mirror of
https://github.com/tommytran732/Fedora-CoreOS-Ignition
synced 2024-12-22 14:42:16 -05:00
Update unbound configuration
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
c2dc6c9363
commit
73855406f7
File diff suppressed because one or more lines are too long
@ -146,13 +146,27 @@ storage:
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- path: /etc/unbound/unbound.conf
|
||||
overwrite: true
|
||||
contents:
|
||||
inline: |
|
||||
server:
|
||||
trust-anchor-file: dnssec-root.key
|
||||
chroot: ""
|
||||
|
||||
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||
trust-anchor-signaling: yes
|
||||
root-key-sentinel: yes
|
||||
|
||||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
tls-ciphers: "PROFILE=SYSTEM"
|
||||
|
||||
hide-http-user-agent: yes
|
||||
hide-identity: yes
|
||||
hide-trustanchor: yes
|
||||
hide-version: yes
|
||||
|
||||
aggressive-nsec: yes
|
||||
deny-any: yes
|
||||
do-not-query-localhost: yes
|
||||
harden-algo-downgrade: yes
|
||||
harden-below-nxdomain: yes
|
||||
harden-dnssec-stripped: yes
|
||||
@ -160,22 +174,20 @@ storage:
|
||||
harden-large-queries: yes
|
||||
harden-referral-path: yes
|
||||
harden-short-bufsize: yes
|
||||
ignore-cd-flag: yes
|
||||
ip-transparent: no
|
||||
max-udp-size: 3072
|
||||
module-config: "validator iterator"
|
||||
minimal-responses: yes
|
||||
qname-minimisation: yes
|
||||
qname-minimisation-strict: yes
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
unwanted-reply-threshold: 10000000
|
||||
use-caps-for-id: yes
|
||||
minimal-responses: yes
|
||||
val-clean-additional: yes
|
||||
rrset-roundrobin: yes
|
||||
ignore-cd-flag: yes
|
||||
do-not-query-localhost: yes
|
||||
zonemd-permissive-mode: no
|
||||
|
||||
outgoing-port-permit: 1024-65535
|
||||
|
||||
so-reuseport: yes
|
||||
|
||||
prefetch: yes
|
||||
prefetch-key: yes
|
||||
|
||||
@ -190,7 +202,6 @@ storage:
|
||||
contents:
|
||||
inline: |
|
||||
[Unit]
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
@ -202,7 +213,6 @@ storage:
|
||||
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
||||
ProtectKernelTunables=true
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||
RestrictRealtime=true
|
||||
SystemCallArchitectures=native
|
||||
|
File diff suppressed because one or more lines are too long
31
Generic.yml
31
Generic.yml
@ -148,10 +148,23 @@ storage:
|
||||
contents:
|
||||
inline: |
|
||||
server:
|
||||
trust-anchor-file: dnssec-root.key
|
||||
chroot: ""
|
||||
|
||||
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||
trust-anchor-signaling: yes
|
||||
root-key-sentinel: yes
|
||||
|
||||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
tls-ciphers: "PROFILE=SYSTEM"
|
||||
|
||||
hide-http-user-agent: yes
|
||||
hide-identity: yes
|
||||
hide-trustanchor: yes
|
||||
hide-version: yes
|
||||
|
||||
aggressive-nsec: yes
|
||||
deny-any: yes
|
||||
do-not-query-localhost: yes
|
||||
harden-algo-downgrade: yes
|
||||
harden-below-nxdomain: yes
|
||||
harden-dnssec-stripped: yes
|
||||
@ -159,22 +172,20 @@ storage:
|
||||
harden-large-queries: yes
|
||||
harden-referral-path: yes
|
||||
harden-short-bufsize: yes
|
||||
ignore-cd-flag: yes
|
||||
ip-transparent: no
|
||||
max-udp-size: 3072
|
||||
module-config: "validator iterator"
|
||||
minimal-responses: yes
|
||||
qname-minimisation: yes
|
||||
qname-minimisation-strict: yes
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
unwanted-reply-threshold: 10000000
|
||||
use-caps-for-id: yes
|
||||
minimal-responses: yes
|
||||
val-clean-additional: yes
|
||||
rrset-roundrobin: yes
|
||||
ignore-cd-flag: yes
|
||||
do-not-query-localhost: yes
|
||||
zonemd-permissive-mode: no
|
||||
|
||||
outgoing-port-permit: 1024-65535
|
||||
|
||||
so-reuseport: yes
|
||||
|
||||
prefetch: yes
|
||||
prefetch-key: yes
|
||||
|
||||
@ -189,7 +200,6 @@ storage:
|
||||
contents:
|
||||
inline: |
|
||||
[Unit]
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
@ -201,7 +211,6 @@ storage:
|
||||
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
||||
ProtectKernelTunables=true
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||
RestrictRealtime=true
|
||||
SystemCallArchitectures=native
|
||||
|
Loading…
Reference in New Issue
Block a user