1 | # |
2 | # Unbound configuration file for IPFire | |
3 | # | |
4 | # The full documentation is available at: | |
5 | # https://www.unbound.net/documentation/unbound.conf.html | |
6 | # | |
7 | ||
8 | server: | |
9 | # common server options (note: cache-min-ttl raises every TTL shorter than one hour to 3600s, so changed or withdrawn records can be served for up to an hour longer than their owner intended) | |
10 | chroot: "/etc/unbound" | |
11 | username: "unbound" | |
12 | pidfile: "/var/run/unbound.pid" | |
13 | num-threads: 2 | |
14 | port: 53 | |
15 | do-ip4: yes | |
16 | do-ip6: no | |
17 | do-udp: yes | |
18 | do-tcp: yes | |
19 | prefetch: yes | |
20 | so-reuseport: yes | |
21 | cache-min-ttl: 3600 | |
22 | cache-max-ttl: 86400 | |
23 | unwanted-reply-threshold: 10000 | |
24 | do-not-query-localhost: yes | |
25 | ||
26 | # logging options | |
27 | logfile: "log/unbound.log" | |
28 | use-syslog: no | |
29 | verbosity: 1 | |
30 | log-queries: no | |
31 | log-time-ascii: yes | |
32 | ||
33 | # Unbound Statistics | |
34 | statistics-interval: 3600 | |
35 | statistics-cumulative: yes | |
36 | extended-statistics: yes | |
37 | ||
38 | # privacy options | |
39 | hide-identity: yes | |
40 | hide-version: yes | |
41 | qname-minimisation: yes | |
42 | minimal-responses: yes | |
43 | ||
44 | # hardening options (some experimental); with harden-algo-downgrade set to no, a zone that advertises several DS algorithms is accepted when only the weakest of them validates | |
45 | harden-glue: yes | |
46 | harden-large-queries: yes | |
47 | harden-dnssec-stripped: yes | |
48 | harden-short-bufsize: no | |
49 | harden-below-nxdomain: no | |
50 | harden-referral-path: no | |
51 | harden-algo-downgrade: no | |
52 | use-caps-for-id: yes | |
53 | ||
54 | # listen on localhost interface | |
55 | interface: 127.0.0.1 | |
56 | ||
57 | # file with ipfire interfaces | |
58 | include: "/etc/unbound/interfaces.conf" | |
59 | ||
60 | # control which clients are allowed to make (recursive) queries: refuse by default, the most specific matching netblock wins | |
61 | access-control: 0.0.0.0/0 refuse | |
62 | access-control: 127.0.0.0/8 allow | |
63 | access-control: ::0/0 refuse | |
64 | access-control: ::1 allow | |
65 | access-control: ::ffff:127.0.0.1 allow | |
66 | ||
67 | # file with ipfire networks | |
68 | include: "/etc/unbound/access.conf" | |
69 | ||
70 | # dnssec main options | |
71 | val-clean-additional: yes | |
72 | val-log-level: 1 | |
73 | # file with ipfire dnssec configuration | |
74 | include: "/etc/unbound/dnssec.conf" | |
75 | ||
76 | # DNS Rebinding | |
77 | # For DNS Rebinding prevention | |
78 | # | |
79 | # All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet; answers for public names that point into these ranges are dropped, so an external zone cannot steer clients to internal hosts. | |
80 | # IPv4 Addresses | |
81 | private-address: 0.0.0.0/8 # "this network" range (RFC 1122), not routable; 255.255.255.255 is the broadcast address | |
82 | private-address: 10.0.0.0/8 | |
83 | private-address: 127.0.0.0/8 # Loopback Localhost | |
84 | private-address: 172.16.0.0/12 | |
85 | private-address: 192.168.0.0/16 | |
86 | private-address: 169.254.0.0/16 | |
87 | private-address: 198.18.0.0/15 # Benchmarking range (RFC 2544), used for testing inter-network communications | |
88 | private-address: 198.51.100.0/24 # Documentation network TEST-NET-2 | |
89 | private-address: 203.0.113.0/24 # Documentation network TEST-NET-3 | |
90 | private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET | |
91 | # IPv6 Addresses | |
92 | private-address: ::1/128 # Loopback Localhost | |
93 | private-address: 2001:db8::/32 # Documentation network IPv6 | |
94 | private-address: fc00::/8 # Unique local address (ULA) half of "fc00::/7" reserved for future assignment, not defined yet | |
95 | private-address: fd00::/8 # Unique local address (ULA) half of "fc00::/7" for locally assigned "/48" prefixes | |
96 | private-address: fe80::/10 # Link-local address (LLA) | |
97 | ||
98 | # file with root servers | |
99 | root-hints: "/etc/unbound/root.hints" | |
100 | ||
101 | # custom DNS zone files | |
102 | include: "/etc/unbound/zones/*.conf" | |
103 | ||
104 | # DHCP leases (if configured) | |
105 | include: /etc/unbound/dhcpleases.conf | |
106 | ||
107 | # Blocklists | |
108 | include: "/etc/unbound/blocklists/*.conf" | |
109 | # end server config | |
110 | ||
111 | # enable remote control only on localhost, authenticated with the server/control key and certificate pairs below | |
112 | remote-control: | |
113 | control-enable: yes | |
114 | control-use-cert: yes | |
115 | control-interface: 127.0.0.1 | |
116 | server-key-file: "/etc/unbound/unbound_server.key" | |
117 | server-cert-file: "/etc/unbound/unbound_server.pem" | |
118 | control-key-file: "/etc/unbound/unbound_control.key" | |
119 | control-cert-file: "/etc/unbound/unbound_control.pem" | |
120 | # end remote control config | |
121 | ||
122 | # custom DNS forward config | |
123 | include: "/etc/unbound/forward.conf" |