1
0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-09 03:31:34 -05:00

Update unbound configuration

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2023-01-24 07:50:03 -05:00
parent c2dc6c9363
commit 73855406f7
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
4 changed files with 43 additions and 24 deletions

File diff suppressed because one or more lines are too long

View File

@ -146,13 +146,27 @@ storage:
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
- path: /etc/unbound/unbound.conf - path: /etc/unbound/unbound.conf
overwrite: true
contents: contents:
inline: | inline: |
server: server:
trust-anchor-file: dnssec-root.key chroot: ""
auto-trust-anchor-file: "/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
tls-ciphers: "PROFILE=SYSTEM"
hide-http-user-agent: yes
hide-identity: yes
hide-trustanchor: yes
hide-version: yes
aggressive-nsec: yes aggressive-nsec: yes
deny-any: yes
do-not-query-localhost: yes
harden-algo-downgrade: yes harden-algo-downgrade: yes
harden-below-nxdomain: yes harden-below-nxdomain: yes
harden-dnssec-stripped: yes harden-dnssec-stripped: yes
@ -160,22 +174,20 @@ storage:
harden-large-queries: yes harden-large-queries: yes
harden-referral-path: yes harden-referral-path: yes
harden-short-bufsize: yes harden-short-bufsize: yes
ignore-cd-flag: yes
ip-transparent: no
max-udp-size: 3072
module-config: "validator iterator"
minimal-responses: yes
qname-minimisation: yes qname-minimisation: yes
qname-minimisation-strict: yes qname-minimisation-strict: yes
hide-identity: yes
hide-version: yes
unwanted-reply-threshold: 10000000 unwanted-reply-threshold: 10000000
use-caps-for-id: yes use-caps-for-id: yes
minimal-responses: yes
val-clean-additional: yes val-clean-additional: yes
rrset-roundrobin: yes zonemd-permissive-mode: no
ignore-cd-flag: yes
do-not-query-localhost: yes
outgoing-port-permit: 1024-65535 outgoing-port-permit: 1024-65535
so-reuseport: yes
prefetch: yes prefetch: yes
prefetch-key: yes prefetch-key: yes
@ -190,7 +202,6 @@ storage:
contents: contents:
inline: | inline: |
[Unit] [Unit]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
@ -202,7 +213,6 @@ storage:
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility. # This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectProc=invisible ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true RestrictRealtime=true
SystemCallArchitectures=native SystemCallArchitectures=native

File diff suppressed because one or more lines are too long

View File

@ -148,10 +148,23 @@ storage:
contents: contents:
inline: | inline: |
server: server:
trust-anchor-file: dnssec-root.key chroot: ""
auto-trust-anchor-file: "/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
tls-ciphers: "PROFILE=SYSTEM"
hide-http-user-agent: yes
hide-identity: yes
hide-trustanchor: yes
hide-version: yes
aggressive-nsec: yes aggressive-nsec: yes
deny-any: yes
do-not-query-localhost: yes
harden-algo-downgrade: yes harden-algo-downgrade: yes
harden-below-nxdomain: yes harden-below-nxdomain: yes
harden-dnssec-stripped: yes harden-dnssec-stripped: yes
@ -159,22 +172,20 @@ storage:
harden-large-queries: yes harden-large-queries: yes
harden-referral-path: yes harden-referral-path: yes
harden-short-bufsize: yes harden-short-bufsize: yes
ignore-cd-flag: yes
ip-transparent: no
max-udp-size: 3072
module-config: "validator iterator"
minimal-responses: yes
qname-minimisation: yes qname-minimisation: yes
qname-minimisation-strict: yes qname-minimisation-strict: yes
hide-identity: yes
hide-version: yes
unwanted-reply-threshold: 10000000 unwanted-reply-threshold: 10000000
use-caps-for-id: yes use-caps-for-id: yes
minimal-responses: yes
val-clean-additional: yes val-clean-additional: yes
rrset-roundrobin: yes zonemd-permissive-mode: no
ignore-cd-flag: yes
do-not-query-localhost: yes
outgoing-port-permit: 1024-65535 outgoing-port-permit: 1024-65535
so-reuseport: yes
prefetch: yes prefetch: yes
prefetch-key: yes prefetch-key: yes
@ -189,7 +200,6 @@ storage:
contents: contents:
inline: | inline: |
[Unit] [Unit]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
@ -201,7 +211,6 @@ storage:
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility. # This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectProc=invisible ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true RestrictRealtime=true
SystemCallArchitectures=native SystemCallArchitectures=native