commit 7a539b2b527e5e02017f76865430372b130bc841
Author: Daniel Ziltener
Date: Fri Jul 19 15:51:17 2024 +0200
In the beginning there was darkness
diff --git a/Bastillefile b/Bastillefile
new file mode 100644
index 0000000..4f441fc
--- /dev/null
+++ b/Bastillefile
@@ -0,0 +1,7 @@
+PKG unbound ca_root_nss
+CMD mkdir /usr/local/etc/unbound/conf.d
+CMD fetch https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -o - | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\"\n"}' > /usr/local/etc/unbound/conf.d/ads.conf
+SYSRC unbound_enable=YES
+SERVICE unbound start
+RDR TCP 53 53
+RDR UDP 53 53
diff --git a/usr/local/etc/unbound/etc/root.hints b/usr/local/etc/unbound/etc/root.hints
new file mode 100644
index 0000000..8b8a3b1
--- /dev/null
+++ b/usr/local/etc/unbound/etc/root.hints
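Review bot: The `CMD fetch … | grep | awk > …/ads.conf` line hides a failed download: in sh the pipeline's status is awk's, so if `fetch` fails the redirect still creates an empty `ads.conf` with status 0 and the template continues as if the blocklist had been installed. Fetching to a file first, e.g. `CMD fetch -o /tmp/hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts` followed by the grep/awk over `/tmp/hosts`, lets the failure stop the build. The list is also taken from an unpinned `master` with no checksum, so whatever that repository serves at build time becomes `local-zone`/`local-data` directives in the resolver; pinning a commit hash (plus a `sha256` check) bounds that trust, and a single malformed entry could make unbound refuse its config. Separately, this writes `/usr/local/etc/unbound/conf.d/ads.conf` while the unbound.conf in this commit has `include: "/etc/unbound/conf.d/ads.conf"`; unless unbound rewrites that path under its chroot, the include cannot be opened and `SERVICE unbound start` will fail. Nothing visible copies the template's new `usr/` tree into the jail either — if Bastille does not overlay it automatically, a `CP`/`OVERLAY` line is needed before `SERVICE unbound start`.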
@@ -0,0 +1,92 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: December 20, 2023
+; related version of root zone: 2023122001
+;
+; FORMERLY NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
+B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file
\ No newline at end of file
diff --git a/usr/local/etc/unbound/root.key b/usr/local/etc/unbound/root.key
new file mode 100644
index 0000000..e292b5a
--- /dev/null
+++ b/usr/local/etc/unbound/root.key
@@ -0,0 +1 @@
+. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
diff --git a/usr/local/etc/unbound/unbound.conf b/usr/local/etc/unbound/unbound.conf
new file mode 100644
index 0000000..cbcf04d
--- /dev/null
+++ b/usr/local/etc/unbound/unbound.conf
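Review bot: `root.key` holds a single hand-copied DS record for root KSK tag 20326, and nothing in the unbound.conf added in this commit references it (no `auto-trust-anchor-file:` or `trust-anchor-file:`), so as committed it has no effect on validation. If it is meant to be the trust anchor, point unbound at it with `auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"` rather than `trust-anchor-file:`, so RFC 5011 tracking keeps the anchor current across a root KSK rollover; that form needs the file to be writable by the user unbound runs as. A static `trust-anchor-file:` on this one DS would stop validating, and start serving SERVFAIL, the day 20326 is retired.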
@@ -0,0 +1,50 @@
+## Simple recursive caching DNS, UDP port 53
+## unbound.conf -- https://calomel.org
+#
+server:
+ access-control: 10.0.0.0/8 allow
+ access-control: 127.0.0.0/8 allow
+ access-control: 192.168.0.0/16 allow
+ access-control: 0.0.0.0/0 allow
+ #aggressive-nsec: yes
+ cache-max-ttl: 14400
+ cache-min-ttl: 1200
+ do-ip4: yes
+ do-ip6: yes
+ do-udp: yes
+ do-tcp: yes
+ hide-identity: yes
+ hide-version: yes
+ interface-automatic: yes
+ prefetch: yes
+ root-hints: "etc/root.hints"
+ rrset-roundrobin: yes
+ so-reuseport: yes
+ tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
+ use-caps-for-id: yes
+ verbosity: 0
+ include: "/etc/unbound/conf.d/ads.conf"
+
+ # Unbound from pkg built with libevent; increase threads and slabs to the
+ # number of real cpu cores to reduce lock contention. Increase cache size to
+ # store more records and allow each thread to serve an increased number of
+ # concurrent client requests.
+# num-threads: 4
+# msg-cache-slabs: 4
+# rrset-cache-slabs: 4
+# infra-cache-slabs: 4
+# key-cache-slabs: 4
+# msg-cache-size: 256M
+# rrset-cache-size: 512M
+# outgoing-range: 8192
+# num-queries-per-thread: 4096
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 1.0.0.1@853#one.one.one.one
+ forward-addr: 1.1.1.1@853#one.one.one.one
+ forward-addr: 8.8.4.4@853#dns.google
+ forward-addr: 8.8.8.8@853#dns.google
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
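Review bot: `access-control: 0.0.0.0/0 allow` in the `server:` block makes this an open resolver: combined with `interface-automatic: yes` (listen on every address) and the template's `RDR TCP/UDP 53` rules, anyone who can reach the host on port 53 can recurse through it, which is exactly the setup used for DNS reflection/amplification and for probing the cache. It also renders the three preceding loopback/RFC 1918 `allow` lines meaningless. Drop the `0.0.0.0/0` line (unbound refuses sources it has no rule for by default) and, if non-RFC 1918 clients are genuinely needed, list their prefixes explicitly. Note also that the `root.key` added in this commit is never referenced here, so this instance performs no DNSSEC validation of its own and trusts the TLS forwarders entirely; `auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"` would turn it on. `verbosity: 0` suppresses all operational logging, so startup or TLS-authentication failures against the `forward-addr` upstreams would go unreported; `verbosity: 1` is the usual floor.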