This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

Unbound DNS playbook to help prevent client data leakage #1465

Closed

cyrus104 opened this issue Oct 17, 2018 · 1 comment

Comments

@cyrus104

Would it be possible to have a playbook and make the following optional?

Disable systemd-resolved
Install and enable unbound dns resolver
Configure unbound.conf similar to this config:

```
server:

  num-threads: 4

  #Enable logs
  verbosity: 1

  #list of Root DNS Server
  root-hints: "/var/lib/unbound/root.hints"

  #Use the root servers key for DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"

  #Respond to DNS requests on all interfaces
  interface: 0.0.0.0
  max-udp-size: 3072

  #Authorized IPs to access the DNS Server
  access-control: 0.0.0.0/0                 refuse
  access-control: 127.0.0.1                 allow
  access-control: 10.200.200.0/24         allow

  #not allowed to be returned for public internet  names
  private-address: 10.200.200.0/24

  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes

  #Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes

  #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
  unwanted-reply-threshold: 10000000

  #Have the validator print validation failures to the log.
  val-log-level: 1

  #Minimum lifetime of cache entries in seconds
  cache-min-ttl: 1800

  #Maximum lifetime of cached entries
  cache-max-ttl: 14400
  prefetch: yes
  prefetch-key: yes
```

and

```
curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
```

Thanks
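A way to check a candidate unbound.conf against the leak-prevention intent of this request, as an added example in Python that is not part of this issue, of Streisand, or of Unbound: it parses the `server:` block (a constructed, trimmed copy of the config above is embedded), checks that a wildcard `interface` sits behind a default-refuse `access-control`, that every allowed client range is also a `private-address`, that the identity-hiding and `harden-*` flags are on and a DNSSEC trust anchor is configured, and then runs the same audit over a deliberately weakened copy. The `qname-minimisation` check is my own addition; the config in the issue does not set that option.

```python
"""Audit the 'server:' block of an unbound.conf for the leak-prevention
settings requested in this issue. Added example, not Streisand or Unbound code."""
from typing import Dict, List

# Constructed copy of the config in the issue, trimmed to the options the audit looks at.
SAMPLE_CONF = """\
server:
  #list of Root DNS Server
  root-hints: "/var/lib/unbound/root.hints"
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  interface: 0.0.0.0
  access-control: 0.0.0.0/0                 refuse
  access-control: 127.0.0.1                 allow
  access-control: 10.200.200.0/24         allow
  private-address: 10.200.200.0/24
  hide-identity: yes
  hide-version: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
"""

Options = Dict[str, List[str]]


def parse_server_block(text: str) -> Options:
    """Collect the key/value lines under 'server:'. Keys may repeat (access-control),
    so each key maps to its values in file order; comments and blank lines are dropped."""
    opts: Options = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header: server:, remote-control:, ...
            in_server = line == "server:"
            continue
        if not in_server:
            continue
        key, _, value = line.partition(":")
        opts.setdefault(key.strip(), []).append(" ".join(value.split()))
    return opts


def audit(opts: Options) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means the block passes."""
    findings: List[str] = []
    acls = [v.split() for v in opts.get("access-control", []) if len(v.split()) == 2]

    # 1. Listening on every interface is only safe behind a default-refuse ACL.
    wildcard = any(i in ("0.0.0.0", "::0", "::") for i in opts.get("interface", []))
    default_refuse = any(net in ("0.0.0.0/0", "::0/0", "::/0") and action == "refuse"
                         for net, action in acls)
    if wildcard and not default_refuse:
        findings.append("wildcard interface without 'access-control: 0.0.0.0/0 refuse' default")

    # 2. Each allowed non-loopback client range should also be a private-address,
    #    so a public name can never resolve into the VPN subnet (rebinding).
    private = set(opts.get("private-address", []))
    for net, action in acls:
        if action.startswith("allow") and not net.startswith("127.") and net != "::1":
            if net not in private:
                findings.append(f"allowed client range {net} missing from private-address")

    # 3. Identity hiding and hardening flags must be 'yes' (last occurrence taken).
    for key in ("hide-identity", "hide-version", "harden-glue",
                "harden-dnssec-stripped", "harden-referral-path"):
        if opts.get(key, ["no"])[-1] != "yes":
            findings.append(f"{key} should be yes")

    # 4. DNSSEC validation is only active with a trust anchor.
    if not (opts.get("auto-trust-anchor-file") or opts.get("trust-anchor-file")):
        findings.append("no DNSSEC trust anchor configured")

    # 5. My own addition, not in the issue's config: qname-minimisation sends each
    #    upstream server only the labels it needs, reducing what a query reveals.
    if opts.get("qname-minimisation", ["no"])[-1] != "yes":
        findings.append("qname-minimisation should be yes")
    return findings


def weakened(text: str) -> str:
    """Constructed negative case: drop the default refuse and the private-address line,
    and expose the version banner, to show the audit catching each regression."""
    kept = []
    for line in text.splitlines():
        if "0.0.0.0/0" in line or line.strip().startswith("private-address"):
            continue
        kept.append(line.replace("hide-version: yes", "hide-version: no"))
    return "\n".join(kept)


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("weakened", weakened(SAMPLE_CONF))):
        print(f"[{label}]")
        for finding in audit(parse_server_block(conf)) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the posted config pass everything except the added `qname-minimisation` check, and the weakened copy fail on the missing default refuse, the unlisted `10.200.200.0/24` range, and `hide-version`; pointing `parse_server_block` at a real file is a one-line change.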

@cpu (Collaborator) commented Oct 20, 2018

Hi @cyrus104

> Would it be possible to have a playbook and make the following optional?

Are you offering to write a pull request or asking for someone else to? :-) If it's the former: maybe! The project maintainers would need to discuss the proposal a bit more. If it's the latter: probably not anytime soon.

There are a handful of open issues regarding changes to Streisand's recursive DNS server:

I recommend that you add your thoughts to the above issues. I don't think any of the maintainers have strong objections to the idea of improving Streisand's DNS but it's a lot of work and would need to be carefully planned & tested.

> Disable systemd-resolved

Streisand currently targets 16.04 - I don't believe systemd-resolver is included in that configuration, but is in 18.04. We haven't crossed this bridge yet but you might be interested in looking at some in-progress work (#1453)

I'm going to close this issue since feature requests and general discussion are better suited to the discussions repository.

Thanks!

@cpu cpu closed this as completed Oct 20, 2018