Unbound DNS playbook to help prevent client data leakage

[cyrus104]

Would it be possible to have a playbook and make the following optional?

Disable systemd-resover
Install and enable unbound dns resolver
Configure unbound.conf similar to this config:

server:

  num-threads: 4

  #Enable logs
  verbosity: 1

  #list of Root DNS Server
  root-hints: "/var/lib/unbound/root.hints"

  #Use the root servers key for DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"

  #Respond to DNS requests on all interfaces
  interface: 0.0.0.0
  max-udp-size: 3072

  #Authorized IPs to access the DNS Server
  access-control: 0.0.0.0/0                 refuse
  access-control: 127.0.0.1                 allow
  access-control: 10.200.200.0/24         allow

  #not allowed to be returned for public internet  names
  private-address: 10.200.200.0/24

  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes

  #Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes

  #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
  unwanted-reply-threshold: 10000000

  #Have the validator print validation failures to the log.
  val-log-level: 1

  #Minimum lifetime of cache entries in seconds
  cache-min-ttl: 1800 

  #Maximum lifetime of cached entries
  cache-max-ttl: 14400
  prefetch: yes
  prefetch-key: yes

and

curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

Thanks

[cpu]

Hi @cyrus104

Would it be possible to have a playbook and make the following optional?

Are you offering to write a pull request or asking for someone else to? :-) If its the former: maybe! The project maintainers would need to discuss the proposal a bit more. If it's the latter: probably not anytime soon.

There are a handful of open issues regarding changes to Streisand's recursive DNS server:

• Would our own DNS resolver help? With anything? discussions#29
• QNAME minimization, replacing dnsmasq with Unbound discussions#12
• [Request] Add in DNS encryption. discussions#14

I recommend that you add your thoughts to the above issues. I don't think any of the maintainers have strong objections to the idea of improving Streisand's DNS but its a lot of work and would need to be carefully planned & tested.

Disable systemd-resover

Streisand currently targets 16.04 - I don't believe systemd-resolver is included in that configuration, but is in 18.04. We haven't crossed this bridge yet but you might be interested in looking at some in-progress work (#1453)

I'm going to close this issue since feature requests and general discussion are better suited to the discussions repository.

Thanks!