From a1d9781944330decacf55d2e31debe36d5a80da2 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Thu, 3 Sep 2020 05:02:51 +0000 Subject: [PATCH] initial --- .gitignore | 0 docker-compose.yml | 81 ++++++++++ unbound/unbound.conf | 368 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 449 insertions(+) create mode 100644 .gitignore create mode 100644 docker-compose.yml create mode 100644 unbound/unbound.conf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..98d994d --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,81 @@ +version: "3" + +networks: + piguard: + ipam: + driver: default + config: + - subnet: 10.1.0.0/24 +services: + wireguard: + depends_on: [unbound] + privileged: false + image: linuxserver/wireguard + container_name: wireguard + cap_add: + - NET_ADMIN + - SYS_MODULE + environment: + - PUID=1000 + - PGID=1000 + - TZ=America/Los_Angeles + # - SERVERURL=wireguard.domain.com #optional + - SERVERPORT=5555 #optional + - PEERS=1 #optional + - PEERDNS=10.1.0.100 # Set it to point to pihole + - INTERNAL_SUBNET=10.6.0.0 #optional + volumes: + - ./wireguard:/config + - /lib/modules:/lib/modules + ports: + - 5555:51820/udp + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 + restart: unless-stopped + networks: + piguard: + ipv4_address: 10.1.0.3 + + unbound: + container_name: unbound + privileged: false + volumes: + - "./unbound:/opt/unbound/etc/unbound/" + # ports: + # - "53:53/tcp" + # - "53:53/udp" + restart: unless-stopped + image: "mvance/unbound:latest" + networks: + piguard: + ipv4_address: 10.1.0.200 + + pihole: + depends_on: [unbound] + container_name: pihole + image: pihole/pihole:latest + privileged: false + ports: + - "53:53/tcp" + - "53:53/udp" + # - "67:67/udp" # Uncomment for pihole dhcp + - "80:80/tcp" + - "443:443/tcp" + environment: + TZ: "America/Los_Angeles" + WEBPASSWORD: '' + ServerIP: 10.1.0.100 + DNS1: 10.1.0.200 + DNS2: 10.1.0.200 + # Volumes store your data between container upgrades + volumes: + - "./etc-pihole/:/etc/pihole/" + - "./etc-dnsmasq.d/:/etc/dnsmasq.d/" + # Recommended but not required (DHCP needs NET_ADMIN) + # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities + cap_add: + - NET_ADMIN + restart: unless-stopped + networks: + piguard: + ipv4_address: 10.1.0.100 diff --git a/unbound/unbound.conf b/unbound/unbound.conf new file mode 100644 index 0000000..f0bd343 --- /dev/null +++ b/unbound/unbound.conf @@ -0,0 +1,368 @@ +# server: +# ########################################################################### +# # BASIC SETTINGS +# ########################################################################### +# # Time to live maximum for RRsets and messages in the cache. If the maximum +# # kicks in, responses to clients still get decrementing TTLs based on the +# # original (larger) values. When the internal TTL expires, the cache item +# # has expired. Can be set lower to force the resolver to query for data +# # often, and not trust (very large) TTL values. +# cache-max-ttl: 86400 + +# # Time to live minimum for RRsets and messages in the cache. If the minimum +# # kicks in, the data is cached for longer than the domain owner intended, +# # and thus less queries are made to look up the data. Zero makes sure the +# # data in the cache is as the domain owner intended, higher values, +# # especially more than an hour or so, can lead to trouble as the data in +# # the cache does not match up with the actual data any more. +# cache-min-ttl: 300 + +# # Set the working directory for the program. +# directory: "/opt/unbound/etc/unbound" + +# # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer +# # size. This is the value put into datagrams over UDP towards peers. +# # 4096 is RFC recommended. 