Add raw unbound config and update the article's config

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>

Add raw unbound config and update the article's config
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
058ebb61 · Shawn Webb · 15008728 · 058ebb61 · 058ebb61
Commit 058ebb61 authored Jan 07, 2022 by Shawn Webb
--- a/personal/2021-10-20_home_infra/article.md
+++ b/personal/2021-10-20_home_infra/article.md
@@ -348,10 +348,12 @@ server:
 	verbosity: 1
 	interface: 0.0.0.0
 	interface: ::0
-	#logfile: "unbound.log"
 	use-syslog: yes
 	log-identity: "dns-01.ip6.home.lan_unbound"
 	log-queries: yes
+	log-replies: yes
+	log-tag-queryreply: yes
+	log-servfail: yes
 	access-control: 192.168.99.0/24 allow
 	access-control: 2001:470:e1e1::/48 allow

@@ -394,7 +396,6 @@ include: /var/unbound/local-void.zones
 # Disable DoH/DoT
 local-zone: "use-application-dns.net." static

-# Note: I'm intentionally leaving out the home.lan file.
 include: /usr/local/etc/unbound/zones/home.lan
 ```


--- a/personal/2021-10-20_home_infra/configs/unbound.conf
+++ b/personal/2021-10-20_home_infra/configs/unbound.conf
+server:
+	logfile: "unbound.log"
+	verbosity: 1
+	interface: 0.0.0.0
+	interface: ::0
+	use-syslog: yes
+	log-identity: "dns-01.ip6.home.lan_unbound"
+	log-queries: yes
+	log-replies: yes
+	log-tag-queryreply: yes
+	log-servfail: yes
+	access-control: 192.168.99.0/24 allow
+	access-control: 2001:470:e1e1::/48 allow
+
+	###########################
+	#### Generic hardening ####
+	###########################
+	harden-algo-downgrade: yes
+	harden-glue: yes
+	harden-referral-path: yes
+	harden-short-bufsize: yes
+	hide-identity: yes
+	hide-version: yes
+	use-caps-for-id: no
+	ignore-cd-flag: yes
+
+	###################################
+	#### Validator-based hardening ####
+	###################################
+	val-clean-additional: yes
+	val-permissive-mode: no
+
+	#################################################################
+	#### Prevent DNS rebinding attacks by stripping private IPs #####
+	#################################################################
+	private-address: 10.0.0.0/8
+	private-address: 172.16.0.0/12
+	private-address: 192.168.0.0/16
+	private-address: 169.254.0.0/16
+	private-address: fd00::/8
+	private-address: fe80::/10
+	private-address: ::ffff:0:0/96
+
+	unwanted-reply-threshold: 10000000
+
+	module-config: "validator iterator"
+	auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
+
+include: /var/unbound/local-void.zones
+
+# Disable DoH/DoT
+local-zone: "use-application-dns.net." static
+
+include: /usr/local/etc/unbound/zones/home.lan