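# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#
# NOTE(review): this excerpt does not show the "server:" and
# "remote-control:" section headers (nor a "control-enable:" line); the
# options below are grouped as they appear in the file.

# common server options
#
# Unbound chroots into its configuration directory. Relative paths below
# (e.g. the logfile) are expected to resolve inside this chroot -- verify
# against the running daemon if the log ends up somewhere unexpected.
chroot: "/etc/unbound"
pidfile: "/var/run/unbound.pid"

# Cache-poisoning defence: once this many unwanted (unsolicited) replies
# have been seen, the cache is flushed (see unbound.conf(5)).
unwanted-reply-threshold: 10000
# Never send upstream queries to 127.0.0.0/8 or ::1. If forward.conf
# (included at the bottom) points at a resolver on localhost, that
# forwarder is unreachable unless this is set to "no".
do-not-query-localhost: yes

logfile: "log/unbound.log"

statistics-interval: 3600
statistics-cumulative: yes
# Extended counters are only visible through unbound-control.
extended-statistics: yes

# Privacy: send as little of the query name as needed to each upstream,
# and keep answers small (fewer additional records to validate/cache).
qname-minimisation: yes
minimal-responses: yes

# hardening options (some experimental)
#
# "yes" enables an additional check, "no" explicitly disables one.
# harden-referral-path is documented as experimental in unbound.conf(5);
# the other "no" settings were presumably chosen for compatibility.
# TODO(review): re-check each "no" against the current upstream default
# before relying on it.
harden-large-queries: yes
# Refuse answers for trust-anchored zones that lack DNSSEC data.
harden-dnssec-stripped: yes
harden-short-bufsize: no
harden-below-nxdomain: no
harden-referral-path: no
harden-algo-downgrade: no

# listen on localhost interface

# file with ipfire interfaces
include: "/etc/unbound/interfaces.conf"

# control which clients are allowed to make (recursive) queries
#
# Default is to refuse everything; loopback is allowed here and the IPFire
# networks are allowed by access.conf. Unbound matches access-control on
# the most specific netblock, so the later, narrower entries win over the
# catch-all refuse lines regardless of order.
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow

# file with ipfire networks
include: "/etc/unbound/access.conf"

# Strip unsigned records from the additional section of validated answers.
val-clean-additional: yes

# file with ipfire dnssec configuration
include: "/etc/unbound/dnssec.conf"

# For DNS Rebinding prevention
#
# Upstream answers containing addresses in these ranges are removed, so a
# public name cannot be pointed at a host inside the firewall's networks.
# All these addresses are either private or should not be routable in the
# global IPv4 or IPv6 internet.
#
# NOTE(review): ranges such as 100.64.0.0/10 (shared address space / CGNAT),
# 192.0.0.0/24, 240.0.0.0/4 and the IPv4-mapped prefix ::ffff:0:0/96 are not
# listed. They are deliberately not added here because the effect on IPFire
# deployments (e.g. a CGNAT WAN address) is not known from this file --
# evaluate before extending the list.
private-address: 0.0.0.0/8 # "This host on this network" (RFC 1122), not broadcast
private-address: 10.0.0.0/8
private-address: 127.0.0.0/8 # Loopback Localhost
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 198.18.0.0/15 # Used for testing inter-network communications (benchmarking)
private-address: 192.0.2.0/24 # Documentation network TEST-NET-1
private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET

private-address: ::1/128 # Loopback Localhost
private-address: 2001:db8::/32 # Documentation network IPv6
private-address: fc00::/8 # Unique local address (ULA) part of "fc00::/7", not defined yet
private-address: fd00::/8 # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
private-address: fe80::/10 # Link-local address (LLA)

# file with root servers
root-hints: "/etc/unbound/root.hints"

# custom DNS zone files
#
# Everything matched by these includes is loaded with the resolver's full
# authority: whoever can write to these directories controls the answers
# Unbound gives out, so keep them writable by the configuration tooling only.
include: "/etc/unbound/zones/*.conf"

# DHCP leases (if configured)
include: "/etc/unbound/dhcpleases.conf"

# blocklists (local-zone/local-data overrides)
include: "/etc/unbound/blocklists/*.conf"

# enable remote control only on localhost
#
# Control is bound to 127.0.0.1 and requires the client certificate below.
# The two *.key files are the only thing standing between a local user and
# full control of the resolver (cache flush, config reload, zone changes);
# they must stay readable by the unbound user only.
control-use-cert: yes
control-interface: 127.0.0.1
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
# end remote control config

# custom DNS forward config
#
# Forwarders configured here bypass the root hints above. Whether forwarded
# answers are DNSSEC-validated depends on dnssec.conf (included earlier).
include: "/etc/unbound/forward.conf"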