Add dnssec validating recursive resolver and razorfy+rspamd users

2021-05-21 08:46:35 +02:00
parent c5722c4c2c
commit 3d96c2ca70
6 changed files with 68 additions and 8 deletions
--- a/etc/dnsmasq.d/custom
+++ b/etc/dnsmasq.d/custom
@ -1,5 +1,6 @@
 interface=lo
-server=127.0.0.1#54
+server=127.0.0.1#55
+server=/.onion/127.0.0.1#54
 no-resolv
 cache-size=10000
-
+dnssec
--- a/etc/rc.local
+++ b/etc/rc.local
@ -23,15 +23,12 @@ ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 #allow tor traffic
-for tor in debian-tor _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s; do(
+for tor in bind9 debian-tor _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s; do(
 iptables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 ip6tables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 iptables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT;
 ip6tables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT;
 )done
-#redirect all outgoing DNS querries to our tor
-iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
 #allow querriying ntp servers (must mach /etc/systemd/timesyncd.conf
 for clearnet in 88.191.68.178 51.15.142.60 51.255.197.148 91.121.181.58; do(
 iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN;
@ -58,6 +55,9 @@ for clearnet in ::1; do(
 ip6tables -t nat -A OUTPUT -d $clearnet -j RETURN;
 ip6tables -A OUTPUT -d $clearnet -j ACCEPT;
 ) done
+#redirect all outgoing DNS querries to our tor
+iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
+ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
 #redirect everything else
 iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
 ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@ -1 +1,2 @@
 nameserver 127.0.0.1
+options edns0 trust-ad
--- a/etc/systemd/system/razorfy.service
+++ b/etc/systemd/system/razorfy.service
@ -0,0 +1,32 @@
+[Unit]
+Description=Razorfy Service
+Requires=network.target local-fs.target time-sync.target
+
+[Service]
+Type=simple
+User=razorfy
+Group=razorfy
+
+EnvironmentFile=/etc/razorfy.conf
+ExecStart=/usr/local/bin/razorfy.pl
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill $MAINPID
+
+Restart=always
+RestartSec=3
+
+PIDFile=/var/run/razor.pid
+TimeoutStopSec=30
+
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target
--- a/etc/systemd/system/rspamd.service
+++ b/etc/systemd/system/rspamd.service
@ -0,0 +1,17 @@
+[Unit]
+Description=rapid spam filtering system
+After=nss-lookup.target network-online.target
+Documentation=https://rspamd.com/doc/
+
+[Service]
+LimitNOFILE=1048576
+NonBlocking=true
+ExecStart=/usr/local/bin/rspamd -c /usr/local/etc/rspamd/rspamd.conf -f
+ExecReload=/bin/kill -HUP $MAINPID
+User=_rspamd
+RuntimeDirectory=rspamd
+RuntimeDirectoryMode=0755
+Restart=always
+
+[Install]
+WantedBy=multi-user.target