From d1a9529475be890717ce19c1e2931bbbf6c09cce Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Fri, 29 Oct 2021 15:00:37 +0200
Subject: [PATCH] initial
---
 doh_hottis_de_https.mobileconfig | 76 ++++++++++++++++++++++++++++++++
 doh_hottis_de_tls.mobileconfig | 75 +++++++++++++++++++++++++++++++
 readme.md | 13 ++++++
 renewcerts.sh | 15 +++++++
 unbound.conf | 38 ++++++++++++++++
 unbound.service | 17 +++++++
 6 files changed, 234 insertions(+)
 create mode 100644 doh_hottis_de_https.mobileconfig
 create mode 100644 doh_hottis_de_tls.mobileconfig
 create mode 100644 readme.md
 create mode 100755 renewcerts.sh
 create mode 100644 unbound.conf
 create mode 100644 unbound.service
diff --git a/doh_hottis_de_https.mobileconfig b/doh_hottis_de_https.mobileconfig
new file mode 100644
index 0000000..93fdec9
--- /dev/null
+++ b/doh_hottis_de_https.mobileconfig
@@ -0,0 +1,76 @@
+
+
+
+
+ PayloadDisplayName
+ Hottis DNS-over-HTTPS
+ PayloadIdentifier
+ de.hottis.doh.https
+ PayloadUUID
+ 34c7d729-3aee-459e-9563-dd4e5769c269
+ PayloadDescription
+ Hottis DNS-over-HTTPS
+ PayloadRemovalDisallowed
+
+ PayloadVersion
+ 1
+ PayloadType
+ Configuration
+ PayloadContent
+
+
+ PayloadDisplayName
+ Hottis DNS-over-HTTPS
+ PayloadType
+ com.apple.dnsSettings.managed
+ PayloadIdentifier
+ com.apple.dnsSettings.managed.3dd84456-72bc-42a3-b9c3-64f8738b8a16
+ PayloadUUID
+ cda373f6-10f7-4344-8821-88add5d21907
+ PayloadVersion
+ 1
+ ProhibitDisablement
+
+ DNSSettings
+
+ DNSProtocol
+ HTTPS
+ ServerAddresses
+
+ 130.162.53.245
+
+ ServerURL
+ https://doh.hottis.de/dns-query
+
+ OnDemandEnabled
+ 1
+ OnDemandRules
+
+
+ Action
+ Disconnect
+ InterfaceTypeMatch
+ WiFi
+ SSIDMatch
+
+ test
+
+
+
+ Action
+ Connect
+ InterfaceTypeMatch
+ WiFi
+
+
+ Action
+ Connect
+ InterfaceTypeMatch
+ Cellular
+
+
+
+
+
+
+
diff --git a/doh_hottis_de_tls.mobileconfig b/doh_hottis_de_tls.mobileconfig
new file mode 100644
index 0000000..264ee50
--- /dev/null
+++ b/doh_hottis_de_tls.mobileconfig
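Review bot: The Disconnect rule keyed on `SSIDMatch` with the value `test` in the OnDemandRules array (the same rule appears in doh_hottis_de_tls.mobileconfig) looks like a placeholder that was never replaced. An SSID is chosen by whoever operates the access point, so with this rule in place any WiFi network advertising the name `test` silently switches the device back to the network-supplied resolver, which is the opposite of what a `ProhibitDisablement` profile is meant to guarantee. If the intent is to skip encrypted DNS only on one known home or office network, put that network's real SSID here and add an XML comment such as `<!-- Disconnect rule: bypass DoH only on the trusted LAN resolver; SSID must match exactly -->`; otherwise drop the rule so that both the WiFi and Cellular rules Connect unconditionally.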
@@ -0,0 +1,75 @@
+
+
+
+
+ PayloadDisplayName
+ Hottis DNS-over-TLS
+ PayloadIdentifier
+ de.hottis.doh.tls
+ PayloadUUID
+ 86665a45-0dbd-48e3-b0fa-3e703a42a758
+ PayloadDescription
+ Hottis DNS-over-TLS
+ PayloadRemovalDisallowed
+
+ PayloadVersion
+ 1
+ PayloadType
+ Configuration
+ PayloadContent
+
+
+ PayloadDisplayName
+ Hottis DNS-over-TLS
+ PayloadType
+ com.apple.dnsSettings.managed
+ PayloadIdentifier
+ com.apple.dnsSettings.managed.e1a386eb-0562-4b5b-8a4f-7989743c4cd8
+ PayloadUUID
+ 800dfe36-754a-4803-8fe4-36d82f67bdb3
+ PayloadVersion
+ 1
+ ProhibitDisablement
+
+ DNSSettings
+
+ DNSProtocol
+ TLS
+ ServerAddresses
+
+ 130.162.53.245
+
+ ServerName
+ doh.hottis.de
+
+ OnDemandEnabled
+ 1
+ OnDemandRules
+
+
+ Action
+ Disconnect
+ InterfaceTypeMatch
+ WiFi
+ SSIDMatch
+
+ test
+
+
+
+ Action
+ Connect
+ InterfaceTypeMatch
+ WiFi
+
+
+ Action
+ Connect
+ InterfaceTypeMatch
+ Cellular
+
+
+
+
+
+
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..a0935fd
--- /dev/null
+++ b/readme.md
@@ -0,0 +1,13 @@
+* for Ubuntu (since Debian is not available in Oracle-Cloud):
+ * install libnghttp2-dev to build, libnghttp2-14 to run
+ * install libssl-dev to build, libssl1.1 to run
+ * install libevent-dev to build, libevent-2.1-7 to run
+ * install libexpat1-dev to build, libexpat1 to run
+* clone unbound or download and unpack the tarball
+* ``./configure --with-libnghttp2 --with-libevent --prefix /opt/unbound --sysconfdir /etc/unbound``
+* ``make && make install``
+* download the root.hints file with ``curl https://www.internic.net/domain/named.root > /etc/unbound/root.hints``
+* create the initial trust key: ``unbound-anchor -a /etc/unbound/root.key``
+* create the initial Let's Encrypt certificate using ``certbot certonly --standalone --preferred-challenges http -d ``, put key and certificate into ``/etc/unbound``
+* run the script ``renewcerts.sh`` once a month (e.g. from cron)
+
diff --git a/renewcerts.sh b/renewcerts.sh
new file mode 100755
index 0000000..64ea148
--- /dev/null
+++ b/renewcerts.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+echo "Running certbot"
+/usr/bin/certbot renew --standalone
+
+echo "Copying cert and key to unbound"
+cp /etc/letsencrypt/live/doh.hottis.de/privkey.pem /etc/unbound/privkey.pem
+chown unbound:unbound /etc/unbound/privkey.pem
+cp /etc/letsencrypt/live/doh.hottis.de/fullchain.pem /etc/unbound/pubcert.pem
+chown unbound:unbound /etc/unbound/pubcert.pem
+
+echo "Restarting unbound"
+systemctl restart unbound
+
+
diff --git a/unbound.conf b/unbound.conf
new file mode 100644
index 0000000..0827305
--- /dev/null
+++ b/unbound.conf
@@ -0,0 +1,38 @@
+server:
+ chroot: /etc/unbound
+
+ do-ip4: yes
+ do-ip6: no
+
+ interface: 0.0.0.0@53
+ port: 53
+
+ # tls-upstream: yes
+ # tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+ # initially create using unbound-anchor -a /etc/unbound/root.key
+ auto-trust-anchor-file: /etc/unbound/root.key
+
+ # can be created using letsencrypt means, e.g. by a companion Apache httpd with mod_md or using certbot
+ tls-service-key: /etc/unbound/privkey.pem
+ tls-service-pem: /etc/unbound/pubcert.pem
+ interface: 0.0.0.0@853
+ tls-port: 853
+ interface: 0.0.0.0@443
+ https-port: 443
+
+ num-threads: 2
+
+ # curl https://www.internic.net/domain/named.root > /etc/unbound/root.hints
+ root-hints: /etc/unbound/root.hints
+
+ do-daemonize: no
+
+ verbosity: 1
+ logfile: "/etc/unbound/unbound.log"
+ log-time-ascii: yes
+ log-queries: yes
+ log-replies: yes
+
+ access-control: 0.0.0.0/0 allow
+
diff --git a/unbound.service b/unbound.service
new file mode 100644
index 0000000..a1f5d25
--- /dev/null
+++ b/unbound.service
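Review bot: The private key is copied with plain `cp` and only then `chown`ed, so the mode of `/etc/unbound/privkey.pem` comes from the umask (commonly 0644) or from whatever the existing file already has, and no line in the script restricts it; `install -o unbound -g unbound -m 0600 SRC DST` does copy, owner and mode in one step. The script also has no `set -e`, so when `certbot renew` fails the old files are still copied and unbound is still restarted, and the cron output reads as a successful run. A third, smaller point: restarting unconditionally every month interrupts resolution even when nothing was renewed; `certbot renew --deploy-hook` runs the copy step only after an actual renewal and would make the cron job idempotent. Rewritten copy step below.
```shell
#!/bin/bash
set -euo pipefail

echo "Running certbot"
/usr/bin/certbot renew --standalone

echo "Copying cert and key to unbound"
# install(1) sets owner and mode together; the key must never be group/world readable
install -o unbound -g unbound -m 0600 /etc/letsencrypt/live/doh.hottis.de/privkey.pem /etc/unbound/privkey.pem
install -o unbound -g unbound -m 0644 /etc/letsencrypt/live/doh.hottis.de/fullchain.pem /etc/unbound/pubcert.pem

# … unchanged: restart of unbound …
```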
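Review bot: `access-control: 0.0.0.0/0 allow` together with `interface: 0.0.0.0@53` makes this an open recursive resolver on plaintext UDP/TCP 53 for the whole Internet, which is the configuration abused for DNS reflection/amplification; unbound's `access-control` is a global list, not per listener, so the allow-all that the 853/443 clients need also applies to port 53. Bind the plaintext listener to loopback, `interface: 127.0.0.1@53`, and keep `0.0.0.0@853` and `0.0.0.0@443` for the DoT/DoH clients, with a comment saying why 53 stays local. `log-queries: yes` and `log-replies: yes` write every client's query names into `/etc/unbound/unbound.log`, which lives inside the chroot next to the private key; that is useful for bring-up but for a public service it should be turned off or at least rotated, and the comment should say which it is.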
@@ -0,0 +1,17 @@
+[Unit]
+Description=unbound
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+GuessMainPID=yes
+ExecStart=/opt/unbound/sbin/unbound
+ExecStop=kill -SIGINT $mainpid
+Restart=on-failure
+WorkingDirectory=/etc/unbound
+
+[Install]
+Alias=unbound
+WantedBy=multi-user.target
+
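Review bot: `ExecStop=kill -SIGINT $mainpid` cannot work as written: systemd requires an absolute path for the executable in `Exec*=` lines, and the variable systemd exports is `$MAINPID` (uppercase), so `$mainpid` expands to nothing and the stop action fails before systemd falls back to its default kill signal. Either write `ExecStop=/bin/kill -SIGINT $MAINPID` or drop the line entirely, since unbound shuts down cleanly on the SIGTERM that systemd sends by default. `Alias=unbound` in `[Install]` names the unit itself and has no effect. There is no `User=`, so unbound starts as root and presumably relies on its own privilege drop to the configured `username` (unbound.conf does not set one, so the compiled-in default applies) — a one-line comment stating that would save the next reader from adding `User=unbound` and breaking the chroot and port binding.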