Tomster/Fedora-CoreOS-Ignition
1
0
Fork 0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-22 09:21:32 -05:00
Code

Update unbound configuration

Browse Source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2023-01-24 07:50:03 -05:00
parent c2dc6c9363
commit 73855406f7
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
4 changed files with 43 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Docker-Compose.ign
View File

File diff suppressed because one or more lines are too long

32
Docker-Compose.yml
View File

@ -146,13 +146,27 @@ storage:
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
- path: /etc/unbound/unbound.conf - path: /etc/unbound/unbound.conf
overwrite: true
contents: contents:
inline: | inline: |
server: server:
trust-anchor-file: dnssec-root.key chroot: ""
auto-trust-anchor-file: "/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
tls-ciphers: "PROFILE=SYSTEM"
hide-http-user-agent: yes
hide-identity: yes
hide-trustanchor: yes
hide-version: yes
aggressive-nsec: yes aggressive-nsec: yes
deny-any: yes
do-not-query-localhost: yes
harden-algo-downgrade: yes harden-algo-downgrade: yes
harden-below-nxdomain: yes harden-below-nxdomain: yes
harden-dnssec-stripped: yes harden-dnssec-stripped: yes
@ -160,22 +174,20 @@ storage:
harden-large-queries: yes harden-large-queries: yes
harden-referral-path: yes harden-referral-path: yes
harden-short-bufsize: yes harden-short-bufsize: yes
ignore-cd-flag: yes
ip-transparent: no
max-udp-size: 3072
module-config: "validator iterator"
minimal-responses: yes
qname-minimisation: yes qname-minimisation: yes
qname-minimisation-strict: yes qname-minimisation-strict: yes
hide-identity: yes
hide-version: yes
unwanted-reply-threshold: 10000000 unwanted-reply-threshold: 10000000
use-caps-for-id: yes use-caps-for-id: yes
minimal-responses: yes
val-clean-additional: yes val-clean-additional: yes
rrset-roundrobin: yes zonemd-permissive-mode: no
ignore-cd-flag: yes
do-not-query-localhost: yes
outgoing-port-permit: 1024-65535 outgoing-port-permit: 1024-65535
so-reuseport: yes
prefetch: yes prefetch: yes
prefetch-key: yes prefetch-key: yes
@ -190,7 +202,6 @@ storage:
contents: contents:
inline: | inline: |
[Unit] [Unit]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
@ -202,7 +213,6 @@ storage:
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility. # This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectProc=invisible ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true RestrictRealtime=true
SystemCallArchitectures=native SystemCallArchitectures=native

2
Generic.ign
View File

File diff suppressed because one or more lines are too long

31
Generic.yml
View File

@ -148,10 +148,23 @@ storage:
contents: contents:
inline: | inline: |
server: server:
trust-anchor-file: dnssec-root.key chroot: ""
auto-trust-anchor-file: "/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
tls-ciphers: "PROFILE=SYSTEM"
hide-http-user-agent: yes
hide-identity: yes
hide-trustanchor: yes
hide-version: yes
aggressive-nsec: yes aggressive-nsec: yes
deny-any: yes
do-not-query-localhost: yes
harden-algo-downgrade: yes harden-algo-downgrade: yes
harden-below-nxdomain: yes harden-below-nxdomain: yes
harden-dnssec-stripped: yes harden-dnssec-stripped: yes
@ -159,22 +172,20 @@ storage:
harden-large-queries: yes harden-large-queries: yes
harden-referral-path: yes harden-referral-path: yes
harden-short-bufsize: yes harden-short-bufsize: yes
ignore-cd-flag: yes
ip-transparent: no
max-udp-size: 3072
module-config: "validator iterator"
minimal-responses: yes
qname-minimisation: yes qname-minimisation: yes
qname-minimisation-strict: yes qname-minimisation-strict: yes
hide-identity: yes
hide-version: yes
unwanted-reply-threshold: 10000000 unwanted-reply-threshold: 10000000
use-caps-for-id: yes use-caps-for-id: yes
minimal-responses: yes
val-clean-additional: yes val-clean-additional: yes
rrset-roundrobin: yes zonemd-permissive-mode: no
ignore-cd-flag: yes
do-not-query-localhost: yes
outgoing-port-permit: 1024-65535 outgoing-port-permit: 1024-65535
so-reuseport: yes
prefetch: yes prefetch: yes
prefetch-key: yes prefetch-key: yes
@ -189,7 +200,6 @@ storage:
contents: contents:
inline: | inline: |
[Unit] [Unit]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
@ -201,7 +211,6 @@ storage:
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility. # This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectProc=invisible ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true RestrictRealtime=true
SystemCallArchitectures=native SystemCallArchitectures=native