unbound: Drop certificates for local control connection
index a736e19550962f214c059839ccd00d23c1f214d7..e20c3330d7045ac93856ee1eb2e01d7d41b62d83 100644 (file)
@@ -10,7 +10,6 @@ server:
        chroot: ""
        directory: "/etc/unbound"
        username: "nobody"
-       num-threads: 2
        port: 53
        do-ip4: yes
        do-ip6: no
@@ -19,6 +18,9 @@ server:
        so-reuseport: yes
        do-not-query-localhost: yes
 
+       # System Tuning
+       include: "/etc/unbound/tuning.conf"
+
        # Logging Options
        verbosity: 1
        use-syslog: yes
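Review bot: `include: "/etc/unbound/tuning.conf"` is a plain, non-glob include, and as far as I recall Unbound treats a plain include file that cannot be opened as a configuration error, so the resolver would refuse to start if the tuning file is absent; this hunk does not show that file being added or generated. A comment naming the producer would make the dependency visible, e.g. `# Generated by <placeholder: tuning script>; must exist before unbound starts`. The `server:` block this sits in starts and ends outside the hunk.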
@@ -26,14 +28,11 @@ server:
        log-queries: no
 
        # Unbound Statistics
-       statistics-interval: 0
+       statistics-interval: 86400
        statistics-cumulative: yes
        extended-statistics: yes
 
-       # Cache Sizes
-       msg-cache-size: 8m
-       rrset-cache-size: 8m
-       key-cache-size: 4m
+       # Prefetching
        prefetch: yes
        prefetch-key: yes
 
@@ -60,22 +59,22 @@ server:
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no
-       use-caps-for-id: no
+       use-caps-for-id: yes
+       aggressive-nsec: yes
+
+       # Harden against DNS cache poisoning
+       unwanted-reply-threshold: 1000000
 
-       # Deny access from everywhere
-       access-control: 0.0.0.0/0 refuse
+       # Listen on all interfaces
+       interface-automatic: yes
+       interface: 0.0.0.0
 
-       # Listen on localhost
-       interface: 127.0.0.1
-       access-control: 127.0.0.0/8 allow
+       # Allow access from everywhere
+       access-control: 0.0.0.0/0 allow
 
        # Bootstrap root servers
        root-hints: "/etc/unbound/root.hints"
 
-       # IPFire interface configuration
-       include: "/etc/unbound/interfaces.conf"
-       interface-automatic: no
-
        # Include DHCP leases
        include: "/etc/unbound/dhcp-leases.conf"
 
@@ -84,12 +83,8 @@ server:
 
 remote-control:
        control-enable: yes
-       control-use-cert: yes
+       control-use-cert: no
        control-interface: 127.0.0.1
-       server-key-file: "/etc/unbound/unbound_server.key"
-       server-cert-file: "/etc/unbound/unbound_server.pem"
-       control-key-file: "/etc/unbound/unbound_control.key"
-       control-cert-file: "/etc/unbound/unbound_control.pem"
 
 # Import any local configurations
 include: "/etc/unbound/local.d/*.conf"