Difference between revisions of "User:Rdeckard/Post-installation"

From ArchWiki
(New page)
 
(move content from installation page)

Revision as of 01:30, 17 January 2018

Set up networking

If you have a wired connection, start/enable the dhcpcd@interface.service unit.

If you have a wireless connection, create the following file:

/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
update_config=1

Then connect to a wifi network with:

# wpa_supplicant -B -i interface -c /etc/wpa_supplicant/wpa_supplicant.conf
# wpa_cli
> scan
> scan_results
> add_network
> set_network 0 ssid "SSID"
> set_network 0 psk "passphrase"
> enable_network 0
> save_config
> quit

save_config writes the network block, passphrase included, to /etc/wpa_supplicant/wpa_supplicant.conf in clear text, so make sure that file is readable by root only (chmod 600).

Then start/enable dhcpcd.service.

Add the dhcpcd hook for wpa_supplicant, so that dhcpcd starts wpa_supplicant on wireless interfaces itself:

# ln -s /usr/share/dhcpcd/hooks/10-wpa_supplicant /usr/lib/dhcpcd/dhcpcd-hooks/

Enable ntpd.service to keep your clock in sync. A correct clock also matters for the DNSSEC validation configured below: signatures carry validity periods, and a clock that is far off makes valid answers look bogus.

DNS Resolver

Install the unbound package.

Point the system resolver at the local unbound instance (the file needs a nameserver line, not a bare address):

/etc/resolv.conf
nameserver 127.0.0.1

Ensure that dhcpcd won't overwrite it:

/etc/dhcpcd.conf
nohook resolv.conf

Add the following configuration file for unbound. It enables DNSSEC validation (trust anchor), root hints and ad blocking, and forwards all queries to the DNS servers you fill in where indicated. With a forward-zone for "." unbound does not recurse from the root itself (the root hints are only used if you drop the forward-zone), but it still validates every answer it receives, so the upstream servers do not need to validate; they do, however, see all your queries. Leave the forward-zone out if you would rather resolve from the root directly.

/etc/unbound/unbound.conf
server:

  username: unbound
  pidfile: "/etc/unbound/unbound.pid"
  directory: "/etc/unbound"

  trust-anchor-file: "/etc/unbound/root.key"
  root-hints: "/etc/unbound/root.hints"
  include: /etc/unbound/ads.conf

  do-not-query-localhost: no
  forward-zone:
    name: "."
    forward-addr: dns_ip_addr1
    forward-addr: dns_ip_addr2

Update the trust anchor file. trust-anchor-file is static, so unbound never refreshes it on its own; rerun this command whenever the root KSK rolls over, or use auto-trust-anchor-file instead (with a file writable by the unbound user), which lets unbound track rollovers itself via RFC 5011:

# unbound-anchor -a /etc/unbound/root.key

Update the root hints file. The -f makes curl fail on an HTTP error instead of saving the error page as your hints:

# curl -fsS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Update the ad blocking file. The hosts list is untrusted input that becomes resolver configuration: every 0.0.0.0 entry turns into a redirect local-zone, which answers the name and everything below it with 0.0.0.0.

# curl -fsS https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '/^0\.0\.0\.0/ {print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > /etc/unbound/ads.conf

Tip: Put the above three update commands in systemd timers to regularly refresh the files. Note that in a pipeline a failed download still leaves an empty ads.conf behind, so generate into a temporary file and run unbound-checkconf on it before installing it and restarting unbound.
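The following script is an added example, not part of the wiki page: it does the ad-list update in a way that treats the downloaded hosts file as hostile input. Names are whitelisted so a crafted line cannot break out of the quoted local-zone statement, the download must succeed, an empty result is refused, and the generated file is syntax-checked with unbound-checkconf before it atomically replaces the live one. The default URL and paths match the page; the "--update" flag and the temporary-directory layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the wiki page): rebuild /etc/unbound/ads.conf from a
# hosts-format blocklist safely. Assumes the StevenBlack hosts format used on
# the page (lines of "0.0.0.0 <name>") and a stock Arch unbound install.

# Read hosts text on stdin, write unbound local-zone/local-data lines on stdout.
hosts_to_unbound() {
    awk '
        $1 == "0.0.0.0" && NF >= 2 {
            name = $2
            sub(/\.$/, "", name)                  # tolerate a trailing dot
            if (name == "0.0.0.0") next           # self-referential header entry
            # Only plain hostnames: letters, digits, hyphens, dots. Anything
            # else (quotes, IPv6 literals, control characters) is dropped so it
            # cannot escape the quoted unbound statements printed below.
            if (name !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/) next
            if (seen[name]++) next                # one local-zone per name
            printf "local-zone: \"%s\" redirect\nlocal-data: \"%s A 0.0.0.0\"\n", name, name
        }'
}

# Download, convert, validate and atomically install. Returns non-zero and
# leaves the current ads.conf untouched on any failure.
update_ads_conf() {
    url=${1:-https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts}
    dest=${2:-/etc/unbound/ads.conf}
    # Work in the destination directory so the final mv is a rename (atomic),
    # not a copy across filesystems from /tmp.
    work=$(mktemp -d "${dest%/*}/.ads-update.XXXXXX") || return 1
    status=1
    # -f: an HTTP error must fail the download instead of saving an error page
    if curl -fsS -o "$work/hosts" "$url" &&
       hosts_to_unbound < "$work/hosts" > "$work/ads.conf" &&
       [ -s "$work/ads.conf" ]; then
        # Syntax-check the generated file through a throwaway config that
        # includes only this file, before it can break the real resolver.
        printf 'server:\n  include: "%s"\n' "$work/ads.conf" > "$work/check.conf"
        if unbound-checkconf "$work/check.conf" >/dev/null; then
            chmod 644 "$work/ads.conf" &&
            mv -f "$work/ads.conf" "$dest" &&
            systemctl restart unbound.service &&
            status=0
        fi
    fi
    rm -rf "$work"
    return $status
}

# Only act when explicitly asked, e.g. from a systemd service unit:
#   ExecStart=/usr/local/bin/update-ads-conf --update
case "${1-}" in
    --update) update_ads_conf ;;
esac
```

Pair the service with a timer instead of calling curl directly from ExecStart; a failed run then leaves the previous ads.conf in place and shows up in the journal rather than silently emptying the blocklist.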

Start/enable the unbound.service.

Test DNSSEC

$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

The first output line should be something like the following. Note the word "secure".

sigok.verteiltesysteme.net has address 134.91.78.139 (secure)

$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net

The first output line should be something like the following. Note the word "BOGUS".

sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
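As an added example (not from the wiki page), the two manual lookups above turned into a check that fails unless the validator demonstrably works. Both halves matter: without validation, unbound-host reports both names as (insecure), so only the pair "secure" for sigok and "BOGUS" for sigfail proves that signatures are actually being checked. The test names are the ones the page uses; the config path default and the "--check" flag are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): fail unless DNSSEC validation is on.
# Assumes unbound-host from the unbound package and the page's config path.

# Classify the first line of "unbound-host -v" output.
# Prints one of: secure, bogus, insecure, unknown.
dnssec_status() {
    case "$1" in
        *"(secure)")   echo secure ;;
        *"(BOGUS"*)    echo bogus ;;
        *"(insecure)") echo insecure ;;
        *)             echo unknown ;;   # e.g. SERVFAIL / lookup error
    esac
}

# Exit 0 only if sigok validates and sigfail is rejected; otherwise print
# what was seen so a broken trust anchor or skewed clock is easy to spot.
check_dnssec_validation() {
    conf=${1:-/etc/unbound/unbound.conf}
    good=$(unbound-host -C "$conf" -v sigok.verteiltesysteme.net 2>&1 | head -n 1)
    bad=$(unbound-host -C "$conf" -v sigfail.verteiltesysteme.net 2>&1 | head -n 1)
    gs=$(dnssec_status "$good")
    bs=$(dnssec_status "$bad")
    if [ "$gs" = secure ] && [ "$bs" = bogus ]; then
        return 0
    fi
    printf 'DNSSEC validation check failed:\n  sigok:   %s [%s]\n  sigfail: %s [%s]\n' \
        "$good" "$gs" "$bad" "$bs" >&2
    return 1
}

# Run the live check only when asked, e.g. from a post-install script or timer.
case "${1-}" in
    --check) check_dnssec_validation "${2-}" ;;
esac
```

A result of "insecure" for both names usually means the trust anchor is missing or unreadable by unbound; "BOGUS" for sigok as well as sigfail points at a wrong system clock or a stale root key.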