pihole.conf
 #COPY unbound-v1.13.1_pihole.conf  /etc/unbound/unbound.conf.d/pihole.conf
-# Download the DNS-Root-Zone. 
+# Set edns packet limit for dnsmasq
 COPY 99-edns.conf /etc/dnsmasq.d/99-edns.conf
 # Download DNS-Root-Zone. 
 # Create the chroot directory and generate root.key.
 # Copy / move files and change owner.
 RUN wget -O root.hints https://www.internic.net/domain/named.root && \
    mv root.hints /var/lib/unbound/ && \
    chown -R unbound:unbound /var/lib/unbound/root.hints
 # Unbound startup script
 COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
 RUN chmod +x start_unbound_and_s6_init.sh
 ENTRYPOINT ./start_unbound_and_s6_init.sh
 # Remove unnecessary programs
 RUN apt-get remove -y \
    wget
 # Unbound startup script
 RUN mkdir -p /etc/services.d/unbound
 COPY unbound-run /etc/services.d/unbound/run
 ENTRYPOINT ./s6-init
--- a/docker-build/VERSION
+++ b/docker-build/VERSION
@ -1 +1 @@
-2022.07.1
+2022.08.3
--- a/docker-build/unbound-v1.9_pihole.conf
+++ b/docker-build/unbound-v1.9_pihole.conf
@ -31,8 +31,21 @@ server:
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
-    # Suggested by the unbound man page to reduce fragmentation reassembly problems
+    # IP fragmentation is unreliable on the Internet today, and can cause
-    edns-buffer-size: 1472
+    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
--- a/docker-build/unbound-run
+++ b/docker-build/unbound-run
@ -0,0 +1,24 @@
 #!/command/with-contenv bash
 s6-echo "Starting unbound"
 NAME="unbound"
 DESC="DNS server"
 DAEMON="/usr/sbin/unbound"
 PIDFILE="/run/unbound.pid"
 HELPER="/usr/lib/unbound/package-helper"
 test -x $DAEMON || exit 0
 # Override this variable by editing or creating /etc/default/unbound.
 DAEMON_OPTS=""
 if [ -f /etc/default/unbound ]; then
    . /etc/default/unbound
 fi
 $HELPER chroot_setup
 $HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
 $DAEMON -d $DAEMON_OPTS
--- a/docker-build/unbound-v1.13.1_pihole.conf
+++ b/docker-build/unbound-v1.13.1_pihole.conf
@ -1,232 +0,0 @@
 server:
    ###########################################################################
    # BASIC SETTINGS
    ###########################################################################   
    # Listen to for queries from clients and answer from this network interface
    # and port.
    interface: 127.0.0.1	
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Maybe set to yes if you have IPv6 connectivity
    do-ip6: no
    # and for *native* IPv6
    prefer-ip6: no
    # Enable DNSSEC
    # Enabled with root-auto-trust-anchor-file.conf
    #auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # where to find root server data
    root-hints: "/var/lib/unbound/root.hints"
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Rotates RRSet order in response (the pseudo-random number is taken from
    # the query ID, for speed and thread safety).
    rrset-roundrobin: yes
    # Drop privileges after  binding the port.
    username: "unbound"
    ###########################################################################
    # LOGGING
    ###########################################################################
    # If no logfile is specified, syslog is used
    #logfile: "/var/log/unbound/unbound.log"    
