# Unbound configuration file for IPFire
#
# The full documentation is available at:
-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
server:
chroot: ""
directory: "/etc/unbound"
username: "nobody"
- port: 53
- do-ip4: yes
do-ip6: no
- do-udp: yes
- do-tcp: yes
- so-reuseport: yes
- do-not-query-localhost: yes
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
- verbosity: 1
use-syslog: yes
log-time-ascii: yes
- log-queries: no
# Unbound Statistics
statistics-interval: 86400
- statistics-cumulative: yes
extended-statistics: yes
# Prefetching
prefetch: yes
prefetch-key: yes
- # Randomise any cached responses
- rrset-roundrobin: yes
-
# Privacy Options
hide-identity: yes
hide-version: yes
- qname-minimisation: yes
- minimal-responses: yes
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
- val-permissive-mode: no
- val-clean-additional: yes
val-log-level: 1
+ log-servfail: yes
# Hardening Options
- harden-glue: yes
- harden-short-bufsize: no
harden-large-queries: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
harden-referral-path: yes
- harden-algo-downgrade: no
- use-caps-for-id: yes
aggressive-nsec: yes
+ # TLS
+ tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
+
# Harden against DNS cache poisoning
unwanted-reply-threshold: 1000000
# Allow access from everywhere
access-control: 0.0.0.0/0 allow
+ # Timeout behaviour
+ infra-keep-probing: yes
+
# Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"
+ # Include hosts
+ include: "/etc/unbound/hosts.conf"
+
# Include any forward zones
include: "/etc/unbound/forward.conf"
projects / ipfire-2.x.git / blobdiff