-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathunbound.conf
96 lines (74 loc) · 3.68 KB
/
unbound.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
server:
# if no logfile is specified, syslog is used
#verbosity: 2
#logfile: "/opt/unbound/unbound.log"
#log-time-ascii: yes
interface: 0.0.0.0
port: 5053
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have "native" IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# File with trust anchor for one zone, which is tracked with RFC5011 probes.
# Get the root hint and anchor key from dns-root-data package
root-hints: "/usr/share/dns/root.hints"
auto-trust-anchor-file: "/usr/share/dns/root.key"
# Run unbound as root. need only to have read and write access to dns-root-data data directory
username: "root"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most
# users running on small networks or on a single machine, it should be unnecessary to
# seek performance enhancement by increasing num-threads above 1.
num-threads: 4
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m
so-rcvbuf: 0
# Ensure privacy of local IP ranges
#private-address: 192.168.0.0/16
#private-address: 169.254.0.0/16
#private-address: 172.16.0.0/12
#private-address: 10.0.0.0/8
#private-address: fd00::/8
#private-address: fe00::/10
private-address: 192.168.1.0/24
# allow access from all
access-control: 0.0.0.0/0 allow
# If enabled id.server and hostname.bind queries are refused
hide-identity: yes
# If enabled version.server and version.bind queries are refused
hide-version: yes
# ssl cert
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
###########################################################################
# LOCAL ZONE
###########################################################################
# # Include file for local-data and local-data-ptr
# include: /opt/unbound/a-records.conf
# include: /opt/unbound/srv-records.conf
# ###########################################################################
# # FORWARD ZONE
# ###########################################################################
# include: /opt/unbound/forward-records.conf
#forward-zone:
# name: "."
# forward-addr: 1.1.1.1@853#cloudflare-dns.com
# forward-addr: 1.0.0.1@853#cloudflare-dns.com
# forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
# forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
# forward-tls-upstream: yes