From 8f01162aefc10fc09683850aa64198157a2573e4 Mon Sep 17 00:00:00 2001
From: Lucas MATHIEU
Date: Sun, 6 Jul 2025 18:25:50 +0200
Subject: [PATCH] Adding configuration file of unbound, dnsdist and chrony
---
etc/chrony/chrony.conf | 54 ++++++++++++++++++++++
etc/dnsdist/dnsdist.conf | 88 +++++++++++++++++++++++++++++++++++
etc/unbound/unbound.conf | 99 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 241 insertions(+)
create mode 100644 etc/chrony/chrony.conf
create mode 100644 etc/dnsdist/dnsdist.conf
create mode 100644 etc/unbound/unbound.conf
diff --git a/etc/chrony/chrony.conf b/etc/chrony/chrony.conf
new file mode 100644
index 0000000..e06e276
--- /dev/null
+++ b/etc/chrony/chrony.conf
@@ -0,0 +1,54 @@
+# /etc/chrony/chrony.conf : chrony conf. file for cantal
+#
+# Last edition : 2025-07-06
+# Last editor : @Campanu
+#
+
+# General
+bindaddress 0.0.0.0
+bindaddress 2a01:e0a:4d5:3c20::101b
+allow 0/0
+allow ::/0
+
+local stratum 2
+makestep 1.0 3
+#leapsectz right/UTC
+
+cmdport 0
+
+# Paths
+leapseclist /usr/share/zoneinfo/leap-seconds.list
+driftfile /var/lib/chrony/chrony.drift
+
+# Logs
+logdir /var/log/chrony
+log tracking measurements statistics
+clientloglimit 1048576
+
+## Client logging activated for tests
+#noclientlog
+
+# Rate limits
+ratelimit interval 2 burst 4 leak 2
+ntsratelimit interval 2 burst 4 leak 2
+
+# NTS
+ntsntpserver ntp2.luc-geo.fr
+ntsserverkey /path/to/privkey.pem
+ntsservercert /path/to/fullchain.crt
+ntsdumpdir /var/lib/chrony
+
+# Synchronization servers
+
+## Stratum 1
+server ntp0.fau.de nts iburst
+server ntp0.ipv6.fau.de nts iburst prefer
+server ntp3.fau.de nts iburst
+server ntp3.ipv6.fau.de nts iburst prefer
+server ptbtime1.ptb.de nts iburst
+server ptbtime2.ptb.de nts iburst
+server ptbtime3.ptb.de nts iburst
+server ptbtime4.ptb.de nts iburst
+
+## Stratum 3 (fallback)
+server time.cloudflare.com nts iburst
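Review bot: `local stratum 2` lets this server keep answering public clients (`allow 0/0`, `allow ::/0`) from its free-running clock while advertising stratum 2 once every NTS source is lost, and downstream clients will read that as a well-synchronized source; chrony's default for `local` is stratum 10, so for a public server the directive should either be dropped or made honest, e.g. `local stratum 10 orphan`. The `ntsserverkey /path/to/privkey.pem` and `ntsservercert /path/to/fullchain.crt` placeholders are committed as-is, so NTS-KE will presumably not start from this file; a comment such as `# Replace with the real certificate paths before deployment; the key file must be readable only by the chrony user` would make that explicit. `cmdport 0` closing the command port while the NTP port is open to everyone is a good choice and worth keeping, as are the `ratelimit`/`ntsratelimit` lines.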
diff --git a/etc/dnsdist/dnsdist.conf b/etc/dnsdist/dnsdist.conf
new file mode 100644
index 0000000..194a43a
--- /dev/null
+++ b/etc/dnsdist/dnsdist.conf
@@ -0,0 +1,88 @@
+-- /etc/dnsdist/dnsdist.conf: dndist conf. file for cantal
+--
+-- Last edition : 2025-07-06
+-- Last editor : @Campanu
+--
+
+-- ACL
+setACL("0.0.0.0/0")
+addACL("[::]/0")
+
+-- Request rate limite
+addAction(MaxQPSIPRule(100), DropAction())
+
+-- Backend servers
+setServerPolicy(firstAvailable)
+newServer({address = "[::1]:53", useClientSubnet = false, name = "cantal-unbound"})
+
+-- Cache
+pc = newPacketCache(100000)
+getPool(""):setCache(pc)
+
+-- Tweaks
+setMaxUDPOutstanding(65535)
+setMaxTCPClientThreads(30)
+setMaxTCPConnectionDuration(1800)
+setMaxTCPQueriesPerConnection(300)
+setMaxTCPConnectionsPerClient(10)
+
+-- DoT
+addTLSLocal(
+ "[2a01:e0a:4d5:3c20::101a]:853",
+ "/path/to/fullchain.pem",
+ "/path/to/privkey.key",
+ {
+ provider = "openssl",
+ minTLSVersion = "tls1.2",
+ ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
+ ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
+ tcpFastOpenQueueSize = 256,
+ maxInFlight = 300
+ }
+)
+
+-- DoH
+addDOHLocal(
+ "[2a01:e0a:4d5:3c20::101a]:443",
+ "/path/to/fullchain.pem",
+ "/path/to/privkey.key",
+ {
+ "/dns-query",
+ "/",
+ "/help",
+ "/about",
+ "/policy",
+ "/rfc"
+ },
+ {
+ minTLSVersion = "tls1.2",
+ ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
+ ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
+ customResponseHeaders={["link"]=" rel=\"service-meta\";type=\"text/html\""}
+ }
+)
+
+supportpagemap = {
+ newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) open-source and privacy friendly.
For more informations, see ."),
+ newDOHResponseMapEntry("^/help$", 200, "For the server policy, see ."),
+ newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"),
+ newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"),
+ newDOHResponseMapEntry("^/rfc$", 307, "https://datatracker.ietf.org/doc/html/rfc8484")
+}
+
+dohFE6 = getDOHFrontend(0)
+dohFE6:setResponsesMap(supportpagemap)
+
+-- Webserver
+webserver("192.168.X.X:X")
+setWebserverConfig(
+ {
+ password = hashPassword(""),
+ apiKey = hashPassword(""),
+ acl = ""
+ }
+)
+
+-- Console
+controlSocket('[::1]:5199')
+setKey("")
diff --git a/etc/unbound/unbound.conf b/etc/unbound/unbound.conf
new file mode 100644
index 0000000..15c9e44
--- /dev/null
+++ b/etc/unbound/unbound.conf
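Review bot: The webserver and console credentials at the end of the dnsdist hunk are empty placeholders — `password = hashPassword("")`, `apiKey = hashPassword("")`, `acl = ""` and `setKey("")` — and because `hashPassword("")` is a valid hash of the empty string, a copy deployed unchanged would presumably accept an empty password and API key on the listener at `192.168.X.X:X`. Generate the console key with `makeKey()` and keep both secrets out of the committed file, for instance by loading them from a root-only file with `dofile("/path/to/secrets.lua")` (placeholder path) and adding the comment `-- secrets are loaded from a file outside this repository`. `controlSocket('[::1]:5199')` binding to loopback limits the console's exposure, but an empty `setKey` likely leaves the console protocol without its intended encryption and authentication. `MaxQPSIPRule(100)` and `useClientSubnet = false` are sensible defaults for a public resolver and match the loopback-only unbound backend.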
@@ -0,0 +1,99 @@
+# /etc/unbound/unbound.conf : unbound conf. file for cantal
+#
+# Last edition : 2025-07-06
+# Last editor : @Campanu
+#
+
+server:
+ # Modules
+ module-config: "validator iterator"
+
+ # General
+ ## Run as daemon
+ do-daemonize: yes
+
+ ## Listening interfaces
+ interface: 127.0.0.1
+ interface: ::1
+ port: 53
+
+ ## ACLs
+ access-control: 127.0.0.0/8 allow
+ access-control: ::1/128 allow
+
+ ## Network protocols
+ do-ip4: yes
+ do-ip6: yes
+ do-udp: yes
+ do-tcp: yes
+ prefer-ip6: yes
+ edns-tcp-keepalive: yes
+
+ ## Root hints file
+ root-hints: "/etc/unbound/root.hints"
+
+ # Security & privacy
+ harden-algo-downgrade: yes
+ harden-glue: yes
+ hide-identity: yes
+ hide-version: yes
+ qname-minimisation: yes
+ val-clean-additional: yes
+
+ # DNSSEC
+ harden-below-nxdomain: yes
+ harden-dnssec-stripped: yes
+
+ auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
+
+ ## Disabling capitalization randomization to avoid DNSSEC issues
+ use-caps-for-id: no
+
+ ## RFC 8198: Aggressive Use of DNSSEC-Validated Cache
+ aggressive-nsec: yes
+
+ # Tweaks
+ num-threads: 2
+ so-reuseport: yes
+
+ prefetch: yes
+ prefetch-key: yes
+
+ unwanted-reply-threshold: 10000
+
+ # Cache & memory
+ msg-cache-slabs: 2
+ rrset-cache-slabs: 2
+ infra-cache-slabs: 2
+ key-cache-slabs: 2
+
+ neg-cache-size: 4m
+ key-cache-size: 16m
+ msg-cache-size: 128m
+ rrset-cache-size: 256m
+
+ infra-cache-numhosts: 100000
+
+ ## TTL
+ cache-min-ttl: 60
+ cache-max-ttl: 86400
+
+ # RFC 8914: Extended DNS Errors
+ ede: yes
+ ede-serve-expired: yes
+
+ # RFC 8767: Serving Stale Data
+ serve-expired: yes
+ serve-expired-ttl: 86400
+ serve-expired-ttl-reset: no
+ serve-expired-reply-ttl: 30
+ serve-expired-client-timeout: 1800
+
+ # Logging
+ use-syslog: no
+ logfile: "/var/log/unbound.log"
+ verbosity: 1
+ log-time-ascii: yes
+
+remote-control:
+ control-enable: no
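Review bot: `use-caps-for-id: no` under "Security & privacy" switches off the 0x20 query-name randomization that adds entropy against spoofed upstream answers, and the comment only says it was done "to avoid DNSSEC issues" without naming the zones that failed; `unwanted-reply-threshold: 10000` is a reactive measure and does not replace it. Unbound can keep `use-caps-for-id: yes` and exempt the few authoritative servers that mishandle mixed-case names with `caps-exempt: <zone>` (formerly `caps-whitelist`), so the comment should at least record which zones broke, e.g. `## 0x20 disabled because <zone> failed on <date>; re-test with caps-exempt before keeping this`. `use-syslog: no` with `logfile: "/var/log/unbound.log"` also assumes that path is writable by the unbound user and inside any chroot the package applies; neither `chroot` nor `username` appears in this file, so that depends on build defaults and is worth a comment. The loopback-only `interface`/`access-control` pair and `control-enable: no` are consistent with a backend reachable only through dnsdist.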