Adding configuration file of unbound, dnsdist and chrony

2025-07-06 18:25:50 +02:00
parent 6cecd5c93e
commit 8f01162aef
3 changed files with 241 additions and 0 deletions
--- a/etc/chrony/chrony.conf
+++ b/etc/chrony/chrony.conf
@@ -0,0 +1,54 @@
+# /etc/chrony/chrony.conf : chrony conf. file for cantal
+#
+# Last edition : 2025-07-06
+# Last editor : @Campanu
+#
+
+# General
+bindaddress 0.0.0.0
+bindaddress 2a01:e0a:4d5:3c20::101b
+allow 0/0
+allow ::/0
+
+local stratum 2
+makestep 1.0 3
+#leapsectz right/UTC
+
+cmdport 0
+
+# Paths
+leapseclist /usr/share/zoneinfo/leap-seconds.list
+driftfile /var/lib/chrony/chrony.drift
+
+# Logs
+logdir /var/log/chrony
+log tracking measurements statistics
+clientloglimit 1048576
+
+## Client logging activated for tests
+#noclientlog
+
+# Rate limits
+ratelimit interval 2 burst 4 leak 2 
+ntsratelimit interval 2 burst 4 leak 2
+
+# NTS
+ntsntpserver ntp2.luc-geo.fr
+ntsserverkey /path/to/privkey.pem
+ntsservercert /path/to/fullchain.crt
+ntsdumpdir /var/lib/chrony
+
+# Synchronization servers
+
+## Stratum 1
+server ntp0.fau.de nts iburst
+server ntp0.ipv6.fau.de nts iburst prefer
+server ntp3.fau.de nts iburst
+server ntp3.ipv6.fau.de nts iburst prefer
+server ptbtime1.ptb.de nts iburst
+server ptbtime2.ptb.de nts iburst
+server ptbtime3.ptb.de nts iburst
+server ptbtime4.ptb.de nts iburst
+
+## Stratum 3 (fallback)
+server time.cloudflare.com nts iburst
--- a/etc/dnsdist/dnsdist.conf
+++ b/etc/dnsdist/dnsdist.conf
@@ -0,0 +1,88 @@
+-- /etc/dnsdist/dnsdist.conf: dndist conf. file for cantal
+-- 
+-- Last edition : 2025-07-06
+-- Last editor : @Campanu
+-- 
+
+-- ACL
+setACL("0.0.0.0/0")
+addACL("[::]/0")
+
+-- Request rate limite
+addAction(MaxQPSIPRule(100), DropAction()) 
+
+-- Backend servers
+setServerPolicy(firstAvailable)
+newServer({address = "[::1]:53", useClientSubnet = false, name = "cantal-unbound"})
+
+-- Cache
+pc = newPacketCache(100000)
+getPool(""):setCache(pc)
+
+-- Tweaks
+setMaxUDPOutstanding(65535)
+setMaxTCPClientThreads(30)
+setMaxTCPConnectionDuration(1800)
+setMaxTCPQueriesPerConnection(300)
+setMaxTCPConnectionsPerClient(10)
+
+-- DoT
+addTLSLocal(
+    "[2a01:e0a:4d5:3c20::101a]:853",
+    "/path/to/fullchain.pem",
+    "/path/to/privkey.key",
+    {
+        provider = "openssl",
+        minTLSVersion = "tls1.2",
+        ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
+        ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
+        tcpFastOpenQueueSize = 256,
+        maxInFlight = 300
+    }
+)
+
+-- DoH
+addDOHLocal(
+    "[2a01:e0a:4d5:3c20::101a]:443",
+    "/path/to/fullchain.pem",
+    "/path/to/privkey.key",
+    {
+        "/dns-query",
+        "/",
+        "/help",
+        "/about",
+        "/policy",
+        "/rfc"
+    },
+    {
+        minTLSVersion = "tls1.2",
+        ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
+        ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
