├── LICENSE ├── Makefile ├── README.md └── src ├── etc ├── authpf │ ├── authpf.allow │ ├── authpf.conf │ ├── authpf.message │ ├── authpf.problem │ └── authpf.rules ├── changelist.local ├── daily.local ├── dhclient.conf ├── doas.conf ├── hostname.vio0 ├── hosts ├── mail │ ├── secrets │ └── smtpd.conf ├── motd.authpf ├── mtree │ └── special.local ├── mygate ├── myname ├── pdns │ └── pdns.conf ├── pf.conf ├── pf.conf.anchor.block ├── pf.conf.anchor.icmp ├── pf.conf.table.ban ├── pf.conf.table.dns ├── pf.conf.table.martians ├── pf.conf.table.msa ├── rc.conf.local ├── resolv.conf ├── ssh │ ├── sshd_banner │ └── sshd_config ├── sysctl.conf └── weekly.local ├── usr └── local │ ├── bin │ ├── nsec3salt │ ├── pdns-backup │ ├── rmchangelist │ ├── tsig-change │ ├── tsig-fetch │ ├── tsig-secret │ ├── tsig-share │ ├── zoneadd │ └── zonedel │ └── share │ ├── doc │ └── dithematic │ │ ├── disklabel │ │ ├── disklabel.min │ │ ├── dithematic-256x256.png │ │ ├── install.conf │ │ ├── nsd.conf.master.PowerDNS │ │ ├── nsd.conf.slave.1984.is │ │ ├── nsd.conf.slave.FreeDNS.afraid.org │ │ ├── nsd.conf.slave.GratisDNS.com │ │ ├── nsd.conf.slave.HE.net │ │ ├── nsd.conf.slave.PowerDNS │ │ ├── nsd.conf.slave.Puck.nether.net │ │ └── validate.tsig │ └── examples │ └── dithematic │ ├── ddns.example.com.zone │ ├── example.com.zone │ ├── nsd.conf.master.example.com │ ├── nsd.conf.slave.example.com │ └── nsd.conf.zone.example.com └── var ├── cron ├── cron.allow └── tabs │ └── root ├── nsd └── etc │ └── nsd.conf └── unbound └── etc └── unbound.conf /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2018 Horia Racoviceanu 2 | 3 | Permission to use, copy, modify, and distribute this software for any 4 | purpose with or without fee is hereby granted, provided that the above 5 | copyright notice and this permission notice appear in all copies. 
6 | 7 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 10 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 12 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 13 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # $OpenBSD$ 2 | 3 | # Put overrides in "Makefile.local" 4 | 5 | GH_PROJECT ?= dithematic 6 | PREFIX ?= /usr/local 7 | MANDIR ?= ${PREFIX}/man/man 8 | BINDIR ?= ${PREFIX}/bin 9 | BASESYSCONFDIR ?= /etc 10 | VARBASE ?= /var 11 | DOCDIR ?= ${PREFIX}/share/doc/${GH_PROJECT} 12 | EXAMPLESDIR ?= ${PREFIX}/share/examples/${GH_PROJECT} 13 | 14 | # Server 15 | 16 | EGRESS = vio0 17 | 18 | DOMAIN_NAME = example.com 19 | 20 | MASTER = yes 21 | MASTER_HOST = dot 22 | 23 | IPv4 = 203.0.113.3 24 | IPv6 = 2001:0db8::3 25 | 26 | UPGRADE = yes 27 | 28 | DITHEMATIC = ${SCRIPT} ${SYSCONF} ${PFCONF} ${AUTHPFCONF} ${MAILCONF} \ 29 | ${PDNSCONF} ${SSHCONF} ${MTREECONF} ${NSDCONF} ${UNBOUNDCONF} \ 30 | ${CRONALLOW} ${CRONTAB} ${DOC} ${EXAMPLES} 31 | 32 | # Dithematic 33 | 34 | SCRIPT = ${BINDIR:S|^/||}/pdns-backup \ 35 | ${BINDIR:S|^/||}/rmchangelist \ 36 | ${BINDIR:S|^/||}/nsec3salt \ 37 | ${BINDIR:S|^/||}/tsig-change \ 38 | ${BINDIR:S|^/||}/tsig-fetch \ 39 | ${BINDIR:S|^/||}/tsig-secret \ 40 | ${BINDIR:S|^/||}/tsig-share \ 41 | ${BINDIR:S|^/||}/zoneadd \ 42 | ${BINDIR:S|^/||}/zonedel 43 | 44 | SYSCONF = ${BASESYSCONFDIR:S|^/||}/changelist.local \ 45 | ${BASESYSCONFDIR:S|^/||}/daily.local \ 46 | ${BASESYSCONFDIR:S|^/||}/dhclient.conf \ 47 | ${BASESYSCONFDIR:S|^/||}/doas.conf \ 48 | 
${BASESYSCONFDIR:S|^/||}/motd.authpf \ 49 | ${BASESYSCONFDIR:S|^/||}/resolv.conf \ 50 | ${BASESYSCONFDIR:S|^/||}/sysctl.conf 51 | 52 | PFCONF = ${BASESYSCONFDIR:S|^/||}/pf.conf \ 53 | ${BASESYSCONFDIR:S|^/||}/pf.conf.anchor.block \ 54 | ${BASESYSCONFDIR:S|^/||}/pf.conf.anchor.icmp \ 55 | ${BASESYSCONFDIR:S|^/||}/pf.conf.table.ban \ 56 | ${BASESYSCONFDIR:S|^/||}/pf.conf.table.dns \ 57 | ${BASESYSCONFDIR:S|^/||}/pf.conf.table.martians \ 58 | ${BASESYSCONFDIR:S|^/||}/pf.conf.table.msa 59 | 60 | AUTHPFCONF = ${BASESYSCONFDIR:S|^/||}/authpf/authpf.allow \ 61 | ${BASESYSCONFDIR:S|^/||}/authpf/authpf.conf \ 62 | ${BASESYSCONFDIR:S|^/||}/authpf/authpf.message \ 63 | ${BASESYSCONFDIR:S|^/||}/authpf/authpf.problem \ 64 | ${BASESYSCONFDIR:S|^/||}/authpf/authpf.rules 65 | 66 | MAILCONF = ${BASESYSCONFDIR:S|^/||}/mail/smtpd.conf 67 | 68 | PDNSCONF = ${BASESYSCONFDIR:S|^/||}/pdns/pdns.conf 69 | 70 | SSHCONF = ${BASESYSCONFDIR:S|^/||}/ssh/sshd_banner \ 71 | ${BASESYSCONFDIR:S|^/||}/ssh/sshd_config 72 | 73 | MTREECONF = ${BASESYSCONFDIR:S|^/||}/mtree/special.local 74 | 75 | NSDCONF = ${VARBASE:S|^/||}/nsd/etc/nsd.conf 76 | 77 | UNBOUNDCONF = ${VARBASE:S|^/||}/unbound/etc/unbound.conf 78 | 79 | CRONALLOW = ${VARBASE:S|^/||}/cron/cron.allow 80 | CRONTAB = ${VARBASE:S|^/||}/cron/tabs/root 81 | 82 | DOC = ${DOCDIR:S|^/||}/validate.tsig \ 83 | ${DOCDIR:S|^/||}/nsd.conf.master.PowerDNS \ 84 | ${DOCDIR:S|^/||}/nsd.conf.slave.PowerDNS \ 85 | ${DOCDIR:S|^/||}/nsd.conf.slave.1984.is \ 86 | ${DOCDIR:S|^/||}/nsd.conf.slave.FreeDNS.afraid.org \ 87 | ${DOCDIR:S|^/||}/nsd.conf.slave.GratisDNS.com \ 88 | ${DOCDIR:S|^/||}/nsd.conf.slave.HE.net \ 89 | ${DOCDIR:S|^/||}/nsd.conf.slave.Puck.nether.net 90 | 91 | EXAMPLES = ${EXAMPLESDIR:S|^/||}/ddns.example.com.zone \ 92 | ${EXAMPLESDIR:S|^/||}/example.com.zone \ 93 | ${EXAMPLESDIR:S|^/||}/nsd.conf.master.example.com \ 94 | ${EXAMPLESDIR:S|^/||}/nsd.conf.slave.example.com \ 95 | ${EXAMPLESDIR:S|^/||}/nsd.conf.zone.example.com 96 | 97 | PKG = powerdns \ 
98 | ldns-utils \ 99 | drill 100 | 101 | HOSTNAME !!= hostname -s 102 | WRKSRC ?= ${HOSTNAME:S|^|${.CURDIR}/|} 103 | RELEASE !!= uname -r 104 | 105 | #-8<----------- [ cut here ] --------------------------------------------------^ 106 | 107 | .if exists(Makefile.local) 108 | . include "Makefile.local" 109 | .endif 110 | 111 | .if ${MASTER} == "yes" 112 | SYSCONF += ${BASESYSCONFDIR:S|^/||}/weekly.local 113 | .endif 114 | 115 | # Specifications (target rules) 116 | 117 | .if defined(UPGRADE) && ${UPGRADE} == "yes" 118 | upgrade: config .WAIT ${DITHEMATIC} 119 | @echo Upgrade 120 | .else 121 | upgrade: config 122 | @echo Fresh install 123 | .endif 124 | 125 | config: 126 | mkdir -m750 ${WRKSRC} 127 | (umask 077; cp -R ${.CURDIR}/src/* ${WRKSRC}) 128 | sed -i \ 129 | 's|vio0|${EGRESS}|' \ 130 | ${WRKSRC}/${PFCONF:M*pf.conf} 131 | sed -i \ 132 | 's|example.com|${DOMAIN_NAME}|' \ 133 | ${SYSCONF:M*doas.conf:S|^|${WRKSRC}/|} \ 134 | ${PFCONF:M*pf.conf.table.dns:S|^|${WRKSRC}/|} \ 135 | ${AUTHPFCONF:M*authpf.problem:S|^|${WRKSRC}/|} \ 136 | ${MAILCONF:M*smtpd.conf:S|^|${WRKSRC}/|} \ 137 | ${PDNSCONF:M*pdns.conf:S|^|${WRKSRC}/|} \ 138 | ${SSHCONF:M*sshd_config:S|^|${WRKSRC}/|} \ 139 | ${NSDCONF:M*nsd.conf:S|^|${WRKSRC}/|} \ 140 | ${DOC:M*nsd.conf.*.PowerDNS:S|^|${WRKSRC}/|} 141 | sed -i \ 142 | 's|dot|${MASTER_HOST}|' \ 143 | ${PDNSCONF:M*pdns.conf:S|^|${WRKSRC}/|} 144 | sed -i \ 145 | -e 's|203.0.113.3|${IPv4}|' \ 146 | -e 's|2001:0db8::3|${IPv6}|' \ 147 | ${NSDCONF:M*nsd.conf:S|^|${WRKSRC}/|} 148 | sed -i \ 149 | 's|dot|${HOSTNAME}|' \ 150 | ${MAILCONF:M*smtpd.conf:S|^|${WRKSRC}/|} \ 151 | ${MTREECONF:M*special.local:S|^|${WRKSRC}/|} 152 | .if ${MASTER} == "yes" 153 | sed -i \ 154 | 's|example.com|${DOMAIN_NAME}|' \ 155 | ${SYSCONF:M*weekly.local:S|^|${WRKSRC}/|} 156 | @echo Super-Master 157 | .else 158 | sed -i \ 159 | -e 's|^master=yes|#master=yes|' \ 160 | -e 's|^#slave=yes|slave=yes|' \ 161 | ${PDNSCONF:M*pdns.conf:S|^|${WRKSRC}/|} 162 | @echo Super-Slave 163 | 
.endif 164 | @echo Configured 165 | 166 | ${DITHEMATIC}: 167 | [[ -r ${DESTDIR}/$@ ]] \ 168 | && (umask 077; diff -u ${DESTDIR}/$@ ${WRKSRC}/$@ >/dev/null \ 169 | || sdiff -as -w $$(tput -T $${TERM:-vt100} cols) \ 170 | -o ${WRKSRC}/$@.merged \ 171 | ${DESTDIR}/$@ \ 172 | ${WRKSRC}/$@) \ 173 | || [[ "$$?" -eq 1 ]] 174 | 175 | clean: 176 | @rm -r ${WRKSRC} 177 | 178 | beforeinstall: upgrade 179 | -rcctl stop nsd pdns_server 180 | .for _PKG in ${PKG} 181 | env PKG_PATH= pkg_info ${_PKG} > /dev/null || pkg_add ${_PKG} 182 | .endfor 183 | .if ${UPGRADE} == "yes" 184 | . for _DITHEMATIC in ${DITHEMATIC} 185 | [[ -r ${_DITHEMATIC:S|^|${WRKSRC}/|:S|$|.merged|} ]] \ 186 | && cp -p ${WRKSRC}/${_DITHEMATIC}.merged ${WRKSRC}/${_DITHEMATIC} \ 187 | || [[ "$$?" -eq 1 ]] 188 | . endfor 189 | .endif 190 | 191 | realinstall: 192 | ${INSTALL} -d -m ${DIRMODE} ${DOCDIR} 193 | ${INSTALL} -d -m ${DIRMODE} ${EXAMPLESDIR} 194 | .for _DITHEMATIC in ${DITHEMATIC:N*cron/tabs*} 195 | ${INSTALL} -S -o ${LOCALEOWN} -g ${LOCALEGRP} -m 440 \ 196 | ${_DITHEMATIC:S|^|${WRKSRC}/|} \ 197 | ${_DITHEMATIC:S|^|${DESTDIR}/|} 198 | .endfor 199 | ${INSTALL} -d -m 750 -o _powerdns ${VARBASE}/pdns 200 | 201 | afterinstall: 202 | .if !empty(CRONTAB) 203 | crontab -u root ${WRKSRC}/${CRONTAB} 204 | .endif 205 | .if !empty(AUTHPFCONF) 206 | group info -e authdns || group add -g 20053 authdns 207 | .endif 208 | [[ -r ${VARBASE}/nsd/etc/nsd_control.pem ]] || nsd-control-setup 209 | [[ -r ${VARBASE}/pdns/pdns.sqlite ]] \ 210 | || sqlite3 ${VARBASE}/pdns/pdns.sqlite \ 211 | -init ${PREFIX}/share/doc/pdns/schema.sqlite3.sql ".exit" 212 | [[ -r ${VARBASE}/pdns/pdnssec.sqlite ]] \ 213 | || sqlite3 ${VARBASE}/pdns/pdnssec.sqlite \ 214 | -init ${PREFIX}/share/doc/pdns/dnssec-3.x_to_3.4.0_schema.sqlite3.sql ".exit" 215 | group info -e tsig || user info -e tsig \ 216 | || { user add -u 25353 -g =uid -c "TSIG Wizard" -s /bin/ksh -m tsig; \ 217 | mkdir -m700 /home/tsig/.key; chown tsig:tsig /home/tsig/.key; } 218 | [[ -r 
${BASESYSCONFDIR}/changelist-${RELEASE} ]] \ 219 | || cp ${BASESYSCONFDIR}/changelist ${BASESYSCONFDIR}/changelist-${RELEASE} 220 | sed -i '/changelist.local/,$$d' ${BASESYSCONFDIR}/changelist 221 | cat ${BASESYSCONFDIR}/changelist.local >> ${BASESYSCONFDIR}/changelist 222 | sed -i '/^console/s/ secure//' ${BASESYSCONFDIR}/ttys 223 | mtree -qef ${BASESYSCONFDIR}/mtree/special -p / -U 224 | mtree -qef ${BASESYSCONFDIR}/mtree/special.local -p / -U 225 | [[ -r ${BASESYSCONFDIR}/ssl/dns/private/tsig.${DOMAIN_NAME} ]] \ 226 | || ${PREFIX}/bin/tsig-secret tsig.${DOMAIN_NAME} 227 | [[ -r ${VARBASE}/nsd/etc/tsig.${DOMAIN_NAME} ]] \ 228 | || ${PREFIX}/bin/tsig-change tsig.${DOMAIN_NAME} 229 | pfctl -f /etc/pf.conf 230 | rcctl disable check_quotas sndiod 231 | rcctl enable unbound nsd pdns_server 232 | rcctl restart unbound nsd pdns_server 233 | rcctl reload sshd 234 | 235 | .PHONY: upgrade 236 | .USE: upgrade 237 | 238 | .include 239 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # dithematic (alpha) 2 | 3 | OpenBSD DNS name server 4 | 5 | ![Dithematic Logo](src/usr/local/share/doc/dithematic/dithematic-256x256.png) 6 | 7 | ## About 8 | > authoritative nameserver for domain names 9 | 10 | Dithematic configuration and guide for self-hosting [DNS](https://powerdns.org/dns-camel/) 11 | 12 | ## Features 13 | 14 | [PowerDNS](https://doc.powerdns.com/authoritative/) features on [OpenBSD](https://github.com/openbsd/src/tree/master/usr.sbin/nsd)'s [NSD](https://man.openbsd.org/nsd.conf) shoulders 15 | 16 | ## Getting started 17 | 18 | *Minimum requirements* 19 | - 512MB RAM, [10GB SSD](src/usr/local/share/doc/dithematic/disklabel) 20 | - reverse DNS (record type PTR) for each nameserver IP, configured at the hosting provider, with the primary DOMAIN_NAME 21 | 22 | Grab a copy of this repository, and put overrides in "[Makefile](Makefile).local" e.g. 
23 | ```console 24 | # Makefile.local 25 | 26 | EGRESS = vio0 27 | 28 | DOMAIN_NAME = example.com 29 | 30 | MASTER = yes 31 | MASTER_HOST = dot 32 | 33 | IPv4 = 203.0.113.3 34 | IPv6 = 2001:0db8::3 35 | 36 | UPGRADE = yes 37 | ``` 38 | 39 | *n.b.* UPGRADE uses [`sdiff`](https://man.openbsd.org/sdiff) side-by-side diff (with *new* on the right side) 40 | 41 | Test 42 | ```sh 43 | make beforeinstall 44 | ``` 45 | 46 | Install 47 | ```sh 48 | make install 49 | ``` 50 | 51 | Edit [`zoneadd`](src/usr/local/bin/zoneadd) to match (or use `env`) 52 | ```console 53 | # Dithematic IP 54 | MASTER_IP="${MASTER_IP:-\ 55 | 203.0.113.3 \ 56 | 2001:0db8::3 \ 57 | }" 58 | SLAVE_IP="${SLAVE_IP:-\ 59 | 203.0.113.4 \ 60 | 2001:0db8::4 \ 61 | }" # empty to disable 62 | 63 | # Vendor 64 | FREE_SLAVE="${FREE_SLAVE:-\ 65 | 1984.is \ 66 | FreeDNS.afraid.org \ 67 | GratisDNS.com \ 68 | HE.net \ 69 | Puck.nether.net \ 70 | }" # empty to disable 71 | ``` 72 | 73 | *n.b.* rename and place [zone templates](https://github.com/vedetta-com/dithematic/tree/master/src/usr/local/share/examples/dithematic) in `/var/nsd/zones/master` (or start with a blank slate.) 74 | 75 | Install DNS zone(s), e.g. on master: `example.com` and `ddns.example.com` 76 | ```sh 77 | zoneadd example.com 78 | env DDNS=true zoneadd ddns.example.com 79 | ``` 80 | 81 | Edit a zone 82 | ```sh 83 | env EDITOR="${EDITOR:-vi}" pdnsutil edit-zone example.com 84 | ``` 85 | 86 | *n.b.* place existing TSIG key as `tsig.example.com`, CSK (or ZSK) as `example.com.CSK` in `/etc/ssl/dns/private` (or let [`zoneadd`](src/usr/local/bin/zoneadd) generate new keys.) 87 | 88 | Setup the [TSIG](https://tools.ietf.org/html/rfc2845) user on all dithematic nameservers, i.e. 
`tsig` 89 | ```sh 90 | su - tsig 91 | ssh-keygen -t ed25519 -C tsig@example.com 92 | exit 93 | ``` 94 | 95 | Share the TSIG user's public key with all dithematic slave nameservers, and update "known_hosts" 96 | ```sh 97 | ssh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit" 98 | ssh -6 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit" 99 | ``` 100 | 101 | Edit [`tsig-share`](src/usr/local/bin/tsig-share) on the master to add slave nameserver names 102 | ```console 103 | NS="${NS:-dig.example.com}" # (space-separated) domain name(s), or IP(s) 104 | ``` 105 | 106 | Share the master TSIG secret with slave nameservers, e.g.: `dig.example.com` 107 | ```sh 108 | env NS="dig.example.com" tsig-share tsig.example.com 109 | ``` 110 | 111 | [DNS UPDATE](https://tools.ietf.org/html/rfc2136) allowed IPs are managed with authpf(8), i.e. user "puffy" must first log in over SSH to the master name server host to authenticate the IP address from which they will then update the ddns.example.com zone, using e.g. 
nsupdate (`pkg_add isc-bind`) or dnspython (`pkg_add py-dnspython`) on their device (skip if not using dynamic DNS) 112 | ```sh 113 | user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy 114 | ``` 115 | 116 | Edit ["smtpd.conf"](src/etc/mail/smtpd.conf) and "secrets" 117 | 118 | Edit pf table ["msa"](src/etc/pf.conf.table.msa) to add Message Submission Agent IP(s) 119 | 120 | Enjoy 121 | ```sh 122 | dig example.com any 123 | ``` 124 | 125 | ## Support 126 | [Issues](https://github.com/vedetta-com/dithematic/issues) 127 | 128 | ## Contribute 129 | Contributions welcome, [fork](https://github.com/vedetta-com/dithematic/fork) 130 | 131 | -------------------------------------------------------------------------------- /src/etc/authpf/authpf.allow: -------------------------------------------------------------------------------- 1 | @authpf 2 | -------------------------------------------------------------------------------- /src/etc/authpf/authpf.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vedetta-com/dithematic/04d260c2fe3942c4431a1ecfcb2f0df82ae0ded1/src/etc/authpf/authpf.conf -------------------------------------------------------------------------------- /src/etc/authpf/authpf.message: -------------------------------------------------------------------------------- 1 | 2 | (*) Domain Name System (DNS) Dynamic Update 3 | 4 | -------------------------------------------------------------------------------- /src/etc/authpf/authpf.problem: -------------------------------------------------------------------------------- 1 | Account problems can be addressed to hostmaster@example.com 2 | -------------------------------------------------------------------------------- /src/etc/authpf/authpf.rules: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/vedetta-com/dithematic/04d260c2fe3942c4431a1ecfcb2f0df82ae0ded1/src/etc/authpf/authpf.rules -------------------------------------------------------------------------------- /src/etc/changelist.local: -------------------------------------------------------------------------------- 1 | # changelist.local 2 | # 3 | # Backup: `cp -p /etc/changelist /etc/changelist-6.4` 4 | # Install: `cat /etc/changelist.local >> /etc/changelist` 5 | # Uninstall: `sed -i '/changelist.local/,$d' /etc/changelist` 6 | # Remove: `/usr/local/bin/rmchangelist` 7 | 8 | /etc/changelist.local 9 | +/etc/mail/secrets 10 | /etc/pf.conf.anchor.block 11 | /etc/pf.conf.anchor.icmp 12 | /etc/pf.conf.table.ban 13 | /etc/pf.conf.table.dns 14 | /etc/pf.conf.table.martians 15 | /etc/pf.conf.table.msa 16 | /etc/motd.authpf 17 | /etc/authpf/authpf.* 18 | /etc/pdns/pdns.conf 19 | /etc/ssl/dns/*.DNSKEY 20 | +/etc/ssl/dns/private/*.*SK 21 | +/etc/ssl/dns/private/tsig.* 22 | /etc/ssh/sshd_banner 23 | +/var/unbound/db/root.key 24 | +/var/unbound/db/root.zone 25 | /usr/local/bin/nsec3salt 26 | /usr/local/bin/pdns-backup 27 | /usr/local/bin/rmchangelist 28 | /usr/local/bin/tsig-change 29 | /usr/local/bin/tsig-fetch 30 | /usr/local/bin/tsig-secret 31 | /usr/local/bin/tsig-share 32 | /usr/local/bin/zoneadd 33 | /usr/local/bin/zonedel 34 | +/var/nsd/etc/nsd.conf.* 35 | /var/nsd/zones/master/*.zone 36 | +/var/pdns/*.backup 37 | /var/pdns/*.dump 38 | -------------------------------------------------------------------------------- /src/etc/daily.local: -------------------------------------------------------------------------------- 1 | next_part "Checking local special files and directories:" 2 | if [ -O /etc/mtree/special.local -a \ 3 | -G /etc/mtree/special.local -a \ 4 | ! -L /etc/mtree/special.local -a \ 5 | -r /etc/mtree/special.local -a \ 6 | -w /etc/mtree/special.local -a \ 7 | ! 
-x /etc/mtree/special.local ]; then 8 | echo "\tcriteria (shouldbe, reallyis)" 9 | mtree -e -p / -f /etc/mtree/special.local 10 | fi 11 | 12 | next_part "Checking packages:" 13 | pkg_add -su 14 | 15 | next_part "DNS statistics:" 16 | unbound-control stats 17 | -------------------------------------------------------------------------------- /src/etc/dhclient.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: dhclient.conf,v 1.2 2017/10/16 23:43:41 krw Exp $ 2 | # 3 | # DHCP Client Configuration 4 | # 5 | # See dhclient.conf(5) for possible contents of this file. 6 | 7 | # rebound for unbound 8 | ignore domain-name; 9 | ignore domain-name-servers; 10 | # A ServerID is required by RFC2131 11 | require dhcp-server-identifier; 12 | 13 | -------------------------------------------------------------------------------- /src/etc/doas.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: doas.conf,v 1.1 2016/09/03 11:58:32 pirofti Exp $ 2 | # Configuration sample file for doas(1). 3 | # See doas.conf(5) for syntax and examples. 
4 | 5 | # Non-exhaustive list of variables needed to build release(8) and ports(7) 6 | #permit nopass setenv { \ 7 | # FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \ 8 | # DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \ 9 | # MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \ 10 | # PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \ 11 | # SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc 12 | 13 | # Allow wheel by default 14 | permit keepenv :wheel 15 | 16 | # Allow wheel to backup: ssh dot "doas tar -czv -f - -I -" > dot.tar.gz < dot.list 17 | permit nopass :wheel as root cmd tar args -czv -f - -I - 18 | 19 | # Allow TSIG sharing 20 | permit nopass tsig as root cmd cp args /home/tsig/.key/tsig.example.com /etc/ssl/dns/private/ 21 | permit nopass tsig as root cmd tsig-change args tsig.example.com 22 | 23 | -------------------------------------------------------------------------------- /src/etc/hostname.vio0: -------------------------------------------------------------------------------- 1 | # https://man.openbsd.org/hostname.if 2 | # reset interface to its default state 3 | -inet 4 | -inet6 5 | dhcp 6 | inet6 -autoconfprivacy 7 | inet6 -soii 8 | inet6 autoconf 9 | # change prefixlen e.g. 
56 for gateways on different network 10 | #inet6 alias 2001:0db8::3 64 11 | -------------------------------------------------------------------------------- /src/etc/hosts: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | ::1 localhost 3 | -------------------------------------------------------------------------------- /src/etc/mail/secrets: -------------------------------------------------------------------------------- 1 | # https://man.openbsd.org/table.5#Credentials_tables 2 | dot dot@example.com:password 3 | -------------------------------------------------------------------------------- /src/etc/mail/smtpd.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: smtpd.conf,v 1.11 2018/06/04 21:10:58 jmc Exp $ 2 | 3 | # This is the smtpd server system-wide configuration file. 4 | # See smtpd.conf(5) for more information. 5 | 6 | table aliases file:/etc/mail/aliases 7 | table secrets file:/etc/mail/secrets 8 | 9 | listen on socket 10 | 11 | action "local" mbox alias 12 | action "relay" \ 13 | relay host smtps://dot@mercury.example.com:465 auth 14 | 15 | match for local action "local" 16 | match from local for domain "example.com" action "relay" 17 | 18 | -------------------------------------------------------------------------------- /src/etc/motd.authpf: -------------------------------------------------------------------------------- 1 | 2 | (!) Terminate the shell and all other 3 | sessions to this node with CTRL-C 4 | -------------------------------------------------------------------------------- /src/etc/mtree/special.local: -------------------------------------------------------------------------------- 1 | # special.local 2 | # 3 | # user: puffy 4 | # machine: dot.example.com 5 | # tree: / 6 | # date: Tue Jul 24 15:36:42 2018 7 | 8 | # . 9 | /set type=file uname=root gname=wheel mode=0644 10 | . 
type=dir mode=0755 11 | 12 | 13 | # ./etc 14 | etc type=dir mode=0755 15 | pf.conf.anchor.block \ 16 | mode=0600 17 | pf.conf.anchor.icmp \ 18 | mode=0600 19 | pf.conf.table.ban \ 20 | mode=0600 21 | pf.conf.table.martians \ 22 | mode=0600 23 | pf.conf.table.msa \ 24 | mode=0600 25 | pf.conf.table.dns \ 26 | mode=0600 27 | motd.authpf optional 28 | 29 | 30 | # ./etc/authpf 31 | authpf type=dir mode=0755 32 | authpf.allow 33 | authpf.conf 34 | authpf.message 35 | authpf.problem 36 | authpf.rules 37 | # ./etc/authpf 38 | .. 39 | 40 | 41 | # ./etc/pdns 42 | pdns type=dir mode=0755 43 | pdns.conf 44 | # ./etc/pdns 45 | .. 46 | 47 | 48 | # ./etc/mtree 49 | /set type=file gname=wheel mode=0644 50 | mtree type=dir mode=0755 51 | special.local \ 52 | mode=0600 optional 53 | # ./etc/mtree 54 | .. 55 | 56 | 57 | # ./etc/ssh 58 | ssh type=dir mode=0755 59 | sshd_banner optional 60 | # ./etc/ssh 61 | .. 62 | 63 | 64 | # ./etc/ssl 65 | ssl type=dir mode=0755 66 | 67 | # ./etc/ssl/dns 68 | dns type=dir mode=0755 69 | *.DNSKEY mode=0644 70 | 71 | # ./etc/ssl/dns/private 72 | private type=dir mode=0700 73 | *.*SK mode=0600 74 | tsig.* mode=0600 75 | # ./etc/ssl/dns/private 76 | .. 77 | 78 | # ./etc/ssl/dns 79 | .. 80 | 81 | # ./etc/ssl 82 | .. 83 | 84 | # ./etc 85 | .. 86 | 87 | 88 | # ./usr 89 | usr type=dir mode=0755 90 | 91 | 92 | # ./usr/local 93 | local type=dir mode=0755 94 | 95 | 96 | # ./usr/local/bin 97 | bin type=dir mode=0755 98 | nsec3salt gname=bin mode=0500 99 | pdns-backup gname=bin mode=0500 100 | rmchangelist \ 101 | gname=bin mode=0500 102 | tsig-change gname=bin mode=0500 103 | tsig-fetch gname=bin mode=0555 104 | tsig-secret gname=bin mode=0500 105 | tsig-share gname=bin mode=0500 106 | zoneadd gname=bin mode=0500 107 | zonedel gname=bin mode=0500 108 | # ./usr/local/bin 109 | .. 
110 | 111 | 112 | # ./usr/local/share 113 | share type=dir mode=0755 114 | 115 | # ./usr/local/share/doc 116 | doc type=dir mode=0755 117 | 118 | # ./usr/local/share/doc/dithematic 119 | dithematic type=dir mode=0755 120 | nsd.conf.* mode=0644 121 | validate.tsig \ 122 | mode=0644 123 | # ./usr/local/share/doc/dithematic 124 | .. 125 | 126 | # ./usr/local/share/doc 127 | .. 128 | 129 | 130 | # ./usr/local/share/examples 131 | examples type=dir mode=0755 132 | 133 | # ./usr/local/share/examples/dithematic 134 | dithematic type=dir mode=0755 135 | *example.com.zone \ 136 | mode=0644 137 | nsd.conf.*.example.com \ 138 | mode=0644 139 | # ./usr/local/share/examples/dithematic 140 | .. 141 | 142 | # ./usr/local/share/examples 143 | .. 144 | 145 | # ./usr/local/share 146 | .. 147 | 148 | # ./usr/local 149 | .. 150 | 151 | # ./usr 152 | .. 153 | 154 | 155 | # ./var 156 | var type=dir mode=0755 157 | 158 | 159 | # ./var/pdns 160 | pdns type=dir uname=_powerdns mode=0750 161 | *.sqlite uname=_powerdns mode=0640 162 | *.sqlite.backup \ 163 | uname=root mode=0600 optional 164 | *.sqlite.dump \ 165 | uname=root mode=0600 optional 166 | # ./var/pdns 167 | .. 168 | 169 | 170 | # ./var/nsd 171 | nsd type=dir mode=0755 172 | 173 | 174 | # ./var/nsd/db 175 | db type=dir gname=_nsd mode=0775 176 | # ./var/nsd/db 177 | .. 178 | 179 | 180 | # ./var/nsd/etc 181 | etc type=dir gname=_nsd mode=0750 182 | nsd.conf* gname=_nsd mode=0640 183 | # ./var/nsd/etc 184 | .. 185 | 186 | 187 | # ./var/nsd/zones 188 | zones type=dir mode=0755 189 | 190 | 191 | # ./var/nsd/zones/master 192 | master type=dir mode=0755 193 | *.zone mode=0600 optional 194 | # ./var/nsd/zones/master 195 | .. 196 | 197 | 198 | # ./var/nsd/zones/slave 199 | slave type=dir gname=_nsd mode=0775 200 | # ./var/nsd/zones/slave 201 | .. 202 | 203 | # ./var/nsd/zones 204 | .. 205 | 206 | # ./var/nsd 207 | .. 
208 | 209 | 210 | # ./var/unbound 211 | unbound type=dir mode=0755 212 | 213 | 214 | # ./var/unbound/db 215 | /set type=file mode=0644 216 | db type=dir uname=root gname=_unbound mode=0775 217 | root.key uname=_unbound gname=_unbound optional 218 | root.zone uname=_unbound gname=_unbound optional 219 | # ./var/unbound/db 220 | .. 221 | 222 | # ./var/unbound 223 | .. 224 | 225 | # ./var 226 | .. 227 | 228 | .. 229 | 230 | -------------------------------------------------------------------------------- /src/etc/mygate: -------------------------------------------------------------------------------- 1 | 203.0.113.254 2 | 2001:0db8::0254 3 | -------------------------------------------------------------------------------- /src/etc/myname: -------------------------------------------------------------------------------- 1 | dot.dithematic.com 2 | -------------------------------------------------------------------------------- /src/etc/pdns/pdns.conf: -------------------------------------------------------------------------------- 1 | ## OpenBSD package configuration sample for various backends. 2 | ## See /usr/local/share/doc/pdns for database schemas. 
3 | 4 | setuid=_powerdns 5 | 6 | # MySQL 7 | #launch=gmysql 8 | #gmysql-host=127.0.0.1 9 | #gmysql-dbname=pdns 10 | #gmysql-user=pdns 11 | #gmysql-password=pdns 12 | 13 | # PostgreSQL 14 | #launch=gpgsql 15 | #gpgsql-host=127.0.0.1 16 | #gpgsql-dbname=pdns 17 | #gpgsql-user=pdns 18 | #gpgsql-password=pdns 19 | 20 | # SQLite 3 21 | launch=gsqlite3 22 | gsqlite3-database=/var/pdns/pdns.sqlite 23 | gsqlite3-dnssec=/var/pdns/pdnssec.sqlite 24 | 25 | # BIND zone files 26 | #launch=bind 27 | #bind-config=/var/named/etc/named.conf 28 | 29 | 30 | ## Upstream's standard configuration sample: 31 | 32 | # Autogenerated configuration file template 33 | ################################# 34 | # 8bit-dns Allow 8bit dns queries 35 | # 36 | # 8bit-dns=no 37 | 38 | ################################# 39 | # allow-axfr-ips Allow zonetransfers only to these subnets 40 | # 41 | # allow-axfr-ips=127.0.0.0/8,::1 42 | # disallow all IPs, except those explicitly allowed by domainmetadata records 43 | # https://doc.powerdns.com/authoritative/domainmetadata.html#allow-axfr-from 44 | 45 | ################################# 46 | # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. 47 | # 48 | # allow-dnsupdate-from=127.0.0.0/8,::1 49 | allow-dnsupdate-from= 50 | 51 | ################################# 52 | # allow-notify-from Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies. 
53 | # 54 | # allow-notify-from=0.0.0.0/0,::/0 55 | allow-notify-from=127.0.0.0/8,::1 56 | 57 | ################################# 58 | # allow-unsigned-notify Allow unsigned notifications for TSIG secured domains 59 | # 60 | # allow-unsigned-notify=yes 61 | allow-unsigned-notify=no 62 | 63 | ################################# 64 | # allow-unsigned-supermaster Allow supermasters to create zones without TSIG signed NOTIFY 65 | # 66 | # allow-unsigned-supermaster=yes 67 | allow-unsigned-supermaster=no 68 | 69 | ################################# 70 | # also-notify When notifying a domain, also notify these nameservers 71 | # 72 | # also-notify= 73 | also-notify=127.0.0.1:10053, [::1]:10053 74 | 75 | ################################# 76 | # any-to-tcp Answer ANY queries with tc=1, shunting to TCP 77 | # 78 | # any-to-tcp=yes 79 | 80 | ################################# 81 | # api Enable/disable the REST API (including HTTP listener) 82 | # 83 | # api=no 84 | 85 | ################################# 86 | # api-key Static pre-shared authentication key for access to the REST API 87 | # 88 | # api-key= 89 | 90 | ################################# 91 | # api-logfile Location of the server logfile (used by the REST API) 92 | # 93 | # api-logfile=/var/log/pdns.log 94 | 95 | ################################# 96 | # api-readonly Disallow data modification through the REST API when set 97 | # 98 | # api-readonly=no 99 | 100 | ################################# 101 | # axfr-lower-serial Also AXFR a zone from a master with a lower serial 102 | # 103 | # axfr-lower-serial=no 104 | 105 | ################################# 106 | # cache-ttl Seconds to store packets in the PacketCache 107 | # 108 | # cache-ttl=20 109 | 110 | ################################# 111 | # carbon-interval Number of seconds between carbon (graphite) updates 112 | # 113 | # carbon-interval=30 114 | 115 | ################################# 116 | # carbon-ourname If set, overrides our reported hostname for carbon stats 
117 | # 118 | # carbon-ourname= 119 | 120 | ################################# 121 | # carbon-server If set, send metrics in carbon (graphite) format to this server IP address 122 | # 123 | # carbon-server= 124 | 125 | ################################# 126 | # chroot If set, chroot to this directory for more security 127 | # 128 | # chroot= 129 | 130 | ################################# 131 | # config-dir Location of configuration directory (pdns.conf) 132 | # 133 | # config-dir=/etc/pdns 134 | 135 | ################################# 136 | # config-name Name of this virtual configuration - will rename the binary image 137 | # 138 | # config-name= 139 | 140 | ################################# 141 | # control-console Debugging switch - don't use 142 | # 143 | # control-console=no 144 | 145 | ################################# 146 | # daemon Operate as a daemon 147 | # 148 | # daemon=no 149 | 150 | ################################# 151 | # default-ksk-algorithm Default KSK algorithm 152 | # 153 | # default-ksk-algorithm=ecdsa256 154 | 155 | ################################# 156 | # default-ksk-size Default KSK size (0 means default) 157 | # 158 | # default-ksk-size=0 159 | 160 | ################################# 161 | # default-soa-edit Default SOA-EDIT value 162 | # 163 | # default-soa-edit= 164 | default-soa-edit=INCREMENT-WEEKS 165 | 166 | ################################# 167 | # default-soa-edit-signed Default SOA-EDIT value for signed zones 168 | # 169 | # default-soa-edit-signed= 170 | default-soa-edit-signed=INCREMENT-WEEKS 171 | 172 | ################################# 173 | # default-soa-mail mail address to insert in the SOA record if none set in the backend 174 | # 175 | # default-soa-mail= 176 | default-soa-mail=hostmaster@example.com 177 | 178 | ################################# 179 | # default-soa-name name to insert in the SOA record if none set in the backend 180 | # 181 | # default-soa-name=a.misconfigured.powerdns.server 182 | 
default-soa-name=dot.example.com 183 | 184 | ################################# 185 | # default-ttl Seconds a result is valid if not set otherwise 186 | # 187 | # default-ttl=3600 188 | default-ttl=86400 189 | 190 | ################################# 191 | # default-zsk-algorithm Default ZSK algorithm 192 | # 193 | # default-zsk-algorithm= 194 | 195 | ################################# 196 | # default-zsk-size Default ZSK size (0 means default) 197 | # 198 | # default-zsk-size=0 199 | 200 | ################################# 201 | # direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis 202 | # 203 | # direct-dnskey=no 204 | 205 | ################################# 206 | # disable-axfr Disable zonetransfers but do allow TCP queries 207 | # 208 | # disable-axfr=no 209 | 210 | ################################# 211 | # disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. 212 | # 213 | # disable-axfr-rectify=no 214 | 215 | ################################# 216 | # disable-syslog Disable logging to syslog, useful when running inside a supervisor that logs stdout 217 | # 218 | # disable-syslog=no 219 | 220 | ################################# 221 | # disable-tcp Do not listen to TCP queries 222 | # 223 | # disable-tcp=no 224 | 225 | ################################# 226 | # distributor-threads Default number of Distributor (backend) threads to start 227 | # 228 | # distributor-threads=3 229 | 230 | ################################# 231 | # dname-processing If we should support DNAME records 232 | # 233 | # dname-processing=no 234 | 235 | ################################# 236 | # dnssec-key-cache-ttl Seconds to cache DNSSEC keys from the database 237 | # 238 | # dnssec-key-cache-ttl=30 239 | 240 | ################################# 241 | # dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. 
242 | # 243 | # dnsupdate=no 244 | dnsupdate=yes 245 | 246 | ################################# 247 | # do-ipv6-additional-processing Do AAAA additional processing 248 | # 249 | # do-ipv6-additional-processing=yes 250 | 251 | ################################# 252 | # domain-metadata-cache-ttl Seconds to cache domain metadata from the database 253 | # 254 | # domain-metadata-cache-ttl=60 255 | 256 | ################################# 257 | # edns-subnet-processing If we should act on EDNS Subnet options 258 | # 259 | # edns-subnet-processing=no 260 | 261 | ################################# 262 | # entropy-source If set, read entropy from this file 263 | # 264 | # entropy-source=/dev/urandom 265 | 266 | ################################# 267 | # expand-alias Expand ALIAS records 268 | # 269 | # expand-alias=no 270 | 271 | ################################# 272 | # forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. 273 | # 274 | # forward-dnsupdate=yes 275 | 276 | ################################# 277 | # forward-notify IP addresses to forward received notifications to regardless of master or slave settings 278 | # 279 | # forward-notify= 280 | 281 | ################################# 282 | # guardian Run within a guardian process 283 | # 284 | # guardian=no 285 | 286 | ################################# 287 | # include-dir Include *.conf files from this directory 288 | # 289 | # include-dir= 290 | 291 | ################################# 292 | # launch Which backends to launch and order to query them in 293 | # 294 | # launch= 295 | 296 | ################################# 297 | # load-modules Load this module - supply absolute or relative path 298 | # 299 | # load-modules= 300 | 301 | ################################# 302 | # local-address Local IP addresses to which we bind 303 | # 304 | # local-address=0.0.0.0 305 | local-address=127.0.0.1 306 | 307 | ################################# 308 | # 
local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server 309 | # 310 | # local-address-nonexist-fail=yes 311 | 312 | ################################# 313 | # local-ipv6 Local IP address to which we bind 314 | # 315 | # local-ipv6=:: 316 | local-ipv6=::1 317 | 318 | ################################# 319 | # local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server 320 | # 321 | # local-ipv6-nonexist-fail=yes 322 | 323 | ################################# 324 | # local-port The port on which we listen 325 | # 326 | # local-port=53 327 | local-port=20053 328 | 329 | ################################# 330 | # log-dns-details If PDNS should log DNS non-erroneous details 331 | # 332 | # log-dns-details=no 333 | log-dns-details=yes 334 | 335 | ################################# 336 | # log-dns-queries If PDNS should log all incoming DNS queries 337 | # 338 | # log-dns-queries=no 339 | log-dns-queries=yes 340 | 341 | ################################# 342 | # log-timestamp Print timestamps in log lines 343 | # 344 | # log-timestamp=yes 345 | 346 | ################################# 347 | # logging-facility Log under a specific facility 348 | # 349 | # logging-facility= 350 | 351 | ################################# 352 | # loglevel Amount of logging. Higher is more. 
Do not set below 3 353 | # 354 | # loglevel=4 355 | 356 | ################################# 357 | # lua-axfr-script Script to be used to edit incoming AXFRs 358 | # 359 | # lua-axfr-script= 360 | 361 | ################################# 362 | # lua-dnsupdate-policy-script Lua script with DNS update policy handler 363 | # 364 | # lua-dnsupdate-policy-script= 365 | 366 | ################################# 367 | # lua-prequery-script Lua script with prequery handler (DO NOT USE) 368 | # 369 | # lua-prequery-script= 370 | 371 | ################################# 372 | # master Act as a master 373 | # 374 | # master=no 375 | master=yes 376 | 377 | ################################# 378 | # max-cache-entries Maximum number of entries in the query cache 379 | # 380 | # max-cache-entries=1000000 381 | 382 | ################################# 383 | # max-ent-entries Maximum number of empty non-terminals in a zone 384 | # 385 | # max-ent-entries=100000 386 | 387 | ################################# 388 | # max-nsec3-iterations Limit the number of NSEC3 hash iterations 389 | # 390 | # max-nsec3-iterations=500 391 | 392 | ################################# 393 | # max-packet-cache-entries Maximum number of entries in the packet cache 394 | # 395 | # max-packet-cache-entries=1000000 396 | 397 | ################################# 398 | # max-queue-length Maximum queuelength before considering situation lost 399 | # 400 | # max-queue-length=5000 401 | 402 | ################################# 403 | # max-signature-cache-entries Maximum number of signatures cache entries 404 | # 405 | # max-signature-cache-entries= 406 | 407 | ################################# 408 | # max-tcp-connection-duration Maximum time in seconds that a TCP DNS connection is allowed to stay open. 
409 | # 410 | # max-tcp-connection-duration=0 411 | 412 | ################################# 413 | # max-tcp-connections Maximum number of TCP connections 414 | # 415 | # max-tcp-connections=20 416 | 417 | ################################# 418 | # max-tcp-connections-per-client Maximum number of simultaneous TCP connections per client 419 | # 420 | # max-tcp-connections-per-client=0 421 | 422 | ################################# 423 | # max-tcp-transactions-per-conn Maximum number of subsequent queries per TCP connection 424 | # 425 | # max-tcp-transactions-per-conn=0 426 | 427 | ################################# 428 | # module-dir Default directory for modules 429 | # 430 | # module-dir=/usr/local/lib/pdns 431 | 432 | ################################# 433 | # negquery-cache-ttl Seconds to store negative query results in the QueryCache 434 | # 435 | # negquery-cache-ttl=60 436 | 437 | ################################# 438 | # no-shuffle Set this to prevent random shuffling of answers - for regression testing 439 | # 440 | # no-shuffle=off 441 | 442 | ################################# 443 | # non-local-bind Enable binding to non-local addresses by using FREEBIND / BINDANY socket options 444 | # 445 | # non-local-bind=no 446 | 447 | ################################# 448 | # only-notify Only send AXFR NOTIFY to these IP addresses or netmasks 449 | # 450 | # only-notify=0.0.0.0/0,::/0 451 | # disable default notifications: only-notify=0.0.0.0/32,::/128 452 | only-notify= 453 | 454 | ################################# 455 | # out-of-zone-additional-processing Do out of zone additional processing 456 | # 457 | # out-of-zone-additional-processing=yes 458 | 459 | ################################# 460 | # outgoing-axfr-expand-alias Expand ALIAS records during outgoing AXFR 461 | # 462 | # outgoing-axfr-expand-alias=no 463 | outgoing-axfr-expand-alias=yes 464 | 465 | ################################# 466 | # overload-queue-length Maximum queuelength moving to packetcache only 
467 | # 468 | # overload-queue-length=0 469 | 470 | ################################# 471 | # prevent-self-notification Don't send notifications to what we think is ourself 472 | # 473 | # prevent-self-notification=yes 474 | 475 | ################################# 476 | # query-cache-ttl Seconds to store query results in the QueryCache 477 | # 478 | # query-cache-ttl=20 479 | 480 | ################################# 481 | # query-local-address Source IP address for sending queries 482 | # 483 | # query-local-address=0.0.0.0 484 | 485 | ################################# 486 | # query-local-address6 Source IPv6 address for sending queries 487 | # 488 | # query-local-address6=:: 489 | 490 | ################################# 491 | # query-logging Hint backends that queries should be logged 492 | # 493 | # query-logging=no 494 | 495 | ################################# 496 | # queue-limit Maximum number of milliseconds to queue a query 497 | # 498 | # queue-limit=1500 499 | 500 | ################################# 501 | # receiver-threads Default number of receiver threads to start 502 | # 503 | # receiver-threads=1 504 | 505 | ################################# 506 | # resolver Use this resolver for ALIAS and the internal stub resolver 507 | # 508 | # resolver=no 509 | resolver=[::1]:53 510 | 511 | ################################# 512 | # retrieval-threads Number of AXFR-retrieval threads for slave operation 513 | # 514 | # retrieval-threads=2 515 | 516 | ################################# 517 | # reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket 518 | # 519 | # reuseport=no 520 | 521 | ################################# 522 | # security-poll-suffix Domain name from which to query security update notifications 523 | # 524 | # security-poll-suffix=secpoll.powerdns.com. 
525 | security-poll-suffix= 526 | 527 | ################################# 528 | # server-id Returned when queried for 'id.server' TXT or NSID, defaults to hostname - disabled or custom 529 | # 530 | # server-id= 531 | 532 | ################################# 533 | # setgid If set, change group id to this gid for more security 534 | # 535 | # setgid= 536 | 537 | ################################# 538 | # setuid If set, change user id to this uid for more security 539 | # 540 | # setuid= 541 | 542 | ################################# 543 | # signing-threads Default number of signer threads to start 544 | # 545 | # signing-threads=3 546 | 547 | ################################# 548 | # slave Act as a slave 549 | # 550 | # slave=no 551 | #slave=yes 552 | 553 | ################################# 554 | # slave-cycle-interval Schedule slave freshness checks once every .. seconds 555 | # 556 | # slave-cycle-interval=60 557 | 558 | ################################# 559 | # slave-renotify If we should send out notifications for slaved updates 560 | # 561 | # slave-renotify=no 562 | 563 | ################################# 564 | # soa-expire-default Default SOA expire 565 | # 566 | # soa-expire-default=604800 567 | 568 | ################################# 569 | # soa-minimum-ttl Default SOA minimum ttl 570 | # 571 | # soa-minimum-ttl=3600 572 | soa-minimum-ttl=86400 573 | 574 | ################################# 575 | # soa-refresh-default Default SOA refresh 576 | # 577 | # soa-refresh-default=10800 578 | soa-refresh-default=28800 579 | 580 | ################################# 581 | # soa-retry-default Default SOA retry 582 | # 583 | # soa-retry-default=3600 584 | soa-retry-default=7200 585 | 586 | ################################# 587 | # socket-dir Where the controlsocket will live, /var/run when unset and not chrooted 588 | # 589 | # socket-dir= 590 | 591 | ################################# 592 | # superslave Act as a superslave 593 | # 594 | # superslave=yes 595 | 596 | 
################################# 597 | # tcp-control-address If set, PowerDNS can be controlled over TCP on this address 598 | # 599 | # tcp-control-address= 600 | 601 | ################################# 602 | # tcp-control-port If set, PowerDNS can be controlled over TCP on this address 603 | # 604 | # tcp-control-port=53000 605 | 606 | ################################# 607 | # tcp-control-range If set, remote control of PowerDNS is possible over these networks only 608 | # 609 | # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 610 | 611 | ################################# 612 | # tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret 613 | # 614 | # tcp-control-secret= 615 | 616 | ################################# 617 | # tcp-fast-open Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size 618 | # 619 | # tcp-fast-open=0 620 | 621 | ################################# 622 | # tcp-idle-timeout Maximum time in seconds that a TCP DNS connection is allowed to stay open while being idle 623 | # 624 | # tcp-idle-timeout=5 625 | 626 | ################################# 627 | # traceback-handler Enable the traceback handler (Linux only) 628 | # 629 | # traceback-handler=yes 630 | 631 | ################################# 632 | # trusted-notification-proxy IP address of incoming notification proxy 633 | # 634 | # trusted-notification-proxy= 635 | 636 | ################################# 637 | # udp-truncation-threshold Maximum UDP response size before we truncate 638 | # 639 | # udp-truncation-threshold=1680 640 | 641 | ################################# 642 | # version-string PowerDNS version in packets - full, anonymous, powerdns or custom 643 | # 644 | # version-string=full 645 | version-string=anonymous 646 | 647 | ################################# 648 | # webserver Start a webserver for monitoring (api=yes also enables the HTTP listener) 649 
| # 650 | # webserver=no 651 | 652 | ################################# 653 | # webserver-address IP Address of webserver/API to listen on 654 | # 655 | # webserver-address=127.0.0.1 656 | 657 | ################################# 658 | # webserver-allow-from Webserver/API access is only allowed from these subnets 659 | # 660 | # webserver-allow-from=127.0.0.1,::1 661 | 662 | ################################# 663 | # webserver-password Password required for accessing the webserver 664 | # 665 | # webserver-password= 666 | 667 | ################################# 668 | # webserver-port Port of webserver/API to listen on 669 | # 670 | # webserver-port=8081 671 | 672 | ################################# 673 | # webserver-print-arguments If the webserver should print arguments 674 | # 675 | # webserver-print-arguments=no 676 | 677 | ################################# 678 | # write-pid Write a PID file 679 | # 680 | # write-pid=yes 681 | 682 | ################################# 683 | # xfr-max-received-mbytes Maximum number of megabytes received from an incoming XFR 684 | # 685 | # xfr-max-received-mbytes=100 686 | xfr-max-received-mbytes=1 687 | 688 | 689 | -------------------------------------------------------------------------------- /src/etc/pf.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: pf.conf,v 1.4 2018/07/10 19:28:35 henning Exp $ 2 | # 3 | # See pf.conf(5) and /etc/examples/pf.conf 4 | 5 | # read the log file: tcpdump -n -e -ttt -r /var/log/pflog 6 | # real-time logging: tcpdump -neq -ttt -i pflog0 7 | # tcpdump -nettti pflog0 action drop 8 | # tcpdump -vvopn -i enc0 9 | # show queue: pfctl -vvs queue 10 | # systat queues 11 | # show stats: pfctl -s info 12 | # systat pf 13 | # show states: pfctl -s states 14 | # systat states 15 | # table stats: pfctl -v -t martians -T show 16 | # show rule nr. 
4: pfctl -v -s rules -R 4 17 | # show rules, prepend rule numbers: pfctl -a '*' -vvsr 18 | # systat rules 19 | # show limits: pfctl -s memory 20 | 21 | # https://www.iana.org/assignments/iana-ipv4-special-registry/ 22 | # https://www.iana.org/assignments/iana-ipv6-special-registry/ 23 | table const persist counters file "/etc/pf.conf.table.martians" 24 | 25 | # Bad hosts 26 | table persist counters file "/etc/pf.conf.table.ban" 27 | 28 | # DNS name servers 29 | table persist counters file "/etc/pf.conf.table.dns" 30 | pdns = "20053" 31 | 32 | # Message submission agent (MSA) 33 | table persist counters file "/etc/pf.conf.table.msa" 34 | 35 | # Authenticated peers 36 | table persist counters 37 | 38 | # Options 39 | set loginterface egress 40 | set optimization normal 41 | set block-policy drop 42 | set syncookies adaptive (start 25%, end 12%) 43 | set skip on { lo0 } 44 | 45 | # Queue - HFSC with FQ-CoDel (reduce bufferbloat and achieve fairness) 46 | # (!) specify the upper bound within 90-95% of the expected bandwidth (bit/s) 47 | # (!) raise the default queue limit from 50 to 1024 (1:1 ratio with flows) 48 | queue outq on vio0 bandwidth 750M max 750M flows 1024 qlimit 1024 default 49 | 50 | # Sanitizing packet content 51 | # no-df + random-id = unique IP identifiers 52 | # max-mss must match net.inet.tcp.mssdflt in /etc/sysctl.conf 53 | anchor "scrub" in { 54 | match in all scrub (no-df random-id) 55 | } 56 | 57 | # Classification -- classify packets based on the defined firewall policy. 
58 | 59 | # Block spoofed traffic 60 | antispoof log quick for { (egress) lo0 } 61 | 62 | # Block undesirable traffic 63 | anchor "block/all" 64 | anchor "block/in-quick-scan" in proto tcp 65 | anchor "block/in-quick-bad" in on egress 66 | anchor "block/out-quick-bad" out on egress 67 | load anchor "block" from "/etc/pf.conf.anchor.block" 68 | 69 | # Explicit pass 70 | anchor "external" on egress { 71 | 72 | # Outbound 73 | anchor out proto { tcp udp } from (egress) { 74 | # DNS 75 | pass log (user) proto { tcp udp } \ 76 | to port domain \ 77 | group { _unbound _nsd wheel } \ 78 | tag SELF_INET 79 | 80 | # NTP 81 | pass log (user) proto udp \ 82 | to port ntp \ 83 | user { _ntp root } \ 84 | tag SELF_INET 85 | 86 | # DHCP 87 | pass log (user) proto udp \ 88 | from port bootpc to port bootps \ 89 | tag SELF_INET 90 | 91 | # WWW 92 | pass log (user) proto tcp \ 93 | to port { http https } \ 94 | group { _ntp _pfetch _pkgfetch _relayd _syspatch wheel } \ 95 | tag SELF_INET 96 | 97 | # SSH, WHOIS 98 | pass log (user) proto tcp \ 99 | to port { ssh whois } \ 100 | group { wheel tsig } \ 101 | tag SELF_INET 102 | 103 | # MSA 104 | pass log proto tcp \ 105 | to port { smtps submission } \ 106 | user _smtpd \ 107 | tag SELF_INET 108 | } 109 | 110 | # Inbound 111 | anchor in proto { tcp udp } to (egress) { 112 | # SSH 113 | pass log proto tcp \ 114 | to port ssh \ 115 | keep state (max-src-conn-rate 100/10) \ 116 | tag INET_SELF 117 | 118 | # DNS 119 | pass log proto { tcp udp } \ 120 | to port domain \ 121 | tag INET_SELF 122 | # 123 | pass log proto { tcp udp } \ 124 | from to port domain \ 125 | keep state (max 500, max-src-conn-rate 100/10) \ 126 | tag INET_SELF 127 | # 128 | pass in log proto { tcp udp } \ 129 | from to port domain rdr-to (lo0) port $pdns \ 130 | keep state (max 500, max-src-conn-rate 5/1) \ 131 | tag INET_SELF 132 | } 133 | 134 | } # "external" end 135 | 136 | # ICMP and ICMP6 137 | anchor "icmp/ipv4-icmp" inet proto icmp 138 | anchor 
"icmp/ipv6-icmp" inet6 proto icmp6 139 | load anchor "icmp" from "/etc/pf.conf.anchor.icmp" 140 | 141 | -------------------------------------------------------------------------------- /src/etc/pf.conf.anchor.block: -------------------------------------------------------------------------------- 1 | # (!) disable "log" with small /var/log 2 | logblock = "log" # "log" or "" 3 | 4 | anchor "all" { 5 | block $logblock all 6 | } 7 | 8 | anchor "in-quick-scan" in proto tcp { 9 | # Confound network scanners 10 | block $logblock quick proto tcp all flags SF/SFRA 11 | ##block quick proto tcp all flags SFUP/SFRAU 12 | block $logblock quick proto tcp all flags FPU/SFRAUP 13 | block $logblock quick proto tcp all flags /SFRA 14 | block $logblock quick proto tcp all flags F/SFRA 15 | block $logblock quick proto tcp all flags U/SFRAU 16 | ##block quick proto tcp all flags P 17 | block $logblock quick proto tcp all flags FUP/FUP 18 | } 19 | 20 | anchor "in-quick-bad" in on egress { 21 | # Block incoming bad packets 22 | block $logblock quick inet proto icmp all icmp-type redir 23 | block $logblock quick inet6 proto icmp6 all icmp6-type redir 24 | 25 | # Block incoming traffic from the undesirable 26 | block $logblock quick \ 27 | from { no-route urpf-failed } 28 | } 29 | 30 | anchor "out-quick-bad" out on egress { 31 | # Block outgoing traffic to the undesirable, and tell us it's blocked 32 | block return $logblock quick \ 33 | to { no-route } 34 | 35 | # Block outgoing traffic that hasn't been translated 36 | block $logblock quick inet from ! (egress:0) 37 | } 38 | -------------------------------------------------------------------------------- /src/etc/pf.conf.anchor.icmp: -------------------------------------------------------------------------------- 1 | # (!) 
disable "log" with small /var/log 2 | logicmp = "" # "log" or "" 3 | 4 | anchor "ipv4-icmp" inet proto icmp { 5 | # https://datatracker.ietf.org/doc/draft-ietf-opsec-icmp-filtering/history/ 6 | # https://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04 7 | pass $logicmp inet proto icmp icmp-type 3 code 0 max-pkt-rate 200/10 8 | pass $logicmp inet proto icmp icmp-type 3 code 1 max-pkt-rate 200/10 9 | pass in $logicmp inet proto icmp to (self) icmp-type 3 code 2 max-pkt-rate 200/10 10 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 2 11 | pass in $logicmp inet proto icmp to (self) icmp-type 3 code 3 max-pkt-rate 200/10 12 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 3 13 | pass $logicmp inet proto icmp icmp-type 3 code 4 max-pkt-rate 200/10 14 | pass in $logicmp inet proto icmp to (self) icmp-type 3 code 5 max-pkt-rate 200/10 15 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 5 16 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 7 17 | pass in $logicmp inet proto icmp to (self) icmp-type 3 code 11 max-pkt-rate 200/10 18 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 11 19 | pass in $logicmp inet proto icmp to (self) icmp-type 3 code 12 max-pkt-rate 200/10 20 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 12 21 | pass $logicmp inet proto icmp icmp-type 3 code 13 max-pkt-rate 200/10 22 | pass in $logicmp inet proto icmp to (self) icmp-type 3 code 14 max-pkt-rate 200/10 23 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 14 24 | pass in $logicmp inet proto icmp to (self) icmp-type 3 code 15 max-pkt-rate 200/10 25 | pass out $logicmp inet proto icmp from (self) icmp-type 3 code 15 26 | pass in $logicmp inet proto icmp to (self) icmp-type 5 code 0 max-pkt-rate 200/10 27 | pass out $logicmp inet proto icmp from (self) icmp-type 5 code 0 28 | pass in $logicmp inet proto icmp to (self) icmp-type 5 code 1 max-pkt-rate 200/10 29 | pass out $logicmp 
inet proto icmp from (self) icmp-type 5 code 1 30 | pass in $logicmp inet proto icmp to (self) icmp-type 5 code 2 max-pkt-rate 200/10 31 | pass out $logicmp inet proto icmp from (self) icmp-type 5 code 2 32 | pass in $logicmp inet proto icmp to (self) icmp-type 5 code 3 max-pkt-rate 200/10 33 | pass out $logicmp inet proto icmp from (self) icmp-type 5 code 3 34 | pass $logicmp inet proto icmp icmp-type 11 code 0 max-pkt-rate 200/10 35 | pass $logicmp inet proto icmp icmp-type 11 code 1 max-pkt-rate 200/10 36 | pass in $logicmp inet proto icmp to (self) icmp-type 12 code 0 max-pkt-rate 200/10 37 | pass out $logicmp inet proto icmp from (self) icmp-type 12 code 0 38 | pass in $logicmp inet proto icmp to (self) icmp-type 12 code 1 max-pkt-rate 200/10 39 | pass out $logicmp inet proto icmp from (self) icmp-type 12 code 1 40 | pass $logicmp inet proto icmp icmp-type 8 code 0 max-pkt-rate 200/10 41 | pass $logicmp inet proto icmp icmp-type 0 code 0 max-pkt-rate 200/10 42 | pass in $logicmp inet proto icmp to (self) icmp-type 10 code 0 max-pkt-rate 200/10 43 | pass out $logicmp inet proto icmp from (self) icmp-type 10 code 0 44 | pass in $logicmp inet proto icmp to (self) icmp-type 9 code 0 max-pkt-rate 200/10 45 | pass out $logicmp inet proto icmp from (self) icmp-type 9 code 0 46 | pass in $logicmp inet proto icmp to (self) icmp-type 13 code 0 max-pkt-rate 200/10 47 | pass out $logicmp inet proto icmp from (self) icmp-type 13 code 0 48 | pass in $logicmp inet proto icmp to (self) icmp-type 14 code 0 max-pkt-rate 200/10 49 | pass out $logicmp inet proto icmp from (self) icmp-type 14 code 0 50 | pass in $logicmp inet proto icmp to (self) icmp-type 17 code 0 max-pkt-rate 200/10 51 | pass out $logicmp inet proto icmp from (self) icmp-type 17 code 0 52 | pass in $logicmp inet proto icmp to (self) icmp-type 18 code 0 max-pkt-rate 200/10 53 | pass out $logicmp inet proto icmp from (self) icmp-type 18 code 0 54 | } 55 | 56 | anchor "ipv6-icmp" inet6 proto icmp6 { 57 | # RFC 
4890: Recommendations for Filtering ICMPv6 Messages in Firewalls 58 | pass $logicmp inet6 proto icmp6 icmp6-type 1 code 0 max-pkt-rate 200/10 59 | pass $logicmp inet6 proto icmp6 icmp6-type 1 code 1 max-pkt-rate 200/10 60 | pass in $logicmp inet6 proto icmp6 to (self) icmp6-type 1 code 2 max-pkt-rate 200/10 61 | pass out $logicmp inet6 proto icmp6 from (self) icmp6-type 1 code 2 62 | pass $logicmp inet6 proto icmp6 icmp6-type 1 code 3 max-pkt-rate 200/10 63 | pass $logicmp inet6 proto icmp6 icmp6-type 1 code 4 max-pkt-rate 200/10 64 | pass in $logicmp inet6 proto icmp6 to (self) icmp6-type 1 code 5 max-pkt-rate 200/10 65 | pass out $logicmp inet6 proto icmp6 from (self) icmp6-type 1 code 5 66 | pass $logicmp inet6 proto icmp6 icmp6-type 1 code 6 max-pkt-rate 200/10 67 | pass $logicmp inet6 proto icmp6 icmp6-type 2 code 0 max-pkt-rate 200/10 68 | pass $logicmp inet6 proto icmp6 icmp6-type 3 code 0 max-pkt-rate 200/10 69 | pass $logicmp inet6 proto icmp6 icmp6-type 3 code 1 max-pkt-rate 200/10 70 | pass in $logicmp inet6 proto icmp6 to (self) icmp6-type 4 code 0 max-pkt-rate 200/10 71 | pass out $logicmp inet6 proto icmp6 from (self) icmp6-type 4 code 0 72 | pass in $logicmp inet6 proto icmp6 to (self) icmp6-type 4 code 1 max-pkt-rate 200/10 73 | pass out $logicmp inet6 proto icmp6 from (self) icmp6-type 4 code 1 74 | pass $logicmp inet6 proto icmp6 icmp6-type 4 code 2 max-pkt-rate 200/10 75 | pass $logicmp inet6 proto icmp6 icmp6-type 128 code 0 max-pkt-rate 200/10 76 | pass $logicmp inet6 proto icmp6 icmp6-type 129 code 0 max-pkt-rate 200/10 77 | 78 | # Mobile IPv6 messages that are needed to assist mobility 79 | pass $logicmp inet6 proto icmp6 icmp6-type { 144 145 146 147 } max-pkt-rate 200/10 80 | 81 | # RFC 4890, section 4.4 82 | # ff02::1: ff00:2: 83 | pass $logicmp inet6 proto icmp6 \ 84 | to { (self) ff02::/16 } \ 85 | icmp6-type { 130 131 132 133 134 135 136 137 141 142 143 148 149 151 152 153 } \ 86 | max-pkt-rate 200/10 87 | } 88 | 
-------------------------------------------------------------------------------- /src/etc/pf.conf.table.ban: -------------------------------------------------------------------------------- 1 | # /sbin/pfctl -t ban -T replace -f /etc/pf.conf.table.ban 2 | -------------------------------------------------------------------------------- /src/etc/pf.conf.table.dns: -------------------------------------------------------------------------------- 1 | # pfctl -t dns -T replace -f /etc/pf.conf.table.dns 2 | 3 | # HE.net 4 | # 5 | # notify: ns1.he.net 6 | 216.218.130.2 7 | 2001:470:100::2 8 | # axfr: slave.dns.he.net 9 | 216.218.133.2 10 | 2001:470:600::2 11 | 12 | # dnslave.1984.is 13 | # 14 | # notify and axfr 15 | 93.95.224.6 16 | 17 | # GratisDNS.com 18 | # 19 | # notify 20 | 91.221.196.11 21 | # axfr 22 | 91.221.196.0/28 23 | 2001:67c:3c0:0010::9 24 | 2001:67c:3c0:0010::11 25 | 26 | # Puck.nether.net 27 | # 28 | # axfr 29 | 204.42.254.5 30 | 2001:418:3f4::5 31 | 32 | # FreeDNS.afraid.org 33 | # 34 | # notify and axfr 35 | 69.65.50.192 36 | # axfr 37 | 2001:1850:1:5:800::6b 38 | 39 | # *.example.com 40 | # 41 | # notify and axfr 42 | -------------------------------------------------------------------------------- /src/etc/pf.conf.table.martians: -------------------------------------------------------------------------------- 1 | # /sbin/pfctl -t martians -T replace -f /etc/pf.conf.table.martians 2 | # 3 | # https://www.iana.org/assignments/iana-ipv4-special-registry/ 4 | 0.0.0.0/8 5 | 10.0.0.0/8 6 | 100.64.0.0/10 7 | 127.0.0.0/8 8 | 169.254.0.0/16 9 | 172.16.0.0/12 10 | 192.0.0.0/24 11 | 192.0.0.0/29 12 | 192.0.0.8/32 13 | #192.0.0.9/32 14 | #192.0.0.10/32 15 | 192.0.0.170/32 16 | 192.0.0.171/32 17 | 192.0.2.0/24 18 | #192.31.196.0/24 19 | #192.52.193.0/24 20 | 192.88.99.0/24 21 | 192.168.0.0/16 22 | #192.175.48.0/24 23 | 198.18.0.0/15 24 | 198.51.100.0/24 25 | 203.0.113.0/24 26 | 240.0.0.0/4 27 | 255.255.255.255/32 28 | # 
https://www.iana.org/assignments/iana-ipv6-special-registry/ 29 | ::1/128 30 | ::/128 31 | ::ffff:0:0/96 32 | #64:ff9b::/96 33 | 64:ff9b:1::/48 34 | 100::/64 35 | 2001::/23 36 | #2001::/32 37 | #2001:1::1/128 38 | 2001:2::/48 39 | #2001:3::/32 40 | #2001:4:112::/48 41 | #2001:5::/32 42 | 2001:10::/28 43 | #2001:20::/28 44 | 2001:db8::/32 45 | #2002::/16 46 | #2620:4f:8000::/48 47 | fc00::/7 48 | #fe80::/10 49 | -------------------------------------------------------------------------------- /src/etc/pf.conf.table.msa: -------------------------------------------------------------------------------- 1 | # /sbin/pfctl -t msa -T replace -f /etc/pf.conf.table.msa 2 | # 3 | # Caesonia 4 | 203.0.113.1 5 | 2001:0db8::1 6 | 203.0.113.2 7 | 2001:0db8::2 8 | -------------------------------------------------------------------------------- /src/etc/rc.conf.local: -------------------------------------------------------------------------------- 1 | check_quotas=NO 2 | nsd_flags= 3 | pkg_scripts=pdns_server 4 | #slaacd_flags=NO 5 | sndiod_flags=NO 6 | unbound_flags= 7 | -------------------------------------------------------------------------------- /src/etc/resolv.conf: -------------------------------------------------------------------------------- 1 | # unbound 2 | nameserver ::1 3 | nameserver 127.0.0.1 4 | # fallback 5 | nameserver 2001:470:20::2 6 | nameserver 74.82.42.42 7 | nameserver 2001:4860:4860::8888 8 | nameserver 8.8.8.8 9 | family inet6 inet4 10 | lookup file bind 11 | -------------------------------------------------------------------------------- /src/etc/ssh/sshd_banner: -------------------------------------------------------------------------------- 1 | Look out behind you! 
2 | -------------------------------------------------------------------------------- /src/etc/ssh/sshd_config: -------------------------------------------------------------------------------- 1 | # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ 2 | 3 | # This is the sshd server system-wide configuration file. See 4 | # sshd_config(5) for more information. 5 | 6 | # The strategy used for options in the default sshd_config shipped with 7 | # OpenSSH is to specify options with their default value where 8 | # possible, but leave them commented. Uncommented options override the 9 | # default value. 10 | 11 | # (!) see usr/local/share/doc/caesonia/OpenSSH_Principals.md 12 | 13 | #Port 22 14 | #AddressFamily any 15 | #ListenAddress 0.0.0.0 16 | #ListenAddress :: 17 | 18 | #HostKey /etc/ssh/ssh_host_rsa_key 19 | #HostKey /etc/ssh/ssh_host_ecdsa_key 20 | #HostKey /etc/ssh/ssh_host_ed25519_key 21 | 22 | # https://man.openbsd.org/sshd_config.5#HostKeyAlgorithms 23 | #HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 24 | #HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub 25 | 26 | #TrustedUserCAKeys /etc/ssh/ca/.ssh/ssh_ca_ed25519.pub 27 | #RevokedKeys /etc/ssh/ca/ssh_ca.krl 28 | 29 | # https://man.openbsd.org/sshd_config.5#CASignatureAlgorithms 30 | #CASignatureAlgorithms ssh-ed25519 31 | 32 | # Ciphers and keying 33 | #RekeyLimit default none 34 | 35 | # Logging 36 | #SyslogFacility AUTH 37 | #LogLevel INFO 38 | 39 | # Authentication: 40 | 41 | AllowGroups wheel tsig authdns 42 | 43 | LoginGraceTime 1m # default: 2m 44 | PermitRootLogin no 45 | #StrictModes yes 46 | #MaxAuthTries 6 47 | #MaxSessions 10 48 | 49 | #PubkeyAuthentication yes 50 | # http://man.openbsd.org/sshd_config.5#PubkeyAcceptedKeyTypes 51 | #PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 52 | 53 | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 54 | # but this is overridden so installations will only check .ssh/authorized_keys 
55 | #AuthorizedKeysFile none # default: .ssh/authorized_keys 56 | 57 | # http://man.openbsd.org/sshd_config.5#AuthorizedPrincipalsFile 58 | #AuthorizedPrincipalsFile /etc/ssh/principals/%u # default: none 59 | 60 | #AuthorizedKeysCommand none 61 | #AuthorizedKeysCommandUser nobody 62 | 63 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 64 | #HostbasedAuthentication no 65 | # Change to yes if you don't trust ~/.ssh/known_hosts for 66 | # HostbasedAuthentication 67 | #IgnoreUserKnownHosts no 68 | # Don't read the user's ~/.rhosts and ~/.shosts files 69 | #IgnoreRhosts yes 70 | 71 | # To disable tunneled clear text passwords, change to no here! 72 | #PasswordAuthentication no # default: yes 73 | #PermitEmptyPasswords no 74 | 75 | # Change to no to disable s/key passwords 76 | #ChallengeResponseAuthentication yes 77 | 78 | #AllowAgentForwarding yes 79 | AllowTcpForwarding no # default: yes 80 | #GatewayPorts no 81 | #X11Forwarding no 82 | #X11DisplayOffset 10 83 | #X11UseLocalhost yes 84 | #PermitTTY yes 85 | #PrintMotd yes 86 | #PrintLastLog yes 87 | #TCPKeepAlive yes 88 | #PermitUserEnvironment no 89 | #Compression delayed 90 | #ClientAliveInterval 0 91 | #ClientAliveCountMax 3 92 | #UseDNS no 93 | #PidFile /var/run/sshd.pid 94 | #MaxStartups 10:30:100 95 | #PermitTunnel no 96 | #ChrootDirectory none 97 | #VersionAddendum none 98 | 99 | # no default banner path 100 | Banner /etc/ssh/sshd_banner # default: none 101 | 102 | # override default of no subsystems 103 | Subsystem sftp internal-sftp # internal-sftp for ChrootDirectory 104 | # default: /usr/libexec/sftp-server 105 | 106 | # Example of overriding settings on a per-user basis 107 | #Match User anoncvs 108 | # X11Forwarding no 109 | # AllowTcpForwarding no 110 | # PermitTTY no 111 | # ForceCommand cvs server 112 | 113 | Match Group wheel 114 | AllowTcpForwarding yes 115 | # PermitOpen host:port 116 | 117 | Match Group authdns 118 | AllowTcpForwarding no 119 | ClientAliveInterval 15 
# default 0 120 | ClientAliveCountMax 3 # default 3 121 | ForceCommand /sbin/nologin # disable sftp 122 | 123 | Match Group tsig 124 | AllowTcpForwarding no 125 | AuthorizedKeysFile .ssh/authorized_keys 126 | PasswordAuthentication no 127 | Banner none 128 | ForceCommand tsig-fetch tsig.example.com 129 | PermitTTY no 130 | PermitUserRC no 131 | 132 | -------------------------------------------------------------------------------- /src/etc/sysctl.conf: -------------------------------------------------------------------------------- 1 | ddb.panic=0 # default: 1 2 | kern.splassert=2 # default: 1 3 | -------------------------------------------------------------------------------- /src/etc/weekly.local: -------------------------------------------------------------------------------- 1 | next_part "TSIG Wizard:" 2 | /usr/local/bin/tsig-secret tsig.example.com 3 | /usr/local/bin/tsig-change tsig.example.com 4 | /usr/local/bin/tsig-share tsig.example.com 5 | 6 | -------------------------------------------------------------------------------- /src/usr/local/bin/nsec3salt: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # nsec3salt: NSEC3PARAM random SALT generator 3 | # for DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (rfc5155) 4 | 5 | set -o errexit 6 | set -o nounset 7 | 8 | # SHA-1 calculate the message digest for 512 bytes of random 9 | readonly SALT="$(dd if=/dev/random of=/dev/stdout count=1 bs=512 | sha1)" 10 | # The salt SHOULD be at least 64 bits long and unpredictable (rfc5155#section-12.1.1) 11 | # i.e. 
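the first 16 hexadecimal characters of the digest = 64 bits (8 bytes)
printf "%.16s" "${SALT}"

--------------------------------------------------------------------------------
/src/usr/local/bin/pdns-backup:
--------------------------------------------------------------------------------
#!/bin/sh
# PowerDNS SQLite Backup
#
# Exports every zone known to PowerDNS as a zone file plus its DNSSEC key
# material (SQL to File), then dumps and copies the SQLite databases while
# pdns_server is stopped (SQL to SQL).  Must run as root.
#
# Environment overrides: KEY_DIR, ZONE_DIR, DB_DIR.

set -o errexit
set -o nounset

# Bail out if non-privileged UID
[ 0 -eq "$(id -u)" ] || exit 1

KEY_DIR="${KEY_DIR:-/etc/ssl/dns}"
ZONE_DIR="${ZONE_DIR:-/var/nsd/zones/master}"
DB_DIR="${DB_DIR:-/var/pdns}"
PDNS_DB="pdns.sqlite pdnssec.sqlite"

# Private keys go to a root-only directory; the public DNSKEY RRs sit next to it
mkdir -p "${KEY_DIR}/private"
chmod 755 "${KEY_DIR}"
chmod 700 "${KEY_DIR}/private"

mkdir -p "${ZONE_DIR}"
chmod 755 "${ZONE_DIR}"

mkdir -p "${DB_DIR}"
chmod 750 "${DB_DIR}"
chown _powerdns:wheel "${DB_DIR}"

# Everything written below (keys, zone files, dumps) is readable by root only
umask 077

# SQL to File
while read -r _zone
do
	# The zone list may contain blank lines; there is nothing to export for them
	[ -n "${_zone}" ] || continue
	# Key ID (column 5) and key format, i.e. CSK (column 2), of this zone's
	# key as printed by pdnsutil list-keys; empty when the zone has no key.
	# Plain assignments: "local" only makes sense inside a function.
	_id=$(pdnsutil list-keys "${_zone}" | awk -v name="$_zone" '$0 ~ name { print $5 }')
	_sk=$(pdnsutil list-keys "${_zone}" | awk -v name="$_zone" '$0 ~ name { print $2 }')
	# Export key
	if [ "${_id}" ]
	then
		# Private key
		pdnsutil export-zone-key "${_zone}" "${_id}" \
			> "${KEY_DIR}"/private/"${_zone}"."${_sk}"
		# DNSKEY RR
		pdnsutil export-zone-dnskey "${_zone}" "${_id}" \
			> "${KEY_DIR}"/"${_zone}".DNSKEY
	fi
	# Export zone via AXFR from the local PowerDNS (port 20053)
	# - remove last (SOA) RR
	# - add parenthesis to SOA RR
	# - remove DNSSEC RRSet
	drill -p 20053 AXFR "${_zone}" @localhost \
		| sed -e '$ d' \
		      -e '/SOA/ s/.*\. /& ( /' \
		      -e '/SOA/ s/$/ )/' \
		      -e '/NSEC3/d' \
		      -e '/RRSIG/d' \
		      -e '/DNSKEY/d' \
		> "${ZONE_DIR}"/"${_zone}".zone
done << EOF
$(pdnsutil list-all-zones)
EOF

# SQL to SQL
# Stop the server so the databases are quiescent.  The EXIT trap starts it
# again whichever way the script ends, so a failing dump or copy under
# errexit can no longer leave the name server down.
rcctl stop pdns_server
trap 'rcctl start pdns_server' EXIT
for _db in ${PDNS_DB}
do
	sqlite3 "${DB_DIR}"/"${_db}" .dump > "${DB_DIR}"/"${_db}".dump
	cp "${DB_DIR}"/"${_db}" "${DB_DIR}"/"${_db}".backup
done

--------------------------------------------------------------------------------
/src/usr/local/bin/rmchangelist:
--------------------------------------------------------------------------------
#!/bin/sh
# rmchangelist - remove local changelist backups
#
# For every path listed in /etc/changelist.local (optionally prefixed with
# "+"), delete the copies security(8) keeps under /var/backups, where the
# path's slashes are turned into underscores (e.g. /etc/foo -> etc_foo*).
# Must run as root.

set -o errexit
set -o nounset

# Bail out if non-privileged UID
[ 0 -eq "$(id -u)" ] || exit 1

changelist_local="/etc/changelist.local"

if [ -r "${changelist_local}" ]
then
	# Walk the list directly instead of rewriting it into a shell script
	# and executing it: only lines that are absolute paths are acted on;
	# comments and anything else are skipped rather than run as commands.
	# The "|| [ -n ... ]" also processes a final line without a newline.
	while read -r _entry || [ -n "${_entry}" ]
	do
		_entry="${_entry#+}"
		case "${_entry}" in
		/*)
			_backup="$(printf '%s\n' "${_entry#/}" | sed 's|/|_|g')"
			# -f: a path that has no backups yet is not an error
			rm -f /var/backups/"${_backup}"*
			;;
		esac
	done < "${changelist_local}"
else
	# Fails loudly and sets the exit status when the list is missing
	ls "${changelist_local}"
fi
--------------------------------------------------------------------------------
/src/usr/local/bin/tsig-change:
--------------------------------------------------------------------------------
#!/bin/sh
# Change TSIG secret for NSD and PowerDNS: tsig-change name [algorithm]
# (!)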
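Secret keys should be changed periodically: tsig-change tsig.example.com
#
# Reads the shared secret from KEY_DIR/private/<name> (as written by
# tsig-secret or installed by tsig-fetch), loads it into PowerDNS and copies
# it where nsd.conf includes it, then reconfigures NSD.  Must run as root.
#
# Environment overrides: KEY_DIR, NSD_DIR.

set -o errexit
set -o nounset

# Bail out if non-privileged UID
[ 0 -eq "$(id -u)" ] || exit 1

[ $# -ge 1 ] || { echo "usage: tsig-change name [algorithm]" >&2; exit 1; }

KEY_NAME="$1"
KEY_HMAC="${2:-hmac-sha512}"
KEY_DIR="${KEY_DIR:-/etc/ssl/dns}"
NSD_DIR="${NSD_DIR:-/var/nsd}"

# The NSD copy of the secret written below is root rw, group r
umask 137

[ -r "${KEY_DIR}/private/${KEY_NAME}" ] ||
	{ echo "tsig-change: ${KEY_DIR}/private/${KEY_NAME}: not readable" >&2; exit 1; }

# PowerDNS
# NOTE(review): pdnsutil takes the secret as a command-line argument, so it
# is briefly visible in ps(1) output while the import runs.
/usr/local/bin/pdnsutil import-tsig-key \
	"${KEY_NAME}" "${KEY_HMAC}" "$(cat "${KEY_DIR}/private/${KEY_NAME}")"

# NSD: nsd.conf pulls the secret in with "secret: include:"; check the
# resulting configuration (errexit stops here if it is broken) before
# asking nsd to reload it
cp "${KEY_DIR}/private/${KEY_NAME}" "${NSD_DIR}/etc/"
nsd-checkconf "${NSD_DIR}/etc/nsd.conf"
nsd-control reconfig

--------------------------------------------------------------------------------
/src/usr/local/bin/tsig-fetch:
--------------------------------------------------------------------------------
#!/bin/sh
# TSIG fetch: tsig-fetch name
# e.g. tsig-fetch tsig.example.com
#
# Receiving end of tsig-share: runs as the tsig account's forced ssh command
# (see sshd_config, Match Group tsig), reads the new secret from the
# session's stdin, checks that NSD accepts it, then installs and activates
# it via doas(1).

set -o errexit
set -o nounset

# Bail out if non-privileged UID
# (presumably the tsig account's UID as created by the installer — confirm)
[ 25353 -eq "$(id -u)" ] || exit 1

[ $# -ge 1 ] || { echo "usage: tsig-fetch name" >&2; exit 1; }

KEY_NAME="$1"
KEY_DIR="${KEY_DIR:-/etc/ssl/dns}"
VALIDATE="/usr/local/share/doc/dithematic/validate.tsig"
STAGED="${HOME}/.key/${KEY_NAME}"

# The staged copy must be private to this account
umask 077
mkdir -p "${HOME}/.key"

# Never leave a staged (possibly rejected) secret behind, whichever way we exit
trap 'rm -f "${STAGED}"' EXIT

# Download
cat - > "${STAGED}"

# Validate: validate.tsig is an nsd.conf fragment that includes ~/.key/tsig.*
nsd-checkconf "${VALIDATE}"

# Install
doas cp "${STAGED}" "${KEY_DIR}/private/"

# Change
doas tsig-change "${KEY_NAME}"

--------------------------------------------------------------------------------
/src/usr/local/bin/tsig-secret:
--------------------------------------------------------------------------------
#!/bin/sh
# random base64 encoded TSIG secret generator: tsig-secret name [bytes]
# The secret should be at least as long as the keyed message digest
# i.e. 16 bytes for HMAC-MD5
# 20 bytes for HMAC-SHA1
# e.g. 64 bytes for HMAC-SHA512 authentication algorithm:
# tsig-secret tsig.example.com
# (*) https://tools.ietf.org/html/rfc2845.html
#
# Writes KEY_DIR/private/<name> (root only); tsig-change then loads that
# file into PowerDNS and NSD.  Must run as root.

set -o errexit
set -o nounset

# Bail out if non-privileged UID
[ 0 -eq "$(id -u)" ] || exit 1

[ $# -ge 1 ] || { echo "usage: tsig-secret name [bytes]" >&2; exit 1; }

KEY_NAME="$1"
KEY_BYTES="${2:-64}"
KEY_DIR="${KEY_DIR:-/etc/ssl/dns}"

# bytes becomes dd's block size, so it must be a positive integer
case "${KEY_BYTES}" in
''|*[!0-9]*|0) echo "tsig-secret: bytes must be a positive integer" >&2; exit 1 ;;
esac

mkdir -p "${KEY_DIR}/private"
chmod 755 "${KEY_DIR}"
chmod 700 "${KEY_DIR}/private"

umask 077

# Generate a new secret with the first KEY_BYTES from random(4)
dd if=/dev/random of=/dev/stdout count=1 bs="${KEY_BYTES}" |
	openssl enc -base64 -A -out "${KEY_DIR}/private/${KEY_NAME}"

--------------------------------------------------------------------------------
/src/usr/local/bin/tsig-share:
--------------------------------------------------------------------------------
#!/bin/sh
# Share TSIG secrets with name servers: tsig-share name
# (!) Secrets should never be shared by more than two entities
# e.g.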
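tsig-share tsig.example.com
#
# Pushes KEY_DIR/private/<name> over ssh, as the tsig user, to each name
# server in NS; the remote side's forced command (tsig-fetch) reads the
# secret from stdin, validates and installs it.  Must run as root.
#
# Environment overrides: KEY_DIR, KEY_USER, NS.

set -o errexit
set -o nounset

# Bail out if non-privileged UID
[ 0 -eq "$(id -u)" ] || exit 1

[ $# -ge 1 ] || { echo "usage: tsig-share name" >&2; exit 1; }

KEY_NAME="$1"
KEY_DIR="${KEY_DIR:-/etc/ssl/dns}"
KEY_USER="${KEY_USER:-tsig}"
SSH_ID="/home/${KEY_USER}/.ssh/id_ed25519"
SSH_LOGIN="${KEY_USER}"
NS="${NS:-dig.example.com}" # (space-separated) domain name(s), or IP(s)

[ -r "${KEY_DIR}/private/${KEY_NAME}" ] ||
	{ echo "tsig-share: ${KEY_DIR}/private/${KEY_NAME}: not readable" >&2; exit 1; }

# VerifyHostKeyDNS=yes trusts SSHFP records only when the resolver returns
# them DNSSEC-validated; otherwise ssh falls back to prompting, which cannot
# succeed when run unattended from weekly(8).
# NOTE(review): consider -o BatchMode=yes for the cron case.
# Try every server even if one fails, and report the failures at the end.
_rc=0
for _ns in ${NS}
do
	ssh -i "${SSH_ID}" -l "${SSH_LOGIN}" -o VerifyHostKeyDNS=yes "${_ns}" exit \
		< "${KEY_DIR}/private/${KEY_NAME}" ||
		{ echo "tsig-share: ${_ns}: failed" >&2; _rc=1; }
done
exit "${_rc}"

--------------------------------------------------------------------------------
/src/usr/local/bin/zoneadd:
--------------------------------------------------------------------------------
#!/bin/sh
# Add a zone: env DDNS=false zoneadd name [algorithm]
#
# Creates the NSD zone configuration (master or slave role, taken from
# pdns.conf), adds the peer addresses to the pf "dns" table, then creates
# the zone in PowerDNS with DNSSEC (master only) and TSIG and opens it in
# $EDITOR.  Must run as root.
#
# Environment overrides: KEY_DIR, KEY_NAME, CSK, DNSKEY, MASTER, MASTER_IP,
# SLAVE_IP, FREE_SLAVE, DDNS, EDITOR.

set -o errexit
set -o nounset

# Bail out if non-privileged UID
[ 0 -eq "$(id -u)" ] || exit 1

[ $# -ge 1 ] || { echo "usage: zoneadd name [algorithm]" >&2; exit 1; }

GH_PROJECT="dithematic"
PREFIX="/usr/local"
DOCDIR="${PREFIX}/share/doc/${GH_PROJECT}"
BASESYSCONFDIR="/etc"
VARBASE="/var"

ZONE_NAME="$1"

NSD_DIR="${VARBASE}/nsd"
ZONE_DIR="${NSD_DIR}/zones/master"
KEY_DIR="${KEY_DIR:-/etc/ssl/dns}"
KEY_HMAC="${2:-hmac-sha512}"
DDNS="${DDNS:-false}"
# This host's domain: the FQDN with the short hostname stripped
DOMAIN=$(hostname | sed "s/$(hostname -s)\.//")

# New keys if missing
KEY_NAME="${KEY_NAME:-tsig.${ZONE_NAME}}"
CSK="${CSK:-${ZONE_NAME}.CSK}"
DNSKEY="${DNSKEY:-${ZONE_NAME}.DNSKEY}"

# Role: master or slave ("true"/"false"; an environment preset wins)
if grep -q "^master=yes" "${BASESYSCONFDIR}/pdns/pdns.conf"
then
	MASTER="${MASTER:-true}"
else
	MASTER="${MASTER:-false}"
fi

# Dithematic IP
MASTER_IP="${MASTER_IP:-\
203.0.113.3 \
2001:0db8::3 \
}"
# "-" rather than ":-" so that SLAVE_IP= / FREE_SLAVE= in the environment
# really disable them instead of silently falling back to the defaults
SLAVE_IP="${SLAVE_IP-\
203.0.113.4 \
2001:0db8::4 \
}" # empty to disable

# Vendor
FREE_SLAVE="${FREE_SLAVE-\
1984.is \
FreeDNS.afraid.org \
GratisDNS.com \
HE.net \
Puck.nether.net \
}" # empty to disable

# Configuration written below is root rw, group r
umask 137

ZONE_CONF="${NSD_DIR}/etc/nsd.conf.zone.${ZONE_NAME}"

# Old zone: refuse if either server already knows it, before anything is written
if [ -e "${ZONE_CONF}" ]
then
	echo "zoneadd: ${ZONE_CONF} exists" >&2
	exit 1
fi
if pdnsutil list-zone "${ZONE_NAME}" > /dev/null 2>&1
then
	echo "zoneadd: ${ZONE_NAME} already exists in PowerDNS" >&2
	exit 1
fi

# NSD
#

# New zone
printf "%s\n" "zone:" > "${ZONE_CONF}"
printf "\t%s\n" \
	"name: \"${ZONE_NAME}.\"" \
	"zonefile: \"slave/${ZONE_NAME}.zone\"" \
	"notify-retry: 2" \
	>> "${ZONE_CONF}"

if "${MASTER}"
then
	# Master: NSD pulls the zone from the local PowerDNS (super-master) and
	# serves it to our own slave(s) plus any free secondary providers
	cp "${DOCDIR}/nsd.conf.master.PowerDNS" "${NSD_DIR}/etc/"
	printf "\t%s\n" \
		"# Super-Master" \
		"include: ${NSD_DIR}/etc/nsd.conf.master.PowerDNS" \
		>> "${ZONE_CONF}"
	if [ -n "${SLAVE_IP}" ]
	then
		printf "\t%s\n" \
			"# Super Slave(s)" \
			"include: ${NSD_DIR}/etc/nsd.conf.slave.${ZONE_NAME}" \
			>> "${ZONE_CONF}"
	fi
	if [ -n "${FREE_SLAVE}" ]
	then
		printf "\t%s\n" \
			"# Free Slave(s)" \
			>> "${ZONE_CONF}"
	fi
	for _FREE_SLAVE in ${FREE_SLAVE}
	do
		cp "${DOCDIR}/nsd.conf.slave.${_FREE_SLAVE}" "${NSD_DIR}/etc/"
		printf "\t%s\n" \
			"include: ${NSD_DIR}/etc/nsd.conf.slave.${_FREE_SLAVE}" \
			>> "${ZONE_CONF}"
	done
else
	# Slave: NSD receives the zone from the master host(s) and feeds the
	# local PowerDNS (super-slave)
	cp "${DOCDIR}/nsd.conf.slave.PowerDNS" "${NSD_DIR}/etc/"
	printf "\t%s\n" \
		"# Super Slave" \
		"include: ${NSD_DIR}/etc/nsd.conf.slave.PowerDNS" \
		"# Super Master(s)" \
		"#multi-master-check: yes" \
		"include: ${NSD_DIR}/etc/nsd.conf.master.${ZONE_NAME}" \
		>> "${ZONE_CONF}"
fi

if "${MASTER}"
then
	printf "\t%s\n" \
		"# ${ZONE_NAME} slave" \
		> "${NSD_DIR}/etc/nsd.conf.slave.${ZONE_NAME}"
	for _SLAVE_IP in ${SLAVE_IP}
	do
		printf "\t%s\n" \
			"provide-xfr: ${_SLAVE_IP} tsig.${DOMAIN}." \
			"notify: ${_SLAVE_IP} tsig.${DOMAIN}." \
			>> "${NSD_DIR}/etc/nsd.conf.slave.${ZONE_NAME}"
		# pf table entry; -F: "." in an address must not act as a regex wildcard
		grep -qF -- "${_SLAVE_IP}" "${BASESYSCONFDIR}/pf.conf.table.dns" ||
			printf "%s\n" "${_SLAVE_IP}" >> "${BASESYSCONFDIR}/pf.conf.table.dns"
	done
else
	printf "\t%s\n" \
		"# ${ZONE_NAME} master" \
		> "${NSD_DIR}/etc/nsd.conf.master.${ZONE_NAME}"
	for _MASTER_IP in ${MASTER_IP}
	do
		printf "\t%s\n" \
			"request-xfr: AXFR ${_MASTER_IP} tsig.${DOMAIN}." \
			"allow-notify: ${_MASTER_IP} tsig.${DOMAIN}." \
			>> "${NSD_DIR}/etc/nsd.conf.master.${ZONE_NAME}"
		grep -qF -- "${_MASTER_IP}" "${BASESYSCONFDIR}/pf.conf.table.dns" ||
			printf "%s\n" "${_MASTER_IP}" >> "${BASESYSCONFDIR}/pf.conf.table.dns"
	done
fi

# pf table "dns": reload so the new peers are allowed through
pfctl -t dns -T replace -f "${BASESYSCONFDIR}/pf.conf.table.dns"

# Include zone configuration (once)
grep -q "^include: ${ZONE_CONF}" "${NSD_DIR}/etc/nsd.conf" ||
	printf "%s\n" "include: ${ZONE_CONF}" >> "${NSD_DIR}/etc/nsd.conf"

# Reload
rcctl reload nsd

# PowerDNS
#

# Load zone template from ${VARBASE}/nsd/zones/master/${ZONE_NAME}.zone
# if there is one (e.g. written by pdns-backup), otherwise start empty
if [ -r "${ZONE_DIR}/${ZONE_NAME}.zone" ]
then
	pdnsutil load-zone "${ZONE_NAME}" "${ZONE_DIR}/${ZONE_NAME}.zone"
else
	pdnsutil create-zone "${ZONE_NAME}"
fi

# DNSSEC
#
_id=""
if "${MASTER}"
then
	# Combined signing key, generated once into a root-only file and reused
	[ -r "${KEY_DIR}/private/${CSK}" ] ||
		(umask 077; pdnsutil generate-zone-key KSK ecdsa256 | sed '/Flags/d' \
			> "${KEY_DIR}/private/${CSK}")
	# NOTE(review): 333 extra NSEC3 iterations with a random salt was common
	# practice in 2018; RFC 9276 now recommends 0 iterations and an empty salt.
	pdnsutil set-nsec3 "${ZONE_NAME}" "1 0 333 $(nsec3salt)" inclusive
	pdnsutil import-zone-key "${ZONE_NAME}" "${KEY_DIR}/private/${CSK}"
	# Key ID (column 5) of the imported key; plain assignment, "local" is for functions
	_id=$(pdnsutil list-keys "${ZONE_NAME}" | awk -v name="${ZONE_NAME}" '$0 ~ name { print $5 }')
	[ -n "${_id}" ] || { echo "zoneadd: no key id found for ${ZONE_NAME}" >&2; exit 1; }
	pdnsutil activate-zone-key "${ZONE_NAME}" "${_id}"
fi

# TSIG
#
# The former "[ ... -a "${MASTER}" ]" tests were always true because MASTER
# is the non-empty string "true" or "false"; run the boolean instead.
if [ "${ZONE_NAME}" = "${DOMAIN}" ] && "${MASTER}"
then
	[ -r "${KEY_DIR}/private/${KEY_NAME}" ] || tsig-secret "${KEY_NAME}"
	tsig-change "${KEY_NAME}"
fi

if "${DDNS}" && "${MASTER}"
then
	[ -r "${KEY_DIR}/private/${KEY_NAME}" ] || tsig-secret "${KEY_NAME}"
	pdnsutil import-tsig-key \
		"${KEY_NAME}" "${KEY_HMAC}" "$(cat "${KEY_DIR}/private/${KEY_NAME}")"
fi

pdnsutil activate-tsig-key "${ZONE_NAME}" "tsig.${DOMAIN}" master
pdnsutil activate-tsig-key "${ZONE_NAME}" "tsig.${DOMAIN}" slave

# Master or Slave
if "${MASTER}"
then
	pdnsutil set-kind "${ZONE_NAME}" master
	if "${DDNS}"
	then
		# Dynamic updates are accepted from any address; within PowerDNS the
		# TSIG key is what authenticates them, so KEY_NAME must stay private
		pdnsutil set-meta "${ZONE_NAME}" ALLOW-DNSUPDATE-FROM 0.0.0.0/0,::/0
		pdnsutil set-meta "${ZONE_NAME}" TSIG-ALLOW-DNSUPDATE "${KEY_NAME}"
		pdnsutil set-meta "${ZONE_NAME}" NOTIFY-DNSUPDATE 1
	fi
else
	pdnsutil set-kind "${ZONE_NAME}"  slave
	# Slave: transfer from the local NSD (port 10053)
	pdnsutil change-slave-zone-master "${ZONE_NAME}" 127.0.0.1:10053 "[::1]:10053"
	pdnsutil unset-presigned "${ZONE_NAME}"
fi
pdnsutil set-meta "${ZONE_NAME}" SOA-EDIT-DNSUPDATE SOA-EDIT-INCREASE

# Finish
#
if "${MASTER}"
then
	pdnsutil export-zone-dnskey "${ZONE_NAME}" "${_id}" > "${KEY_DIR}/${DNSKEY}"
	echo "Send the DNSKEY to registrar:"
	cat "${KEY_DIR}/${DNSKEY}"
fi
pdnsutil rectify-zone "${ZONE_NAME}"
env EDITOR="${EDITOR:-vi}" pdnsutil edit-zone "${ZONE_NAME}"

echo "Add ${ZONE_NAME} to all nameservers and share the master key: tsig-share tsig.${DOMAIN}"

--------------------------------------------------------------------------------
/src/usr/local/bin/zonedel:
--------------------------------------------------------------------------------
#!/bin/sh
# Remove a zone: zonedel name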
4 | set -o errexit 5 | set -o nounset 6 | 7 | # Bail out if non-privileged UID 8 | [ 0 -eq "$(id -u)" ] || exit 1 9 | 10 | ZONE_NAME="$1" 11 | 12 | NSD_DIR="${NSD_DIR:-/var/nsd}" 13 | KEY_DIR="${KEY_DIR:-/etc/ssl/dns}" 14 | DOMAIN=$(hostname | sed "s/$(hostname -s)\.//") 15 | 16 | # NSD 17 | # 18 | rm -f ${NSD_DIR}/etc/nsd.conf.*.${ZONE_NAME} 19 | sed -i "/nsd.conf.zone.${ZONE_NAME}/d" ${NSD_DIR}/etc/nsd.conf 20 | 21 | # PowerDNS 22 | # 23 | pdnsutil list-zone ${ZONE_NAME} && pdnsutil delete-zone ${ZONE_NAME} 24 | 25 | # Finish 26 | # 27 | ls -l ${KEY_DIR}/private/*${ZONE_NAME}* ${KEY_DIR}/*${ZONE_NAME}* 28 | 29 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/disklabel: -------------------------------------------------------------------------------- 1 | / 512M 2 | swap 1G 3 | /var/log 512M 4 | /tmp 1G 5 | /usr 2G 6 | /usr/X11R6 512M 7 | /usr/local 2G 8 | /home 512M 9 | /var 2G-* 10 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/disklabel.min: -------------------------------------------------------------------------------- 1 | / 256M 2 | swap 1G 3 | /var/log 512M 4 | /tmp 1G 5 | /usr 1300M 6 | /usr/local 1G 7 | /home 512M 8 | /var 2G-* 9 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/dithematic-256x256.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vedetta-com/dithematic/04d260c2fe3942c4431a1ecfcb2f0df82ae0ded1/src/usr/local/share/doc/dithematic/dithematic-256x256.png -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/install.conf: -------------------------------------------------------------------------------- 1 | # autoinstall response file for unattended installation 2 | # https://man.openbsd.org/autoinstall 3 | 
Choose your keyboard layout = default 4 | System hostname = dot 5 | Which network interface do you wish to configure = vio0 6 | IPv4 address for vio0 = dhcp 7 | IPv6 address for vio0 = autoconf 8 | Which network interface do you wish to configure = done 9 | Default IPv4 route = 10 | DNS domain name = example.com 11 | Password for root account = plaintext / encrypt(1) / "*************" to disable 12 | #Public ssh key for root account = ssh key stored in /root/.ssh/authorized_keys 13 | Start sshd(8) by default = yes 14 | Do you expect to run the X Window System = no 15 | Setup a user = puffy 16 | Full name for user = Puffy 17 | Password for user = plaintext / encrypt(1) / "*************" to disable 18 | #Public ssh key for user = ssh key stored in ~/.ssh/authorized_keys 19 | Allow root ssh login = no 20 | What timezone are you in = America/New_York 21 | Which disk is the root disk = sd0 22 | # see disklabel.min, disklabel, or disklabel.lax 23 | URL to autopartitioning template for disklabel = https://raw.githubusercontent.com/vedetta-com/dithematic/master/src/usr/local/share/doc/dithematic/disklabel 24 | Location of sets = http 25 | HTTP proxy URL = none 26 | HTTP Server = cdn.openbsd.org 27 | Server directory = pub/OpenBSD/6.4/amd64 28 | Set name(s) = -game* -xserv* 29 | # or minimum sets (disklabel.min) 30 | #Set name(s) = -comp* -game* -x* 31 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/nsd.conf.master.PowerDNS: -------------------------------------------------------------------------------- 1 | # PowerDNS master 2 | request-xfr: 127.0.0.1@20053 tsig.example.com. 3 | request-xfr: ::1@20053 tsig.example.com. 4 | allow-notify: 127.0.0.1 tsig.example.com. 5 | allow-notify: ::1 tsig.example.com. 
6 | 7 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/nsd.conf.slave.1984.is: -------------------------------------------------------------------------------- 1 | # 1984.is slave (noDNSSEC) 2 | provide-xfr: 93.95.224.6 NOKEY 3 | notify: 93.95.224.6 NOKEY 4 | 5 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/nsd.conf.slave.FreeDNS.afraid.org: -------------------------------------------------------------------------------- 1 | # FreeDNS.afraid.org slave 2 | provide-xfr: 69.65.50.192 NOKEY 3 | provide-xfr: 2001:1850:1:5:800::6b NOKEY 4 | notify: 69.65.50.192 NOKEY 5 | 6 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/nsd.conf.slave.GratisDNS.com: -------------------------------------------------------------------------------- 1 | # GratisDNS.com slave 2 | provide-xfr: 91.221.196.0/28 NOKEY 3 | provide-xfr: 2001:67c:3c0:0010::9 NOKEY 4 | provide-xfr: 2001:67c:3c0:0010::11 NOKEY 5 | notify: 91.221.196.11 NOKEY 6 | 7 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/nsd.conf.slave.HE.net: -------------------------------------------------------------------------------- 1 | # HE.net slave 2 | provide-xfr: 216.218.133.2 NOKEY 3 | provide-xfr: 2001:470:600::2 NOKEY 4 | notify: 216.218.130.2 NOKEY 5 | notify: 2001:470:100::2 NOKEY 6 | 7 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/nsd.conf.slave.PowerDNS: -------------------------------------------------------------------------------- 1 | # PowerDNS slave 2 | provide-xfr: 127.0.0.1 tsig.example.com. 3 | provide-xfr: ::1 tsig.example.com. 4 | notify: 127.0.0.1@20053 tsig.example.com. 5 | notify: ::1@20053 tsig.example.com. 
6 | 7 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/nsd.conf.slave.Puck.nether.net: -------------------------------------------------------------------------------- 1 | # Puck.nether.net slave 2 | provide-xfr: 204.42.254.5 NOKEY 3 | provide-xfr: 2001:418:3f4::5 NOKEY 4 | notify: 204.42.254.5 NOKEY 5 | notify: 2001:418:3f4::5 NOKEY 6 | 7 | -------------------------------------------------------------------------------- /src/usr/local/share/doc/dithematic/validate.tsig: -------------------------------------------------------------------------------- 1 | key: 2 | name: "tsig.example.com." 3 | algorithm: hmac-sha512 4 | secret: include: ~/.key/tsig.* 5 | 6 | -------------------------------------------------------------------------------- /src/usr/local/share/examples/dithematic/ddns.example.com.zone: -------------------------------------------------------------------------------- 1 | ddns.example.com. 3600 IN SOA dot.example.com. hostmaster.example.com. ( 2000007637 10800 3600 604800 3600 ) 2 | ddns.example.com. 3600 IN A 203.0.113.200 3 | ddns.example.com. 3600 IN AAAA 2001:0db8::200 4 | ddns.example.com. 3600 IN NS dig.example.com. 5 | ddns.example.com. 3600 IN NS dot.example.com. 6 | ddns.example.com. 3600 IN TXT "v=spf1 -all" 7 | ddns.example.com. 3600 IN CAA 128 issue "letsencrypt.org" 8 | ddns.example.com. 3600 IN CAA 128 issuewild ";" 9 | -------------------------------------------------------------------------------- /src/usr/local/share/examples/dithematic/example.com.zone: -------------------------------------------------------------------------------- 1 | example.com. 86400 IN SOA dot.example.com. hostmaster.example.com. ( 2018142333 28800 7200 604800 86400 ) 2 | example.com. 86400 IN NS dig.example.com. 3 | example.com. 86400 IN NS dot.example.com. 4 | example.com. 86400 IN MX 10 mercury.example.com. 5 | example.com. 86400 IN MX 20 hermes.example.com. 6 | example.com. 
86400 IN TXT "v=spf1 mx:example.com -all" 7 | example.com. 86400 IN CAA 128 issue "example.com" 8 | example.com. 86400 IN CAA 128 issue "letsencrypt.org" 9 | example.com. 86400 IN CAA 128 issuewild ";" 10 | example.com. 86400 IN ALIAS web.example.com. 11 | www.example.com. 86400 IN CNAME example.com. 12 | web.example.com. 86400 IN A 203.0.113.5 13 | web.example.com. 86400 IN TXT "v=spf1 -all" 14 | web.example.com. 86400 IN AAAA 2001:0db8::5 15 | web.example.com. 86400 IN SSHFP 4 1 abcd 16 | web.example.com. 86400 IN SSHFP 4 2 abcd 17 | dig.example.com. 86400 IN A 203.0.113.4 18 | dig.example.com. 86400 IN TXT "v=spf1 -all" 19 | dig.example.com. 86400 IN AAAA 2001:0db8::4 20 | dig.example.com. 86400 IN SSHFP 4 1 abcd 21 | dig.example.com. 86400 IN SSHFP 4 2 abcd 22 | dot.example.com. 86400 IN A 203.0.113.3 23 | dot.example.com. 86400 IN TXT "v=spf1 -all" 24 | dot.example.com. 86400 IN AAAA 2001:0db8::3 25 | dot.example.com. 86400 IN SSHFP 4 1 abcd 26 | dot.example.com. 86400 IN SSHFP 4 2 abcd 27 | hermes.example.com. 86400 IN A 203.0.113.2 28 | hermes.example.com. 86400 IN TXT "v=spf1 a -all" 29 | hermes.example.com. 86400 IN AAAA 2001:0db8::2 30 | hermes.example.com. 86400 IN SSHFP 4 1 abcd 31 | hermes.example.com. 86400 IN SSHFP 4 2 abcd 32 | mercury.example.com. 86400 IN A 203.0.113.1 33 | mercury.example.com. 86400 IN TXT "v=spf1 a -all" 34 | mercury.example.com. 86400 IN AAAA 2001:0db8::1 35 | mercury.example.com. 86400 IN SSHFP 4 1 abcd 36 | mercury.example.com. 86400 IN SSHFP 4 2 abcd 37 | _pop3._tcp.example.com. 86400 IN SRV 0 0 0 . 38 | _pop3s._tcp.example.com. 86400 IN SRV 0 0 0 . 39 | _submission._tcp.example.com. 86400 IN SRV 0 1 465 mercury.example.com. 40 | _submission._tcp.example.com. 86400 IN SRV 5 1 587 mercury.example.com. 41 | _imap._tcp.example.com. 86400 IN SRV 0 0 0 . 42 | _imaps._tcp.example.com. 86400 IN SRV 0 1 993 mercury.example.com. 43 | _openpgpkey._tcp.example.com. 86400 IN SRV 0 0 443 wkd.example.com. 44 | obsd._domainkey.example.com. 
86400 IN TXT "v=DKIM1; k=rsa; p=abcd" 45 | _dmarc.example.com. 86400 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarcreports@example.com" 46 | _smtp._tls.example.com. 86400 IN TXT "v=TLSRPTv1; rua=mailto:tlsreports@example.com" 47 | _mta-sts.example.com. 86400 IN TXT "v=STSv1; id=20190515085700Z;" 48 | mta-sts.example.com. 86400 IN CNAME mercury.example.com. 49 | autoconfig.example.com. 86400 IN CNAME mercury.example.com. 50 | wkd.example.com. 86400 IN CNAME mercury.example.com. 51 | ddns.example.com. 86400 IN NS dig.example.com. 52 | ddns.example.com. 86400 IN NS dot.example.com. 53 | -------------------------------------------------------------------------------- /src/usr/local/share/examples/dithematic/nsd.conf.master.example.com: -------------------------------------------------------------------------------- 1 | # example.com master 2 | request-xfr: AXFR 203.0.113.3 tsig.example.com. 3 | request-xfr: AXFR 2001:0db8::3 tsig.example.com. 4 | allow-notify: 203.0.113.3 tsig.example.com. 5 | allow-notify: 2001:0db8::3 tsig.example.com. 6 | 7 | -------------------------------------------------------------------------------- /src/usr/local/share/examples/dithematic/nsd.conf.slave.example.com: -------------------------------------------------------------------------------- 1 | # example.com slave 2 | provide-xfr: 203.0.113.4 tsig.example.com. 3 | provide-xfr: 2001:0db8::4 tsig.example.com. 4 | notify: 203.0.113.4 tsig.example.com. 5 | notify: 2001:0db8::4 tsig.example.com. 6 | 7 | -------------------------------------------------------------------------------- /src/usr/local/share/examples/dithematic/nsd.conf.zone.example.com: -------------------------------------------------------------------------------- 1 | # nsd-checkconf /var/nsd/etc/nsd.conf 2 | 3 | zone: 4 | name: "example.com." 
5 | zonefile: "slave/example.com.zone" 6 | notify-retry: 2 7 | # 8 | # as a slave with master(s) 9 | # 10 | # Super Slave 11 | # include: /var/nsd/etc/nsd.conf.slave.PowerDNS 12 | # Super Master(s) 13 | # multi-master-check: yes 14 | # include: /var/nsd/etc/nsd.conf.master.example.com 15 | # 16 | # or a master with slave(s) 17 | # 18 | # Super Master 19 | include: /var/nsd/etc/nsd.conf.master.PowerDNS 20 | # Super Slave(s) 21 | include: /var/nsd/etc/nsd.conf.slave.example.com 22 | # Free Slave(s) 23 | # include: /var/nsd/etc/nsd.conf.slave.FreeDNS.afraid.org 24 | # include: /var/nsd/etc/nsd.conf.slave.GratisDNS.com 25 | # include: /var/nsd/etc/nsd.conf.slave.HE.net 26 | # include: /var/nsd/etc/nsd.conf.slave.Puck.nether.net 27 | # include: /var/nsd/etc/nsd.conf.slave.1984.is 28 | 29 | -------------------------------------------------------------------------------- /src/var/cron/cron.allow: -------------------------------------------------------------------------------- 1 | root 2 | -------------------------------------------------------------------------------- /src/var/cron/tabs/root: -------------------------------------------------------------------------------- 1 | # DO NOT EDIT THIS FILE - edit the master and reinstall. 
2 | # (/tmp/crontab.BxglGn7vE8 installed on Wed Jul 25 21:16:32 2018) 3 | # (Cron version V5.0) 4 | # 5 | SHELL=/bin/sh 6 | PATH=/bin:/sbin:/usr/bin:/usr/sbin 7 | HOME=/var/log 8 | # 9 | #minute hour mday month wday command 10 | # 11 | # rotate log files every hour, if necessary 12 | 0 * * * * /usr/bin/newsyslog 13 | # send log file notifications, if necessary 14 | #1-59 * * * * /usr/bin/newsyslog -m 15 | # 16 | # do daily/weekly/monthly maintenance 17 | 30 1 * * * /bin/sh /etc/daily 18 | 30 3 * * 6 /bin/sh /etc/weekly 19 | 30 5 1 * * /bin/sh /etc/monthly 20 | #0 * * * * sleep $((RANDOM \% 2048)) && /usr/libexec/spamd-setup 21 | # list available patches 22 | 30 9 * * * syspatch -c; fw_update -i | grep -v Installed 23 | # send reboot notification 24 | @reboot echo "Reboot $(date)" 25 | -------------------------------------------------------------------------------- /src/var/nsd/etc/nsd.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $ 2 | 3 | ## Verify: 4 | # nsd-checkconf /var/nsd/etc/nsd.conf 5 | # nsd-checkzone example.com /var/nsd/zones/slave/example.com.zone 6 | 7 | server: 8 | ip-address: 127.0.0.1@10053 9 | ip-address: ::1@10053 10 | ip-address: 203.0.113.3@53 11 | ip-address: 2001:0db8::3@53 12 | identity: "" 13 | hide-version: yes 14 | verbosity: 3 15 | database: "" 16 | 17 | key: 18 | name: "tsig.example.com." 
19 | algorithm: hmac-sha512 20 | secret: include: /var/nsd/etc/tsig.example.com 21 | 22 | remote-control: 23 | control-enable: yes 24 | control-interface: 127.0.0.1 25 | control-interface: ::1 26 | server-key-file: /var/nsd/etc/nsd_server.key 27 | server-cert-file: /var/nsd/etc/nsd_server.pem 28 | control-key-file: /var/nsd/etc/nsd_control.key 29 | control-cert-file: /var/nsd/etc/nsd_control.pem 30 | 31 | #include: /var/nsd/etc/nsd.conf.zone.example.com 32 | 33 | -------------------------------------------------------------------------------- /src/var/unbound/etc/unbound.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $ 2 | # 3 | # https://man.openbsd.org/unbound.conf#MEMORY_CONTROL_EXAMPLE 4 | 5 | server: 6 | num-threads: 1 7 | 8 | # lo0@53 9 | interface: 127.0.0.1 10 | interface: ::1 11 | 12 | # Refuse queries from all clients by default 13 | access-control: 0.0.0.0/0 refuse 14 | access-control: ::0/0 refuse 15 | # Allow only loopback (lo0) clients 16 | access-control: 127.0.0.0/8 allow 17 | access-control: ::1 allow 18 | 19 | #verbosity: 1 20 | # Prints one line per query to the log, making the server (significantly) slower 21 | #log-queries: no 22 | 23 | # Extended statistics take time 24 | extended-statistics: yes 25 | 26 | hide-identity: yes 27 | hide-version: yes 28 | # Refuse trustanchor.unbound queries 29 | hide-trustanchor: yes 30 | 31 | outgoing-range: 60 # uses less memory, but less performance. 32 | 33 | outgoing-num-tcp: 2 # this limits TCP service, uses less buffers. 34 | incoming-num-tcp: 2 35 | 36 | msg-buffer-size: 8192 # note this limits service, 'no huge stuff'. 
37 | msg-cache-size: 100k 38 | msg-cache-slabs: 2 39 | 40 | num-queries-per-thread: 30 41 | 42 | rrset-cache-size: 100k 43 | rrset-cache-slabs: 2 44 | 45 | # Fewer upstream queries by enforcing a minimum cache TTL 46 | #cache-min-ttl: 3600 47 | 48 | infra-cache-slabs: 2 49 | infra-cache-numhosts: 200 50 | 51 | target-fetch-policy: "2 1 0 0 0 0" 52 | 53 | harden-short-bufsize: yes 54 | harden-large-queries: yes 55 | 56 | # Use 0x20-encoded random bits in the query to foil spoof attempts 57 | use-caps-for-id: yes 58 | 59 | # Mark answers containing these private addresses as bogus, to defeat DNS rebinding 60 | # RFC1918 private IP address space not allowed to be returned for public internet names 61 | private-address: 192.168.0.0/16 62 | private-address: 172.16.0.0/12 63 | private-address: 10.0.0.0/8 64 | private-address: 169.254.0.0/16 65 | private-address: fd00::/8 66 | private-address: fe80::/10 67 | # Turning on 127.0.0.0/8 would hinder many spamblocklists as they use that 68 | #private-address: 127.0.0.0/8 69 | # Adding ::ffff:0:0/96 stops IPv4-mapped IPv6 addresses from bypassing the filter 70 | private-address: ::ffff:0:0/96 71 | 72 | unwanted-reply-threshold: 10000000 73 | 74 | # Affects buffer space 75 | #prefetch: no 76 | 77 | key-cache-size: 100k 78 | key-cache-slabs: 2 79 | 80 | neg-cache-size: 10k 81 | 82 | # DNSSEC validation: enabled by the trust anchor below (comment it out to disable). 83 | # 84 | auto-trust-anchor-file: "/var/unbound/db/root.key" 85 | 86 | # Serve zones authoritatively from Unbound to resolver clients. 87 | # Not for external service. 88 | # 89 | #local-zone: "10.in-addr.arpa." nodefault 90 | #local-zone: "16.172.in-addr.arpa." nodefault 91 | #local-zone: "168.192.in-addr.arpa." nodefault 92 | 93 | # UDP EDNS reassembly buffer advertised to peers. Default 4096. 94 | # May need lowering on broken networks with fragmentation/MTU issues, 95 | # particularly if validating DNSSEC. 96 | # 97 | #edns-buffer-size: 1480 98 | 99 | # Use TCP for "forward-zone" requests. Useful if you are making 100 | # DNS requests over an SSH port forwarding. 
101 | # 102 | #tcp-upstream: yes 103 | 104 | # DNS64 options: synthesize AAAA records for hosts that don't have 105 | # them. For use with NAT64 (PF "af-to"). 106 | # 107 | #module-config: "dns64 validator iterator" 108 | #dns64-prefix: 64:ff9b::/96 # well-known prefix (default) 109 | #dns64-synthall: no 110 | 111 | # Validation failure log level 2: query, reason, and server 112 | val-log-level: 2 113 | 114 | # Synthesise NXDOMAIN from NSEC/NSEC3 records without querying the authoritative server 115 | aggressive-nsec: yes 116 | 117 | remote-control: 118 | control-enable: yes 119 | control-use-cert: no 120 | control-interface: /var/run/unbound.sock 121 | 122 | # Local copy of the full root zone, with fallback to resolving from the root servers 123 | # "get off my lawn: if a lot of people were doing this it could considerably 124 | # reduce the load on root nameservers and could increase resiliency in case of 125 | # a dDOS attack on the root zone" --Florian Obser 126 | # https://tools.ietf.org/html/draft-ietf-dnsop-7706bis-01 127 | # https://github.com/wkumari/draft-kh-dnsop-7706bis/pull/8 128 | auth-zone: 129 | name: "." 
130 | zonefile: /db/root.zone 131 | master: 199.9.14.201 # b.root-servers.net 132 | master: 2001:500:200::b # b.root-servers.net 133 | master: 192.33.4.12 # c.root-servers.net 134 | master: 2001:500:2::c # c.root-servers.net 135 | master: 199.7.91.13 # d.root-servers.net 136 | master: 2001:500:2d::d # d.root-servers.net 137 | master: 192.5.5.241 # f.root-servers.net 138 | master: 2001:500:2f::f # f.root-servers.net 139 | master: 192.112.36.4 # g.root-servers.net 140 | master: 2001:500:12::d0d # g.root-servers.net 141 | master: 193.0.14.129 # k.root-servers.net 142 | master: 2001:7fd::1 # k.root-servers.net 143 | master: 192.0.32.132 # xfr.lax.dns.icann.org 144 | master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org 145 | master: 192.0.47.132 # xfr.cjr.dns.icann.org 146 | master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org 147 | fallback-enabled: yes 148 | for-downstream: no 149 | 150 | --------------------------------------------------------------------------------