From 3125aa118635afeba6989bc978512ddedf54a6e2 Mon Sep 17 00:00:00 2001
From: vuko
Date: Sat, 31 Dec 2022 02:52:24 +0100
Subject: [PATCH] hswaw/customs: improve unbound config

Change-Id: Ic616033897b87f692ee92a106b417423a09d630b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1456
Reviewed-by: informatic
---
 .../customs.hackerspace.pl/configuration.nix | 28 ++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/hswaw/machines/customs.hackerspace.pl/configuration.nix b/hswaw/machines/customs.hackerspace.pl/configuration.nix
index 6f880d23..45cd64fa 100644
--- a/hswaw/machines/customs.hackerspace.pl/configuration.nix
+++ b/hswaw/machines/customs.hackerspace.pl/configuration.nix
@@ -497,27 +497,47 @@ in {
     };
   };
-  services.unbound = {
+  services.unbound = let
+    local-zones = [ "waw.hackerspace.pl." "api.eye.fi." "api.ustream.tv." "i." ];
+  in {
     enable = true;
+
+    #enableRootTrustAnchor = false;
+
     settings = {
       server = {
         interface = [
           networks.lan.ipv4
+          networks.lan.ipv6
           "127.0.0.1"
           "::1"
-          # networks.lan.ipv6 TODO
         ];
         access-control = [
+          "::1/128 allow"
           "127.0.0.1/8 allow"
           "10.0.0.0/8 allow"
+          "${networks.lan.ipv6}/64 allow"
+          "${networks.lan.ipv4}/8 allow"
+        ];
+
+        # disable DNSSEC on locally resolved domains
+        domain-insecure = local-zones;
+
+        # allow LAN adresses only for local domains
+        private-domain = local-zones;
+        private-address = [
+          "10.0.0.0/8"
+          "${networks.lan.ipv6}/64"
         ];
       };
+
+      # authoritative DNS servers
       stub-zone = map (name: {
-        name = name;
+        inherit name;
         stub-addr = networks.uplink.ipv4;
-      }) [ "waw.hackerspace.pl" "api.eye.fi" "api.ustream.tv" "i" ];
+      }) local-zones;
+
+      # recursive DNS servers
       forward-zone = {
         name = ".";
         forward-addr = "185.236.240.1";