Re init git

This commit is contained in:
ookangzheng
2019-08-04 00:25:17 +08:00
commit a9fadc5d00
67 changed files with 1580436 additions and 0 deletions

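--- a/server-conf/Readme.MD
+++ b/server-conf/Readme.MD
@@ -0,0 +1,3 @@
+## Haproxy SSL
+* SSL generated via : [Mozilla SSL](https://ssl-config.mozilla.org/#server=haproxy&server-version=1.9.8&config=intermediate)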

server-conf/dnsdist.conf Executable file

@@ -0,0 +1,52 @@
-- When an IPv6 IP:PORT combination is needed, the bracketed syntax from RFC 3986 should be used. e.g. “[2001:DB8:14::C0FF:FEE]:5300”
-- https://dnsdist.org/reference/config.html?highlight=servfail
--addTLSLocal('0.0.0.0', '/etc/letsencrypt/live/dns.jp.blahdns.com/fullchain.pem', '/etc/letsencrypt/live/dns.jp.blahdns.com/privkey.pem', { doTCP=true, reusePort=true })
--addTLSLocal("[::]", '/etc/letsencrypt/live/dns.jp.blahdns.com/fullchain.pem', '/etc/letsencrypt/live/dns.jp.blahdns.com/privkey.pem', { doTCP=true, reusePort=true})
addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.blahdns.com", "/etc/dnsdist/ssl.cert", "/etc/dnsdist/ssl.key")
addDNSCryptBind("[::]:8443", "2.dnscrypt-cert.blahdns.com", "/etc/dnsdist/ssl.cert", "/etc/dnsdist/ssl.key")
addLocal('0.0.0.0:53', { doTCP=true, reusePort=true})
addLocal('[::]:53', { doTCP=true, reusePort=true})
addAction(MaxQPSIPRule(10, 32, 48), DropAction())
addAction(QTypeRule(dnsdist.ANY) ,DropAction())
addAction(QTypeRule(dnsdist.PTR) ,DropAction())
-- Force TCP
addAction(AndRule({NotRule(OrRule({QTypeRule(dnsdist.TXT), QTypeRule(dnsdist.A), QTypeRule(dnsdist.AAAA)})),TCPRule(false)}), TCAction())
setACL({'0.0.0.0/0', '::/0' })
-- https://dnsdist.org/reference/constants.html#dnsaction
-- https://dnsdist.org/rules-actions.html#addLuaAction
-- https://stackoverflow.com/questions/11271547/does-lua-have-or-comparisons
local dbr = dynBlockRulesGroup()
dbr:setQTypeRate(dnsdist.PTR, 5, 10, "Exceeded PTR rate", 60)
dbr:setQTypeRate(dnsdist.TXT, 5, 10, "Exceeded TXT rate", 60)
dbr:setQTypeRate(dnsdist.SOA, 5, 10, "Exceeded SOA rate", 60)
dbr:setQTypeRate(dnsdist.MX, 3, 10, "Exceeded MX rate", 60)
dbr:setQTypeRate(dnsdist.SRV, 3, 10, "Exceeded SRV rate", 60)
dbr:setQTypeRate(dnsdist.NS, 3, 10, "Exceeded PTR rate", 60)
dbr:setQTypeRate(dnsdist.SIG, 3, 10, "Exceeded PTR rate", 60)
function maintenance()
dbr:apply()
end
newServer({address="127.0.0.1:50", checkType="A", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
newServer({address="[::1]:50", checkType="AAAA", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
newServer({address="[::1]:51", checkType="AAAA", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
-- function luarule(dq)
-- if(dq.qtype==dnsdist.ANY)
-- then
-- return DNSAction.ServFail
-- else
-- return DNSAction.None
-- end
-- end
-- addLuaAction(AllRule(), luarule)
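Review bot: The three `newServer` tables each give `checkType` twice (`checkType="A", checkType=DNSClass.CHAOS`); in a Lua table constructor the last duplicate wins, so the health check's record type is silently replaced by a class constant and the `"A"`/`"AAAA"` value never takes effect. Presumably the second entry was meant to be the health-check class, i.e. `checkType="A", checkClass=DNSClass.CHAOS` — confirm against the dnsdist version in use, because a mis-typed health check can mark every backend down or, combined with `mustResolve=false`, never fail at all. The dynamic-block reasons on the NS and SIG lines both read `"Exceeded PTR rate"`, which mislabels those blocks in the logs when someone investigates; use `dbr:setQTypeRate(dnsdist.NS, 3, 10, "Exceeded NS rate", 60)` and likewise `"Exceeded SIG rate"`. Note also that `setACL({'0.0.0.0/0', '::/0'})` makes this an open resolver by design, so `MaxQPSIPRule(10, 32, 48)` is the only per-client abuse control — that looks intentional for a public service, but a 10 QPS per /32 threshold may be low for clients behind shared NAT.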

server-conf/fail2ban.sh Executable file

@@ -0,0 +1,181 @@
#!/bin/bash
CHECK_OS(){
if [[ -f /etc/redhat-release ]];then
release="centos"
elif cat /etc/issue | grep -q -E -i "debian";then
release="debian"
elif cat /etc/issue | grep -q -E -i "ubuntu";then
release="ubuntu"
elif cat /etc/issue | grep -q -E -i "centos|red hat|redhat";then
release="centos"
elif cat /proc/version | grep -q -E -i "debian";then
release="debian"
elif cat /proc/version | grep -q -E -i "ubuntu";then
release="ubuntu"
elif cat /proc/version | grep -q -E -i "centos|red hat|redhat";then
release="centos"
fi
}
GET_SETTING_FAIL2BAN_INFO(){
read -p "允许SSH登陆失败次数,默认10:" BLOCKING_THRESHOLD
if [[ ${BLOCKING_THRESHOLD} = "" ]];then
BLOCKING_THRESHOLD='10'
fi
read -p "SSH登陆失败次数超过${BLOCKING_THRESHOLD}次时,封禁时长(h),默认8760:" BLOCKING_TIME_H
if [[ ${BLOCKING_TIME_H} = "" ]];then
BLOCKING_TIME_H='8760'
fi
BLOCKING_TIME_S=$(expr ${BLOCKING_TIME_H} \* 3600)
}
INSTALL_FAIL2BAN(){
if [ ! -e /etc/fail2ban/jail.local ];then
CHECK_OS
case "${release}" in
centos)
GET_SETTING_FAIL2BAN_INFO
yum -y install epel-release
yum -y install fail2ban;;
debian|ubuntu)
GET_SETTING_FAIL2BAN_INFO
apt-get -y install fail2ban;;
*)
echo "请使用CentOS,Debian,Ubuntu系统.";;
esac
else
echo "fail2ban已经安装了.";exit
fi
}
REMOVE_FAIL2BAN(){
if [ -e /etc/fail2ban/jail.local ];then
CHECK_OS
case "${release}" in
centos)
service fail2ban stop
yum -y remove fail2ban
rm -rf /etc/fail2ban/jail.local;;
debian|ubuntu)
service fail2ban stop
apt-get -y remove fail2ban
rm -rf /etc/fail2ban/jail.local;;
esac
else
echo "fail2ban尚未安装.";exit
fi
}
SETTING_FAIL2BAN(){
CHECK_OS
case "${release}" in
centos)
echo "[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 3
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = ${BLOCKING_THRESHOLD}
findtime = 3600
bantime = ${BLOCKING_TIME_S}" > /etc/fail2ban/jail.local
if [ -e /usr/bin/systemctl ];then
systemctl restart fail2ban
systemctl enable fail2ban
systemctl restart sshd
else
service fail2ban restart
chkconfig fail2ban on
service ssh restart
fi;;
debian|ubuntu)
echo "[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = ${BLOCKING_THRESHOLD}
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = ${BLOCKING_THRESHOLD}
findtime = 3600
bantime = ${BLOCKING_TIME_S}" > /etc/fail2ban/jail.local
service fail2ban restart
service ssh restart;;
esac
}
VIEW_RUN_LOG(){
CHECK_OS
case "${release}" in
centos)
tail -f /var/log/secure;;
debian|ubuntu)
tail -f /var/log/auth.log;;
esac
}
case "${1}" in
install)
INSTALL_FAIL2BAN
SETTING_FAIL2BAN;;
uninstall)
REMOVE_FAIL2BAN;;
status)
echo -e "\033[41;37m【进程】\033[0m";ps aux | grep fail2ban
echo;echo -e "\033[41;37m【状态】\033[0m";fail2ban-client ping
echo;echo -e "\033[41;37m【Service】\033[0m";service fail2ban status;;
blocklist|bl)
if [ -e /etc/fail2ban/jail.local ];then
fail2ban-client status ssh-iptables
else
echo "fail2ban尚未安装.";exit
fi;;
unlock|ul)
if [ -e /etc/fail2ban/jail.local ];then
if [[ "${2}" = "" ]];then
read -p "请输入需要解封的IP:" UNLOCK_IP
if [[ ${UNLOCK_IP} = "" ]];then
echo "不允许空值,请重试.";exit
else
fail2ban-client set ssh-iptables unbanip ${UNLOCK_IP}
fi
else
fail2ban-client set ssh-iptables unbanip ${2}
fi
else
echo "fail2ban尚未安装.";exit
fi;;
more)
echo "【参考文章】
https://www.fail2ban.org
https://linux.cn/article-5067-1.html
【更多命令】
fail2ban-client -h";;
runlog)
VIEW_RUN_LOG;;
start)
service fail2ban start;;
stop)
service fail2ban stop;;
restart)
service fail2ban restart;;
*)
echo "bash fail2ban.sh {install|uninstall|runlog|more}"
echo "bash fail2ban.sh {start|stop|restart|status}"
echo "bash fail2ban.sh {blocklist|unlock}";;
esac
#END
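Review bot: `GET_SETTING_FAIL2BAN_INFO` writes the prompted values straight into `/etc/fail2ban/jail.local` without checking that they are numeric; a stray character makes `expr ... \* 3600` fail, `BLOCKING_TIME_S` ends up empty, and the generated jail contains `bantime = ` which fail2ban rejects on restart, so the SSH jail never comes up. Validate before use, e.g. `[[ ${BLOCKING_THRESHOLD} =~ ^[0-9]+$ ]] || { echo "threshold must be a positive integer"; exit 1; }` and the same for `BLOCKING_TIME_H`. On the CentOS branch without systemd, `service ssh restart` targets a service that does not exist there (it is `sshd`), so that restart silently fails. The `unbanip` calls pass `${UNLOCK_IP}` and `${2}` unquoted; quoting them (`"${2}"`) avoids word-splitting surprises, though fail2ban-client itself validates the address.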

server-conf/haproxy.cfg Executable file

@@ -0,0 +1,151 @@
## NEW HTTP2 CONFIG ###
## Thanks to DNSWARDEN.com author: @bhanupratapys
global
no log
chroot /var/lib/haproxy
user haproxy
group haproxy
pidfile /var/run/haproxy.pid
tune.ssl.default-dh-param 2048
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-dh-param-file /etc/haproxy/dhparam.pem
ssl-default-bind-ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
option dontlognull
retries 1
timeout connect 5s
timeout check 5s
timeout queue 10s
timeout client 60s
timeout client-fin 1s
timeout server-fin 1s
timeout server 30s
timeout tunnel 10m
timeout http-request 10s
#bind :::443 v4v6 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2,http/1.1
#bind :::443 v4v6 tfo ssl crt /etc/haproxy/dot-jp.blahdns.pem
frontend front_end_dot_853
mode tcp
bind 0.0.0.0:853
bind :::853
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 2s
tcp-request content accept if tls
use_backend dot-uncensor if { req_ssl_sni -i dot-jp.blahdns.com }
default_backend dot-uncensor
frontend front_end_doh_dot_443
mode tcp
bind 0.0.0.0:443
bind :::443
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 2s
tcp-request content accept if tls
use_backend doh-front if { req_ssl_sni -i doh-jp.blahdns.com }
use_backend dot-uncensor if { req_ssl_sni -i dot-jp.blahdns.com }
default_backend dot-uncensor
frontend dot-in-uncensor
mode tcp
bind 127.150.150.150:15000 ssl crt /etc/haproxy/dot-jp.blahdns.pem
default_backend dot-servers-uncensor
frontend doh-in
mode http
bind 127.250.250.250:25000 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
acl adblock_url path_beg -i /dns-query
use_backend doh-servers-uncensor if adblock_url
backend dot-uncensor
mode tcp
#balance source
server dot-uncensor-haproxy-ssl 127.150.150.150:15000 check
backend doh-front
mode tcp
#balance source
server doh-haproxy-ssl 127.250.250.250:25000 check
backend dot-servers-uncensor
mode tcp
server dns-uncensor 127.0.0.1:50
backend doh-servers-uncensor
mode http
http-response del-header server
http-response del-header x-powered-by
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server doh-proxy-uncensor 127.0.0.1:3000
### End ####
### Start old config as backup, igonre it ###
global
#log /dev/log local0
no log
chroot /var/lib/haproxy
user haproxy
group haproxy
maxconn 3000
pidfile /var/run/haproxy.pid
tune.ssl.default-dh-param 2048
#ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ssl-default-bind-ciphers TLS13-CHACHA20-POLY1305-SHA256:EECDH+CHACHA20:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
ssl-default-bind-options no-tls-tickets no-sslv3 no-tlsv10 no-tlsv11
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
defaults
option dontlognull
option http-server-close
retries 1
option http-use-htx
maxconn 3000
timeout check 5s
timeout queue 10s
timeout client 30s
timeout client-fin 3s
timeout server-fin 3s
timeout server 30s
timeout tunnel 5m
timeout http-request 10s
option http-keep-alive
frontend doh-in
#mode tcp
no log
#bind *:443 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
bind :::443 v4v6 tfo ssl crt /etc/haproxy/dot-jp.blahdns.pem
http-response set-header Strict-Transport-Security "max-age=31536000"
tcp-request inspect-delay 2s
tcp-request content accept if HTTP
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend dot-server if { req.ssl_hello_type 1 }
acl dns_url path_beg -i /dns-query
use_backend doh-server if dns_url
#use_backend doh-server if HTTP
default_backend dot-server
#listen http-in
backend dot-server
mode tcp
server dns 127.0.0.1:50 maxconn 20
backend doh-server
#http-response set-header Strict-Transport-Security "max-age=31536000"
option forwardfor
server doh-proxy 127.0.0.1:3000 maxconn 20
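Review bot: Everything after `### Start old config as backup, igonre it ###` is still live configuration: HAProxy will parse a second `global` and `defaults` section and, more importantly, a second `frontend doh-in` with the same name as the one bound on 127.250.250.250:25000, which makes the file fail validation (duplicate proxy name) rather than being ignored. Move the old block to a file that is not passed to `-f`, or comment out every line of it; as committed, `haproxy -c -f haproxy.cfg` should reject this file. The HSTS header on `doh-servers-uncensor` asks for `preload` with `max-age=16000000`, but preload-list inclusion requires at least 31536000 and the value carries a stray trailing `;`; use `http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`. Finally, the `TLS13-*` entries in `ssl-default-bind-ciphers` are not part of OpenSSL 1.1.1's TLS 1.2 cipher-list syntax; the Mozilla generator referenced in the README emits TLS 1.3 suites on a separate `ssl-default-bind-ciphersuites` line, so TLS 1.3 here presumably runs with library defaults — verify with a scanner such as testssl.sh.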

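--- a/server-conf/knot-tls.service
+++ b/server-conf/knot-tls.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Knot-tls
+After=syslog.target
+After=network.target
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=/etc/knot-resolver/
+ExecReload=/bin/kill -s HUP $MAINPID
+ExecStop=/bin/kill -s QUIT $MAINPID
+ExecStartPre=/root/clean.sh
+ExecStartPost=/bin/sleep 0.1
+ExecStart=kresd -c /etc/knot-resolver/kresd-tls.conf -f 1
+Restart=always
+[Install]
+WantedBy=multi-user.target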
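Review bot: The unit runs `kresd` as `User=root`/`Group=root`, so any parsing bug in the resolver's TLS or DNS code path is exploitable as root on an Internet-facing service; kresd is meant to run as an unprivileged user and, if `kresd-tls.conf` binds port 853, it only needs `CAP_NET_BIND_SERVICE`. `ExecStartPre=/root/clean.sh` cannot be reviewed here because the script is not in this commit, and it would have to move out of `/root` once the service user changes; `ExecStart=kresd` without an absolute path is rejected by older systemd versions. The change below drops privileges and adds baseline sandboxing — the exact user name, the need for the capability, and the cache path depend on the packaging and on `kresd-tls.conf`, which are not in this diff, so confirm them before applying. `After=syslog.target` is obsolete and can be removed.

```ini
[Service]
Type=simple
User=knot-resolver
Group=knot-resolver
# only needed if kresd-tls.conf binds a privileged port (e.g. 853)
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
# … unchanged: WorkingDirectory, ExecReload, ExecStop, ExecStartPost, Restart …
# clean.sh must live outside /root so the unprivileged user can execute it
ExecStartPre=/usr/local/sbin/kresd-clean.sh
ExecStart=/usr/sbin/kresd -c /etc/knot-resolver/kresd-tls.conf -f 1
```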

server-conf/kresd.conf Executable file

@@ -0,0 +1,72 @@
modules = {
'policy',
'hints > iterate',
'serve_stale < cache',
'workarounds < iterate',
'predict'
}
--modules.unload('cache')
--modules.unload('hints')
--modules.unload('priming')
--modules.unload('ta_sentinel')
--modules.unload('ta_signal_query')
--modules.unload('detect_time_jump')
--modules.unload('detect_time_skew')
net.listen({'::1', '127.0.0.1'}, 55)
hints.add_hosts('/etc/knot-resolver/hints.list')
-- Disallow ANY & PTR queries
policy.add(function (req, query)
if query.stype == kres.type.ANY then
return policy.DROP
elseif query.stype == kres.type.PTR then
return policy.DROP
end
end)
--policy.add(function (req, query)
-- if query.stype == kres.type.TXT or query.stype == kres.type.SRV or query.stype == kres.type.NS or query.stype == kres.type.MX or query.stype == kres.type.SOA or query.stype == kres.type.PTR then
-- return policy.TC
-- end
--end)
-- qname minimalization true
--option('NO_MINIMIZE', false)
-- Cache size
cache.size = 150 * MB
--cache.min_ttl(300)
-- Force cache timeout every 5 sec
--cache.max_ttl(5)
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/rpz.blacklist'))
-- OpenNIC
opennicTrees = policy.todnames({'uu','ti','te','ku','lib','emc','coin','baza','glue','parody','pirate','oss','oz','bit','dns.opennic.glue','bbs','chan','cyb','dyn','fur','gopher','geek','opennic.glue','o','neo','indy','libre', 'null'})
-- Beware: the rule order is important, as STUB is not a chain action.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), opennicTrees))
policy.add(policy.suffix(policy.STUB({'::1@52'}), opennicTrees))
-- Disable cache
view:addr('0.0.0.0/0', policy.all(policy.FLAGS({'NO_CACHE'})))
view:addr('::/0', policy.all(policy.FLAGS({'NO_CACHE'})))
--view:addr('198.252.153.0/24', function (req, qry) return policy.PASS end)
--view:addr('204.13.164.0/24', function (req, qry) return policy.PASS end)
--view:addr('199.254.238.0/24', function (req, qry) return policy.PASS end)
--view:addr('199.58.80.128/25', function (req, qry) return policy.PASS end)
--view:addr('199.58.81.137/25', function (req, qry) return policy.PASS end)
--view:addr('10.0.1.0/24', function (req, qry) return policy.PASS end)
--view:addr('10.0.2.0/24', function (req, qry) return policy.PASS end)
--view:addr('127.0.0.1', function (req, qry) return policy.PASS end)
--- Drop everything that hasn't matched
-- view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
-- policy.add(policy.all(policy.FORWARD('::1@51')))
-- Disable dnssec, if need so
-- trust_anchors.negative = { '.' }
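Review bot: The `opennicTrees` list does not agree with the OpenNIC zones unbound is configured to serve in this same commit: it spells the TLD `'baza'` where unbound has `bazar`, and it lacks `micro`, `ing` and `free`, which unbound does carry. Names under those TLDs therefore miss the `policy.STUB({'::1@52'})` rule and are sent to the ICANN root instead, where they come back NXDOMAIN. Fix the spelling to `'bazar'` and add the three missing labels, or better, generate both lists from one source so they cannot drift again. `opennicTrees` is also an accidental global; `local opennicTrees = policy.todnames({...})` keeps it file-scoped. The `view:addr('0.0.0.0/0', ...)` / `'::/0'` rules flag every query `NO_CACHE`, which forces full recursion per query and makes the server a better reflection target; if that is a deliberate privacy choice a comment saying so would help, since the 150 MB `cache.size` above suggests otherwise.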

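--- a/server-conf/monitor-kresd.sh
+++ b/server-conf/monitor-kresd.sh
@@ -0,0 +1,34 @@
+#if lsof -Pi :50 -sUDP:LISTEN -t >/dev/null ; then
+# echo "running"
+#else
+# echo "not running"
+#fi
+#netstat -ln | grep ":50 " 2>&1 > /dev/null
+#if [ $? -eq 1 ]; then
+# echo Starting Meteor;
+#fi
+!/bin/bash
+# Check if gedit is running
+# -x flag only match processes whose name (or command line if -f is
+# specified) exactly match the pattern.
+if ps -e | grep dnscrypt-wrap
+then
+echo "Dnscrypt wrapper is running"
+else
+/root/dns/dnscrypt-start.sh
+echo "Dnscrypt is Stopped"
+fi
+if pgrep -x "kresd"
+then
+echo "kresd is Running"
+else
+echo "kresd is Stopped and restart service "
+/root/kresd.sh
+#service knot-tls stop
+#service knot-tls start
+fi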
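Review bot: The interpreter line `!/bin/bash` is missing its leading `#` and is not the first line of the file, so it is neither honoured as a shebang nor treated as a comment: bash will try to execute a command named `!/bin/bash` and print an error on every run, and which shell actually interprets the script depends on the caller (cron, `sh`). Move `#!/bin/bash` to line 1 and delete the malformed line. The dnscrypt check uses `ps -e | grep dnscrypt-wrap` while the kresd check uses `pgrep -x`; `if pgrep dnscrypt-wrap >/dev/null; then` is the consistent form and avoids the grep-matches-itself hazard (note `-x` would not match here, because the kernel truncates the comm name to 15 characters, `dnscrypt-wrappe`). The else branch also prints `Dnscrypt is Stopped` only after `/root/dns/dnscrypt-start.sh` has already been invoked, which will confuse anyone reading the output later; print the status before the restart.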

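--- a/server-conf/restart.sh
+++ b/server-conf/restart.sh
@@ -0,0 +1,14 @@
+## Cronjob every 6 hours clear logs and restart services
+cd /var/log
+rm -rf haproxy.log*
+rm -rf daemon.log*
+rm -rf messages*
+rm -rf syslog*
+rm -rf user*
+rm -rf kern*
+rm -rf debug*
+service haproxy restart
+service doh-server restart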
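Review bot: `cd /var/log` is not checked, so if it fails (directory missing, restricted shell, odd cwd under cron) the following `rm -rf syslog*`, `messages*`, `kern*` and friends run in whatever directory the script happened to start in; use `cd /var/log || exit 1`, and give the file a shebang since it has none. Beyond that, unlinking the live `syslog`/`messages`/`kern.log` files every six hours destroys the host's only local audit trail, and rsyslog keeps writing to the unlinked inodes until it is restarted, so the disk space is not even reclaimed. If the intent is privacy (no query-related logs on disk), the cleaner control is to not log at the source — haproxy already has `no log` — and let `logrotate` with a short `maxage`/`rotate` handle the rest; if the job must stay, `truncate -s 0 /var/log/syslog` followed by `systemctl kill -s HUP rsyslog` is safer than `rm -rf`.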

server-conf/unbound/bind.keys Executable file

@@ -0,0 +1,5 @@
trusted-keys {
. 257 3 8 "AwEAAaq+qqsdDHByq/DFR5/u23qcDNOQJzjYBcSfjrGNLdY2+vY+ubhu iz0hG1xk5D+dK78Eh58wZ3tQnsRr3bVNVfcovlx/rdwuw5blez2TT0Et 4IF/3b/RpMpCwSSOWTMGvi0EwIMNsjYWEZlRjcWku3cnAAvSD3YdaRW2 JCKsbkK5OQp2YjuQgIOL7J6f8mN6nkfAWd9L2U9H+TSEnx8gqqkXIEIR WcbdWN1FiCdy3L8CaHbZcttzx5lLOGrjPW+raXn+KaQSU+WW9n2PPOZb NUrQnsW/DJ+b+soNQQbhwFlp/av5VzaxB7/57vEKqj71x+Xu8S0sGpLc Xrkf5p3ri93ScLsJOT11fIlMRIwcKsWZEIIyYzuQeq8MoVTenvN6re/y 872Vb6JBHbBMk0JmsRwkXltz9PINWyvVyqM3PA1bJ4fz8QbqXnTnJiR/ yylhcE8rjPUtnf29NyDN7Co9JzPwnwE74F3k3R18w45L8E5Dt5it2PIA 9/rb6GDMrPAPsa1X82qNLzcboosMj9vT7Ofg8M+x2/VYt6u4xX4glZRa vyjTs6qGfzFS+Z44zrIP4CtNa0fL0AwJ/wsK4YJSX0xZ6/CJI/NNXeSg G5vfMw04kUDI9d9oO9jkAhYDmTaOI6C5nVTymAs3uje8/mZlo/pUSllB 0DkpTgd5PTAwQsA1";
. 256 3 8 "AwEAAcnclWrEkYgk+zGEAtbUoFpkKojImn4go0WwsD3TyGq5Mp7Xb5yv yO3VzcGLyeMJ1p55PFTij4xXR+LiXlzdjIgvy8JloXDh6Pg3mhQ/x6YR aWjkstFbeTicyR94Q7ns7/0tqcR/4kjvcK/haViADuamvt0flv04wBeq ZaJBdj5TLYXfYCYr8QVvlryvHf6SCF9Xwgo/34iP+T0EH1yGL4HASeHL Cn8Kh5zTsIbefAvjkPPv7T23xeiT0FfJ4AJim9tMU5DYZFPU4J5Gtsk9 LIFBju5TAlbXf9nldM9WfESP/ZPBvLlrPeNzXrSEbyqkE72xtpr/3ckY jZd5aODWCmhp3tTc/UBcZxzw4IcJ3j5cmdTnrnOlLOA4DXnkB1Ts90BM G00ySdBeXeW0abKOiCH/qqdWlPR3jLEZth9y5WWHVIcY5JsjbpQnv85A YaQYzUA2W79oM1XoQ35EB5PHPs3lCMJ/42zDmbhJ2n7m2xx3DbCnzHTt H9Fsqi1+8s8LNQAbQeINBkiDeyeEpY2CFVz222zEusCOj/cbWuirBqMD WjIajMwBpF2z0x8FznahSEoR+djYNpXpv9pFcl4rYTCqnQcKy0PUoGrs 8X4OzLW7egrAWodF3z7KieAMyK09/0qBf7rtB8qOLR7NiFA/UYvkZTwz E74ZGP9Y4kOi0lA5";
. 256 3 8 "AwEAAetFT8ZCzhqTOT7em1LxFynu1zwZXwu0qzSNtO8ABxfls+QfDMxB 4jUdOkAVJKG313bS9rHwUqG3Sg2fPGmdo4xzt3ps9/Tmh6c657r5zYTd tlAy3tjU2G7VUWnbwwHFAIe4R9ajnScvdNfFZpUalrxT3FsfLbTfhnt3 HZljYbyVYi9v8H+gweoBGfq5xIrNwKz4DNu217GWtZaOGhPcS2HYgqDD 0BuRxYwAkoiphcoHwc9QOHIMWlN9Wdw1+udpHZ43Oysp8EXqF2miYljd 3EprDthfZ0MU0xqbHzLbtPQCVQir3HymJxTbrpE1fpKbKyXlyRqSUxTL ONud5BQISb0=";
};
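Review bot: This is a static BIND `trusted-keys` block that pins the root KSK together with two ZSKs (flags 256); ZSKs are rotated roughly quarterly, so those two entries will go stale and anything that loads this file as trust anchors will then fail validation for the whole tree. Trust anchors should be managed via RFC 5011 (`managed-keys` in BIND, `auto-trust-anchor-file` in unbound) and only the KSK (the 257 entry) belongs in them. unbound.conf in this same commit already sets `auto-trust-anchor-file: "/var/lib/unbound/root.key"`, so this file looks redundant — confirm nothing references it and drop it, or trim it to the single KSK line.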


@@ -0,0 +1,26 @@
;; ANSWER SECTION:
. 86400 IN NS ns2.opennic.glue.
. 86400 IN NS ns6.opennic.glue.
. 86400 IN NS ns5.opennic.glue.
. 86400 IN NS ns8.opennic.glue.
. 86400 IN NS ns9.opennic.glue.
. 86400 IN NS ns10.opennic.glue.
. 86400 IN NS ns4.opennic.glue.
;; ADDITIONAL SECTION:
ns2.opennic.glue. 7200 IN A 161.97.219.84
ns2.opennic.glue. 7200 IN AAAA 2001:470:4212:10::100:53:10
ns4.opennic.glue. 7200 IN A 163.172.168.171
ns5.opennic.glue. 7200 IN A 94.103.153.176
ns5.opennic.glue. 7200 IN AAAA 2a02:990:219:1:ba:1337:cafe:3
ns6.opennic.glue. 7200 IN A 207.192.71.13
ns8.opennic.glue. 7200 IN A 178.63.116.152
ns8.opennic.glue. 7200 IN AAAA 2a01:4f8:141:4281::999
ns9.opennic.glue. 7200 IN A 174.138.48.29
ns9.opennic.glue. 7200 IN AAAA 2604:a880:800:a1::2a:2001
ns10.opennic.glue. 7200 IN A 188.226.146.136
ns10.opennic.glue. 7200 IN AAAA 2001:470:1f04:ebf::2
;; Query time: 212 msec
;; SERVER: 174.138.48.29#53(174.138.48.29)
;; WHEN: Wed Oct 31 15:28:13 CST 2018

server-conf/unbound/unbound.conf Executable file

@@ -0,0 +1,127 @@
server:
interface: 127.0.0.1@48
interface: ::1@48
access-control: 127.0.0.1 allow
access-control: ::1 allow
#access-control: 0.0.0.0/0 allow
#access-control: ::/0 allow
prefer-ip6: yes
delay-close: 1500
do-ip4: yes
do-ip6: yes
do-tcp: yes
do-udp: yes
do-not-query-localhost: no
verbosity: 0
log-time-ascii: no
log-servfail: no
client-subnet-always-forward: yes
aggressive-nsec: yes
harden-dnssec-stripped: yes # if 'no', disable dnssec
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: yes
qname-minimisation: yes
qname-minimisation-strict: no #some domain might be failed to request
so-reuseport: yes
minimal-responses: yes
deny-any: yes
rrset-roundrobin: yes
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 86400 # max 1 day
#serve-expired-ttl-reset: no
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
edns-tcp-keepalive: yes
#edns-tcp-keepalive-timeout: 12000 # 2min
#tcp-idle-timeout: 30000 # 30 sec
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
key-cache-slabs: 1
infra-cache-slabs: 1
msg-cache-size: 54m # default 4m
rrset-cache-size: 108m # rrset=msg*2 # default 4m
key-cache-size: 54m # default 4m
neg-cache-size: 27m # default 1m
infra-cache-numhosts: 50000
# dnscrypt-shared-secret-cache-size: 13m # default 4m
# dnscrypt-nonce-cache-size: 13m # default 4m
outgoing-range: 4096
incoming-num-tcp: 100
outgoing-num-tcp: 100
neg-cache-size: 25m
unwanted-reply-threshold: 10000000
cache-min-ttl: 90
cache-max-ttl: 900
infra-host-ttl: 3600
val-bogus-ttl: 120
cache-max-negative-ttl: 10 # Time to live maximum for negative responses, these have a SOA in the authority section that is limited in time. Default is 3600. This applies to nxdomain and nodata answers.
infra-cache-numhosts: 50000
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Refence: https://github.com/publicarray/dns-resolver-infra/blob/master/unbound/unbound.conf
local-zone: example. static
local-zone: local. static
local-zone: i2p. static
local-zone: home. static
local-zone: zghjccbob3n0. static
local-zone: dhcp. static
local-zone: lan. static
local-zone: localdomain. static
local-zone: ip. static
local-zone: internal. static
local-zone: openstacklocal. static
local-zone: dlink. static
local-zone: gateway. static
local-zone: corp. static
local-zone: workgroup. static
local-zone: belkin. static
local-zone: davolink. static
local-zone: z. static
local-zone: domain. static
local-zone: virtualmin. static
private-address: 0.0.0.0/8 # Should not be on the Internet (only valid as source address)
private-address: 10.0.0.0/8 # Private networks
private-address: 127.0.0.0/8 # Loopback, spam-blocklists (RBL) (https://www.dnsbl.info/) e.g. "dig +short 0.0.0.0.zen.spamhaus.org" will stop working (https://www.spamhaus.org/zen/, https://www.spamhaus.org/faq/section/DNSBL%20Usage#202)
private-address: 169.254.0.0/16 # link-local (networks without DHCP)
private-address: 172.16.0.0/12 # Private networks
private-address: 192.168.0.0/16 # Private networks
private-address: 255.255.255.255/32 # Broadcast destination
## IPv6
private-address: ::/128 # Unspecified addresses (only valid as source address)
private-address: ::1/128 # Loopback
private-address: 2001:db8::/32 # Documentation addresses used for documentation purposes such as user manuals, RFCs, etc. (RFC3849)
# private-address: ::ffff:0:0/96 # IPv4-mapped IPv6 addresses (depreciated and should not be on the public internet) (blocks potentially valid addresses / gives wrong result from DNS Benchmark)
private-address: fe80::/10 # IP address autoconfiguration (link-local unicast, Private network)
private-address: fc00::/7 # Unique Local Addresses (Private network)
# private-address: fec0::/10 # Depreciated site networks
# private-address: 2002::/16 # 6to4 (deprecated)
# private-address: 64:ff9b::/96 # 6to4 "Well-Known" Prefix
# private-address: 2001::/32 # Teredo
private-address: 2001:10::/28 # ORCHID
# private-address: ff00::/8 # Multicast
## Selected IPv4 mapped addresses from IPv4 above (fixes potentially wrong result from DNS Benchmark if blocking all of ::ffff:0:0/96)
private-address: ::ffff:0.0.0.0/120 # Private IPv4-mapped addresses
private-address: ::ffff:10.0.0.0/120 # Private IPv4-mapped addresses
private-address: ::ffff:127.0.0.1/120 # Loopback IPv4-mapped addresses, spam-blocklists (RBL)
private-address: ::ffff:169.254.0.0/112 # Link-local IPv4-mapped addresses
private-address: ::ffff:172.16.0.0/116 # Private IPv4-mapped addresses
private-address: ::ffff:192.168.0.0/112 # Private IPv4-mapped addresses
private-address: ::ffff:255.255.255.255/128 # Broadcast IPv4-mapped addresses
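Review bot: `neg-cache-size` is set twice (`27m`, then `25m` further down) and `infra-cache-numhosts` twice (`50000` both times); unbound takes the last occurrence, so the effective negative cache is 25m and the commented `27m` line is misleading — keep one line for each. `client-subnet-always-forward: yes` only has an effect when the `subnetcache` module is in `module-config` and `send-client-subnet` lists upstreams, neither of which appears here; if those are added later it would forward client subnet prefixes upstream, a privacy regression for a resolver that otherwise hides identity and version, so consider removing it unless ECS is actually wanted. `do-not-query-localhost: no` is presumably required because the other files put upstream components on loopback ports (50, 51, 52); a one-line comment stating that would stop a future reader from reverting it. The loopback-only `access-control`, `harden-dnssec-stripped: yes` and `auto-trust-anchor-file` look right.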


@@ -0,0 +1,468 @@
server:
domain-insecure: "opennic.glue"
auth-zone:
name: "opennic.glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/opennic.glue"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "dns.opennic.glue"
auth-zone:
name: "dns.opennic.glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/dns.opennic.glue"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "micro"
auth-zone:
name: "micro"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/micro"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "ing"
auth-zone:
name: "ing"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ing"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "glue"
auth-zone:
name: "glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/glue"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "bbs"
auth-zone:
name: "bbs"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bbs"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "bit"
auth-zone:
name: "bit"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bit"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "chan"
auth-zone:
name: "chan"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/chan"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "dyn"
auth-zone:
name: "dyn"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/dyn"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "free"
auth-zone:
name: "free"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/free"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "fur"
auth-zone:
name: "fur"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/fur"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "geek"
auth-zone:
name: "geek"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/geek"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "gopher"
auth-zone:
name: "gopher"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/gopher"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "indy"
auth-zone:
name: "indy"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/indy"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "libre"
auth-zone:
name: "libre"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/libre"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "neo"
auth-zone:
name: "neo"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/neo"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "null"
auth-zone:
name: "null"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/null"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "oss"
auth-zone:
name: "oss"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/oss"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "oz"
auth-zone:
name: "oz"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/oz"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "parody"
auth-zone:
name: "parody"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/parody"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "pirate"
auth-zone:
name: "pirate"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/pirate"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "o"
auth-zone:
name: "o"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/o"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "lib"
auth-zone:
name: "lib"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/lib"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "coin"
auth-zone:
name: "coin"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/coin"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "emc"
auth-zone:
name: "emc"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/emc"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "bazar"
auth-zone:
name: "bazar"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bazar"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "cyb"
auth-zone:
name: "cyb"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/cyb"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "ku"
auth-zone:
name: "ku"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ku"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "te"
auth-zone:
name: "te"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/te"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "uu"
auth-zone:
name: "uu"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/uu"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "ti"
auth-zone:
name: "ti"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ti"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53