Commit | Line | Data |
---|---|---|
d0e5f71f ML |
1 | # |
2 | # Unbound configuration file for IPFire | |
3 | # | |
4 | # The full documentation is available at: | |
5 | # https://www.unbound.net/documentation/unbound.conf.html | |
6 | # | |
7 | ||
8 | server: | |
b8f5eda8 MT |
9 | # Common Server Options |
10 | chroot: "" # empty string: no chroot is performed, so containment rests on the privilege drop below | |
11 | directory: "/etc/unbound" | |
12 | username: "nobody" # user that privileges are dropped to; NOTE(review): "nobody" is often shared with other daemons, a dedicated account would be tighter - confirm | |
d0e5f71f ML |
13 | num-threads: 2 |
14 | port: 53 | |
15 | do-ip4: yes | |
16 | do-ip6: no # IPv6 is off, which is why only IPv4 access-control entries appear below | |
17 | do-udp: yes | |
18 | do-tcp: yes | |
d0e5f71f | 19 | so-reuseport: yes |
d0e5f71f ML |
20 | do-not-query-localhost: yes # never send upstream queries to loopback addresses |
21 | ||
b8f5eda8 | 22 | # Logging Options |
d0e5f71f | 23 | verbosity: 1 |
b8f5eda8 | 24 | use-syslog: yes |
d0e5f71f | 25 | log-time-ascii: yes |
b8f5eda8 | 26 | log-queries: no # client query names are not written to the log |
d0e5f71f ML |
27 | |
28 | # Unbound Statistics | |
b8f5eda8 | 29 | statistics-interval: 0 |
d0e5f71f ML |
30 | statistics-cumulative: yes |
31 | extended-statistics: yes | |
32 | ||
b8f5eda8 MT |
33 | # Cache Sizes |
34 | msg-cache-size: 8m | |
35 | rrset-cache-size: 8m | |
36 | key-cache-size: 4m | |
37 | prefetch: yes | |
38 | prefetch-key: yes | |
39 | ||
40 | # Randomise any cached responses | |
41 | rrset-roundrobin: yes | |
42 | ||
43 | # Privacy Options | |
d0e5f71f ML |
44 | hide-identity: yes |
45 | hide-version: yes | |
46 | qname-minimisation: yes | |
47 | minimal-responses: yes | |
48 | ||
b8f5eda8 MT |
49 | # DNSSEC |
50 | auto-trust-anchor-file: "/var/lib/unbound/root.key" # updated by the daemon itself, so it must stay writable by the "username" account | |
51 | val-permissive-mode: no # answers that fail validation are withheld (SERVFAIL) instead of being passed on | |
52 | val-clean-additional: yes | |
53 | val-log-level: 1 | |
54 | ||
55 | # Hardening Options | |
d0e5f71f | 56 | harden-glue: yes |
b8f5eda8 | 57 | harden-short-bufsize: no # off: very small EDNS buffer sizes advertised in queries are honoured |
d0e5f71f ML |
58 | harden-large-queries: yes |
59 | harden-dnssec-stripped: yes # missing DNSSEC data below a trust anchor is treated as bogus | |
b8f5eda8 MT |
60 | harden-below-nxdomain: yes |
61 | harden-referral-path: yes | |
d0e5f71f | 62 | harden-algo-downgrade: no # off: the weakest algorithm in a DS set is enough to validate the zone; NOTE(review): confirm this is intentional |
b8f5eda8 | 63 | use-caps-for-id: no # off: no 0x20 case randomisation of query names as extra spoofing resistance |
d0e5f71f | 64 | |
b8f5eda8 | 65 | # Deny access from everywhere |
d0e5f71f | 66 | access-control: 0.0.0.0/0 refuse # IPv4 default-deny; the most specific matching netblock wins, so narrower allow entries still apply |
d0e5f71f | 67 | |
b8f5eda8 MT |
68 | # Listen on localhost |
69 | interface: 127.0.0.1 | |
70 | access-control: 127.0.0.0/8 allow | |
d0e5f71f | 71 | |
b8f5eda8 | 72 | # Bootstrap root servers |
d0e5f71f ML |
73 | root-hints: "/etc/unbound/root.hints" |
74 | ||
b8f5eda8 MT |
75 | # IPFire interface configuration |
76 | include: "/etc/unbound/interfaces.conf" # included text is read as part of this server: clause; NOTE(review): presumably adds interface:/access-control: lines that decide who may query - verify | |
77 | interface-automatic: no | |
d0e5f71f | 78 | |
b8f5eda8 MT |
79 | # Include DHCP leases |
80 | include: "/etc/unbound/dhcp-leases.conf" | |
d0e5f71f | 81 | |
b8f5eda8 MT |
82 | # Include any forward zones |
83 | include: "/etc/unbound/forward.conf" # NOTE(review): forwarders listed here would see all forwarded queries - check who can write this file | |
d0e5f71f | 84 | |
d0e5f71f ML |
85 | remote-control: # settings for the unbound-control management channel |
86 | control-enable: yes | |
87 | control-use-cert: yes # control channel is TLS-protected using the key and certificate files below | |
88 | control-interface: 127.0.0.1 # control port is bound to loopback only | |
89 | server-key-file: "/etc/unbound/unbound_server.key" | |
90 | server-cert-file: "/etc/unbound/unbound_server.pem" | |
91 | control-key-file: "/etc/unbound/unbound_control.key" # client credential for the control channel; keep it unreadable to unprivileged local users | |
92 | control-cert-file: "/etc/unbound/unbound_control.pem" | |
d0e5f71f | 93 | |
b8f5eda8 MT |
94 | # Import any local configurations |
95 | include: "/etc/unbound/local.d/*.conf" # read last, directly after the remote-control: clause; NOTE(review): each file presumably needs its own clause header (e.g. server:) and can add to or override settings above - keep the directory writable by root only |