git.ipfire.org Git - ipfire-2.x.git/blob - config/unbound/unbound.conf
unbound: Move "listen on all" to main configuration file
#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#

# Resolver settings. Every option below belongs to the server: clause;
# unbound scopes options by clause header, not by indentation.
server:
	# Common Server Options
	# An empty chroot disables chroot(2), so the privilege drop to
	# "username" is the only confinement configured in this file.
	# NOTE(review): "nobody" is often shared with other services; a
	# dedicated account would keep unbound's files apart from them.
	chroot: ""
	directory: "/etc/unbound"
	username: "nobody"
	port: 53
	# IPv4 only: with do-ip6 off, IPv6 is used neither for answering
	# clients nor for upstream queries.
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	so-reuseport: yes
	# Never send upstream queries to loopback addresses.
	do-not-query-localhost: yes

	# System Tuning
	# NOTE(review): contents of tuning.conf are not visible here.
	include: "/etc/unbound/tuning.conf"

	# Logging Options
	# Operational messages go to syslog; individual client queries are
	# not logged, which keeps lookup history out of the logs.
	verbosity: 1
	use-syslog: yes
	log-time-ascii: yes
	log-queries: no

	# Unbound Statistics
	# Interval 0 turns off periodic statistics log lines; the counters
	# stay available through unbound-control.
	statistics-interval: 0
	statistics-cumulative: yes
	extended-statistics: yes

	# Prefetching
	# Refresh popular cache entries shortly before they expire, and
	# fetch DNSKEYs early during validation.
	prefetch: yes
	prefetch-key: yes

	# Randomise any cached responses
	rrset-roundrobin: yes

	# Privacy Options
	# Do not disclose server identity or version to clients, and send
	# upstream servers only as much of the query name as they need.
	hide-identity: yes
	hide-version: yes
	qname-minimisation: yes
	minimal-responses: yes

	# DNSSEC
	# The root trust anchor is maintained by unbound itself (RFC 5011),
	# so this file has to stay writable by the "username" account.
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	# Validation is enforced: bogus answers are withheld from clients
	# instead of being passed on as they would be in permissive mode.
	val-permissive-mode: no
	val-clean-additional: yes
	# Log one line per failed validation.
	val-log-level: 1

	# Hardening Options
	# Three protections are switched off in this group:
	#   harden-short-bufsize  - ignore very small EDNS buffer sizes
	#   harden-algo-downgrade - refuse validation through the weakest
	#                           algorithm of a DS set
	#   use-caps-for-id       - 0x20 case randomisation of query names
	# NOTE(review): presumably disabled for compatibility - confirm
	# before changing any of them.
	harden-glue: yes
	harden-short-bufsize: no
	harden-large-queries: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-referral-path: yes
	harden-algo-downgrade: no
	use-caps-for-id: no

	# Listen on all interfaces
	# Because the socket is bound on every IPv4 address, the
	# access-control entries are what limits who may use the resolver.
	interface: 0.0.0.0

	# Deny access from everywhere
	# "refuse" answers with rcode REFUSED instead of dropping silently.
	access-control: 0.0.0.0/0 refuse

	# Allow access from localhost
	# The most specific matching netblock wins, so this entry overrides
	# the catch-all above regardless of order. An allow entry covering
	# an untrusted network would turn this into an open resolver.
	access-control: 127.0.0.0/8 allow

	# Bootstrap root servers
	root-hints: "/etc/unbound/root.hints"

	# IPFire interface configuration
	# NOTE(review): interfaces.conf is not visible here; presumably it
	# carries the access-control entries for the local networks - verify
	# that it only allows trusted zones.
	include: "/etc/unbound/interfaces.conf"
	interface-automatic: no

	# Include DHCP leases
	include: "/etc/unbound/dhcp-leases.conf"

	# Include any forward zones
	include: "/etc/unbound/forward.conf"
# Control channel used by unbound-control.
remote-control:
	control-enable: yes
	# Require TLS with the key/certificate pairs listed below.
	control-use-cert: yes
	# Loopback only: the control port is not reachable from the network.
	control-interface: 127.0.0.1
	# Whoever can read the control key and certificate can operate the
	# daemon, so the .key files should not be readable by other users.
	server-key-file: "/etc/unbound/unbound_server.key"
	server-cert-file: "/etc/unbound/unbound_server.pem"
	control-key-file: "/etc/unbound/unbound_control.key"
	control-cert-file: "/etc/unbound/unbound_control.pem"
# Import any local configurations
# Included text is processed as if it were written at this point, i.e.
# after the remote-control: clause, so each file should open with its own
# clause header (for example "server:"). These files are read last and can
# add to or change the settings above, access-control entries included, so
# the directory should be writable by root only.
include: "/etc/unbound/local.d/*.conf"