    log-time-ascii: yes
    # The verbosity number, 
    # level 0 means no verbosity, only errors.
    # level 1 gives operational information.
    verbosity: 0
    # Do not print log lines to inform about local zone actions
    log-local-actions: no
    # Do not print one line per query to the log
    log-queries: no
    # Do not print one line per reply to the log
    log-replies: no
    # Do not print log lines that say why queries return SERVFAIL to clients
    log-servfail: no
    # Further limit logging
    logfile: /dev/null
    ###########################################################################
    # PRIVACY SETTINGS
    ###########################################################################
    # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
    # denials, using information from previous NXDO-MAINs answers. In other
    # words, use cached NSEC records to generate negative answers within a
    # range and positive answers from wildcards. This increases performance,
    # decreases latency and resource utilization on both authoritative and
    # recursive servers, and increases privacy. Also, it may help increase
    # resilience to certain DoS attacks in some circumstances.
    aggressive-nsec: yes
    # Extra delay for timeouted UDP ports before they are closed, in msec.
    # This prevents very delayed answer packets from the upstream (recursive)
    # servers from bouncing against closed ports and setting off all sort of
    # close-port counters, with eg. 1500 msec. When timeouts happen you need
    # extra sockets, it checks the ID and remote IP of packets, and unwanted
    # packets are added to the unwanted packet counter.
    delay-close: 10000
    # Prevent the unbound server from forking into the background as a daemon
    do-daemonize: no
    # Add localhost to the do-not-query-address list.
    do-not-query-localhost: no
    # Number  of  bytes size of the aggressive negative cache.
    neg-cache-size: 4M
    # Send minimum amount of information to upstream servers to enhance
    # privacy (best privacy).
    qname-minimisation: yes
    ###########################################################################
    # SECURITY SETTINGS
    ###########################################################################
    # Only give access to recursion clients from LAN IPs
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    # Enable chroot (i.e, change apparent root directory for the current
    # running process and its children)
    #chroot: "/usr/local/etc/unbound"
    # Deny queries of type ANY with an empty response.
    deny-any: yes
    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.
    harden-algo-downgrade: yes
    # RFC 8020. returns nxdomain to queries for a name below another name that
    # is already known to be nxdomain.
    harden-below-nxdomain: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes bogus. If turned off you run the risk of a downgrade attack
    # that disables security for a zone.
    harden-dnssec-stripped: yes
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Ignore very large queries.
    harden-large-queries: yes
    # Perform additional queries for infrastructure data to harden the referral
    # path. Validates the replies if trust anchors are configured and the zones
    # are signed. This enforces DNSSEC validation on nameserver NS sets and the
    # nameserver addresses that are encountered on the referral path to the
    # answer. Experimental option.
    harden-referral-path: no
    # Ignore very small EDNS buffer sizes from queries.
    harden-short-bufsize: yes
    # Refuse id.server and hostname.bind queries
    hide-identity: yes
    # Refuse version.server and version.bind queries
    hide-version: yes
    # Set the HTTP User-Agent header for outgoing HTTP requests. If
    # set to "", the default, then the package name and version are
    # used.
    #http-user-agent: "DNS"
    # Report this identity rather than the hostname of the server.
    identity: "DNS"
    # These private network addresses are not allowed to be returned for public
    # internet names. Any  occurrence of such addresses are removed from DNS
    # answers. Additionally, the DNSSEC validator may mark the  answers  bogus.
    # This  protects  against DNS  Rebinding
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # Enable ratelimiting of queries (per second) sent to nameserver for
    # performing recursion. More queries are turned away with an error
    # (servfail). This stops recursive floods (e.g., random query names), but
    # not spoofed reflection floods. Cached responses are not rate limited by
    # this setting. Experimental option.
    ratelimit: 1000
    # Set the total number of unwanted replies to eep track of in every thread.
    # When it reaches the threshold, a defensive action of clearing the rrset
    # and message caches is taken, hopefully flushing away any poison.
    # Unbound suggests a value of 10 million.
    unwanted-reply-threshold: 10000
    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    # !! Änderung gegenüber Pi-hole. Wenn es Fehler gibt, hier no statt yes probieren. !!
    use-caps-for-id: yes
    # Help protect users that rely on this validator for authentication from
    # potentially bad data in the additional section. Instruct the validator to
    # remove data from the additional section of secure messages that are not
    # signed properly. Messages that are insecure, bogus, indeterminate or
    # unchecked are not affected.
    val-clean-additional: yes
    ###########################################################################
    # PERFORMANCE SETTINGS
    ###########################################################################
    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
    # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # fetch DS records earlier (DNSSEC): more cpu usage, less latency
    prefetch-key: yes
    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1
    # increase cache size to utilize more RAM, rrset=msg*2
    msg-cache-size: 64m
    rrset-cache-size: 128m
 remote-control:
 	control-enable: no
 # get data for all TLDs by IXFR (or AXFR) from root servers
 # these are the only servers that answer an IXFR query
 auth-zone:
 	name: "."
 	primary: 199.9.14.201       # b.root-servers.net
 	primary: 192.33.4.12        # c.root-servers.net
 	primary: 192.112.36.4       # g.root-servers.net
 	primary: 2001:500:200::b    # b.root-servers.net
 	primary: 2001:500:2::c      # c.root-servers.net
 	primary: 2001:500:12::d0d   # g.root-servers.net
 	fallback-enabled: yes
 	for-downstream: no
 	for-upstream: yes
 	zonefile: /var/lib/unbound/root.zone
		`@ -0,0 +1,2 @@`
							`# signal FTL to adhere to this limit`
							`edns-packet-max=1232`