1
0
mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-24 18:21:34 -05:00

Fix Unbound for Ubuntu

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-06-24 22:07:02 -07:00
parent 6486ea474a
commit 80641009b9
Signed by: Tomster
GPG Key ID: 555C902A34EC968F

View File

@ -132,94 +132,87 @@ if [ "$virtualization" = 'none' ]; then
sudo systemctl enable --now fwupd-refresh.timer sudo systemctl enable --now fwupd-refresh.timer
fi fi
# # Setup unbound # Setup unbound
# sudo apt install -y unbound unbound-anchor sudo apt install -y unbound dns-root-data
# sudo mkdir -p /usr/share/dns
# sudo chmod 755 /usr/share/dns
# sudo chown unbound:unbound /usr/share/dns
# sudo unbound-anchor
# sudo chmod 644 /usr/share/dns/root.key
# echo 'server: echo 'server:
# trust-anchor-signaling: yes trust-anchor-signaling: yes
# root-key-sentinel: yes root-key-sentinel: yes
# tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# hide-identity: yes hide-identity: yes
# hide-trustanchor: yes hide-trustanchor: yes
# hide-version: yes hide-version: yes
# deny-any: yes deny-any: yes
# harden-algo-downgrade: yes harden-algo-downgrade: yes
# harden-large-queries: yes harden-large-queries: yes
# harden-referral-path: yes harden-referral-path: yes
# ignore-cd-flag: yes ignore-cd-flag: yes
# max-udp-size: 3072 max-udp-size: 3072
# module-config: "validator iterator" module-config: "validator iterator"
# qname-minimisation-strict: yes qname-minimisation-strict: yes
# unwanted-reply-threshold: 10000000 unwanted-reply-threshold: 10000000
# use-caps-for-id: yes use-caps-for-id: yes
# outgoing-port-permit: 1024-65535 outgoing-port-permit: 1024-65535
# prefetch: yes prefetch: yes
# prefetch-key: yes prefetch-key: yes
# # ip-transparent: yes # ip-transparent: yes
# # interface: 127.0.0.1 # interface: 127.0.0.1
# # interface: ::1 # interface: ::1
# # interface: 242.242.0.1 # interface: 242.242.0.1
# # access-control: 242.242.0.0/16 allow # access-control: 242.242.0.0/16 allow
# forward-zone: forward-zone:
# name: "." name: "."
# forward-tls-upstream: yes forward-tls-upstream: yes
# forward-addr: 1.1.1.2@853#security.cloudflare-dns.com forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
# forward-addr: 1.0.0.2@853#security.cloudflare-dns.com forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
# forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
# forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf.d/custom.conf forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf.d/custom.conf
# sudo chmod 644 /etc/unbound/unbound.conf.d/custom.conf sudo chmod 644 /etc/unbound/unbound.conf.d/custom.conf
# sudo sed -i 's#/var/lib/unbound#/usr/share/dns#g' /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf mkdir -p /etc/systemd/system/unbound.service.d
echo $'[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
ProtectKernelTunables=false
ProtectProc=invisible
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
# mkdir -p /etc/systemd/system/unbound.service.d # Below rules are needed when chroot is enabled (usually it\'s enabled by default).
# echo $'[Service] # If chroot is disabled like chroot: "" then they may be safely removed.
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
# MemoryDenyWriteExecute=true TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
# NoNewPrivileges=true BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
# PrivateDevices=true BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
# PrivateTmp=true BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
# ProtectHome=true
# ProtectClock=true
# ProtectControlGroups=true
# ProtectKernelLogs=true
# ProtectKernelModules=true
# # This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
# ProtectKernelTunables=false
# ProtectProc=invisible
# RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
# RestrictRealtime=true
# SystemCallArchitectures=native
# SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
# RestrictNamespaces=yes
# LockPersonality=yes
# RestrictSUIDSGID=yes
# ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
# # Below rules are needed when chroot is enabled (usually it\'s enabled by default). sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
# # If chroot is disabled like chroot: "" then they may be safely removed.
# TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
# TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
# BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
# BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
# BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
# sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf sudo systemctl daemon-reload
sudo systemctl restart unbound
# sudo systemctl daemon-reload sudo systemctl disable systemd-resolved
# sudo systemctl restart unbound
# sudo systemctl disable systemd-resolved
# Setup networking # Setup networking