+        customResponseHeaders={["link"]="<https://cantal.luc-geo.fr/#dns> rel=\"service-meta\";type=\"text/html\""}
+    }
+)
+
+supportpagemap = {
+    newDOHResponseMapEntry("^/$", 200, "Welcome on cantal, a DoH / DoT resolver (and more) open-source and privacy friendly. For more informations, see <https://cantal.luc-geo.fr>."),
+    newDOHResponseMapEntry("^/help$", 200, "For the server policy, see <https://cantal.luc-geo.fr/#policy>."),
+    newDOHResponseMapEntry("^/about$", 307, "https://cantal.luc-geo.fr/#dns"),
+    newDOHResponseMapEntry("^/policy$", 307, "https://cantal.luc-geo.fr/#policy"),
+    newDOHResponseMapEntry("^/rfc$", 307, "https://datatracker.ietf.org/doc/html/rfc8484")
+}
+
+dohFE6 = getDOHFrontend(0)
+dohFE6:setResponsesMap(supportpagemap)
+
+-- Webserver
+webserver("192.168.X.X:X")
+setWebserverConfig(
+    {
+        password = hashPassword("<password>"),
+        apiKey = hashPassword("<api-key>"),
+        acl = ""
+    }
+)
+
+-- Console
+controlSocket('[::1]:5199')
+setKey("<key>")
--- a/etc/unbound/unbound.conf
+++ b/etc/unbound/unbound.conf
@@ -0,0 +1,99 @@
+# /etc/unbound/unbound.conf : unbound conf. file for cantal
+#
+# Last edition : 2025-07-06
+# Last editor : @Campanu
+#
+
+server:
+	# Modules
+	module-config: "validator iterator"
+	
+	# General
+	## Run as daemon
+	do-daemonize: yes
+	
+	## Listening interfaces
+	interface: 127.0.0.1
+	interface: ::1
+	port: 53
+	
+	## ACLs
+	access-control: 127.0.0.0/8 allow
+	access-control: ::1/128 allow
+	
+	## Network protocols
+	do-ip4: yes
+	do-ip6: yes
+	do-udp: yes
+	do-tcp: yes
+	prefer-ip6: yes
+	edns-tcp-keepalive: yes
+	
+	## Root hints file
+	root-hints: "/etc/unbound/root.hints"
+
+	# Security & privacy
+	harden-algo-downgrade: yes 
+	harden-glue: yes
+	hide-identity: yes
+	hide-version: yes
+	qname-minimisation: yes
+	val-clean-additional: yes
+
+	# DNSSEC
+	harden-below-nxdomain: yes
+	harden-dnssec-stripped: yes
+	
+	auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
+
+	## Disabling capitalization randomization to avoid DNSSEC issues
+	use-caps-for-id: no
+
+	## RFC 8198: Aggressive Use of DNSSEC-Validated Cache
+	aggressive-nsec: yes
+
+	# Tweaks
+	num-threads: 2
+	so-reuseport: yes
+	
+	prefetch: yes
+	prefetch-key: yes
+	
+	unwanted-reply-threshold: 10000
+	
+	# Cache & memory
+	msg-cache-slabs: 2
+	rrset-cache-slabs: 2
+	infra-cache-slabs: 2
+	key-cache-slabs: 2
+
+	neg-cache-size: 4m
+	key-cache-size: 16m
+	msg-cache-size: 128m
+	rrset-cache-size: 256m
+
+	infra-cache-numhosts: 100000
+
+	## TTL
+	cache-min-ttl: 60
+	cache-max-ttl: 86400
+
+	# RFC 8914: Extended DNS Errors
+	ede: yes
+	ede-serve-expired: yes
+
+    # RFC 8767: Serving Stale Data
+    serve-expired: yes
+	serve-expired-ttl: 86400
+	serve-expired-ttl-reset: no
+	serve-expired-reply-ttl: 30
+	serve-expired-client-timeout: 1800
+
+	# Logging
+	use-syslog: no
+	logfile: "/var/log/unbound.log"
+	verbosity: 1
+	log-time-ascii: yes
+
+remote-control:
+	control-enable: no