mirror of
https://github.com/NLnetLabs/unbound.git
synced 2026-01-05 14:29:37 -05:00
1. Remove `ProtectKernelTunables=true`: this prevents various socket options from working, as shown below.
   `unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.`
2. Add `CAP_NET_ADMIN` to the available caps, which is needed for the `ip-transparent: yes` config option to work, as shown below.
   `unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted`
3. Make `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals `sysconfdir`, which usually equals `/etc`, and `UNBOUND_LOCALSTATE_DIR` equals `localstatedir`, which usually equals `/var`. Allowing write access to those dirs shouldn't be needed. The only dirs unbound should be allowed to write to are `/run` (for the pidfile), `@UNBOUND_RUN_DIR@` (for chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.
4. Bind-mount `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log` and `/dev/urandom` in order to use them inside the chroot.
5. Add a few extra hardening options: `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.
| Name |
|---|
| selinux |
| aaaa-filter-iterator.patch |
| build-unbound-localzone-from-hosts.pl |
| create_unbound_ad_servers.cmd |
| create_unbound_ad_servers.sh |
| fastrpz.patch |
| libunbound.pc.in |
| libunbound.so.conf |
| parseunbound.pl |
| patch_rsamd5_enable.diff |
| rc_d_unbound |
| README |
| redirect-bogus.patch |
| unbound-fuzzme.patch |
| unbound-host.nagios.patch |
| unbound-querycachedb.py |
| unbound.init |
| unbound.init_fedora |
| unbound.plist |
| unbound.service.in |
| unbound.socket.in |
| unbound.spec |
| unbound.spec_fedora |
| unbound_cache.cmd |
| unbound_cache.sh |
| unbound_cacti.tar.gz |
| unbound_munin_ |
| unbound_smf22.tar.gz |
| update-anchor.sh |
| validation-reporter.sh |
| warmup.cmd |
| warmup.sh |
These files are contributed to unbound, and are not part of the official distribution, but may be helpful.

* rc_d_unbound: FreeBSD-compatible /etc/rc.d script.
* parseunbound.pl: perl script to run from cron that parses statistics from the log file and stores them.
* unbound.spec and unbound.init: RPM specfile and Linux rc.d initfile.
* update-anchor.sh: shell script that uses unbound-host to update a set of trust anchor files. Run from cron twice a month.
* unbound_munin_: plugin for Munin statistics reports.
* unbound_cacti.tar.gz: setup files for Cacti statistics reports.
* selinux: the .fc and .te files for SELinux protection of the unbound daemon.
* unbound.plist: launchd configuration file for Mac OS X.
* build-unbound-localzone-from-hosts.pl: perl script to turn /etc/hosts into a local-zone and local-data include file for unbound.conf.
* unbound-host.nagios.patch: makes unbound-host return a status that fits right in with the Nagios monitoring framework. Contributed by Migiel de Vos.
* patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise it is treated as insecure). The RSAMD5 algorithm is deprecated (RFC 6725).
* create_unbound_ad_servers.sh: shell script to enter anti-ad server lists.
* create_unbound_ad_servers.cmd: Windows script to enter anti-ad server lists.
* unbound_cache.sh: shell script to save and load the cache.
* unbound_cache.cmd: Windows script to save and load the cache.
* warmup.sh: shell script to warm up the DNS cache with your own MRU domains.
* warmup.cmd: Windows script to warm up the DNS cache with your own MRU domains.
* aaaa-filter-iterator.patch: adds the config option aaaa-filter: yes, which works like the BIND feature (removes AAAA records unless the domain is AAAA-only). Useful for certain 'broken IPv6 default route' scenarios. Patch from Stephane Lapie for ASAHI Net.
* unbound_smf22.tar.gz: Solaris SMF installation/removal scripts. Contributed by Yuri Voinov.
* unbound.socket and unbound.service: systemd files for unbound; install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
* redirect-bogus.patch: return a configured address for bogus A and AAAA answers, instead of SERVFAIL. Contributed by SIDN.
* fastrpz.patch: fastrpz support from Farsight Security.
* libunbound.so.conf: ltrace.conf file, see ltrace.conf(5), for libunbound.
* unbound-querycachedb.py: utility to show data stored in the cachedb backend for a particular query name and type. It requires the dnspython and (for the redis backend) redis Python modules.
* unbound-fuzzme.patch: adds the unbound-fuzzme program, which parses a packet from stdin. Used with fuzzers; patch from Jacob Hoffman-Andrews.