Commit | Line | Data |
---|---|---|
d0e5f71f ML |
1 | # |
2 | # Unbound configuration file for IPFire | |
3 | # | |
4 | # The full documentation is available at: | |
5 | # https://www.unbound.net/documentation/unbound.conf.html | |
6 | # | |
7 | ||
8 | server: | |
b8f5eda8 MT |
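9 | # Common Server Options (the empty chroot string disables chroot; privileges are still dropped to the user named in "username") |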
10 | chroot: "" | |
11 | directory: "/etc/unbound" | |
12 | username: "nobody" | |
d0e5f71f ML |
13 | port: 53 |
14 | do-ip4: yes | |
15 | do-ip6: no | |
16 | do-udp: yes | |
17 | do-tcp: yes | |
d0e5f71f | 18 | so-reuseport: yes |
d0e5f71f ML |
19 | do-not-query-localhost: yes |
20 | ||
b658a451 MT |
21 | # System Tuning |
22 | include: "/etc/unbound/tuning.conf" | |
23 | ||
b8f5eda8 | 24 | # Logging Options |
d0e5f71f | 25 | verbosity: 1 |
b8f5eda8 | 26 | use-syslog: yes |
d0e5f71f | 27 | log-time-ascii: yes |
b8f5eda8 | 28 | log-queries: no |
d0e5f71f ML |
29 | |
30 | # Unbound Statistics | |
2e0660f9 | 31 | statistics-interval: 86400 |
d0e5f71f ML |
32 | statistics-cumulative: yes |
33 | extended-statistics: yes | |
34 | ||
b658a451 | 35 | # Prefetching |
b8f5eda8 MT |
36 | prefetch: yes |
37 | prefetch-key: yes | |
38 | ||
39 | # Randomise any cached responses | |
40 | rrset-roundrobin: yes | |
41 | ||
42 | # Privacy Options | |
d0e5f71f ML |
43 | hide-identity: yes |
44 | hide-version: yes | |
c2adb460 | 45 | qname-minimisation: yes |
d0e5f71f ML |
46 | minimal-responses: yes |
47 | ||
b8f5eda8 MT |
48 | # DNSSEC |
49 | auto-trust-anchor-file: "/var/lib/unbound/root.key" | |
50 | val-permissive-mode: no | |
51 | val-clean-additional: yes | |
52 | val-log-level: 1 | |
53 | ||
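54 | # Hardening Options (harden-short-bufsize and harden-algo-downgrade are left off; qname-minimisation below repeats the setting already made under Privacy Options) | |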
d0e5f71f | 55 | harden-glue: yes |
b8f5eda8 | 56 | harden-short-bufsize: no |
d0e5f71f ML |
57 | harden-large-queries: yes |
58 | harden-dnssec-stripped: yes | |
c2adb460 | 59 | harden-below-nxdomain: yes |
b8f5eda8 | 60 | harden-referral-path: yes |
d0e5f71f | 61 | harden-algo-downgrade: no |
4e4128fa | 62 | use-caps-for-id: yes |
8a058583 | 63 | aggressive-nsec: yes |
beebf925 | 64 | qname-minimisation: yes |
d0e5f71f | 65 | |
ffc46751 MT |
66 | # TLS: CA bundle used to authenticate TLS connections made to outside peers, e.g. DNS-over-TLS upstreams |
67 | tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt | |
68 | ||
372576e0 MT |
69 | # EDNS Buffer Size (#12240): advertise 1232 bytes so that UDP answers stay below common path MTUs and are not fragmented |
70 | edns-buffer-size: 1232 | |
d0e5f71f | 71 | |
ffba3c98 PM |
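72 | # Harden against DNS cache poisoning: once this many unwanted replies have been counted in a thread, log a warning and clear the RRset and message caches |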
73 | unwanted-reply-threshold: 1000000 | |
74 | ||
1b4d5ad9 | 75 | # Listen on all IPv4 interfaces (do-ip6 is set to no above) |
d4af85f2 | 76 | interface-automatic: yes |
1b4d5ad9 MT |
77 | interface: 0.0.0.0 |
78 | ||
3ddad158 MT |
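79 | # Allow access from everywhere: any client that can reach port 53 may use recursion, so reachability has to be restricted elsewhere (e.g. by the firewall), otherwise this is an open resolver |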
80 | access-control: 0.0.0.0/0 allow | |
d0e5f71f | 81 | |
b8f5eda8 | 82 | # Bootstrap root servers |
d0e5f71f ML |
83 | root-hints: "/etc/unbound/root.hints" |
84 | ||
b8f5eda8 MT |
85 | # Include DHCP leases |
86 | include: "/etc/unbound/dhcp-leases.conf" | |
d0e5f71f | 87 | |
6137797c MT |
88 | # Include hosts |
89 | include: "/etc/unbound/hosts.conf" | |
90 | ||
b8f5eda8 MT |
91 | # Include any forward zones |
92 | include: "/etc/unbound/forward.conf" | |
d0e5f71f | 93 | |
d0e5f71f ML |
94 | remote-control: |
95 | control-enable: yes | |
# NOTE(review): control-use-cert: no turns off TLS and certificate authentication on the control channel. Access is then limited only by control-interface being the loopback address, so any local process that can connect to the control port on 127.0.0.1 can issue control commands.
9bc17600 | 96 | control-use-cert: no |
d0e5f71f | 97 | control-interface: 127.0.0.1 |
d0e5f71f | 98 | |
b8f5eda8 MT |
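99 | # Import any local configurations (these files are parsed as part of this configuration, so the directory should be writable only by root) |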
100 | include: "/etc/unbound/local.d/*.conf" |