Autarch Will Control The Internet

services/dns-server/config/config.go

@@ -0,0 +1,84 @@
+package config
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+)
+
+// Config holds all DNS server configuration.
+type Config struct {
+	ListenDNS    string   `json:"listen_dns"`
+	ListenAPI    string   `json:"listen_api"`
+	APIToken     string   `json:"api_token"`
+	Upstream     []string `json:"upstream"`
+	CacheTTL     int      `json:"cache_ttl"`
+	ZonesDir     string   `json:"zones_dir"`
+	DNSSECKeyDir string   `json:"dnssec_keys_dir"`
+	LogQueries   bool     `json:"log_queries"`
+
+	// Hosts file support
+	HostsFile     string `json:"hosts_file"`      // Path to hosts file (e.g., /etc/hosts)
+	HostsAutoLoad bool   `json:"hosts_auto_load"` // Auto-load system hosts file on start
+
+	// Encryption
+	EnableDoH bool `json:"enable_doh"` // DNS-over-HTTPS to upstream
+	EnableDoT bool `json:"enable_dot"` // DNS-over-TLS to upstream
+
+	// Security hardening
+	RateLimit        int      `json:"rate_limit"`         // Max queries/sec per source IP (0=unlimited)
+	BlockList        []string `json:"block_list"`         // Blocked domain patterns
+	AllowTransfer    []string `json:"allow_transfer"`     // IPs allowed zone transfers (empty=none)
+	MinimalResponses bool     `json:"minimal_responses"`  // Minimize response data
+	RefuseANY        bool     `json:"refuse_any"`         // Refuse ANY queries (amplification protection)
+	MaxUDPSize       int      `json:"max_udp_size"`       // Max UDP response size
+
+	// Advanced
+	QueryLogMax      int  `json:"querylog_max"`       // Max query log entries (default 1000)
+	NegativeCacheTTL int  `json:"negative_cache_ttl"` // TTL for NXDOMAIN cache (default 60)
+	PrefetchEnabled  bool `json:"prefetch_enabled"`   // Prefetch expiring cache entries
+	ServFailCacheTTL int  `json:"servfail_cache_ttl"` // TTL for SERVFAIL cache (default 30)
+}
+
+// DefaultConfig returns security-hardened defaults.
+// No upstream forwarders — full recursive resolution from root hints.
+// Upstream can be configured as optional fallback if recursive fails.
+func DefaultConfig() *Config {
+	return &Config{
+		ListenDNS:    "0.0.0.0:53",
+		ListenAPI:    "127.0.0.1:5380",
+		APIToken:     generateToken(),
+		Upstream:     []string{}, // Empty = pure recursive from root hints
+		CacheTTL:     300,
+		ZonesDir:     "data/dns/zones",
+		DNSSECKeyDir: "data/dns/keys",
+		LogQueries:   true,
+
+		// Hosts
+		HostsFile:     "",
+		HostsAutoLoad: false,
+
+		// Encryption defaults
+		EnableDoH: true,
+		EnableDoT: true,
+
+		// Security defaults
+		RateLimit:        100,        // 100 qps per source IP
+		BlockList:        []string{},
+		AllowTransfer:    []string{}, // No zone transfers
+		MinimalResponses: true,
+		RefuseANY:        true, // Block DNS amplification attacks
+		MaxUDPSize:       1232, // Safe MTU, prevent fragmentation
+
+		// Advanced defaults
+		QueryLogMax:      1000,
+		NegativeCacheTTL: 60,
+		PrefetchEnabled:  false,
+		ServFailCacheTTL: 30,
+	}
+}
+
+func generateToken() string {
+	b := make([]byte, 16)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}