1472 has a reasonable chance to fit within a +# # single Ethernet frame, thus lessing the chance of fragmentation +# # reassembly problems (usually seen as timeouts). Setting to 512 bypasses +# # even the most stringent path MTU problems, but is not recommended since +# # the amount of TCP fallback generated is excessive. +# edns-buffer-size: 1472 + +# # Listen to for queries from clients and answer from this network interface +# # and port. +# interface: 0.0.0.0@53 + +# # Rotates RRSet order in response (the pseudo-random number is taken from +# # the query ID, for speed and thread safety). +# rrset-roundrobin: yes + +# # Drop user privileges after binding the port. +# username: "_unbound" + +# ########################################################################### +# # LOGGING +# ########################################################################### + +# # Do not print log lines to inform about local zone actions +# log-local-actions: no + +# # Do not print one line per query to the log +# log-queries: no + +# # Do not print one line per reply to the log +# log-replies: no + +# # Do not print log lines that say why queries return SERVFAIL to clients +# log-servfail: no + +# # Further limit logging +# logfile: /dev/null + +# # Only log errors +# verbosity: 5 + +# ########################################################################### +# # PRIVACY SETTINGS +# ########################################################################### + +# # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other +# # denials, using information from previous NXDO-MAINs answers. In other +# # words, use cached NSEC records to generate negative answers within a +# # range and positive answers from wildcards. This increases performance, +# # decreases latency and resource utilization on both authoritative and +# # recursive servers, and increases privacy. Also, it may help increase +# # resilience to certain DoS attacks in some circumstances. +# aggressive-nsec: yes + +# # Extra delay for timeouted UDP ports before they are closed, in msec. +# # This prevents very delayed answer packets from the upstream (recursive) +# # servers from bouncing against closed ports and setting off all sort of +# # close-port counters, with eg. 1500 msec. When timeouts happen you need +# # extra sockets, it checks the ID and remote IP of packets, and unwanted +# # packets are added to the unwanted packet counter. +# delay-close: 10000 + +# # Prevent the unbound server from forking into the background as a daemon +# do-daemonize: no + +# # Add localhost to the do-not-query-address list. +# do-not-query-localhost: no + +# # Number of bytes size of the aggressive negative cache. +# neg-cache-size: 4M + +# # Send minimum amount of information to upstream servers to enhance +# # privacy (best privacy). +# qname-minimisation: yes + +# ########################################################################### +# # SECURITY SETTINGS +# ########################################################################### +# # Only give access to recursion clients from LAN IPs +# access-control: 127.0.0.1/32 allow +# access-control: 192.168.0.0/16 allow +# access-control: 172.16.0.0/12 allow +# access-control: 10.0.0.0/8 allow +# # access-control: fc00::/7 allow +# # access-control: ::1/128 allow + +# # File with trust anchor for one zone, which is tracked with RFC5011 +# # probes. +# auto-trust-anchor-file: "var/root.key" + +# # Enable chroot (i.e, change apparent root directory for the current +# # running process and its children) +# chroot: "/opt/unbound/etc/unbound" + +# # Deny queries of type ANY with an empty response. +# deny-any: yes + +# # Harden against algorithm downgrade when multiple algorithms are +# # advertised in the DS record. +# harden-algo-downgrade: yes + +# # RFC 8020. returns nxdomain to queries for a name below another name that +# # is already known to be nxdomain. +# harden-below-nxdomain: yes + +# # Require DNSSEC data for trust-anchored zones, if such data is absent, the +# # zone becomes bogus. If turned off you run the risk of a downgrade attack +# # that disables security for a zone. +# harden-dnssec-stripped: yes + +# # Only trust glue if it is within the servers authority. +# harden-glue: yes + +# # Ignore very large queries. +# harden-large-queries: yes + +# # Perform additional queries for infrastructure data to harden the referral +# # path. Validates the replies if trust anchors are configured and the zones +# # are signed. This enforces DNSSEC validation on nameserver NS sets and the +# # nameserver addresses that are encountered on the referral path to the +# # answer. Experimental