
package config
import (
"crypto/rand"
"encoding/hex"
)
// Config holds all DNS server configuration.
//
// The struct tags give the JSON keys used when a configuration is
// (de)serialised. DefaultConfig fills every field with hardened defaults;
// see its comments for the reasoning behind the security-related values.
type Config struct {
	ListenDNS    string   `json:"listen_dns"`      // Address the DNS server listens on (DefaultConfig: all interfaces, port 53)
	ListenAPI    string   `json:"listen_api"`      // Address the management API listens on (DefaultConfig: loopback only)
	APIToken     string   `json:"api_token"`       // Token for the management API; DefaultConfig fills it with a random hex string from generateToken
	Upstream     []string `json:"upstream"`        // Upstream resolvers; empty means full recursive resolution from root hints
	CacheTTL     int      `json:"cache_ttl"`       // Cache TTL (DefaultConfig: 300; presumably seconds, like the other *_ttl fields — confirm)
	ZonesDir     string   `json:"zones_dir"`       // Zone data directory (DefaultConfig: data/dns/zones)
	DNSSECKeyDir string   `json:"dnssec_keys_dir"` // DNSSEC key directory (DefaultConfig: data/dns/keys)
	LogQueries   bool     `json:"log_queries"`     // Whether queries are logged (DefaultConfig: true)
	// Hosts file support
	HostsFile     string `json:"hosts_file"`      // Path to hosts file (e.g., /etc/hosts); empty by default
	HostsAutoLoad bool   `json:"hosts_auto_load"` // Auto-load system hosts file on start
	// Encryption
	EnableDoH bool `json:"enable_doh"` // DNS-over-HTTPS to upstream
	EnableDoT bool `json:"enable_dot"` // DNS-over-TLS to upstream
	// Security hardening
	RateLimit        int      `json:"rate_limit"`        // Max queries/sec per source IP (0=unlimited)
	BlockList        []string `json:"block_list"`        // Blocked domain patterns
	AllowTransfer    []string `json:"allow_transfer"`    // IPs allowed zone transfers (empty=none)
	MinimalResponses bool     `json:"minimal_responses"` // Minimize response data
	RefuseANY        bool     `json:"refuse_any"`        // Refuse ANY queries (amplification protection)
	MaxUDPSize       int      `json:"max_udp_size"`      // Max UDP response size (DefaultConfig: 1232, chosen to avoid fragmentation)
	// Advanced
	QueryLogMax      int  `json:"querylog_max"`       // Max query log entries (default 1000)
	NegativeCacheTTL int  `json:"negative_cache_ttl"` // TTL for NXDOMAIN cache (default 60)
	PrefetchEnabled  bool `json:"prefetch_enabled"`   // Prefetch expiring cache entries
	ServFailCacheTTL int  `json:"servfail_cache_ttl"` // TTL for SERVFAIL cache (default 30)
}
// DefaultConfig returns security-hardened defaults.
// No upstream forwarders — full recursive resolution from root hints.
// Upstream can be configured as optional fallback if recursive fails.
//
// Every call produces a fresh APIToken via generateToken, so two values
// returned by DefaultConfig never share a token. The management API is
// bound to loopback only; the DNS listener is bound to all interfaces
// on port 53.
func DefaultConfig() *Config {
	var cfg Config

	// Listeners and the API token.
	cfg.ListenDNS = "0.0.0.0:53"
	cfg.ListenAPI = "127.0.0.1:5380"
	cfg.APIToken = generateToken()

	// Resolution: an empty (non-nil) Upstream means pure recursion from root hints.
	cfg.Upstream = []string{}
	cfg.CacheTTL = 300
	cfg.ZonesDir = "data/dns/zones"
	cfg.DNSSECKeyDir = "data/dns/keys"
	cfg.LogQueries = true

	// Hosts file: nothing is loaded until a path is configured.
	cfg.HostsFile = ""
	cfg.HostsAutoLoad = false

	// Encrypted transport to upstreams.
	cfg.EnableDoH = true
	cfg.EnableDoT = true

	// Security hardening.
	cfg.RateLimit = 100 // 100 qps per source IP
	cfg.BlockList = []string{}
	cfg.AllowTransfer = []string{} // No zone transfers
	cfg.MinimalResponses = true
	cfg.RefuseANY = true  // Block DNS amplification attacks
	cfg.MaxUDPSize = 1232 // Safe MTU, prevent fragmentation

	// Advanced.
	cfg.QueryLogMax = 1000
	cfg.NegativeCacheTTL = 60
	cfg.PrefetchEnabled = false
	cfg.ServFailCacheTTL = 30

	return &cfg
}
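// generateToken returns a random 128-bit value as a 32-character lowercase
// hex string. DefaultConfig uses it for the initial APIToken.
//
// The randomness comes from crypto/rand. A failure of the system CSPRNG is
// treated as fatal: the previous version ignored the error from rand.Read,
// which on older toolchains could leave the buffer partially (or entirely)
// zeroed and hand out a predictable token. Since Go 1.24 rand.Read is
// documented never to fail, so the panic is unreachable there and only
// guards older toolchains.
func generateToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic("config: crypto/rand unavailable: " + err.Error())
	}
	return hex.EncodeToString(b)
}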