# # Unbound configuration file for IPFire # # The full documentation is available at: # https://www.unbound.net/documentation/unbound.conf.html # server: # Common Server Options chroot: "" directory: "/etc/unbound" username: "nobody" port: 53 do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes so-reuseport: yes do-not-query-localhost: yes # System Tuning include: "/etc/unbound/tuning.conf" # Logging Options verbosity: 1 use-syslog: yes log-time-ascii: yes log-queries: no # Unbound Statistics statistics-interval: 86400 statistics-cumulative: yes extended-statistics: yes # Prefetching prefetch: yes prefetch-key: yes # Randomise any cached responses rrset-roundrobin: yes # Privacy Options hide-identity: yes hide-version: yes qname-minimisation: yes minimal-responses: yes # DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key" val-permissive-mode: no val-clean-additional: yes val-log-level: 1 # Hardening Options harden-glue: yes harden-short-bufsize: no harden-large-queries: yes harden-dnssec-stripped: yes harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no use-caps-for-id: yes aggressive-nsec: yes # Harden against DNS cache poisoning unwanted-reply-threshold: 1000000 # Listen on all interfaces interface-automatic: yes interface: 0.0.0.0 # Allow access from everywhere access-control: 0.0.0.0/0 allow # Bootstrap root servers root-hints: "/etc/unbound/root.hints" # Include DHCP leases include: "/etc/unbound/dhcp-leases.conf" # Include any forward zones include: "/etc/unbound/forward.conf" remote-control: control-enable: yes control-use-cert: yes control-interface: 127.0.0.1 server-key-file: "/etc/unbound/unbound_server.key" server-cert-file: "/etc/unbound/unbound_server.pem" control-key-file: "/etc/unbound/unbound_control.key" control-cert-file: "/etc/unbound/unbound_control.pem" # Import any local configurations include: "/etc/unbound/local.d/*.conf"