1 #
2 # Unbound configuration file for IPFire
3 #
4 # The full documentation is available at:
5 # https://www.unbound.net/documentation/unbound.conf.html
6 #
7
8 server:
           # Main resolver clause: listening, logging, privacy, DNSSEC
           # validation and hardening settings.
9         # Common Server Options
           # chroot "" means no chroot is performed; privileges are still
           # dropped to the "nobody" account after port 53 has been bound.
           # do-ip6: no turns IPv6 off for both answering and sending queries.
           # do-not-query-localhost: yes stops Unbound from sending queries
           # to localhost addresses.
10         chroot: ""
11         directory: "/etc/unbound"
12         username: "nobody"
13         port: 53
14         do-ip4: yes
15         do-ip6: no
16         do-udp: yes
17         do-tcp: yes
18         so-reuseport: yes
19         do-not-query-localhost: yes
20
21         # System Tuning
           # Contents of tuning.conf are not part of this file.
22         include: "/etc/unbound/tuning.conf"
23
24         # Logging Options
           # Operational messages go to syslog at verbosity 1. Client queries
           # are not logged (log-queries: no), which protects client privacy.
           # NOTE(review): it also leaves no per-query record for incident
           # response unless queries are captured elsewhere - confirm.
25         verbosity: 1
26         use-syslog: yes
27         log-time-ascii: yes
28         log-queries: no
29
30         # Unbound Statistics
           # Cumulative, extended statistics are written to the log once
           # every 86400 seconds (one day).
31         statistics-interval: 86400
32         statistics-cumulative: yes
33         extended-statistics: yes
34
35         # Prefetching
           # Refresh popular cache entries and DNSKEYs before they expire.
36         prefetch: yes
37         prefetch-key: yes
38
39         # Randomise any cached responses
40         rrset-roundrobin: yes
41
42         # Privacy Options
           # hide-identity / hide-version refuse the id.server, hostname.bind,
           # version.server and version.bind queries, so the resolver does not
           # disclose its name or software version. qname-minimisation sends
           # upstream servers only the part of the name they need.
43         hide-identity: yes
44         hide-version: yes
45         qname-minimisation: yes
46         minimal-responses: yes
47
48         # DNSSEC
           # The root trust anchor is tracked automatically (RFC 5011), so
           # root.key must stay writable by the account Unbound runs as.
           # val-permissive-mode: no keeps validation enforcing: bogus
           # answers are not handed to clients. val-log-level: 1 logs one
           # line per query that fails validation.
49         auto-trust-anchor-file: "/var/lib/unbound/root.key"
50         val-permissive-mode: no
51         val-clean-additional: yes
52         val-log-level: 1
53
54         # Hardening Options
           # harden-short-bufsize and harden-algo-downgrade are explicitly
           # off. With harden-algo-downgrade off, the weakest algorithm a
           # zone advertises is enough to validate it.
           # NOTE(review): presumably compatibility choices - confirm both
           # are still intended.
           # use-caps-for-id randomises the case of query names (0x20) to
           # make spoofed replies harder; aggressive-nsec answers from cached
           # NSEC records (RFC 8198).
55         harden-glue: yes
56         harden-short-bufsize: no
57         harden-large-queries: yes
58         harden-dnssec-stripped: yes
59         harden-below-nxdomain: yes
60         harden-referral-path: yes
61         harden-algo-downgrade: no
62         use-caps-for-id: yes
63         aggressive-nsec: yes
64
65         # Harden against DNS cache poisoning
           # Once this many unwanted replies have been counted (per thread),
           # Unbound logs a warning and clears the rrset and message caches.
66         unwanted-reply-threshold: 1000000
67
68         # Listen on all interfaces
           # interface-automatic makes replies leave from the address the
           # query arrived on, which matters on a multi-homed host.
69         interface-automatic: yes
70         interface: 0.0.0.0
71
72         # Allow access from everywhere
           # Any IPv4 client that can reach port 53 is allowed to recurse;
           # Unbound itself applies no client restriction here.
           # NOTE(review): combined with listening on 0.0.0.0 this is an open
           # resolver unless a packet filter outside this file blocks port 53
           # from untrusted networks - confirm that filtering is in place.
73         access-control: 0.0.0.0/0 allow
74
75         # Bootstrap root servers
76         root-hints: "/etc/unbound/root.hints"
77
78         # Include DHCP leases
           # Contents of this file are not shown here; presumably it is
           # generated from DHCP data, so whatever writes it decides what
           # these names resolve to - verify its ownership and mode.
79         include: "/etc/unbound/dhcp-leases.conf"
80
81         # Include any forward zones
           # Contents not shown here.
82         include: "/etc/unbound/forward.conf"
83
83
84 remote-control:
           # unbound-control channel: enabled, bound to loopback only and
           # protected by TLS using the key/certificate pairs listed below.
           # NOTE(review): anyone who can read unbound_control.key can drive
           # the resolver (flush cache, reload, stop) - verify the .key files
           # are readable only by root and the account that needs them.
85         control-enable: yes
86         control-use-cert: yes
87         control-interface: 127.0.0.1
88         server-key-file: "/etc/unbound/unbound_server.key"
89         server-cert-file: "/etc/unbound/unbound_server.pem"
90         control-key-file: "/etc/unbound/unbound_control.key"
91         control-cert-file: "/etc/unbound/unbound_control.pem"
92
92
93 # Import any local configurations
# Every *.conf file in local.d is read after all settings above, so a file
# placed there can add clauses and options to this configuration.
# NOTE(review): write access to /etc/unbound/local.d is therefore equivalent
# to control over the resolver - verify the directory is writable by root only.
94 include: "/etc/unbound/local.d/*.conf"