nixos-config/machines/valkyrie/unbound/default.nix

{
  services.unbound = {
    enable = true;
    localControlSocketPath = "/run/unbound/unbound.ctl";
    settings = {
      server = {
        # Setting logfile to an empty string outputs to stderr
        log-queries = false;
        verbosity = 1;

        port = 5335;
        do-ip4 = true;
        do-ip6 = true;
        do-udp = true;
        do-tcp = true;
        prefer-ip6 = true;

        hide-identity = true;
        hide-version = true;

        # Trust glue only if it is within the server's authority
        harden-glue = true;

        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
        harden-dnssec-stripped = true;

        harden-referral-path = true;

        # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
        # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
        use-caps-for-id = false;

        # Reduce EDNS reassembly buffer size.
        # Suggested by the unbound man page to reduce fragmentation reassembly problems
        edns-buffer-size = 1472;

        # Perform prefetching of close to expired message cache entries
        # This only applies to domains that have been frequently queried
        prefetch = true;
        prefetch-key = true;

        # This attempts to reduce latency by serving the outdated record before
        # updating it instead of the other way around. Alternative is to increase
        # cache-min-ttl to e.g. 3600.
        cache-min-ttl = 0;
        serve-expired = true;

        rrset-cache-size = "256m";
        msg-cache-size = "128m";
        msg-cache-slabs = 4;
        # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
        num-threads = 2;

        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
        so-rcvbuf = "1m";

        # Ensure privacy of local IP ranges
        private-address = [
          "192.168.0.0/16"
          "169.254.0.0/16"
          "172.16.0.0/12"
          "10.0.0.0/8"
          "fd00::/8"
          "fe80::/10"
        ];
      };
    };
  };
}
valkyrie: Move machine-specific modules to machine config 2024-01-22 19:57:40 +01:00			`{`
			`services.unbound = {`
			`enable = true;`
			`localControlSocketPath = "/run/unbound/unbound.ctl";`
			`settings = {`
			`server = {`
			`# Setting logfile to an empty string outputs to stderr`
			`log-queries = false;`
			`verbosity = 1;`

			`port = 5335;`
			`do-ip4 = true;`
			`do-ip6 = true;`
			`do-udp = true;`
			`do-tcp = true;`
			`prefer-ip6 = true;`

			`hide-identity = true;`
			`hide-version = true;`

			`# Trust glue only if it is within the server's authority`
			`harden-glue = true;`

			`# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS`
			`harden-dnssec-stripped = true;`

			`harden-referral-path = true;`

			`# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes`
			`# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details`
			`use-caps-for-id = false;`

			`# Reduce EDNS reassembly buffer size.`
			`# Suggested by the unbound man page to reduce fragmentation reassembly problems`
			`edns-buffer-size = 1472;`

			`# Perform prefetching of close to expired message cache entries`
			`# This only applies to domains that have been frequently queried`
			`prefetch = true;`
			`prefetch-key = true;`

			`# This attempts to reduce latency by serving the outdated record before`
			`# updating it instead of the other way around. Alternative is to increase`
			`# cache-min-ttl to e.g. 3600.`
			`cache-min-ttl = 0;`
			`serve-expired = true;`

			`rrset-cache-size = "256m";`
			`msg-cache-size = "128m";`
			`msg-cache-slabs = 4;`
			`# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.`
			`num-threads = 2;`

			`# Ensure kernel buffer is large enough to not lose messages in traffic spikes`
			`so-rcvbuf = "1m";`

			`# Ensure privacy of local IP ranges`
			`private-address = [`
			`"192.168.0.0/16"`
			`"169.254.0.0/16"`
			`"172.16.0.0/12"`
			`"10.0.0.0/8"`
			`"fd00::/8"`
			`"fe80::/10"`
			`];`
			`};`
			`};`
			`};`
			`}`