unbound: Drop certificates for local control connection
index 8dc72e67167f8acd04cd00819f51ca205be6f716..e20c3330d7045ac93856ee1eb2e01d7d41b62d83 100644 (file)
 #
 
 server:
-       # common server options
-       chroot: "/etc/unbound"
-       username: "unbound"
-       pidfile: "/var/run/unbound.pid"
-       num-threads: 2
+       # Common Server Options
+       chroot: ""
+       directory: "/etc/unbound"
+       username: "nobody"
        port: 53
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
-       prefetch: yes
        so-reuseport: yes
-       cache-min-ttl: 3600
-       cache-max-ttl: 86400
-       unwanted-reply-threshold: 10000
        do-not-query-localhost: yes
 
-       # logging options
-       logfile: "log/unbound.log"
-       use-syslog: no
+       # System Tuning
+       include: "/etc/unbound/tuning.conf"
+
+       # Logging Options
        verbosity: 1
-       log-queries: no
+       use-syslog: yes
        log-time-ascii: yes
+       log-queries: no
 
        # Unbound Statistics
-       statistics-interval: 3600
+       statistics-interval: 86400
        statistics-cumulative: yes
        extended-statistics: yes
 
-       # privacy options
+       # Prefetching
+       prefetch: yes
+       prefetch-key: yes
+
+       # Randomise any cached responses
+       rrset-roundrobin: yes
+
+       # Privacy Options
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        minimal-responses: yes
 
-       # hardening options (some experimental)
+       # DNSSEC
+       auto-trust-anchor-file: "/var/lib/unbound/root.key"
+       val-permissive-mode: no
+       val-clean-additional: yes
+       val-log-level: 1
+
+       # Hardening Options
        harden-glue: yes
+       harden-short-bufsize: no
        harden-large-queries: yes
        harden-dnssec-stripped: yes
-       harden-short-bufsize: no
-       harden-below-nxdomain: no
-       harden-referral-path: no
+       harden-below-nxdomain: yes
+       harden-referral-path: yes
        harden-algo-downgrade: no
        use-caps-for-id: yes
+       aggressive-nsec: yes
 
-       # listen on localhost interface
-       interface: 127.0.0.1
-
-       # file with ipfire interfaces
-       include:  "/etc/unbound/interfaces.conf"
+       # Harden against DNS cache poisoning
+       unwanted-reply-threshold: 1000000
 
-       # control which clients are allowed to make (recursive) queries
-       access-control: 0.0.0.0/0 refuse
-       access-control: 127.0.0.0/8 allow
-       access-control: ::0/0 refuse
-       access-control: ::1 allow
-       access-control: ::ffff:127.0.0.1 allow
+       # Listen on all interfaces
+       interface-automatic: yes
+       interface: 0.0.0.0
 
-       # file with ipfire networks
-       include: "/etc/unbound/access.conf"
+       # Allow access from everywhere
+       access-control: 0.0.0.0/0 allow
 
-       # dnssec main options
-       val-clean-additional: yes
-       val-log-level: 1
-       # file with ipfire dnssec configuration
-       include:  "/etc/unbound/dnssec.conf"
-
-       # DNS Rebinding
-       # For DNS Rebinding prevention
-       #
-       # All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
-       # IPv4 Addresses
-       private-address: 0.0.0.0/8       # Broadcast address
-       private-address: 10.0.0.0/8
-       private-address: 127.0.0.0/8     # Loopback Localhost
-       private-address: 172.16.0.0/12
-       private-address: 192.168.0.0/16
-       private-address: 169.254.0.0/16
-       private-address: 198.18.0.0/15   # Used for testing inter-network communications
-       private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
-       private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
-       private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
-       # IPv6 Addresses
-       private-address: ::1/128         # Loopback Localhost
-       private-address: 2001:db8::/32   # Documentation network IPv6
-       private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
-       private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
-       private-address: fe80::/10       # Link-local address (LLA)
-
-       # file with root servers 
+       # Bootstrap root servers
        root-hints: "/etc/unbound/root.hints"
 
-       # custom DNS zone files
-       include: "/etc/unbound/zones/*.conf"
+       # Include DHCP leases
+       include: "/etc/unbound/dhcp-leases.conf"
 
-       # DHCP leases (if configured)
-       include: /etc/unbound/dhcpleases.conf
+       # Include any forward zones
+       include: "/etc/unbound/forward.conf"
 
-       # Blocklists
-       include: "/etc/unbound/blocklists/*.conf"
-# end server config
-
-# enable remote control only on localhost
 remote-control:
        control-enable: yes
-       control-use-cert: yes
+       control-use-cert: no
        control-interface: 127.0.0.1
-       server-key-file: "/etc/unbound/unbound_server.key"
-       server-cert-file: "/etc/unbound/unbound_server.pem"
-       control-key-file: "/etc/unbound/unbound_control.key"
-       control-cert-file: "/etc/unbound/unbound_control.pem"
-# end remote control config
-
-# custom DNS forward config
-include: "/etc/unbound/forward.conf"
+
+# Import any local configurations
+include: "/etc/unbound/local.d/*.conf"
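Review bot: `access-control: 0.0.0.0/0 allow` combined with `interface: 0.0.0.0` and `interface-automatic: yes` replaces the old deny-by-default ACL (refuse on 0.0.0.0/0 and ::0/0, allow only loopback plus the networks from the removed access.conf include) with a resolver that answers recursive queries from any source address; unless the packet filter already drops port 53 on the untrusted interface or one of the new includes re-adds an ACL, this leaves an open recursive resolver. I would keep the deny-by-default shape, e.g. `access-control: 0.0.0.0/0 refuse` followed by `access-control: 127.0.0.0/8 allow`, with per-network allow entries coming from an included file as before. The whole `private-address:` list (RFC 1918, loopback, link-local, documentation and ULA ranges) is also removed with nothing on the new side replacing it, so rebinding protection for answers that point at internal addresses is gone unless it moved into tuning.conf or local.d; if it did move, a comment such as `# private-address (rebinding) list is kept in local.d/` beside the include would make that visible. Separately, `unwanted-reply-threshold` was raised from 10000 to 1000000, which weakens the cache-poisoning trigger by two orders of magnitude; the commit message does not explain the new value, so a one-line comment giving the rationale would help the next reader.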