mirror of
https://github.com/tommytran732/Fedora-CoreOS-Ignition
synced 2024-11-09 03:31:34 -05:00
Update unbound configuration
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
c2dc6c9363
commit
73855406f7
File diff suppressed because one or more lines are too long
@ -146,13 +146,27 @@ storage:
|
|||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
- path: /etc/unbound/unbound.conf
|
- path: /etc/unbound/unbound.conf
|
||||||
|
overwrite: true
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
server:
|
server:
|
||||||
trust-anchor-file: dnssec-root.key
|
chroot: ""
|
||||||
|
|
||||||
|
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||||
|
trust-anchor-signaling: yes
|
||||||
|
root-key-sentinel: yes
|
||||||
|
|
||||||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
tls-ciphers: "PROFILE=SYSTEM"
|
||||||
|
|
||||||
|
hide-http-user-agent: yes
|
||||||
|
hide-identity: yes
|
||||||
|
hide-trustanchor: yes
|
||||||
|
hide-version: yes
|
||||||
|
|
||||||
aggressive-nsec: yes
|
aggressive-nsec: yes
|
||||||
|
deny-any: yes
|
||||||
|
do-not-query-localhost: yes
|
||||||
harden-algo-downgrade: yes
|
harden-algo-downgrade: yes
|
||||||
harden-below-nxdomain: yes
|
harden-below-nxdomain: yes
|
||||||
harden-dnssec-stripped: yes
|
harden-dnssec-stripped: yes
|
||||||
@ -160,22 +174,20 @@ storage:
|
|||||||
harden-large-queries: yes
|
harden-large-queries: yes
|
||||||
harden-referral-path: yes
|
harden-referral-path: yes
|
||||||
harden-short-bufsize: yes
|
harden-short-bufsize: yes
|
||||||
|
ignore-cd-flag: yes
|
||||||
|
ip-transparent: no
|
||||||
|
max-udp-size: 3072
|
||||||
|
module-config: "validator iterator"
|
||||||
|
minimal-responses: yes
|
||||||
qname-minimisation: yes
|
qname-minimisation: yes
|
||||||
qname-minimisation-strict: yes
|
qname-minimisation-strict: yes
|
||||||
hide-identity: yes
|
|
||||||
hide-version: yes
|
|
||||||
unwanted-reply-threshold: 10000000
|
unwanted-reply-threshold: 10000000
|
||||||
use-caps-for-id: yes
|
use-caps-for-id: yes
|
||||||
minimal-responses: yes
|
|
||||||
val-clean-additional: yes
|
val-clean-additional: yes
|
||||||
rrset-roundrobin: yes
|
zonemd-permissive-mode: no
|
||||||
ignore-cd-flag: yes
|
|
||||||
do-not-query-localhost: yes
|
|
||||||
|
|
||||||
outgoing-port-permit: 1024-65535
|
outgoing-port-permit: 1024-65535
|
||||||
|
|
||||||
so-reuseport: yes
|
|
||||||
|
|
||||||
prefetch: yes
|
prefetch: yes
|
||||||
prefetch-key: yes
|
prefetch-key: yes
|
||||||
|
|
||||||
@ -190,7 +202,6 @@ storage:
|
|||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
[Unit]
|
[Unit]
|
||||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
|
||||||
MemoryDenyWriteExecute=true
|
MemoryDenyWriteExecute=true
|
||||||
PrivateDevices=true
|
PrivateDevices=true
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
@ -202,7 +213,6 @@ storage:
|
|||||||
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
||||||
ProtectKernelTunables=true
|
ProtectKernelTunables=true
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible
|
||||||
ProtectSystem=strict
|
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
File diff suppressed because one or more lines are too long
31
Generic.yml
31
Generic.yml
@ -148,10 +148,23 @@ storage:
|
|||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
server:
|
server:
|
||||||
trust-anchor-file: dnssec-root.key
|
chroot: ""
|
||||||
|
|
||||||
|
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||||
|
trust-anchor-signaling: yes
|
||||||
|
root-key-sentinel: yes
|
||||||
|
|
||||||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
tls-ciphers: "PROFILE=SYSTEM"
|
||||||
|
|
||||||
|
hide-http-user-agent: yes
|
||||||
|
hide-identity: yes
|
||||||
|
hide-trustanchor: yes
|
||||||
|
hide-version: yes
|
||||||
|
|
||||||
aggressive-nsec: yes
|
aggressive-nsec: yes
|
||||||
|
deny-any: yes
|
||||||
|
do-not-query-localhost: yes
|
||||||
harden-algo-downgrade: yes
|
harden-algo-downgrade: yes
|
||||||
harden-below-nxdomain: yes
|
harden-below-nxdomain: yes
|
||||||
harden-dnssec-stripped: yes
|
harden-dnssec-stripped: yes
|
||||||
@ -159,22 +172,20 @@ storage:
|
|||||||
harden-large-queries: yes
|
harden-large-queries: yes
|
||||||
harden-referral-path: yes
|
harden-referral-path: yes
|
||||||
harden-short-bufsize: yes
|
harden-short-bufsize: yes
|
||||||
|
ignore-cd-flag: yes
|
||||||
|
ip-transparent: no
|
||||||
|
max-udp-size: 3072
|
||||||
|
module-config: "validator iterator"
|
||||||
|
minimal-responses: yes
|
||||||
qname-minimisation: yes
|
qname-minimisation: yes
|
||||||
qname-minimisation-strict: yes
|
qname-minimisation-strict: yes
|
||||||
hide-identity: yes
|
|
||||||
hide-version: yes
|
|
||||||
unwanted-reply-threshold: 10000000
|
unwanted-reply-threshold: 10000000
|
||||||
use-caps-for-id: yes
|
use-caps-for-id: yes
|
||||||
minimal-responses: yes
|
|
||||||
val-clean-additional: yes
|
val-clean-additional: yes
|
||||||
rrset-roundrobin: yes
|
zonemd-permissive-mode: no
|
||||||
ignore-cd-flag: yes
|
|
||||||
do-not-query-localhost: yes
|
|
||||||
|
|
||||||
outgoing-port-permit: 1024-65535
|
outgoing-port-permit: 1024-65535
|
||||||
|
|
||||||
so-reuseport: yes
|
|
||||||
|
|
||||||
prefetch: yes
|
prefetch: yes
|
||||||
prefetch-key: yes
|
prefetch-key: yes
|
||||||
|
|
||||||
@ -189,7 +200,6 @@ storage:
|
|||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
[Unit]
|
[Unit]
|
||||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
|
||||||
MemoryDenyWriteExecute=true
|
MemoryDenyWriteExecute=true
|
||||||
PrivateDevices=true
|
PrivateDevices=true
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
@ -201,7 +211,6 @@ storage:
|
|||||||
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
|
||||||
ProtectKernelTunables=true
|
ProtectKernelTunables=true
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible
|
||||||
ProtectSystem=strict
|
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
Loading…
Reference in New Issue
Block a user