Unbound for Ubuntu

GCP-Debian-11.sh

@@ -15,8 +15,10 @@ sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
 sudo ufw enable
 sudo ufw allow 22/tcp
 
+#Setup tuned
 sudo tuned-adm profile virtual-guest
 
+#Setup unbound
 echo 'server:
   trust-anchor-file: "/var/lib/unbound/root.key
   trust-anchor-signaling: yes

Ubuntu-22.04-Server.sh

@@ -7,6 +7,91 @@ sudo ua enable usg
 sudo apt install -y usg
 sudo usg fix cis_level2_server
 
+#Install packages
+sudo apt update -y
+sudo apt full-upgrade -y
+sudo apt install -y curl fwupd resolveconf tuned unbound
+
+#Setup tuned
+sudo tuned-adm profile virtual-guest
+
+#Setup unbound
+echo 'server:
+  trust-anchor-file: "/var/lib/unbound/root.key
+  trust-anchor-signaling: yes
+  root-key-sentinel: yes
+  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+  hide-identity: yes
+  hide-trustanchor: yes
+  hide-version: yes
+  deny-any: yes
+  harden-algo-downgrade: yes
+  harden-large-queries: yes
+  harden-referral-path: yes
+  ignore-cd-flag: yes
+  max-udp-size: 3072
+  module-config: "validator iterator"
+  qname-minimisation-strict: yes
+  unwanted-reply-threshold: 10000000
+  use-caps-for-id: yes
+
+  outgoing-port-permit: 1024-65535
+
+  prefetch: yes
+  prefetch-key: yes
+
+
+forward-zone:
+  name: "."
+  forward-tls-upstream: yes
+  forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
+  forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
+  forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
+  forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf.d/custom.conf
+
+sudo mv /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf  /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.bk
+
+mkdir -p /etc/systemd/system/unbound.service.d
+echo $'[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
+ProtectKernelTunables=false
+ProtectProc=invisible
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below rules are needed when chroot is enabled (usually it\'s enabled by default).
+# If chroot is disabled like chroot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
+
+sudo systemctl daemon-reload
+sudo systemctl restart unbound
+sudo systemctl disable --now systemd-resolved
+
 #Security kernel settings
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
@@ -38,11 +123,6 @@ sudo systemctl stop whoopsie.service
 sudo systemctl disable whoopsie.service
 sudo systemctl mask whoopsie.service
 
-#Update packages and firmware
-sudo apt update -y
-sudo apt full-upgrade -y
-sudo apt install fwupd
-
 mkdir -p /etc/systemd/system/fwupd-refresh.service.d
 echo '[Service]
 ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf