#
server:
- # common server options
- chroot: "/etc/unbound"
- username: "unbound"
- pidfile: "/var/run/unbound.pid"
- num-threads: 2
+ # Common Server Options
+ chroot: ""
+ directory: "/etc/unbound"
+ username: "nobody"
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
- prefetch: yes
so-reuseport: yes
- cache-min-ttl: 3600
- cache-max-ttl: 86400
- unwanted-reply-threshold: 10000
do-not-query-localhost: yes
- # logging options
- logfile: "log/unbound.log"
- use-syslog: no
+ # System Tuning
+ include: "/etc/unbound/tuning.conf"
+
+ # Logging Options
verbosity: 1
- log-queries: no
+ use-syslog: yes
log-time-ascii: yes
+ log-queries: no
# Unbound Statistics
- statistics-interval: 3600
+ statistics-interval: 86400
statistics-cumulative: yes
extended-statistics: yes
- # privacy options
+ # Prefetching
+ prefetch: yes
+ prefetch-key: yes
+
+ # Randomise any cached responses
+ rrset-roundrobin: yes
+
+ # Privacy Options
hide-identity: yes
hide-version: yes
qname-minimisation: yes
minimal-responses: yes
- # hardening options (some experimental)
+ # DNSSEC
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ val-permissive-mode: no
+ val-clean-additional: yes
+ val-log-level: 1
+
+ # Hardening Options
harden-glue: yes
+ harden-short-bufsize: no
harden-large-queries: yes
harden-dnssec-stripped: yes
- harden-short-bufsize: no
- harden-below-nxdomain: no
- harden-referral-path: no
+ harden-below-nxdomain: yes
+ harden-referral-path: yes
harden-algo-downgrade: no
use-caps-for-id: yes
+ aggressive-nsec: yes
- # listen on localhost interface
- interface: 127.0.0.1
-
- # file with ipfire interfaces
- include: "/etc/unbound/interfaces.conf"
+ # Harden against DNS cache poisoning
+ unwanted-reply-threshold: 1000000
- # control which clients are allowed to make (recursive) queries
- access-control: 0.0.0.0/0 refuse
- access-control: 127.0.0.0/8 allow
- access-control: ::0/0 refuse
- access-control: ::1 allow
- access-control: ::ffff:127.0.0.1 allow
+ # Listen on all interfaces
+ interface-automatic: yes
+ interface: 0.0.0.0
- # file with ipfire networks
- include: "/etc/unbound/access.conf"
+ # Allow access from everywhere
+ access-control: 0.0.0.0/0 allow
- # dnssec main options
- val-clean-additional: yes
- val-log-level: 1
- # file with ipfire dnssec configuration
- include: "/etc/unbound/dnssec.conf"
-
- # DNS Rebinding
- # For DNS Rebinding prevention
- #
- # All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
- # IPv4 Addresses
- private-address: 0.0.0.0/8 # Broadcast address
- private-address: 10.0.0.0/8
- private-address: 127.0.0.0/8 # Loopback Localhost
- private-address: 172.16.0.0/12
- private-address: 192.168.0.0/16
- private-address: 169.254.0.0/16
- private-address: 198.18.0.0/15 # Used for testing inter-network communications
- private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
- private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
- private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET
- # IPv6 Addresses
- private-address: ::1/128 # Loopback Localhost
- private-address: 2001:db8::/32 # Documentation network IPv6
- private-address: fc00::/8 # Unique local address (ULA) part of "fc00::/7", not defined yet
- private-address: fd00::/8 # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
- private-address: fe80::/10 # Link-local address (LLA)
-
- # file with root servers
+ # Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
- # custom DNS zone files
- include: "/etc/unbound/zones/*.conf"
+ # Include DHCP leases
+ include: "/etc/unbound/dhcp-leases.conf"
- # DHCP leases (if configured)
- include: /etc/unbound/dhcpleases.conf
+ # Include any forward zones
+ include: "/etc/unbound/forward.conf"
- # Blocklists
- include: "/etc/unbound/blocklists/*.conf"
-# end server config
-
-# enable remote control only on localhost
remote-control:
control-enable: yes
- control-use-cert: yes
+ control-use-cert: no
control-interface: 127.0.0.1
- server-key-file: "/etc/unbound/unbound_server.key"
- server-cert-file: "/etc/unbound/unbound_server.pem"
- control-key-file: "/etc/unbound/unbound_control.key"
- control-cert-file: "/etc/unbound/unbound_control.pem"
-# end remote control config
-
-# custom DNS forward config
-include: "/etc/unbound/forward.conf"
+
+# Import any local configurations
+include: "/etc/unbound/local.d/*.conf"
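Review bot: `access-control: 0.0.0.0/0 allow` together with `interface: 0.0.0.0` and `interface-automatic: yes` turns this into an open recursive resolver on every attached network, which the removed `0.0.0.0/0 refuse` default plus the per-network `/etc/unbound/access.conf` include previously prevented; anyone who can reach the host can then use it for reflection/amplification and cache probing. Keep the deny-by-default shape and allow only the served prefixes, e.g. `access-control: 0.0.0.0/0 refuse` followed by one `access-control: <LAN-PREFIX> allow` per local network (placeholder for the real prefixes). The same hunk also drops the entire `private-address` DNS-rebinding block without replacement and sets `control-use-cert: no` on the remote-control socket, so any local process that can connect to the control interface can drive unbound-control without a key; if both are intentional, a comment stating why (e.g. `# rebinding protection handled upstream by <COMPONENT>`) would save the next reader from restoring them by reflex.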