]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - config/unbound/unbound.conf
unbound: Drop certificates for local control connection
index c9b01b8f47c3745545b41fc3e51d580bb8853a77..e20c3330d7045ac93856ee1eb2e01d7d41b62d83 100644 (file)
@@ -28,7 +28,7 @@ server:
        log-queries: no
 
        # Unbound Statistics
-       statistics-interval: 0
+       statistics-interval: 86400
        statistics-cumulative: yes
        extended-statistics: yes
 
@@ -42,6 +42,7 @@ server:
        # Privacy Options
        hide-identity: yes
        hide-version: yes
+       qname-minimisation: yes
        minimal-responses: yes
 
        # DNSSEC
@@ -55,9 +56,14 @@ server:
        harden-short-bufsize: no
        harden-large-queries: yes
        harden-dnssec-stripped: yes
+       harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no
-       use-caps-for-id: no
+       use-caps-for-id: yes
+       aggressive-nsec: yes
+
+       # Harden against DNS cache poisoning
+       unwanted-reply-threshold: 1000000
 
        # Listen on all interfaces
        interface-automatic: yes
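Review bot: The new `unwanted-reply-threshold: 1000000` line is documented only as "Harden against DNS cache poisoning", which does not tell an operator what happens when the threshold trips. Per the unbound.conf documentation the counter is kept per thread, and reaching it clears the RRset and message caches and logs a warning; the documentation suggests 10 million, so this value is ten times lower. I would expand the comment, e.g. `# Flush caches and log a warning after this many unwanted replies per thread`, so an unexpected cache flush can be traced back to this setting. Separately, `use-caps-for-id: yes` enables 0x20 case randomisation, which can make lookups fail against authoritative servers that do not echo the query's case; a short comment pointing to `caps-exempt` for exceptions would help whoever has to debug that.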
@@ -77,12 +83,8 @@ server:
 
 remote-control:
        control-enable: yes
-       control-use-cert: yes
+       control-use-cert: no
        control-interface: 127.0.0.1
-       server-key-file: "/etc/unbound/unbound_server.key"
-       server-cert-file: "/etc/unbound/unbound_server.pem"
-       control-key-file: "/etc/unbound/unbound_control.key"
-       control-cert-file: "/etc/unbound/unbound_control.pem"
 
 # Import any local configurations
 include: "/etc/unbound/local.d/*.conf"
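Review bot: With `control-use-cert: no` on `control-interface: 127.0.0.1`, the control channel becomes a plain TCP listener with no authentication, so any local process that can reach loopback can issue control commands to the resolver. Binding to loopback keeps remote hosts out, but it does not separate unprivileged local users or a compromised local service from the DNS cache and forwarder settings. unbound also accepts an absolute path for `control-interface`, which creates a unix socket whose access is governed by file ownership and mode; consider `control-interface: "<path-to-control-socket>"` (placeholder path) with restrictive permissions instead. If loopback TCP is kept, a comment above `control-use-cert: no` stating that every local process is trusted would make the assumption explicit.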