From 79506679335ef1e02a960ccc7cfeda19348f5619 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 10 Nov 2023 12:58:31 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults

Apply some Fedora/RHEL-specific changes to the example configuration file. By
patching the upstream-provided config file we no longer need to manually
update an external copy in the source RPM.
---
 unbound-1.20.0/doc/example.conf.in | 194 ++++++++++++++++++-----------
 1 file changed, 124 insertions(+), 70 deletions(-)

diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
index 0368c8d..9ece701 100644
--- a/unbound-1.20.0/doc/example.conf.in
+++ b/unbound-1.20.0/doc/example.conf.in
@@ -17,11 +17,12 @@ server:
 	# whitespace is not necessary, but looks cleaner.
 
 	# verbosity number, 0 is least verbose. 1 is default.
-	# verbosity: 1
+	verbosity: 1
 
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
-	# statistics-interval: 0
+	# Needs to be disabled for munin plugin
+	statistics-interval: 0
 
 	# enable shm for stats, default no.  if you enable also enable
 	# statistics-interval, every time it also writes stats to the
@@ -32,11 +33,13 @@ server:
 	# shm-key: 11777
 
 	# enable cumulative statistics, without clearing them after printing.
-	# statistics-cumulative: no
+	# Needs to be disabled for munin plugin
+	statistics-cumulative: no
 
 	# enable extended statistics (query types, answer codes, status)
-	# printed from unbound-control. Default off, because of speed.
-	# extended-statistics: no
+	# printed from unbound-control. default off, because of speed.
+	# Needs to be enabled for munin plugin
+	extended-statistics: yes
 
 	# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
 	# rpz-actions) from printing if their value is 0.
@@ -44,22 +47,35 @@ server:
 	# statistics-inhibit-zero: yes
 
 	# number of threads to create. 1 disables threading.
-	# num-threads: 1
+	num-threads: 4
 
 	# specify the interfaces to answer queries from by ip-address.
 	# The default is to listen to localhost (127.0.0.1 and ::1).
 	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
 	# specify every interface[@port] on a new 'interface:' labelled line.
 	# The listen interfaces are not changed on reload, only on restart.
+	# interface: 0.0.0.0
+	# interface: ::0
 	# interface: 192.0.2.153
 	# interface: 192.0.2.154
 	# interface: 192.0.2.154@5003
 	# interface: 2001:DB8::5
 	# interface: eth0@5003
+	#
+	# for dns over tls and raw dns over port 80
+	# interface: 0.0.0.0@443
+	# interface: ::0@443
+	# interface: 0.0.0.0@80
+	# interface: ::0@80
 
 	# enable this feature to copy the source address of queries to reply.
 	# Socket options are not supported on all platforms. experimental.
-	# interface-automatic: no
+	# interface-automatic: yes
+	#
+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+	# NOTE: Disabled per Fedora policy not to listen to * on default install
+	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+	interface-automatic: no
 
 	# instead of the default port, open additional ports separated by
 	# spaces when interface-automatic is enabled, by listing them here.
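Review bot: The new commented example block "for dns over tls and raw dns over port 80" (the `interface: 0.0.0.0@443` / `::0@443` lines) would serve plaintext DNS on port 443 as written, because unbound only applies TLS to interfaces whose port equals tls-port, and this patch leaves `# tls-port: 853` and `# https-port: 443` commented out in the later hunk. The comment should say so, e.g. `# for DNS over TLS on 443 also set tls-port: 443 (port 80 here is plain, unencrypted DNS)`. Separately, `num-threads: 4` replaces an upstream default with a fixed value and is the only override in this hunk without a Fedora rationale comment; one line such as `# Fedora: 4 threads by default, tune to the number of CPU cores` would help.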
@@ -94,7 +110,8 @@ server:
 
 	# permit Unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
-	# outgoing-port-permit: 32768
+	# Only ephemeral ports are allowed by SElinux
+	outgoing-port-permit: 32768-60999
 
 	# deny Unbound the use this of port number or port range for
 	# making outgoing queries, using an outgoing interface.
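Review bot: The new comment spells the product name as "SElinux" here and again in the next hunk (`# Our SElinux policy does not allow non-ephemeral ports to be used`); the conventional spelling is SELinux. It would also help to say in one place that the permit line and the two avoid lines in the next hunk are meant to be read together, since the file states they are processed in order: `# Only ephemeral ports (32768-60999) are allowed by the SELinux policy; the outgoing-port-avoid lines below remove everything else`.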
@@ -103,7 +120,9 @@ server:
 	# IANA-assigned port numbers.
 	# If multiple outgoing-port-permit and outgoing-port-avoid options
 	# are present, they are processed in order.
-	# outgoing-port-avoid: "3200-3208"
+	# Our SElinux policy does not allow non-ephemeral ports to be used
+	outgoing-port-avoid: 0-32767
+	outgoing-port-avoid: 61000-65535
 
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10
@@ -121,12 +140,12 @@ server:
 
 	# use SO_REUSEPORT to distribute queries over threads.
 	# at extreme load it could be better to turn it off to distribute even.
-	# so-reuseport: yes
+	so-reuseport: yes
 
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
 	# and you can config non-existing IPs that are going to work later on
 	# (uses IP_BINDANY on FreeBSD).
-	# ip-transparent: no
+	ip-transparent: yes
 
 	# use IP_FREEBIND so the interface: addresses can be non-local
 	# and you can bind to nonexisting IPs and interfaces that are down.
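Review bot: `ip-transparent: yes` flips an upstream default that permits binding to non-local addresses, but unlike the other overrides in this patch it carries no rationale comment. As far as I know setting IP_TRANSPARENT also needs elevated capabilities at bind time, so a reader auditing the default install will want to know why it is on. Suggest a line above it such as `# Fedora: <reason non-local bind is wanted on a default install — confirm>`, replacing the placeholder with the actual motivation.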
@@ -276,6 +295,8 @@ server:
 	# nat64-prefix: 64:ff9b::0/96
 
 	# Enable UDP, "yes" or "no".
+	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
+	# disable UDP to avoid being used in DNS amplification attacks.
 	# do-udp: yes
 
 	# Enable TCP, "yes" or "no".
@@ -301,7 +322,7 @@ server:
 	# tcp-idle-timeout: 30000
 
 	# Enable EDNS TCP keepalive option.
-	# edns-tcp-keepalive: no
+	edns-tcp-keepalive: yes
 
 	# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
 	# if edns-tcp-keepalive is set.
@@ -311,6 +332,9 @@ server:
 	# can be dropped. Default is 0, disabled. In seconds, such as 3.
 	# sock-queue-timeout: 0
 
+	# Fedora note: do not activate this - not compiled in because
+	# it causes frequent unbound crashes. Also, socket activation
+	# is bad when you have things like dnsmasq also running with libvirt.
 	# Use systemd socket activation for UDP, TCP, and control sockets.
 	# use-systemd: no
 
@@ -424,6 +448,7 @@ server:
 	#
 	# If you give "" no chroot is performed. The path must not end in a /.
 	# chroot: "@UNBOUND_CHROOT_DIR@"
+	chroot: ""
 
 	# if given, user privileges are dropped (after binding port),
 	# and the given username is assumed. Default is user "unbound".
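Review bot: `chroot: ""` silently removes the chroot hardening that the surrounding text describes, and nothing in the hunk says what confines the daemon instead. Since the rest of the patch annotates its Fedora-specific overrides ("Fedora note:", "Fedora:"), this one deserves the same treatment, e.g. `# Fedora: chroot disabled; confinement relies on <SELinux policy / systemd unit sandboxing — confirm>`. Note that the next hunk also sets `directory: "/etc/unbound"`, which is what the relative include globs added later in this patch are resolved against.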
@@ -435,7 +460,7 @@ server:
 	# is not changed.
 	# If you give a server: directory: dir before include: file statements
 	# then those includes can be relative to the working directory.
-	# directory: "@UNBOUND_RUN_DIR@"
+	directory: "/etc/unbound"
 
 	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
@@ -450,7 +475,7 @@ server:
 	# log-identity: ""
 
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
-	# log-time-ascii: no
+	log-time-ascii: yes
 
 	# print one line with time, IP, name, type, class for every query.
 	# log-queries: no
@@ -522,22 +547,22 @@ server:
 	# harden-large-queries: no
 
 	# Harden against out of zone rrsets, to avoid spoofing attempts.
-	# harden-glue: yes
+	harden-glue: yes
 
 	# Harden against receiving dnssec-stripped data. If you turn it
 	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
-	# harden-dnssec-stripped: yes
+	harden-dnssec-stripped: yes
 
 	# Harden against queries that fall under dnssec-signed nxdomain names.
-	# harden-below-nxdomain: yes
+	harden-below-nxdomain: yes
 
 	# Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
 	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
-	# harden-referral-path: no
+	harden-referral-path: yes
 
 	# Harden against algorithm downgrade when multiple algorithms are
 	# advertised in the DS record.  If no, allows the weakest algorithm
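Review bot: `harden-referral-path: yes` enables a feature whose own description two lines above says it is default off because the extra lookups burden the server and the implementation is experimental, yet the override has no comment. The other three lines in this hunk merely uncomment upstream defaults, so this is the one change a reader will question. Either add a rationale, e.g. `# Fedora: enabled despite the extra lookups; <reason — confirm>`, or leave it at the upstream default.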
@@ -551,7 +576,7 @@ server:
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to A when possible.
-	# qname-minimisation: yes
+	qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
 	# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -561,7 +586,7 @@ server:
 
 	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 	# and other denials, using information from previous NXDOMAINs answers.
-	# aggressive-nsec: yes
+	aggressive-nsec: yes
 
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
@@ -594,7 +619,7 @@ server:
 	# threshold, a warning is printed and a defensive action is taken,
 	# the cache is cleared to flush potential poison out of it.
 	# A suggested value is 10000000, the default is 0 (turned off).
-	# unwanted-reply-threshold: 0
+	unwanted-reply-threshold: 10000000
 
 	# Do not query the following addresses. No DNS queries are sent there.
 	# List one address per entry. List classless netblocks with /size,
@@ -606,20 +631,20 @@ server:
 	# do-not-query-localhost: yes
 
 	# if yes, perform prefetching of almost expired message cache entries.
-	# prefetch: no
+	prefetch: yes
 
 	# if yes, perform key lookups adjacent to normal lookups.
-	# prefetch-key: no
+	prefetch-key: yes
 
 	# deny queries of type ANY with an empty response.
-	# deny-any: no
+	deny-any: yes
 
 	# if yes, Unbound rotates RRSet order in response.
-	# rrset-roundrobin: yes
+	rrset-roundrobin: yes
 
 	# if yes, Unbound doesn't insert authority/additional sections
 	# into response messages when those sections are not required.
-	# minimal-responses: yes
+	minimal-responses: yes
 
 	# true to disable DNSSEC lameness check in iterator.
 	# disable-dnssec-lame-check: no
@@ -629,7 +654,9 @@ server:
 	# most modules have to be listed at the beginning of the line,
 	# except cachedb(just before iterator), and python (at the beginning,
 	# or, just before the iterator).
-	# module-config: "validator iterator"
+	# For redis cachedb use:
+	#    "ipsecmod validator cachedb iterator"
+	module-config: "ipsecmod validator iterator"
 
 	# File with trusted keys, kept uptodate using RFC5011 probes,
 	# initial file like trust-anchor-file, then it stores metadata.
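Review bot: `module-config: "ipsecmod validator iterator"` now hard-requires a build with `--enable-ipsecmod`, which the file itself notes further down ("Unbound needs to be configured with --enable-ipsecmod for these to take effect"); as far as I recall, a module name that is not compiled in makes unbound refuse to start rather than ignore it. A comment here would save anyone rebuilding the package without that option from a startup failure: `# Fedora: ipsecmod requires a build with --enable-ipsecmod; remove it from this list otherwise`. The "For redis cachedb use:" hint would benefit from the same kind of caveat, since cachedb is likewise an optional build-time module.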
@@ -643,10 +670,10 @@ server:
 	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 
 	# trust anchor signaling sends a RFC8145 key tag query after priming.
-	# trust-anchor-signaling: yes
+	trust-anchor-signaling: yes
 
 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
-	# root-key-sentinel: yes
+	root-key-sentinel: yes
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
@@ -667,6 +694,9 @@ server:
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
+	#
+	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
 
 	# Ignore chain of trust. Domain is treated as insecure.
 	# domain-insecure: "example.com"
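Review bot: `trusted-keys-file: /etc/unbound/keys.d/*.key` is unquoted while the example above it, the `auto-trust-anchor-file` line right below it, and every other path in this file are quoted; `trusted-keys-file: "/etc/unbound/keys.d/*.key"` keeps the file consistent. The text earlier in this section says the auto-trust-anchor file "stores metadata" from RFC5011 probes, so `/var/lib/unbound/root.key` has to be writable by the user unbound drops to; a one-line comment stating that would help whoever relocates it. The bare `#` line added just before these two settings adds nothing and could be dropped.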
@@ -694,14 +724,15 @@ server:
 	# unsecure data. Useful to shield the users of this validator from
 	# potential bogus data in the additional section. All unsigned data
 	# in the additional section is removed from secure messages.
-	# val-clean-additional: yes
+	val-clean-additional: yes
 
 	# Turn permissive mode on to permit bogus messages. Thus, messages
 	# for which security checks failed will be returned to clients,
 	# instead of SERVFAIL. It still performs the security checks, which
 	# result in interesting log files and possibly the AD bit in
 	# replies if the message is found secure. The default is off.
-	# val-permissive-mode: no
+	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+	val-permissive-mode: no
 
 	# Ignore the CD flag in incoming queries and refuse them bogus data.
 	# Enable it if the only clients of Unbound are legacy servers (w2008)
@@ -715,11 +746,11 @@ server:
 
 	# Serve expired responses from cache, with serve-expired-reply-ttl in
 	# the response, and then attempt to fetch the data afresh.
-	# serve-expired: no
+	serve-expired: yes
 	#
 	# Limit serving of expired responses to configured seconds after
 	# expiration. 0 disables the limit.
-	# serve-expired-ttl: 0
+	serve-expired-ttl: 14400
 	#
 	# Set the TTL of expired records to the serve-expired-ttl value after a
 	# failed attempt to retrieve the record from upstream. This makes sure
@@ -746,7 +777,7 @@ server:
 
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
-	# val-log-level: 0
+	val-log-level: 1
 
 	# It is possible to configure NSEC3 maximum iteration counts per
 	# keysize. Keep this table very short, as linear search is done.
@@ -890,6 +921,8 @@ server:
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"
 
+	include: /etc/unbound/local.d/*.conf
+
 	# tag a localzone with a list of tag names (in "" with spaces between)
 	# local-zone-tag: "example.com" "tag2 tag3"
 
@@ -900,8 +933,8 @@ server:
 	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
 	# Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
-	# tls-service-key: "path/to/privatekeyfile.key"
-	# tls-service-pem: "path/to/publiccertfile.pem"
+	# tls-service-key: "/etc/unbound/unbound_server.key"
+	# tls-service-pem: "/etc/unbound/unbound_server.pem"
 	# tls-port: 853
 	# https-port: 443
 
@@ -909,6 +942,8 @@ server:
 	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
 	# cipher setting for TLSv1.3
 	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+	# Fedora/RHEL: use system-wide crypto policies
+	tls-ciphers: "PROFILE=SYSTEM"
 
 	# Pad responses to padded queries received over TLS
 	# pad-responses: yes
@@ -1045,12 +1080,12 @@ server:
 	# cookie-secret: <128 bit random hex string>
 
 	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
-	# ede: no
+	ede: yes
 
 	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
 	# Answer as EDNS0 option to expired responses.
 	# Note that the ede option above needs to be enabled for this to work.
-	# ede-serve-expired: no
+	ede-serve-expired: yes
 
 	# Specific options for ipsecmod. Unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
@@ -1058,12 +1093,14 @@ server:
 	# Enable or disable ipsecmod (it still needs to be defined in
 	# module-config above). Can be used when ipsecmod needs to be
 	# enabled/disabled via remote-control(below).
-	# ipsecmod-enabled: yes
-	#
+	# Fedora: module will be enabled on-demand by libreswan
+	ipsecmod-enabled: no
+
 	# Path to executable external hook. It must be defined when ipsecmod is
 	# listed in module-config (above).
 	# ipsecmod-hook: "./my_executable"
-	#
+	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
+
 	# When enabled Unbound will reply with SERVFAIL if the return value of
 	# the ipsecmod-hook is not 0.
 	# ipsecmod-strict: no
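Review bot: `ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook` has no space after the colon and no quotes, unlike the example immediately above it and every other key/value line in the file. The lexer appears to tolerate it, but it reads like a typo and will trip anyone grepping for `ipsecmod-hook: `; write it as `ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"`. Since this is the executable unbound runs for the module, the comment could also note that the hook is only invoked when `ipsecmod-enabled` is switched on (by libreswan, per the note added above).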
@@ -1096,7 +1133,7 @@ server:
 # o and give a python-script to run.
 python:
 	# Script file to load
-	# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
+	# python-script: "/etc/unbound/ubmodule-tst.py"
 
 # Dynamic library config section. To enable:
 # o use --with-dynlibmodule to configure before compiling.
@@ -1107,13 +1144,14 @@ python:
 #   the module-config then you need one dynlib-file per instance.
 dynlib:
 	# Script file to load
-	# dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
+	# dynlib-file: "/etc/unbound/dynlib.so"
 
 # Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
-	# control-enable: no
+	# Note: required for unbound-munin package
+	control-enable: yes
 
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
@@ -1121,6 +1159,7 @@ remote-control:
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
+	# moved to /etc/unbound/conf.d/remote-control.conf
 
 	# port number for remote control operations.
 	# control-port: 8953
@@ -1130,16 +1169,19 @@ remote-control:
 	# control-use-cert: "yes"
 
 	# Unbound server key file.
-	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
+	server-key-file: "/etc/unbound/unbound_server.key"
 
 	# Unbound server certificate file.
-	# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
+	server-cert-file: "/etc/unbound/unbound_server.pem"
 
 	# unbound-control key file.
-	# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
+	control-key-file: "/etc/unbound/unbound_control.key"
 
 	# unbound-control certificate file.
-	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+	control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub and Forward zones
+include: /etc/unbound/conf.d/*.conf
 
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and
@@ -1161,6 +1203,10 @@ remote-control:
 #	name: "example.org"
 #	stub-host: ns.example.com.
 
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
 # Forward zones
 # Create entries like below, to make all queries for 'example.com' and
 # 'example.org' go to the given list of servers. These servers have to handle
@@ -1178,6 +1224,10 @@ remote-control:
 # forward-zone:
 # 	name: "example.org"
 # 	forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
 
 # Authority zones
 # The data for these zones is kept locally, from a file or downloaded.
@@ -1188,27 +1238,28 @@ remote-control:
 # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from primaries and urls)
 # sources of notifies.
-# auth-zone:
-#	name: "."
-#	primary: 170.247.170.2        # b.root-servers.net
-#	primary: 192.33.4.12          # c.root-servers.net
-#	primary: 199.7.91.13          # d.root-servers.net
-#	primary: 192.5.5.241          # f.root-servers.net
-#	primary: 192.112.36.4         # g.root-servers.net
-#	primary: 193.0.14.129         # k.root-servers.net
-#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-#	primary: 2801:1b8:10::b       # b.root-servers.net
-#	primary: 2001:500:2::c        # c.root-servers.net
-#	primary: 2001:500:2d::d       # d.root-servers.net
-#	primary: 2001:500:2f::f       # f.root-servers.net
-#	primary: 2001:500:12::d0d     # g.root-servers.net
-#	primary: 2001:7fd::1          # k.root-servers.net
-#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-#	fallback-enabled: yes
-#	for-downstream: no
-#	for-upstream: yes
+ auth-zone:
+	name: "."
+	primary: 170.247.170.2        # b.root-servers.net
+	primary: 192.33.4.12          # c.root-servers.net
+	primary: 199.7.91.13          # d.root-servers.net
+	primary: 192.5.5.241          # f.root-servers.net
+	primary: 192.112.36.4         # g.root-servers.net
+	primary: 193.0.14.129         # k.root-servers.net
+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+	primary: 2801:1b8:10::b       # b.root-servers.net
+	primary: 2001:500:2::c        # c.root-servers.net
+	primary: 2001:500:2d::d       # d.root-servers.net
+	primary: 2001:500:2f::f       # f.root-servers.net
+	primary: 2001:500:12::d0d     # g.root-servers.net
+	primary: 2001:7fd::1          # k.root-servers.net
+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+	fallback-enabled: yes
+	for-downstream: no
+	for-upstream: yes
+
 # auth-zone:
 #	name: "example.org"
 #	for-downstream: yes
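Review bot: The uncommented clause header kept the space that followed the old `#`, so the line is ` auth-zone:` with a leading blank; every other clause in the file starts at column 0, so it should be `auth-zone:`. Enabling a local copy of the root zone for every default install is a meaningful behavioural change (the resolver now performs AXFR/IXFR against the listed root servers), and the hunk carries no rationale; a short comment such as `# Fedora: serve the root zone locally (RFC 8806); fallback-enabled keeps normal recursion when the transfer fails` would document both the intent and why `fallback-enabled: yes` matters.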
@@ -1234,6 +1285,9 @@ remote-control:
 #	name: "anotherview"
 #	local-zone: "example.com" refuse
 
+# Fedora: DNSCrypt support not enabled since it requires linking to
+#         another crypto library
+#
 # DNSCrypt
 # To enable, use --enable-dnscrypt to configure before compiling.
 # Caveats:
@@ -1309,7 +1363,7 @@ remote-control:
 # 	dnstap-enable: no
 # 	# if set to yes frame streams will be used in bidirectional mode
 # 	dnstap-bidirectional: yes
-# 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
+# 	dnstap-socket-path: "/etc/unbound/dnstap.sock"
 # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
 # 	# set it to "IPaddress[@port]" of the destination.
 # 	dnstap-ip: ""
-- 
2.44.0