runbound 0.4.0

RFC-compliant DNS resolver — drop-in Unbound with REST API, ACME auto-TLS, HMAC audit log, and master/slave HA
# ─────────────────────────────────────────────────────────────────────────────
# Runbound — Public/shared recursive resolver (VPS / datacenter)
#
# Use-case : High-performance DNS resolver accepting queries from the public
#            internet or a large number of tenant VMs.
# - High rate limit (DDoS mitigation handled at network level)
# - DoT + DoH enabled (Let's Encrypt cert)
# - No local zones (pure forwarding resolver)
# - Memory guard active (auto-clears caches at 80 % RAM)
# ─────────────────────────────────────────────────────────────────────────────

server:
    # Bind to the public IP of the server (replace with your IP or 0.0.0.0).
    # 0.0.0.0 is the IPv4 wildcard only: even with do-ip6 below, no IPv6
    # listener is opened unless an IPv6 interface line (Unbound form: ::0) is
    # added — NOTE(review): confirm Runbound follows Unbound here.
    interface:  0.0.0.0
    port:       53

    # Transport switches. In Unbound, do-ip4/do-ip6 also govern which address
    # families are used towards upstreams, not only for listening.
    do-ip4:     yes
    do-ip6:     yes
    do-udp:     yes
    do-tcp:     yes

    # ── Access control ───────────────────────────────────────────────────────
    # SECURITY NOTICE: Never leave 0.0.0.0/0 allowed on a public port 53 UDP
    # unless you are intentionally running a public service (like 1.1.1.1)
    # and have network-level anti-DDoS/scrubbing active.
    #
    # In Unbound the most specific prefix wins, so the order of these lines does
    # not set precedence. Only the IPv4 loopback is allowed explicitly; the
    # "::/0 refuse" entry also covers ::1 unless the implementation injects an
    # implicit "::1 allow" (stock Unbound does) — NOTE(review): confirm for
    # Runbound, or add an explicit "access-control: ::1 allow" line.

    access-control: 127.0.0.0/8    allow   # localhost
    access-control: 10.0.0.0/8     allow   # internal tenant/VPC range
    access-control: 192.168.0.0/16 allow   # office/customer range
    access-control: 0.0.0.0/0      refuse  # block the rest of the internet
    access-control: ::/0           refuse

    # ── Rate limiting ────────────────────────────────────────────────────────
    # 5 000 q/s per source IP; set higher for trusted networks.
    # The inflight cap (4 096 concurrent) provides a hard OOM backstop.
    # NOTE(review): the inflight cap is not set by any directive in this file —
    # presumably a built-in default; confirm and pin it explicitly if tunable.
    # NOTE(review): stock Unbound spells the per-client limit "ip-ratelimit"
    # ("ratelimit" is per-zone); "rate-limit" is Runbound-specific, so confirm
    # the unit really is per source IP before relying on it for abuse control.
    rate-limit:    5000
    cache-max-ttl: 3600   # cap TTLs at 1 hour so upstream changes propagate within the hour

    # ── DNS rebinding protection ─────────────────────────────────────────────
    # In Unbound, answers pointing into these ranges are stripped unless the
    # owning zone is listed under private-domain (none is — consistent with the
    # "no local zones" intent of this profile).
    # NOTE(review): link-local ranges (169.254.0.0/16, fe80::/10), 0.0.0.0/8 and
    # ::1 are not listed; add them if tenants can reach cloud metadata or other
    # link-local services through a rebound name.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 127.0.0.0/8
    private-address: fd00::/8

    # ── TLS — DNS-over-TLS (853) + DNS-over-HTTPS (443) ─────────────────────
    # Issue cert with:
    #   certbot certonly --standalone -d dns.example.com
    # Standalone mode needs port 80 free at issuance time; use a certbot deploy
    # hook to reload the resolver on renewal, and make sure the service user can
    # read privkey.pem (certbot's live/ tree is root-only by default).
    # The 853/443 listener ports are not set here — presumably Runbound
    # defaults; confirm.
    tls-service-pem: /etc/letsencrypt/live/dns.example.com/fullchain.pem
    tls-service-key: /etc/letsencrypt/live/dns.example.com/privkey.pem

    # Runbound-specific: fix API key via config (override with RUNBOUND_API_KEY)
    # Prefer the environment variable so the key does not live in a file that
    # may be committed or world-readable, and never deploy the placeholder
    # value below. NOTE(review): the REST API bind address/ACL is not
    # configured in this file — confirm it is not reachable on the public
    # interface.
    # api-key: "change-me-in-production"

# ── Upstream resolvers — Quad9 + Cloudflare DoT (encrypted) ─────────────────
# Catch-all forward zone ("."): every query not answered from cache is sent
# to these upstreams on port 853; no iterative fallback is configured (no
# forward-first), so the resolver is only as available as these four servers.
# NOTE(review): the addresses carry no TLS auth name and the server: section
# sets no CA bundle. Under Unbound semantics that gives encryption without
# server authentication (any certificate presented on the path is accepted).
# Unbound's authenticated form is "forward-addr: 9.9.9.9@853#dns.quad9.net"
# plus "tls-cert-bundle: <system-ca-bundle-path>" (or "tls-system-cert: yes")
# in server: — confirm Runbound supports these and add them.
# NOTE(review): no trust anchor is configured in this file, so upstream
# answers are presumably not DNSSEC-validated locally — confirm Runbound's
# default before relying on upstream validation alone.
forward-zone:
    name:                 "."
    forward-addr:         9.9.9.9@853           # Quad9
    forward-addr:         149.112.112.112@853   # Quad9 secondary
    forward-addr:         1.1.1.1@853           # Cloudflare
    forward-addr:         1.0.0.1@853           # Cloudflare secondary
    forward-tls-upstream: yes