- By default, recent versions of
unbound
filter queries for.onion
and do not pass them to upstream resolvers. This is pretty handy for preventing leaks like Brave's recent one (https://www.zdnet.com/article/brave-browser-leaks-onion-addresses-in-dns-traffic/).
- Alpine does not include
logrotate
or similar as far as I can see, so anything logging outside of syslog should use its own rotation.- By default, Alpine's
syslogd
will rotate/var/log/messages
every 200KB and keep one single rotated log. - This can be changed by editing the
/etc/conf.d/syslog
file. - The full list of config options can be found by running
syslogd --help
. - I could not find an
unbound.conf
option to rotate logs and for this reason I allowunbound
to log to syslog (which is the default) instead of to file. - In the future I might consider logging
unbound
logs to a separate file and rotating withlogrotate
but I am trying to keep complexity low.
- By default, Alpine's
- You can use
conntrack
(provided by theconntrack-tools
package) to investigate the connection-tracking layer in the Linux Kernel itself. - Some interesting
conntrack
commands:doas conntrack -C
-- Check number of conntrack entries.doas sysctl net.netfilter.nf_conntrack_max
-- Check the maximum number of conntrack entries.doas conntrack -E
-- Print a scrolling list of conntrack events as they happen.doas conntrack -L
-- List the current entries in the conntrack table.
- With
nftables
, don't worry too much about having a super optimised ruleset. Everything is compiled down to netfilter bytecode when the ruleset is loaded. - You can see the raw bytecode at the top of the output of:
doas nft --debug=netlink -a list ruleset | less
- Analyse the state of the server in terms of cache hits and misses and total queries:
doas unbound-control stats_noreset | grep "total.num"
- We use
stats_noreset
above because otherwise the stats reset when we run the command.
- We can list our "local zones" with the following:
doas unbound-control list_local_zones
- With that above, we should see our defined
transparent
local zone (localhost.
), and also things likeonion.
andinvalid.
which should never be forwarded upstream.
- NICs are usually capable of offloading various processing features direct to the hardware.
- To get a view of how this is working on your system, try:
doas ethtool -k eth1
- You can check the currently allocated DHCP leases with:
less /var/lib/kea/dhcp4.leases
- To upgrade the system:
doas apk update && doas apk upgrade
- If we upgrade Alpine to a new point release, we should make sure to check the Release Notes for the specific release:
- Commit notes for upgraded packages in
main
repo.- So there aren't super detailed release notes for each package release, but the packages move slowly enough that you can generally track everything in
main
by running a search on the Alpineabuild
repo: - https://git.alpinelinux.org/aports/log/?qt=grep&q=main%2F
- So there aren't super detailed release notes for each package release, but the packages move slowly enough that you can generally track everything in
- APK is pretty amazing in that you can basically use it as a HIDS as it will allow you to compare your system against the package database defaults.
- For a generic audit comparing configuration files against the package db:
apk audit --backup --check-permissions | less
- For an audit of system files:
apk audit --system --check-permissions | less
- You can check the stats of installed packages with:
apk stats
- Finally, you can list installed packages with:
apk list --installed | less