projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| d0e5f71f ML |
1 | # |
| 2 | # Unbound configuration file for IPFire | |
| 3 | # | |
| 4 | # The full documentation is available at: | |
| 5 | # https://www.unbound.net/documentation/unbound.conf.html | |
| 6 | # | |
| 7 | ||
| 8 | server: | |
| b8f5eda8 MT |
9 | # Common Server Options |
| 10 | chroot: "" | |
| 11 | directory: "/etc/unbound" | |
| 12 | username: "nobody" | |
| d0e5f71f ML |
13 | num-threads: 2 |
| 14 | port: 53 | |
| 15 | do-ip4: yes | |
| 16 | do-ip6: no | |
| 17 | do-udp: yes | |
| 18 | do-tcp: yes | |
| d0e5f71f | 19 | so-reuseport: yes |
| d0e5f71f ML |
20 | do-not-query-localhost: yes |
| 21 | ||
| b8f5eda8 | 22 | # Logging Options |
| d0e5f71f | 23 | verbosity: 1 |
| b8f5eda8 | 24 | use-syslog: yes |
| d0e5f71f | 25 | log-time-ascii: yes |
| b8f5eda8 | 26 | log-queries: no |
| d0e5f71f ML |
27 | |
| 28 | # Unbound Statistics | |
| b8f5eda8 | 29 | statistics-interval: 0 |
| d0e5f71f ML |
30 | statistics-cumulative: yes |
| 31 | extended-statistics: yes | |
| 32 | ||
| b8f5eda8 MT |
33 | # Cache Sizes |
| 34 | msg-cache-size: 8m | |
| 35 | rrset-cache-size: 8m | |
| 36 | key-cache-size: 4m | |
| 37 | prefetch: yes | |
| 38 | prefetch-key: yes | |
| 39 | ||
| 40 | # Randomise any cached responses | |
| 41 | rrset-roundrobin: yes | |
| 42 | ||
| 43 | # Privacy Options | |
| d0e5f71f ML |
44 | hide-identity: yes |
| 45 | hide-version: yes | |
| 46 | qname-minimisation: yes | |
| 47 | minimal-responses: yes | |
| 48 | ||
| b8f5eda8 MT |
49 | # DNSSEC |
| 50 | auto-trust-anchor-file: "/var/lib/unbound/root.key" | |
| 51 | val-permissive-mode: no | |
| 52 | val-clean-additional: yes | |
| 53 | val-log-level: 1 | |
| 54 | ||
| 55 | # Hardening Options | |
| d0e5f71f | 56 | harden-glue: yes |
| b8f5eda8 | 57 | harden-short-bufsize: no |
| d0e5f71f ML |
58 | harden-large-queries: yes |
| 59 | harden-dnssec-stripped: yes | |
| b8f5eda8 MT |
60 | harden-below-nxdomain: yes |
| 61 | harden-referral-path: yes | |
| d0e5f71f | 62 | harden-algo-downgrade: no |
| b8f5eda8 | 63 | use-caps-for-id: no |
| d0e5f71f | 64 | |
| b8f5eda8 | 65 | # Deny access from everywhere |
| d0e5f71f | 66 | access-control: 0.0.0.0/0 refuse |
| d0e5f71f | 67 | |
| b8f5eda8 MT |
68 | # Listen on localhost |
| 69 | interface: 127.0.0.1 | |
| 70 | access-control: 127.0.0.0/8 allow | |
| d0e5f71f | 71 | |
| b8f5eda8 | 72 | # Bootstrap root servers |
| d0e5f71f ML |
73 | root-hints: "/etc/unbound/root.hints" |
| 74 | ||
| b8f5eda8 MT |
75 | # IPFire interface configuration |
| 76 | include: "/etc/unbound/interfaces.conf" | |
| 77 | interface-automatic: no | |
| d0e5f71f | 78 | |
| b8f5eda8 MT |
79 | # Include DHCP leases |
| 80 | include: "/etc/unbound/dhcp-leases.conf" | |
| d0e5f71f | 81 | |
| b8f5eda8 MT |
82 | # Include any forward zones |
| 83 | include: "/etc/unbound/forward.conf" | |
| d0e5f71f | 84 | |
| d0e5f71f ML |
85 | remote-control: |
| 86 | control-enable: yes | |
| 87 | control-use-cert: yes | |
| 88 | control-interface: 127.0.0.1 | |
| 89 | server-key-file: "/etc/unbound/unbound_server.key" | |
| 90 | server-cert-file: "/etc/unbound/unbound_server.pem" | |
| 91 | control-key-file: "/etc/unbound/unbound_control.key" | |
| 92 | control-cert-file: "/etc/unbound/unbound_control.pem" | |
| d0e5f71f | 93 | |
| b8f5eda8 MT |
94 | # Import any local configurations |
| 95 | include: "/etc/unbound/local.d/*.conf" |