[ipfire-2.x.git] / config / unbound / unbound.conf

#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#

server:
	# Common Server Options
	chroot: ""
	directory: "/etc/unbound"
	username: "nobody"
	do-ip6: no

	# System Tuning
	include: "/etc/unbound/tuning.conf"

	# Logging Options
	use-syslog: yes
	log-time-ascii: yes

	# Unbound Statistics
	statistics-interval: 86400
	extended-statistics: yes

	# Prefetching
	prefetch: yes
	prefetch-key: yes

	# Privacy Options
	hide-identity: yes
	hide-version: yes

	# DNSSEC
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	val-log-level: 1
	log-servfail: yes

	# Hardening Options
	harden-large-queries: yes
	harden-referral-path: yes
	aggressive-nsec: yes

	# TLS
	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

	# Harden against DNS cache poisoning
	unwanted-reply-threshold: 1000000

	# Listen on all interfaces
	interface-automatic: yes
	interface: 0.0.0.0

	# Allow access from everywhere
	access-control: 0.0.0.0/0 allow

	# Timeout behaviour
	infra-keep-probing: yes

	# Bootstrap root servers
	root-hints: "/etc/unbound/root.hints"

	# Include DHCP leases
	include: "/etc/unbound/dhcp-leases.conf"

	# Include hosts
	include: "/etc/unbound/hosts.conf"

	# Include any forward zones
	include: "/etc/unbound/forward.conf"

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: 127.0.0.1

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
Commit	Line	Data
d0e5f71f ML	1	#
	2	# Unbound configuration file for IPFire
	3	#
	4	# The full documentation is available at:
e737776d	5	# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
d0e5f71f ML	6	#
	7
	8	server:
b8f5eda8 MT	9	# Common Server Options
	10	chroot: ""
	11	directory: "/etc/unbound"
	12	username: "nobody"
d0e5f71f	13	do-ip6: no
d0e5f71f	14
b658a451 MT	15	# System Tuning
	16	include: "/etc/unbound/tuning.conf"
	17
b8f5eda8	18	# Logging Options
b8f5eda8	19	use-syslog: yes
d0e5f71f ML	20	log-time-ascii: yes
	21
	22	# Unbound Statistics
2e0660f9	23	statistics-interval: 86400
d0e5f71f ML	24	extended-statistics: yes
d0e5f71f ML	25
b658a451	26	# Prefetching
b8f5eda8 MT	27	prefetch: yes
	28	prefetch-key: yes
	29
b8f5eda8	30	# Privacy Options
d0e5f71f ML	31	hide-identity: yes
d0e5f71f ML	32	hide-version: yes
d0e5f71f	33
b8f5eda8 MT	34	# DNSSEC
b8f5eda8 MT	35	auto-trust-anchor-file: "/var/lib/unbound/root.key"
b8f5eda8	36	val-log-level: 1
e737776d	37	log-servfail: yes
b8f5eda8 MT	38
b8f5eda8 MT	39	# Hardening Options
d0e5f71f	40	harden-large-queries: yes
b8f5eda8	41	harden-referral-path: yes
8a058583	42	aggressive-nsec: yes
d0e5f71f	43
ffc46751 MT	44	# TLS
	45	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
	46
ffba3c98 PM	47	# Harden against DNS cache poisoning
	48	unwanted-reply-threshold: 1000000
	49
1b4d5ad9	50	# Listen on all interfaces
d4af85f2	51	interface-automatic: yes
1b4d5ad9 MT	52	interface: 0.0.0.0
1b4d5ad9 MT	53
3ddad158 MT	54	# Allow access from everywhere
3ddad158 MT	55	access-control: 0.0.0.0/0 allow
d0e5f71f	56
211b6bc1 JS	57	# Timeout behaviour
	58	infra-keep-probing: yes
	59
b8f5eda8	60	# Bootstrap root servers
d0e5f71f ML	61	root-hints: "/etc/unbound/root.hints"
d0e5f71f ML	62
b8f5eda8 MT	63	# Include DHCP leases
b8f5eda8 MT	64	include: "/etc/unbound/dhcp-leases.conf"
d0e5f71f	65
6137797c MT	66	# Include hosts
	67	include: "/etc/unbound/hosts.conf"
	68
b8f5eda8 MT	69	# Include any forward zones
b8f5eda8 MT	70	include: "/etc/unbound/forward.conf"
d0e5f71f	71
d0e5f71f ML	72	remote-control:
d0e5f71f ML	73	control-enable: yes
9bc17600	74	control-use-cert: no
d0e5f71f	75	control-interface: 127.0.0.1
d0e5f71f	76
b8f5eda8 MT	77	# Import any local configurations
b8f5eda8 MT	78	include: "/etc/unbound/local.d/*.conf"