option. +# harden-referral-path: no + +# # Ignore very small EDNS buffer sizes from queries. +# harden-short-bufsize: yes + +# # Refuse id.server and hostname.bind queries +# hide-identity: yes + +# # Refuse version.server and version.bind queries +# hide-version: yes + +# # Report this identity rather than the hostname of the server. +# identity: "DNS" + +# # These private network addresses are not allowed to be returned for public +# # internet names. Any occurrence of such addresses are removed from DNS +# # answers. Additionally, the DNSSEC validator may mark the answers bogus. +# # This protects against DNS Rebinding +# private-address: 10.0.0.0/8 +# private-address: 172.16.0.0/12 +# private-address: 192.168.0.0/16 +# private-address: 169.254.0.0/16 +# # private-address: fd00::/8 +# # private-address: fe80::/10 +# # private-address: ::ffff:0:0/96 + +# # Enable ratelimiting of queries (per second) sent to nameserver for +# # performing recursion. More queries are turned away with an error +# # (servfail). This stops recursive floods (e.g., random query names), but +# # not spoofed reflection floods. Cached responses are not rate limited by +# # this setting. Experimental option. +# ratelimit: 1000 + +# # Use this certificate bundle for authenticating connections made to +# # outside peers (e.g., auth-zone urls, DNS over TLS connections). +# tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + +# # Set the total number of unwanted replies to eep track of in every thread. +# # When it reaches the threshold, a defensive action of clearing the rrset +# # and message caches is taken, hopefully flushing away any poison. +# # Unbound suggests a value of 10 million. +# unwanted-reply-threshold: 10000 + +# # Use 0x20-encoded random bits in the query to foil spoof attempts. This +# # perturbs the lowercase and uppercase of query names sent to authority +# # servers and checks if the reply still has the correct casing. +# # This feature is an experimental implementation of draft dns-0x20. +# # Experimental option. +# use-caps-for-id: yes + +# # Help protect users that rely on this validator for authentication from +# # potentially bad data in the additional section. Instruct the validator to +# # remove data from the additional section of secure messages that are not +# # signed properly. Messages that are insecure, bogus, indeterminate or +# # unchecked are not affected. +# val-clean-additional: yes + +# ########################################################################### +# # PERFORMANCE SETTINGS +# ########################################################################### +# # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ +# # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ + +# # Number of slabs in the infrastructure cache. Slabs reduce lock contention +# # by threads. Must be set to a power of 2. +# infra-cache-slabs: 4 + +# # Number of incoming TCP buffers to allocate per thread. Default +# # is 10. If set to 0, or if do-tcp is "no", no TCP queries from +# # clients are accepted. For larger installations increasing this +# # value is a good idea. +# incoming-num-tcp: 10 + +# # Number of slabs in the key cache. Slabs reduce lock contention by +# # threads. Must be set to a power of 2. Setting (close) to the number +# # of cpus is a reasonable guess. +# key-cache-slabs: 4 + +# # Number of bytes size of the message cache. +# # Unbound recommendation is to Use roughly twice as much rrset cache memory +# # as you use msg cache memory. +# msg-cache-size: 855658496 + +# # Number of slabs in the message cache. Slabs reduce lock contention by +# # threads. Must be set to a power of 2. Setting (close) to the number of +# # cpus is a reasonable guess. +# msg-cache-slabs: 4 + +# # The number of queries that every thread will service simultaneously. If +# # more queries arrive that need servicing, and no queries can be jostled +# # out (see jostle-timeout), then the queries are dropped. +# # This is best set at half the number of the outgoing-range. +# # This Unbound instance was compiled with libevent so it can efficiently +# # use more than 1024 file descriptors. +# num-queries-per-thread: 4096 + +# # The number of threads to create to serve clients. +# # This is set dynamically at run time to effectively use available CPUs +# # resources +# num-threads: 2 + +# # Number of ports to open. This number of file descriptors can be opened +# # per thread. +# # This Unbound instance was compiled with libevent so it can efficiently +# # use more than 1024 file descriptors. +# outgoing-range: 8192 + +# # Number of bytes size of the RRset cache. +# # Use roughly twice as much rrset cache memory as msg cache memory +# rrset-cache-size: 1711316992 + +# # Number of slabs in the RRset cache. Slabs reduce lock contention by +# # threads. Must be set to a power of 2. +# rrset-cache-slabs: 4 + +# # Do no insert authority/additional sections into response messages when +# # those sections are not required. This reduces response size +# # significantly, and may avoid TCP fallback for some responses. This may +# # cause a slight speedup. +# minimal-responses: yes + +# # # Fetch the DNSKEYs earlier in the validation process, when a DS record +# # is encountered. This lowers the latency of requests at the expense of +# # little more CPU usage. +# prefetch: yes + +# # Fetch the DNSKEYs earlier in the validation process, when a DS record is +# # encountered. This lowers the latency of requests at the expense of little +# # more CPU usage. +# prefetch-key: yes + +# # Have unbound attempt to serve old responses from cache with a TTL of 0 in +# # the response without waiting for the actual resolution to finish. The +# # actual resolution answer ends up in the cache later on. +# serve-expired: yes + +# # Open dedicated listening sockets for incoming queries for each thread and +# # try to set the SO_REUSEPORT socket option on each socket. May distribute +# # incoming queries to threads more evenly. +# so-reuseport: yes + +# ########################################################################### +# # LOCAL ZONE +# ########################################################################### + +# # # Include file for local-data and local-data-ptr +# # include: /opt/unbound/etc/unbound/a-records.conf +# # include: /opt/unbound/etc/unbound/srv-records.conf + +# # ########################################################################### +# # # FORWARD ZONE +# # ########################################################################### + +# # include: /opt/unbound/etc/unbound/forward-records.conf + + +# remote-control: +# control-enable: no + +server: + verbosity: 1 + num-threads: 3 + interface: 0.0.0.0@53 + so-reuseport: yes + edns-buffer-size: 1472 + delay-close: 10000 + cache-min-ttl: 60 + cache-max-ttl: 86400 + do-daemonize: no + username: "_unbound" + log-queries: no + hide-version: yes + hide-identity: yes + identity: "DNS" + harden-algo-downgrade: yes + harden-short-bufsize: yes + harden-large-queries: yes + harden-glue: yes + harden-dnssec-stripped: yes + harden-below-nxdomain: yes + harden-referral-path: no + do-not-query-localhost: no + prefetch: yes + prefetch-key: yes + qname-minimisation: yes + aggressive-nsec: yes + ratelimit: 1000 + rrset-roundrobin: yes + minimal-responses: yes + chroot: "/opt/unbound/etc/unbound" + directory: "/opt/unbound/etc/unbound" + auto-trust-anchor-file: "var/root.key" + num-queries-per-thread: 4096 + outgoing-range: 8192 + msg-cache-size: 260991658 + rrset-cache-size: 260991658 + neg-cache-size: 4M + serve-expired: yes + unwanted-reply-threshold: 10000 + use-caps-for-id: yes + val-clean-additional: yes + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: fd00::/8 + private-address: fe80::/10 + private-address: ::ffff:0:0/96 + access-control: 127.0.0.1/32 allow + access-control: 192.168.1.1/24 allow + access-control: 172.16.0.0/12 allow + access-control: 10.0.0.0/8 allow + logfile: /var/log/unbound.log + #include: /opt/unbound/etc/unbound/a-records.conf + forward-zone: + name: "." + forward-addr: 1.1.1.1@853#cloudflare-dns.com + forward-addr: 1.0.0.1@853#cloudflare-dns.com + forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com + forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com + forward-tls-upstream: yes + remote-control: + control-enable: no \ No newline at end of file