]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - config/unbound/unbound.conf
New package: unbound 1.5.9
[people/pmueller/ipfire-2.x.git] / config / unbound / unbound.conf
1 #
2 # Unbound configuration file for IPFire
3 #
4 # The full documentation is available at:
5 # https://www.unbound.net/documentation/unbound.conf.html
6 #
7
8 server:
9 # common server options
10 chroot: "/etc/unbound"
11 username: "unbound"
12 pidfile: "/var/run/unbound.pid"
13 num-threads: 2
14 port: 53
15 do-ip4: yes
16 do-ip6: no
17 do-udp: yes
18 do-tcp: yes
19 prefetch: yes
20 so-reuseport: yes
21 cache-min-ttl: 3600
22 cache-max-ttl: 86400
23 unwanted-reply-threshold: 10000
24 do-not-query-localhost: yes
25
26 # logging options
27 logfile: "log/unbound.log"
28 use-syslog: no
29 verbosity: 1
30 log-queries: no
31 log-time-ascii: yes
32
33 # Unbound Statistics
34 statistics-interval: 3600
35 statistics-cumulative: yes
36 extended-statistics: yes
37
38 # privacy options
39 hide-identity: yes
40 hide-version: yes
41 qname-minimisation: yes
42 minimal-responses: yes
43
44 # hardening options (some experimental)
45 harden-glue: yes
46 harden-large-queries: yes
47 harden-dnssec-stripped: yes
48 harden-short-bufsize: no
49 harden-below-nxdomain: no
50 harden-referral-path: no
51 harden-algo-downgrade: no
52 use-caps-for-id: yes
53
54 # listen on localhost interface
55 interface: 127.0.0.1
56
57 # file with ipfire interfaces
58 include: "/etc/unbound/interfaces.conf"
59
60 # control which clients are allowed to make (recursive) queries
61 access-control: 0.0.0.0/0 refuse
62 access-control: 127.0.0.0/8 allow
63 access-control: ::0/0 refuse
64 access-control: ::1 allow
65 access-control: ::ffff:127.0.0.1 allow
66
67 # file with ipfire networks
68 include: "/etc/unbound/access.conf"
69
70 # dnssec main options
71 val-clean-additional: yes
72 val-log-level: 1
73 # file with ipfire dnssec configuration
74 include: "/etc/unbound/dnssec.conf"
75
76 # DNS Rebinding
77 # For DNS Rebinding prevention
78 #
79 # All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
80 # IPv4 Addresses
81 private-address: 0.0.0.0/8 # Broadcast address
82 private-address: 10.0.0.0/8
83 private-address: 127.0.0.0/8 # Loopback Localhost
84 private-address: 172.16.0.0/12
85 private-address: 192.168.0.0/16
86 private-address: 169.254.0.0/16
87 private-address: 198.18.0.0/15 # Used for testing inter-network communications
88 private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
89 private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
90 private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET
91 # IPv6 Addresses
92 private-address: ::1/128 # Loopback Localhost
93 private-address: 2001:db8::/32 # Documentation network IPv6
94 private-address: fc00::/8 # Unique local address (ULA) part of "fc00::/7", not defined yet
95 private-address: fd00::/8 # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
96 private-address: fe80::/10 # Link-local address (LLA)
97
98 # file with root servers
99 root-hints: "/etc/unbound/root.hints"
100
101 # custom DNS zone files
102 include: "/etc/unbound/zones/*.conf"
103
104 # DHCP leases (if configured)
105 include: /etc/unbound/dhcpleases.conf
106
107 # Blocklists
108 include: "/etc/unbound/blocklists/*.conf"
109 # end server config
110
111 # enable remote control only on localhost
112 remote-control:
113 control-enable: yes
114 control-use-cert: yes
115 control-interface: 127.0.0.1
116 server-key-file: "/etc/unbound/unbound_server.key"
117 server-cert-file: "/etc/unbound/unbound_server.pem"
118 control-key-file: "/etc/unbound/unbound_control.key"
119 control-cert-file: "/etc/unbound/unbound_control.pem"
120 # end remote control config
121
122 # custom DNS forward config
123 include: "/etc/unbound/forward.conf"