Adding configuration file of unbound, dnsdist and chrony

2025-07-06 18:25:50 +02:00
parent 6cecd5c93e
commit 8f01162aef
3 changed files with 241 additions and 0 deletions
--- a/etc/dnsdist/dnsdist.conf
+++ b/etc/dnsdist/dnsdist.conf
@@ -0,0 +1,88 @@
+-- /etc/dnsdist/dnsdist.conf: dndist conf. file for cantal
+-- 
+-- Last edition : 2025-07-06
+-- Last editor : @Campanu
+-- 
+
+-- ACL
+setACL("0.0.0.0/0")
+addACL("[::]/0")
+
+-- Request rate limite
+addAction(MaxQPSIPRule(100), DropAction()) 
+
+-- Backend servers
+setServerPolicy(firstAvailable)
+newServer({address = "[::1]:53", useClientSubnet = false, name = "cantal-unbound"})
+
+-- Cache
+pc = newPacketCache(100000)
+getPool(""):setCache(pc)
+
+-- Tweaks
+setMaxUDPOutstanding(65535)
+setMaxTCPClientThreads(30)
+setMaxTCPConnectionDuration(1800)
+setMaxTCPQueriesPerConnection(300)
+setMaxTCPConnectionsPerClient(10)
+
+-- DoT
+addTLSLocal(
+    "[2a01:e0a:4d5:3c20::101a]:853",
+    "/path/to/fullchain.pem",
+    "/path/to/privkey.key",
+    {
+        provider = "openssl",
+        minTLSVersion = "tls1.2",
+        ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
+        ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
+        tcpFastOpenQueueSize = 256,
+        maxInFlight = 300
+    }
+)
+
+-- DoH
+addDOHLocal(
+    "[2a01:e0a:4d5:3c20::101a]:443",
+    "/path/to/fullchain.pem",
+    "/path/to/privkey.key",
+    {
+        "/dns-query",
+        "/",
+        "/help",
+        "/about",
+        "/policy",
+        "/rfc"
+    },
+    {
+        minTLSVersion = "tls1.2",
+        ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
+        ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
+        customResponseHeaders={["link"]="<https://cantal.luc-geo.fr/#dns> rel=\"service-meta\";type=\"text/html\""}
+    }
+)
+
+supportpagemap = {
+    newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) open-source and privacy friendly. For more informations, see <https://cantal.luc-geo.fr>."),
+    newDOHResponseMapEntry("^/help$", 200, "For the server policy, see <https://cantal.luc-geo.fr/#policy>."),
+    newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"),
+    newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"),
+    newDOHResponseMapEntry("^/rfc$", 307, "https://datatracker.ietf.org/doc/html/rfc8484")
+}
+
+dohFE6 = getDOHFrontend(0)
+dohFE6:setResponsesMap(supportpagemap)
+
+-- Webserver
+webserver("192.168.X.X:X")
+setWebserverConfig(
+    {
+        password = hashPassword("<password>"),
+        apiKey = hashPassword("<api-key>"),
+        acl = ""
+    }
+)
+
+-- Console
+controlSocket('[::1]:5199')
+setKey("<key>")