Etherarp

Networking, Security, Linux


Unbound

Rohan Molloy
server:
port: 53

# Run in a chroot
chroot: "/etc/unbound"

# Run as the unbound user
username: unbound

# Address/interface to listen on
# Use 0.0.0.0 to listen on all
interface: 127.0.0.1
# interface: 192.168.1.1

# Egress interface
# We also have the option of specifying the outgoing interface.
# This is applicable if you have multiple links to the internet
# and wish to restrict VPN traffic to a particular one.
outgoing-interface: 192.0.2.69

# Protocols to use
do-ip6: no
do-ip4: yes
do-udp: yes
do-tcp: yes

# Access control
# Specify the CIDR blocks to allow or deny.
# On an internet-reachable host, use iptables too.
access-control: 127.0.0.0/8     allow
access-control: 10.0.0.0/8      allow
access-control: 192.168.0.0/16  allow
access-control: 172.16.0.0/12   allow
access-control: 0.0.0.0/0       refuse

# Root hints
# Next, we manually download the root hints:
#   wget -qO root.hints https://www.internic.net/domain/named.cache
root-hints: "/etc/unbound/root.hints"

# Trust anchors
# File containing trust anchors. A trust anchor is the key used to sign
# the DNS root zone and forms the foundation of the DNSSEC chain of trust.
auto-trust-anchor-file: "/etc/unbound/root.key"

# Do not provide version.bind and hostname.bind
hide-identity: yes
hide-version: yes

# Trust glue records only if they are within the server's authority.
# Suppose I want to set ns.etherarp.net as the NS for etherarp.net;
# then I need to set the record 'ns' as a glue record.
harden-glue: yes

# When sending a query to the authoritative NS, use a mix of
# uppercase and lowercase. Best to leave this set to "no" (the default),
# as it can cause unreliability.
use-caps-for-id: no

# Performance and computational options.
# If you don't have a multicore/hyperthreaded machine (e.g. running on an
# embedded router), set num-threads to 1 (disables multithreading).
# The slabs must take a value approximately double the number of threads;
# this value must be a power of 2.
num-threads:        4
msg-cache-slabs:    2
rrset-cache-slabs:  2
key-cache-slabs:    2
infra-cache-slabs:  2

# RRset cache size
# The RRset cache holds record values such as A and NS.
# These values are appropriate for a desktop or server;
# on a small embedded device like a router, use values like 2m.
rrset-cache-size: 256m

# Message cache size
# The msg cache contains metadata, things like the AD bit etc.
# This should be 1/2 the size of the rrset-cache.
msg-cache-size: 128m

# Prefetch the message cache:
# when popular entries are about to expire, we refresh them.
prefetch: yes

# Override records with short TTL (time to live)
# We do --not-- update records below this time.
# Don't make it longer than ~300s, or you may get stale records.
cache-min-ttl: 300

# Override records with long TTL
# Don't keep cached records for longer than 30h (10800)
cache-max-ttl: 10800

# Custom records

# Forward zone
# Suppose you have a special DNS provider for accessing US Netflix.
# You can set a forward zone here so that queries for netflix.com are
# selectively forwarded to that server.
forward-zone:
    name:           "netflix.com"
    # forward-addr takes a single resolver IP address, not a CIDR block;
    # 198.51.100.1 is a placeholder in the documentation range.
    forward-addr:   198.51.100.1

# Stub zones
# There is also a type of zone known as a stub zone.
# In contrast to a forward zone, a stub zone does not perform recursion,
# and so the stub server must be authoritative.
stub-zone:
    name: "2.4.10.in-addr.arpa."
    stub-addr: "10.4.0.53"

# Internal records
local-data:      "gateway IN A 192.168.1.1"
local-data:      "foo-pc  IN A 192.168.1.2"
local-data:      "bar-pc  IN A 192.168.1.3"
# local-data-ptr takes "<address> <name>" and generates the reverse (PTR) record
local-data-ptr:  "192.168.1.1 gateway"

# We can split our config into multiple files.
# Let's add a file containing local records to block ad domains.
include: /etc/unbound/ads.conf
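As an added example (not part of the original post), here is a small Python script that builds that ads.conf from a plain domain list. The BLOCKLIST input, the output path and the function names are constructed for illustration. It emits local-zone lines, which are server clause options, so the include: line belongs inside the server clause as it does above.

```python
# Added example: generate /etc/unbound/ads.conf from a domain list.
# Not from the original post; BLOCKLIST and the output path are constructed.

# Constructed sample blocklist: plain domains, a hosts-file style line,
# odd casing, a trailing dot, a comment, a bare hostname and a duplicate.
BLOCKLIST = """\
# constructed sample list
ads.example
0.0.0.0 tracker.example
  Banner.Example.     # mixed case, trailing dot
0.0.0.0 localhost
ads.example
"""


def normalize(domain):
    """Lower-case the name and strip whitespace and any trailing dot."""
    return domain.strip().rstrip(".").lower()


def to_local_zones(text, action="always_nxdomain"):
    """Turn a domain list into unbound local-zone lines, deduplicated and sorted.
    always_nxdomain answers NXDOMAIN for the domain and every name under it;
    pass action="static" on Unbound versions that predate always_nxdomain."""
    zones = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        domain = normalize(line.split()[-1])  # tolerate "0.0.0.0 domain" lines
        if "." in domain:                      # skip bare names such as localhost
            zones.add(domain)
    return [f'local-zone: "{zone}." {action}' for zone in sorted(zones)]


def write_ads_conf(path, text):
    """Write the generated lines to the file that include: points at.
    Returns the number of zones written."""
    lines = to_local_zones(text)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # Hypothetical path; the post includes /etc/unbound/ads.conf from server:
    for line in to_local_zones(BLOCKLIST):
        print(line)
```

After regenerating the file, `unbound-checkconf` validates the result and `unbound-control reload` (if remote-control is enabled) picks it up without restarting the resolver.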

# Forward to an external resolver
# Delegate root
forward-zone:
    name:          "."
    forward-addr:  8.8.8.8
    forward-addr:  8.8.4.4