mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-22 09:31:34 -05:00
Comment out unbound section
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
3a26940fb6
commit
3cbb95a403
@ -132,94 +132,94 @@ if [ "$virtualization" = 'none' ]; then
|
|||||||
sudo systemctl enable --now fwupd-refresh.timer
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup unbound
|
# # Setup unbound
|
||||||
|
|
||||||
sudo apt install -y unbound unbound-anchor
|
# sudo apt install -y unbound unbound-anchor
|
||||||
sudo mkdir -p /usr/share/dns
|
# sudo mkdir -p /usr/share/dns
|
||||||
sudo chmod 755 /usr/share/dns
|
# sudo chmod 755 /usr/share/dns
|
||||||
sudo chown unbound:unbound /usr/share/dns
|
# sudo chown unbound:unbound /usr/share/dns
|
||||||
sudo unbound-anchor
|
# sudo unbound-anchor
|
||||||
sudo chmod 644 /usr/share/dns/root.key
|
# sudo chmod 644 /usr/share/dns/root.key
|
||||||
|
|
||||||
echo 'server:
|
# echo 'server:
|
||||||
trust-anchor-signaling: yes
|
# trust-anchor-signaling: yes
|
||||||
root-key-sentinel: yes
|
# root-key-sentinel: yes
|
||||||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
# tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
|
||||||
hide-identity: yes
|
# hide-identity: yes
|
||||||
hide-trustanchor: yes
|
# hide-trustanchor: yes
|
||||||
hide-version: yes
|
# hide-version: yes
|
||||||
deny-any: yes
|
# deny-any: yes
|
||||||
harden-algo-downgrade: yes
|
# harden-algo-downgrade: yes
|
||||||
harden-large-queries: yes
|
# harden-large-queries: yes
|
||||||
harden-referral-path: yes
|
# harden-referral-path: yes
|
||||||
ignore-cd-flag: yes
|
# ignore-cd-flag: yes
|
||||||
max-udp-size: 3072
|
# max-udp-size: 3072
|
||||||
module-config: "validator iterator"
|
# module-config: "validator iterator"
|
||||||
qname-minimisation-strict: yes
|
# qname-minimisation-strict: yes
|
||||||
unwanted-reply-threshold: 10000000
|
# unwanted-reply-threshold: 10000000
|
||||||
use-caps-for-id: yes
|
# use-caps-for-id: yes
|
||||||
|
|
||||||
outgoing-port-permit: 1024-65535
|
# outgoing-port-permit: 1024-65535
|
||||||
|
|
||||||
prefetch: yes
|
# prefetch: yes
|
||||||
prefetch-key: yes
|
# prefetch-key: yes
|
||||||
|
|
||||||
# ip-transparent: yes
|
# # ip-transparent: yes
|
||||||
# interface: 127.0.0.1
|
# # interface: 127.0.0.1
|
||||||
# interface: ::1
|
# # interface: ::1
|
||||||
# interface: 242.242.0.1
|
# # interface: 242.242.0.1
|
||||||
# access-control: 242.242.0.0/16 allow
|
# # access-control: 242.242.0.0/16 allow
|
||||||
|
|
||||||
forward-zone:
|
# forward-zone:
|
||||||
name: "."
|
# name: "."
|
||||||
forward-tls-upstream: yes
|
# forward-tls-upstream: yes
|
||||||
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
|
# forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
|
||||||
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
|
# forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
|
||||||
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
|
# forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
|
||||||
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf.d/custom.conf
|
# forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf.d/custom.conf
|
||||||
|
|
||||||
sudo chmod 644 /etc/unbound/unbound.conf.d/custom.conf
|
# sudo chmod 644 /etc/unbound/unbound.conf.d/custom.conf
|
||||||
|
|
||||||
sudo sed -i 's#/var/lib/unbound#/usr/share/dns#g' /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
|
# sudo sed -i 's#/var/lib/unbound#/usr/share/dns#g' /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
|
||||||
|
|
||||||
mkdir -p /etc/systemd/system/unbound.service.d
|
# mkdir -p /etc/systemd/system/unbound.service.d
|
||||||
echo $'[Service]
|
# echo $'[Service]
|
||||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
||||||
MemoryDenyWriteExecute=true
|
# MemoryDenyWriteExecute=true
|
||||||
NoNewPrivileges=true
|
# NoNewPrivileges=true
|
||||||
PrivateDevices=true
|
# PrivateDevices=true
|
||||||
PrivateTmp=true
|
# PrivateTmp=true
|
||||||
ProtectHome=true
|
# ProtectHome=true
|
||||||
ProtectClock=true
|
# ProtectClock=true
|
||||||
ProtectControlGroups=true
|
# ProtectControlGroups=true
|
||||||
ProtectKernelLogs=true
|
# ProtectKernelLogs=true
|
||||||
ProtectKernelModules=true
|
# ProtectKernelModules=true
|
||||||
# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
|
# # This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
|
||||||
ProtectKernelTunables=false
|
# ProtectKernelTunables=false
|
||||||
ProtectProc=invisible
|
# ProtectProc=invisible
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
# RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||||
RestrictRealtime=true
|
# RestrictRealtime=true
|
||||||
SystemCallArchitectures=native
|
# SystemCallArchitectures=native
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
|
# SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
|
||||||
RestrictNamespaces=yes
|
# RestrictNamespaces=yes
|
||||||
LockPersonality=yes
|
# LockPersonality=yes
|
||||||
RestrictSUIDSGID=yes
|
# RestrictSUIDSGID=yes
|
||||||
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
|
# ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
|
||||||
|
|
||||||
# Below rules are needed when chroot is enabled (usually it\'s enabled by default).
|
# # Below rules are needed when chroot is enabled (usually it\'s enabled by default).
|
||||||
# If chroot is disabled like chroot: "" then they may be safely removed.
|
# # If chroot is disabled like chroot: "" then they may be safely removed.
|
||||||
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
|
# TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
|
||||||
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
|
# TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
|
||||||
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
|
# BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
|
||||||
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
|
# BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
|
||||||
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
|
# BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
|
||||||
|
|
||||||
sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
|
# sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
# sudo systemctl daemon-reload
|
||||||
sudo systemctl restart unbound
|
# sudo systemctl restart unbound
|
||||||
sudo systemctl disable systemd-resolved
|
# sudo systemctl disable systemd-resolved
|
||||||
|
|
||||||
# Setup networking
|
# Setup networking
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user