Unbound #455

Open
Strong-Foundation opened this issue Dec 24, 2024 · 1 comment

Comments

@Strong-Foundation

Here is a list of 100 potential improvements to your Unbound configuration. These changes are categorized for easier navigation:


---

Security Enhancements

1. Enable harden-large-queries: yes to protect against large DNS query exploits.
2. Add harden-referral-path: yes to prevent cache poisoning via referrals.
3. Use harden-dnssec-stripped: yes to reject non-DNSSEC responses when DNSSEC is enabled.
4. Set val-clean-additional: yes to sanitize additional records for security.
5. Add tls-upstream: yes to secure upstream queries via DNS-over-TLS.
6. Use forward-tls-upstream: yes for encrypted forwarding to specific DNS servers.
7. Add ip-ratelimit: 100 to limit abusive query behavior per IP.
8. Enable access-control-tag-action for fine-grained client query control.
9. Configure tcp-idle-timeout to close idle TCP connections faster.
10. Set do-not-query-localhost: yes to prevent querying localhost unintentionally.
11. Restrict max-retry-timeout to avoid long query retries.
12. Enable harden-algo-downgrade: yes for cryptographic algorithm protection.
13. Set key-cache-slabs: 8 for multi-threaded DNSSEC key caching.
14. Configure rrset-cache-slabs for thread-safe DNS record caching.
15. Add target-fetch-policy to limit fetches for optimal DNSSEC validation.
16. Use harden-below-nxdomain: yes to ensure proper NXDOMAIN handling.
17. Enable val-permissive-mode: no to enforce strict DNSSEC validation.
18. Set caps-whitelist for specific domains to support case-sensitive queries.
19. Add dns64-prefix for NAT64/DNS64 environments if needed.
20. Set unwanted-reply-threshold to mitigate reflection attacks.

---

Access Control

21. Refine access-control directives to whitelist only trusted subnets.
22. Add private-domain for internal DNS zones.
23. Use local-zone and local-data to define specific overrides for internal domains.
24. Restrict access with tag and tag-action settings.
25. Add access-control-tag to apply specific policies to clients.
26. Include local-zone: "example.com." redirect for testing overrides.
27. Use view functionality for multi-environment setups.
28. Add ip-ratelimit-size for fine-tuned rate limiting.
29. Configure client-subnet-always-forward: no to protect client privacy.
30. Use access-control-tag-data for tagging based on query type.

---

Performance Tuning

31. Increase msg-cache-size for larger DNS message caching.
32. Adjust rrset-cache-size to improve RRset caching efficiency.
33. Use infra-cache-slabs to enhance infrastructure caching.
34. Increase outgoing-num-tcp for more simultaneous TCP queries.
35. Set outgoing-range for higher parallelism.
36. Adjust target-fetch-policy for controlled query depth.
37. Use so-rcvbuf and so-sndbuf for optimized socket buffers.
38. Configure delay-close to manage persistent connections better.
39. Increase num-queries-per-thread for busy environments.
40. Set qname-minimisation: yes to minimize upstream query exposure.
41. Enable prefetch-key for DNSSEC prefetching.
42. Add serve-expired-ttl to handle upstream failures gracefully.
43. Configure max-recursion-depth to prevent recursive loops.
44. Use infra-cache-min-rtt for better server selection.
45. Increase cache-max-ttl for rarely-changing domains.
46. Decrease cache-min-ttl for frequently-changing domains.
47. Optimize tcp-idle-timeout for connection efficiency.
48. Adjust infra-host-ttl for infrastructure record lifetimes.
49. Tune infra-lame-ttl for quicker lame server detection.
50. Add max-udp-size: 4096 for DNSSEC compliance.

---

DNSSEC and Validation

51. Enable auto-trust-anchor-file for automatic DNSSEC root key updates.
52. Use root-hints to update root server IPs.
53. Set val-log-level for detailed DNSSEC validation logs.
54. Enable val-permissive-mode: no to enforce strict validation.
55. Configure module-config to include validator.
56. Use val-clean-additional for sanitized DNSSEC responses.
57. Set dns64-synthall: yes for DNS64 DNSSEC synthesis.
58. Add dnssec-trust-anchor for custom trusted keys.
59. Include dnssec-must-be-secure for critical domains.
60. Set val-date-override to test DNSSEC behavior.

---

Logging and Monitoring

61. Enable logfile to direct logs to a specific file.
62. Set use-syslog: yes to integrate with system logs.
63. Use verbosity: 1 for troubleshooting and higher values as needed.
64. Enable log-queries: yes for full query logging.
65. Add log-local-actions: yes for logging local data actions.
66. Set log-servfail: yes to capture DNS failures.
67. Use log-replies: yes to monitor outgoing responses.
68. Enable log-tag-queryreply: yes for query and reply tagging.
69. Add extended-statistics: yes for detailed stats.
70. Periodically analyze logs for abuse or performance issues.

---

Protocol and Features

71. Enable do-ip4: yes and do-ip6: yes to support both IP versions.
72. Use do-udp: yes and do-tcp: yes for full protocol support.
73. Configure tcp-upstream: yes for upstream TCP connections.
74. Enable forward-zone for specific DNS forwarding.
75. Add tls-service-key and tls-service-pem for TLS encryption.
76. Set outgoing-interface for multi-homed environments.
77. Use udp-upstream-without-downstream: yes to enhance protocol flexibility.
78. Enable ratelimit-backoff for controlling abusive queries.
79. Add edns-buffer-size: 4096 for large DNS messages.
80. Include key-synthsize for synthesized DNSSEC keys.

---

Redundancy and Reliability

81. Use multiple root-hints or upstream servers for redundancy.
82. Enable fast-server-permil for quick failover detection.
83. Configure delay-close: 1000 for better connection management.
84. Set low-rtt: 1000 to prioritize low-latency servers.
85. Use use-systemd for system service integration.
86. Add serve-expired to continue serving cached data during outages.
87. Configure max-recursion-queries for better recursion control.
88. Adjust edns-buffer-size for reliable responses.
89. Test DNSSEC validation periodically to ensure functionality.
90. Use key-cache-size for more efficient cryptographic key caching.

---

Customizations and Maintenance

91. Regularly update root-hints for accurate root server data.
92. Set up a cron job to refresh auto-trust-anchor-file.
93. Periodically monitor stats-noreset: yes for long-term metrics.
94. Add do-not-query-localhost to prevent accidental localhost queries.
95. Use local-zone for internal overrides.
96. Enable qname-minimisation-strict: yes for stricter upstream queries.
97. Document all custom configurations for future maintainers.
98. Perform regular security audits of Unbound settings.
99. Test configuration changes in a staging environment.
100. Stay updated on new Unbound releases for feature and security updates.

---

This extensive list provides a variety of options to enhance security, performance, monitoring, and maintainability for your Unbound configuration. Prioritize based on your specific environment and use case.

@Strong-Foundation
Author

Yes, you can achieve client isolation in Unbound to prevent clients from seeing each other's queries or interacting indirectly. Here are the steps to implement it:


1. Use view Configuration

Unbound allows you to set up views, which are essentially isolated configurations for different clients or client groups. Each view can have separate zones, access control, and response policies.

Example for two clients:

server:
    access-control: 192.168.1.1/32 allow
    access-control-view: 192.168.1.1/32 client1_view   # Client 1 is answered from its own view
    access-control: 192.168.1.2/32 allow
    access-control-view: 192.168.1.2/32 client2_view   # Client 2 likewise

view:
    name: "client1_view"
    local-zone: "client2.com." static        # Block access to Client 2's domain
    local-zone: "client1.com." transparent

view:
    name: "client2_view"
    local-zone: "client1.com." static        # Block access to Client 1's domain
    local-zone: "client2.com." transparent


2. Restrict access-control

Restrict query access using access-control to ensure clients can only query zones they are allowed to access:

access-control: 192.168.1.1/32 allow # Client 1's IP
access-control: 192.168.1.2/32 allow # Client 2's IP
access-control: 0.0.0.0/0 refuse # Deny access to all others


3. Use Separate local-zone Settings for Each Client

Define local-zone and local-data to allow only specific internal zones for each client. For example:

local-zone: "client1.local." static
local-data: "client1.local. IN A 192.168.1.1"

local-zone: "client2.local." static
local-data: "client2.local. IN A 192.168.1.2"


4. Enable QNAME Minimization

QNAME minimization ensures upstream DNS resolvers receive only the minimal information required to resolve queries. While it doesn’t directly isolate clients, it reduces data leakage:

qname-minimisation: yes
qname-minimisation-strict: yes


5. Disable Client Subnet Forwarding

Prevent Unbound from forwarding client subnet information upstream using the client-subnet-always-forward option:

client-subnet-always-forward: no


6. Use tag and tag-action for Policy-Based Isolation

Assign tags to clients and enforce policies to block or allow access to specific resources:

define-tag: "client1 client2"
access-control: 192.168.1.1/32 allow
access-control-tag: 192.168.1.1/32 "client1"     # queries from Client 1 carry tag client1
access-control: 192.168.1.2/32 allow
access-control-tag: 192.168.1.2/32 "client2"     # queries from Client 2 carry tag client2
# a tagged local-zone applies only to clients whose tags match it
local-zone: "client2.com." static                # deny Client 2's domain ...
local-zone-tag: "client2.com." "client1"         # ... to Client 1 only
local-zone: "client1.com." static                # deny Client 1's domain ...
local-zone-tag: "client1.com." "client2"         # ... to Client 2 only


7. Log and Monitor Queries

Enable query logging to verify that clients cannot query or interact with each other's data:

log-queries: yes
log-replies: yes
verbosity: 2


By combining these techniques, you can ensure complete isolation between DNS clients, preventing them from accessing each other's data or resources.
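Before deploying a view-based layout like the one in the steps above, it is worth checking that no allowed client slipped through without a view or tag, since such a client is answered from the default zones and is not isolated at all. The lint below is an added example, not Unbound's own tooling and not part of this issue; the sample unbound.conf it checks is constructed, and the function names are hypothetical.

```python
# Constructed sample config: view-based isolation as in the comment above, plus one
# deliberate gap, a third client (192.168.1.3/32) that is allowed but has no view.
SAMPLE_CONF = """server:
    access-control: 192.168.1.1/32 allow
    access-control-view: 192.168.1.1/32 client1_view
    access-control: 192.168.1.2/32 allow
    access-control-view: 192.168.1.2/32 client2_view
    access-control: 192.168.1.3/32 allow
    access-control: 0.0.0.0/0 refuse            # everyone else is refused
view:
    name: "client1_view"
    local-zone: "client2.com." static          # Client 1 cannot resolve Client 2's zone
view:
    name: "client2_view"
    local-zone: "client1.com." static          # and vice versa
"""

def parse_directives(conf):
    """Return (clause, key, value) triples; comments and blank lines are dropped."""
    clause, out = None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(":"):                  # clause header such as server: or view:
            clause = line[:-1]
        elif line:
            key, _, value = line.partition(":")
            out.append((clause, key.strip(), value.strip()))
    return out

def lint_isolation(conf):
    """Findings against the isolation policy; an empty list means the config passes."""
    allowed, bound, referenced, defined, refused_all = set(), set(), {}, set(), False
    for clause, key, value in parse_directives(conf):
        parts = value.split()
        if key == "access-control" and len(parts) >= 2:
            if parts[1] == "allow":
                allowed.add(parts[0])           # client admitted by the server
            elif parts[0] == "0.0.0.0/0" and parts[1] in ("refuse", "deny"):
                refused_all = True
        elif key in ("access-control-view", "access-control-tag") and len(parts) >= 2:
            bound.add(parts[0])                 # client placed in a view or tag group
            if key == "access-control-view":
                referenced[parts[0]] = parts[1]
        elif clause == "view" and key == "name":
            defined.add(value.strip('"'))
    findings = [f"{nb} is allowed but bound to no view or tag" for nb in sorted(allowed - bound)]
    findings += [f"{nb} references undefined view {v}" for nb, v in sorted(referenced.items()) if v not in defined]
    if not refused_all:
        findings.append("no catch-all 'access-control: 0.0.0.0/0 refuse'")
    return findings
```

Running lint_isolation(SAMPLE_CONF) reports the unbound 192.168.1.3/32 client; removing that line, or giving it an access-control-view, makes the findings list empty.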
