diff --git a/INSTALL.md b/INSTALL.md
index e2cbd71..aec0241 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -277,7 +277,7 @@ Unbound DNS validating resolver from root nameservers, with fallback:
 unbound-anchor -a "/var/unbound/db/root.key"
 ftp -o /var/unbound/etc/root.hints https://FTP.INTERNIC.NET/domain/named.cache
 rcctl restart unbound
-install -o root -g wheel -m 0644 -b src/etc/resolv.conf /etc/
+cp src/etc/resolv.conf /etc/
 ```
 
 ### Sieve
diff --git a/README.md b/README.md
index 3b5329f..f0c37ff 100644
--- a/README.md
+++ b/README.md
@@ -110,12 +110,10 @@ full sync: replication_full_sync_interval\ =\ 1h
 Disklabel: [var/www/htdocs/mercury.example.com/disklabel.min](src/var/www/htdocs/mercury.example.com/disklabel.min)
-Permissions are described in [usr/local/bin/hier.sh](src/usr/local/bin/hier.sh)
-
 Ansible: [ansible-role-mailserver](https://github.com/gonzalo-/ansible-role-mailserver/)
 
 ## Prerequisites
 
-A DNS name server (from a registrar, a free service, VPS host, or self-hosted) is required, which allows editing the following record types: A, AAAA, MX, CAA, TXT, SSHFP
+A DNS name server (from a registrar, a free service, VPS host, or self-hosted) is required, which allows editing the following record types: [A](#forward-confirmed-reverse-dns-fcrdns), [AAAA](#forward-confirmed-reverse-dns-fcrdns), [MX](#mail-exchanger-mx), [CAA](#certification-authority-authorization-caa), [SSHFP](#secure-shell-fingerprint-sshfp), [TXT](#sender-policy-framework-spf)
 
 #### Forward-confirmed reverse DNS ([FCrDNS](https://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06))
 
 Each MX subdomain has record types A, and AAAA with the VPS IPv4, and IPv6:
diff --git a/UPGRADE.md b/UPGRADE.md
index 3f79ac5..4d1af74 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
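Review bot: Swapping `install -o root -g wheel -m 0644 -b src/etc/resolv.conf /etc/` for `cp` drops the explicit owner/group/mode and the `-b` backup of the previous file; on a fresh install the destination does not exist yet, so the copy takes the checkout's mode masked by the caller's umask instead of a declared one. The UPGRADE.md hunks make the same swap for pf.conf.anchor.block (previously forced to 0600) and dhclient.conf (previously 0640), where an existing destination presumably keeps its mode, but the rollback copy is lost there too. Either keep `install`, or add a line after each `cp` reminding the reader to confirm the result, e.g. `ls -l /etc/resolv.conf # expect root:wheel 0644`.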
@@ -14,7 +14,12 @@ sed '/rspamd.log/s|HUP|USR1|' /etc/newsyslog.conf
 
 Disable block log in pf, with small /var/log:
 ```sh
-install -o root -g wheel -m 0600 -b src/etc/pf.conf.anchor.block /etc/
+cp src/etc/pf.conf.anchor.block /etc/
+```
+
+DNS Transport over TCP ([rfc7766](https://tools.ietf.org/html/rfc7766)):
+```sh
+awk '/port domain/{sub(/udp/, "{ tcp udp }", last)} NR>1{print last} {last=$0} END {print last}' /etc/pf.conf > /tmp/pf.conf && cp /tmp/pf.conf /etc/pf.conf && rm /tmp/pf.conf
 ```
 
 Include quota usage in daily stats, with formatting for small screens:
@@ -43,9 +48,9 @@ unbound-anchor -a "/var/unbound/db/root.key"
 
 ftp -o /var/unbound/etc/root.hints https://FTP.INTERNIC.NET/domain/named.cache
 rcctl restart unbound
-install -o root -g wheel -m 0640 -b src/etc/dhclient.conf /etc/
+cp src/etc/dhclient.conf /etc/
 sh /etc/netstart vio0
-install -o root -g wheel -m 0644 -b src/etc/resolv.conf /etc/
+cp src/etc/resolv.conf /etc/
 crontab -e
 > 20 2 1,14 * * unbound-anchor -a "/var/unbound/db/root.key" && rcctl restart unbound
 
@@ -54,7 +59,7 @@ crontab -e
 
 *n.b.*: Unbound configured to use ~10MB RAM
 ```sh
-ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'
+ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'
 > RSS for _unbound 6.66406MB
 ```
 
diff --git a/src/etc/pf.conf b/src/etc/pf.conf
index 990e6be..0727c6a 100644
--- a/src/etc/pf.conf
+++ b/src/etc/pf.conf
@@ -70,7 +70,7 @@ anchor "external" on egress {
 # Outbound
 anchor out proto { tcp udp } from (egress) {
 # DNS
-pass log (user) proto udp \
+pass log (user) proto { tcp udp } \
 to port domain \
 tag SELF_INET
 
diff --git a/src/etc/resolv.conf b/src/etc/resolv.conf
index d60f3cb..1b52bcd 100644
--- a/src/etc/resolv.conf
+++ b/src/etc/resolv.conf
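Review bot: The new "DNS Transport over TCP" one-liner writes the rewritten ruleset to the fixed path /tmp/pf.conf in a world-writable directory, so a file or symlink already sitting there decides what gets copied into /etc/pf.conf; a private name from `mktemp` avoids that, and a parse check before the copy avoids installing a broken ruleset. The `sub(/udp/, ...)` is also not idempotent: running the upgrade step a second time turns `proto { tcp udp }` into `proto { tcp { tcp udp } }`, which matching on `proto udp` instead prevents. Suggested replacement for the command line: `t=$(mktemp) && awk '/port domain/{sub(/proto udp/, "proto { tcp udp }", last)} NR>1{print last} {last=$0} END {print last}' /etc/pf.conf > "$t" && pfctl -nf "$t" && cp "$t" /etc/pf.conf; rm -f "$t"`, followed by a line saying the ruleset must then be reloaded with `pfctl -f /etc/pf.conf`.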
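Review bot: The `# DNS` comment above the changed rule in src/etc/pf.conf does not say why TCP is now passed alongside UDP, and the UPGRADE.md one-liner that rewrites this same line depends on the wording staying in sync, so a later tidy-up could silently revert it; expand the comment to `# DNS over UDP and TCP (TCP needed for truncated/large answers, rfc7766)`. The enclosing `anchor out` block continues outside the hunk.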
@@ -1,10 +1,10 @@
 # unbound
-nameserver 127.0.0.1
 nameserver ::1
+nameserver 127.0.0.1
 # fallback
-nameserver 74.82.42.42 # he.net
 nameserver 2001:470:20::2 # he.net
-nameserver 8.8.8.8 # google.com
+nameserver 74.82.42.42 # he.net
 nameserver 2001:4860:4860::8888 # google.com
+nameserver 8.8.8.8 # google.com
 family inet6 inet4 # prefer IPv6
 lookup file bind
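Review bot: The `# fallback` entries are the public resolvers the libc resolver moves on to when the local unbound at ::1/127.0.0.1 does not answer, and in that state lookups are no longer DNSSEC-validated and leave the host in the clear, so the failure mode is silent degradation rather than a visible outage; the comment should say so, e.g. `# fallback: unvalidated, only used when unbound is unreachable`. Six `nameserver` lines is also more than many libc resolvers consult (limits of three to five entries are common), so after this reordering the trailing google.com entries may never be tried at all — worth confirming against resolv.conf(5) on the target system and trimming the list if so.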