1. Remove `ProtectKernelTunables=true`: this prevents various socket options from working, as shown below.
   `unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.`
2. Add `CAP_NET_ADMIN` to the available caps, which is needed for the `ip-transparent: yes` config option to work, as shown below.
   `unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted`
3. Make `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals `sysconfdir`, which usually equals `/etc`, and `UNBOUND_LOCALSTATE_DIR` equals `localstatedir`, which usually equals `/var`. Allowing write access to those dirs shouldn't be needed. The only dirs unbound should be allowed to write to are `/run` (for the pidfile), `@UNBOUND_RUN_DIR@` (for chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.
4. Bind-mount `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log` and `/dev/urandom` in order to use them inside the chroot.
5. Add a few extra hardening options: `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.
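The five steps above, collected into one unit file. This is an added example written for this page, not the project's own `unbound.service` or the diff behind the description: the `@...@` placeholders follow the configure-time substitution style the description uses, `@UNBOUND_PIDFILE@` is an assumed placeholder name for the pidfile path, and `/usr/sbin/unbound` is an assumed install location. The unit starts unbound as root and relies on `username:` and `chroot:` in `unbound.conf` to drop privileges, so capabilities are only restricted through the bounding set, not granted ambiently.

```ini
# Added example: hardened Unbound unit reflecting steps 1-5 above.
# Not the project's own unit; @...@ names are assumed configure placeholders.
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8) man:unbound.conf(5)
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=notify
NotifyAccess=main
ExecStart=/usr/sbin/unbound -d
ExecReload=+/bin/kill -HUP $MAINPID
Restart=on-failure

# Step 1: ProtectKernelTunables=true is deliberately NOT set. The description
# reports that with it enabled the so-rcvbuf request is silently downgraded
# (1048576 requested, 425984 granted).
#ProtectKernelTunables=true

# Step 2: CAP_NET_ADMIN is required for setsockopt(IP_TRANSPARENT), i.e. for
# "ip-transparent: yes". The other caps cover binding port 53, chroot(2) and
# the setuid/setgid done when unbound switches to its unprivileged user.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETUID CAP_SETGID CAP_SYS_CHROOT

# Step 3: make everything read-only except what unbound actually writes.
# Weak form this replaces: ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@
# which amounts to write access to /etc and /var.
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

# Step 4: expose the notify socket, pidfile, syslog socket and RNG device at
# the same paths inside the chroot so unbound finds them after chroot(2).
# The leading "-" skips the pidfile bind when the file does not exist yet.
BindPaths=/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindPaths=-@UNBOUND_PIDFILE@:@UNBOUND_CHROOT_DIR@@UNBOUND_PIDFILE@
BindPaths=/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
BindReadOnlyPaths=/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom

# Step 5: extra hardening the description calls safe for this daemon.
RestrictNamespaces=true
LockPersonality=true
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl show -p CapabilityBoundingSet -p ReadWritePaths unbound.service` confirms what systemd actually applied, and `systemd-analyze security unbound.service` lists the remaining exposure; the two warnings quoted in steps 1 and 2 should no longer appear in `journalctl -u unbound` once `ip-transparent: yes` and a large `so-rcvbuf` are configured.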
# Unbound

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. If you have any feedback, we would love to hear from you. Don't hesitate to create an issue on GitHub or post a message on the Unbound mailing list. You can learn more about Unbound by reading our documentation.

## Compiling

Make sure you have the C toolchain, OpenSSL and its include files, and libexpat installed. Unbound can be compiled and installed using:

```sh
./configure && make && make install
```

You can use libevent if you want. libevent is useful when using many (10000) outgoing ports. By default at most 256 ports are open at the same time, and the builtin alternative is equally capable and a little faster. Use the `--with-libevent=dir` configure option to compile Unbound with libevent support.

## Unbound configuration

All of Unbound's configuration options are described in the man pages, which will be installed and are available on the Unbound documentation page.

An example configuration file is located in `doc/example.conf`.