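#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#

server:
    # common server options
    chroot: "/etc/unbound"
    username: "unbound"
    pidfile: "/var/run/unbound.pid"
    num-threads: 2
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    prefetch: yes
    so-reuseport: yes
    # TTL clamping: nothing is cached for less than one hour, so a record
    # change upstream (including an emergency re-pointing) can reach clients
    # up to an hour later than the zone's own TTL would allow.
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    # After this many unsolicited replies per thread the message and rrset
    # caches are cleared and a warning is logged - a crude poisoning tripwire.
    unwanted-reply-threshold: 10000
    do-not-query-localhost: yes

    # logging options
    # logfile is relative to the chroot, i.e. /etc/unbound/log/unbound.log
    logfile: "log/unbound.log"
    use-syslog: no
    verbosity: 1
    log-queries: no
    log-time-ascii: yes

    # Unbound Statistics
    statistics-interval: 3600
    statistics-cumulative: yes
    extended-statistics: yes

    # privacy options
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    minimal-responses: yes

    # hardening options (some experimental)
    harden-glue: yes
    harden-large-queries: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: no
    # The next three are left off, presumably for compatibility with
    # non-conforming authoritative servers; each one gives up some resistance
    # to spoofed or downgraded answers. Re-check before relaxing any further.
    harden-below-nxdomain: no
    harden-referral-path: no
    harden-algo-downgrade: no
    use-caps-for-id: yes

    # listen on localhost interface
    interface: 127.0.0.1

    # file with ipfire interfaces
    include: "/etc/unbound/interfaces.conf"

    # control which clients are allowed to make (recursive) queries
    # Unbound matches the most specific prefix, so line order is irrelevant:
    # the catch-all refuse rules do not shadow the narrower allow rules.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow

    # file with ipfire networks
    include: "/etc/unbound/access.conf"

    # dnssec main options
    val-clean-additional: yes
    val-log-level: 1

    # file with ipfire dnssec configuration
    include: "/etc/unbound/dnssec.conf"

    # DNS Rebinding
    # For DNS Rebinding prevention
    #
    # All these addresses are either private or should not be routable in the
    # global IPv4 or IPv6 internet. Answers containing them are stripped unless
    # the zone is explicitly exempted (see private-domain / local zones).

    # IPv4 Addresses
    private-address: 0.0.0.0/8        # "This" network (RFC 1122); not the broadcast address
    private-address: 10.0.0.0/8
    private-address: 127.0.0.0/8      # Loopback Localhost
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 198.18.0.0/15    # Used for testing inter-network communications
    private-address: 192.0.2.0/24     # Documentation network TEST-NET-1 (RFC 5737)
    private-address: 198.51.100.0/24  # Documentation network TEST-NET-2
    private-address: 203.0.113.0/24   # Documentation network TEST-NET-3
    private-address: 233.252.0.0/24   # Documentation network MCAST-TEST-NET

    # IPv6 Addresses
    private-address: ::1/128          # Loopback Localhost
    private-address: 2001:db8::/32    # Documentation network IPv6
    private-address: fc00::/8         # Unique local address (ULA) part of "fc00::/7", not defined yet
    private-address: fd00::/8         # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
    private-address: fe80::/10        # Link-local address (LLA)

    # file with root servers
    root-hints: "/etc/unbound/root.hints"

    # custom DNS zone files
    include: "/etc/unbound/zones/*.conf"

    # DHCP leases (if configured)
    include: "/etc/unbound/dhcpleases.conf"

    # Blocklists
    include: "/etc/unbound/blocklists/*.conf"
# end server config

# enable remote control only on localhost
remote-control:
    control-enable: yes
    control-use-cert: yes
    control-interface: 127.0.0.1
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
# end remote control config

# custom DNS forward config
include: "/etc/unbound/forward.conf"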