Import Unbound DHCP Lease Bridge
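#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#
# Layout: the "server:" clause holds the resolver itself, "remote-control:"
# the unbound-control channel, and the trailing include pulls in the
# forwarder configuration generated by IPFire. Indentation is cosmetic for
# unbound; the clause keyword at column 0 is what scopes the options.
#

server:
	# common server options
	# The daemon chroots into its config directory and drops to the
	# "unbound" user; every path below that is not absolute (e.g. the
	# logfile) is relative to the chroot.
	chroot: "/etc/unbound"
	username: "unbound"
	pidfile: "/var/run/unbound.pid"
	num-threads: 2
	port: 53
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	prefetch: yes
	so-reuseport: yes
	# cache-min-ttl raises every upstream TTL shorter than one hour to
	# one hour, so records that rotate faster (failover, short-lived
	# services) are served from cache for up to 1h after they change.
	cache-min-ttl: 3600
	cache-max-ttl: 86400
	# Counts replies that were not asked for (spoofing attempts); when the
	# threshold is reached unbound logs a warning and flushes its caches
	# as a defensive measure.
	unwanted-reply-threshold: 10000
	# Never send queries to 127.0.0.0/8 — avoids resolver loops via
	# the localhost listener below.
	do-not-query-localhost: yes

	# logging options
	# Relative to the chroot, i.e. /etc/unbound/log/unbound.log.
	logfile: "log/unbound.log"
	use-syslog: no
	verbosity: 1
	# Query logging is off: enabling it records every client name lookup.
	log-queries: no
	log-time-ascii: yes

	# Unbound Statistics
	statistics-interval: 3600
	statistics-cumulative: yes
	extended-statistics: yes

	# privacy options
	# Do not answer id.server/version.server CHAOS queries.
	hide-identity: yes
	hide-version: yes
	# Send only the minimum label count to each upstream (RFC 7816).
	qname-minimisation: yes
	minimal-responses: yes

	# hardening options (some experimental)
	harden-glue: yes
	harden-large-queries: yes
	harden-dnssec-stripped: yes
	harden-short-bufsize: no
	# The following three are switched OFF here. Re-enabling them tightens
	# cache-poisoning / DNSSEC-downgrade resistance but can break resolution
	# of misconfigured zones; leave them off unless tested.
	harden-below-nxdomain: no
	harden-referral-path: no
	harden-algo-downgrade: no
	# 0x20 bit randomisation of query names adds entropy against spoofed
	# replies.
	use-caps-for-id: yes

	# listen on localhost interface
	interface: 127.0.0.1

	# file with ipfire interfaces
	include: "/etc/unbound/interfaces.conf"

	# control which clients are allowed to make (recursive) queries
	# Matching is by most specific prefix, not by order: the /0 entries
	# are the default "refuse" and the loopback entries the exception.
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
	access-control: ::ffff:127.0.0.1 allow

	# file with ipfire networks
	include: "/etc/unbound/access.conf"

	# dnssec main options
	val-clean-additional: yes
	val-log-level: 1
	# file with ipfire dnssec configuration
	include: "/etc/unbound/dnssec.conf"

	# DNS Rebinding
	# For DNS Rebinding prevention
	#
	# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
	# Upstream answers containing them are stripped unless the name is
	# covered by a private-domain / local-data entry. The list is not
	# exhaustive (e.g. 100.64.0.0/10 and 192.0.2.0/24 are absent); extend
	# it deliberately, since blocking a range also blocks legitimate
	# internal names that resolve into it.
	# IPv4 Addresses
	private-address: 0.0.0.0/8 # "This network" (RFC 1122), never a valid destination
	private-address: 10.0.0.0/8
	private-address: 127.0.0.0/8 # Loopback Localhost
	private-address: 172.16.0.0/12
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16
	private-address: 198.18.0.0/15 # Used for testing inter-network communications
	private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
	private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
	private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET
	# IPv6 Addresses
	private-address: ::1/128 # Loopback Localhost
	private-address: 2001:db8::/32 # Documentation network IPv6
	private-address: fc00::/8 # Unique local address (ULA) part of "fc00::/7", not defined yet
	private-address: fd00::/8 # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
	private-address: fe80::/10 # Link-local address (LLA)

	# file with root servers
	root-hints: "/etc/unbound/root.hints"

	# custom DNS zone files
	# Glob includes tolerate "no match"; a plain include does not.
	include: "/etc/unbound/zones/*.conf"

	# DHCP leases (if configured)
	# This is a plain (non-glob) include, so the file must exist — an
	# empty file is fine — or unbound fails to load its configuration.
	# Quoted like the other includes for consistency (unbound accepts both).
	include: "/etc/unbound/dhcpleases.conf"

	# Blocklists
	include: "/etc/unbound/blocklists/*.conf"
# end server config

# enable remote control only on localhost
# The control channel is bound to loopback and additionally requires the
# client certificate below, so only local processes holding
# unbound_control.key can reach it.
remote-control:
	control-enable: yes
	control-use-cert: yes
	control-interface: 127.0.0.1
	server-key-file: "/etc/unbound/unbound_server.key"
	server-cert-file: "/etc/unbound/unbound_server.pem"
	control-key-file: "/etc/unbound/unbound_control.key"
	control-cert-file: "/etc/unbound/unbound_control.pem"
# end remote control config

# custom DNS forward config
include: "/etc/unbound/forward.conf"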