runbound 0.4.16

A DNS server. Just for fun.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179

# Security Hardening Guide

This document lists every security-sensitive parameter in Runbound's systemd
service file and explains what breaks silently if it is missing or misconfigured.

**Quick check:** run this after every install or update:

```bash
runbound --check-config /etc/runbound/unbound.conf
```

---

## Capabilities

| Parameter | Effect if missing |
|---|---|
| `CAP_NET_BIND_SERVICE` | Cannot bind to port 53 — server fails to start |
| `CAP_NET_RAW` | XDP disabled silently — server runs normally on SO_REUSEPORT fallback |
| `CAP_NET_ADMIN` | XDP disabled silently |
| `CAP_BPF` | XDP disabled silently |

The recommended way to grant capabilities to the binary (without running as root):

```bash
sudo setcap cap_net_bind_service,cap_net_raw,cap_net_admin,cap_bpf+eip $(which runbound)
```

Or via systemd unit:

```ini
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_BPF
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_BPF
```

---

## Address families

| Parameter | Effect if missing |
|---|---|
| `AF_INET AF_INET6` | Server cannot open UDP/TCP sockets — fails to start |
| `AF_UNIX` | API socket unavailable |
| `AF_XDP` | XDP disabled silently — server runs normally without it |

Correct `RestrictAddressFamilies` line for a server with XDP:

```ini
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_XDP
```

---

## Locked memory

| Parameter | Effect if missing |
|---|---|
| `LimitMEMLOCK=infinity` | AF/XDP UMEM allocation fails — XDP disabled silently |

```ini
[Service]
LimitMEMLOCK=infinity
```

This is required because the AF/XDP UMEM region is a large shared memory area
that the kernel must pin (lock) in RAM. Without this limit, `mmap(MAP_LOCKED)`
fails with `ENOMEM` and the XDP path is silently skipped.

---

## eBPF / kernel hardening

| Parameter | Value needed for XDP | Effect if wrong value |
|---|---|---|
| `MemoryDenyWriteExecute` | `false` | eBPF JIT compilation blocked — XDP disabled silently |
| `ProtectKernelModules` | `false` | eBPF program loading blocked — XDP disabled silently |

```ini
[Service]
MemoryDenyWriteExecute=false
ProtectKernelModules=false
```

These two directives are commonly set to `true` in hardened systemd profiles.
They must be relaxed for the eBPF XDP program to load. All other kernel hardening
directives (`ProtectKernelTunables`, `ProtectKernelLogs`, `ProtectClock`, etc.)
can remain enabled.

---

## Configuration file

| Parameter | Effect if misconfigured |
|---|---|
| `rate-limit: 0` | Rate limiting disabled — all source IPs have unlimited query rate |
| `rate-limit: 200` | Recommended default for home / residential resolvers |
| `rate-limit: 5000` | Recommended for shared or production resolvers |

> **Version note:** in v0.4.6 and below, `rate-limit: 0` set the bucket to 0 tokens
> and refused every query. Fixed in v0.4.7 — `0` now correctly means unlimited.

---

## Verifying security at startup

Check the following lines appear in logs after every install or update:

```bash
journalctl -u runbound | grep -E "XDP|affinity|cache|socket|rate"
```

Expected output:

```
INFO runbound: CPU affinity enabled — physical cores (HT excluded) cores=N
INFO runbound::dns::server: cache size auto-sized from MemAvailable cache_size=N
INFO runbound::dns::server: DNS UDP listening (SO_REUSEPORT) addr=0.0.0.0:53 sockets=N
INFO runbound: XDP kernel-bypass fast path active iface=ethX
INFO runbound::dns::server: rate limiting disabled   ← or: rate limiting enabled limit=N
```

**If `XDP kernel-bypass fast path active` is absent**, check the following in order:

1. `runbound --check-config /etc/runbound/unbound.conf` — will identify the exact missing parameter
2. Capabilities: `cat /proc/$(pgrep runbound)/status | grep CapEff`
3. `AF_XDP` in `RestrictAddressFamilies`
4. `LimitMEMLOCK=infinity` in the service file
5. `MemoryDenyWriteExecute=false` and `ProtectKernelModules=false`

---

## Complete hardened service file (with XDP)

```ini
[Unit]
Description=Runbound DNS Server
After=network.target
Wants=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/runbound /etc/runbound/unbound.conf
Restart=on-failure
RestartSec=5

User=runbound
Group=runbound

# Capabilities — port 53 + XDP kernel-bypass
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_BPF
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_BPF
NoNewPrivileges=yes

# XDP requires AF_XDP + unlocked memory + eBPF JIT
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_XDP
LimitMEMLOCK=infinity
MemoryDenyWriteExecute=false
ProtectKernelModules=false

# General hardening (compatible with XDP)
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes

[Install]
WantedBy=multi-user.target
```

---

See [security.md](security.md) for the full security model and audit findings.