# Unbound configuration file for IPFire
#
# The full documentation is available at:
-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
server:
chroot: ""
directory: "/etc/unbound"
username: "nobody"
- port: 53
- do-ip4: yes
do-ip6: no
- do-udp: yes
- do-tcp: yes
- so-reuseport: yes
- do-not-query-localhost: yes
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
- verbosity: 1
use-syslog: yes
log-time-ascii: yes
- log-queries: no
# Unbound Statistics
statistics-interval: 86400
- statistics-cumulative: yes
extended-statistics: yes
# Prefetching
# Privacy Options
hide-identity: yes
hide-version: yes
- qname-minimisation: yes
- minimal-responses: yes
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
- val-permissive-mode: no
- val-clean-additional: yes
val-log-level: 1
+ log-servfail: yes
# Hardening Options
- harden-glue: yes
- harden-short-bufsize: no
harden-large-queries: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
harden-referral-path: yes
- harden-algo-downgrade: no
- use-caps-for-id: yes
aggressive-nsec: yes
+ # TLS
+ tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
+
+ # EDNS Buffer Size (#12240)
+ edns-buffer-size: 1232
+
# Harden against DNS cache poisoning
unwanted-reply-threshold: 1000000
# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"
+ # Include hosts
+ include: "/etc/unbound/hosts.conf"
+
# Include any forward zones
include: "/etc/unbound/forward.conf"
remote-control:
control-enable: yes
- control-use-cert: yes
+ control-use-cert: no
control-interface: 127.0.0.1
- server-key-file: "/etc/unbound/unbound_server.key"
- server-cert-file: "/etc/unbound/unbound_server.pem"
- control-key-file: "/etc/unbound/unbound_control.key"
- control-cert-file: "/etc/unbound/unbound_control.pem"
# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
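Review bot: Setting `control-use-cert: no` on line 69 while `control-interface` stays at `127.0.0.1` leaves the remote-control channel (TCP 8953 by default) with no authentication at all: any process that can open a loopback connection, including ones running as unprivileged users such as the `nobody` account unbound itself runs as (line 10), can flush the cache, add local data or change forwarders via `unbound-control`. If the goal was to stop managing the key/cert pair, the safer route is a Unix domain socket, which unbound gates by filesystem permissions and for which the TLS setting is ignored: `control-interface: /run/unbound/control.sock` in place of the `127.0.0.1` line, with the socket directory restricted to root. Separately, dropping `use-caps-for-id: yes` (old line 49) switches 0x20 query-name randomisation off, since unbound's default for that option is `no`; unlike most of the other removed hardening knobs, whose defaults already match the removed values, this one lowers spoofing resistance and should be restored unless the removal was deliberate. The hunk appears to cover the whole file, so nothing is cut at the edges.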