[people/pmueller/ipfire-2.x.git] / config / unbound / unbound.conf

#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#

server:
	# Common Server Options
	chroot: ""
	directory: "/etc/unbound"
	username: "nobody"
	port: 53
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	so-reuseport: yes
	do-not-query-localhost: yes

	# System Tuning
	include: "/etc/unbound/tuning.conf"

	# Logging Options
	verbosity: 1
	use-syslog: yes
	log-time-ascii: yes
	log-queries: no

	# Unbound Statistics
	statistics-interval: 86400
	statistics-cumulative: yes
	extended-statistics: yes

	# Prefetching
	prefetch: yes
	prefetch-key: yes

	# Randomise any cached responses
	rrset-roundrobin: yes

	# Privacy Options
	hide-identity: yes
	hide-version: yes
	qname-minimisation: yes
	minimal-responses: yes

	# DNSSEC
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	val-permissive-mode: no
	val-clean-additional: yes
	val-log-level: 1

	# Hardening Options
	harden-glue: yes
	harden-short-bufsize: no
	harden-large-queries: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-referral-path: yes
	harden-algo-downgrade: no
	use-caps-for-id: yes
	aggressive-nsec: yes
	qname-minimisation: yes

	# TLS
	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

	# EDNS Buffer Size (#12240)
	edns-buffer-size: 1232

	# Harden against DNS cache poisoning
	unwanted-reply-threshold: 1000000

	# Listen on all interfaces
	interface-automatic: yes
	interface: 0.0.0.0

	# Allow access from everywhere
	access-control: 0.0.0.0/0 allow

	# Bootstrap root servers
	root-hints: "/etc/unbound/root.hints"

	# Include DHCP leases
	include: "/etc/unbound/dhcp-leases.conf"

	# Include hosts
	include: "/etc/unbound/hosts.conf"

	# Include any forward zones
	include: "/etc/unbound/forward.conf"

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: 127.0.0.1

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
Commit	Line	Data
d0e5f71f ML	1	#
	2	# Unbound configuration file for IPFire
	3	#
	4	# The full documentation is available at:
	5	# https://www.unbound.net/documentation/unbound.conf.html
	6	#
	7
	8	server:
b8f5eda8 MT	9	# Common Server Options
	10	chroot: ""
	11	directory: "/etc/unbound"
	12	username: "nobody"
d0e5f71f ML	13	port: 53
	14	do-ip4: yes
	15	do-ip6: no
	16	do-udp: yes
	17	do-tcp: yes
d0e5f71f	18	so-reuseport: yes
d0e5f71f ML	19	do-not-query-localhost: yes
d0e5f71f ML	20
b658a451 MT	21	# System Tuning
	22	include: "/etc/unbound/tuning.conf"
	23
b8f5eda8	24	# Logging Options
d0e5f71f	25	verbosity: 1
b8f5eda8	26	use-syslog: yes
d0e5f71f	27	log-time-ascii: yes
b8f5eda8	28	log-queries: no
d0e5f71f ML	29
d0e5f71f ML	30	# Unbound Statistics
2e0660f9	31	statistics-interval: 86400
d0e5f71f ML	32	statistics-cumulative: yes
	33	extended-statistics: yes
	34
b658a451	35	# Prefetching
b8f5eda8 MT	36	prefetch: yes
	37	prefetch-key: yes
	38
	39	# Randomise any cached responses
	40	rrset-roundrobin: yes
	41
	42	# Privacy Options
d0e5f71f ML	43	hide-identity: yes
d0e5f71f ML	44	hide-version: yes
c2adb460	45	qname-minimisation: yes
d0e5f71f ML	46	minimal-responses: yes
d0e5f71f ML	47
b8f5eda8 MT	48	# DNSSEC
	49	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	50	val-permissive-mode: no
	51	val-clean-additional: yes
	52	val-log-level: 1
	53
	54	# Hardening Options
d0e5f71f	55	harden-glue: yes
b8f5eda8	56	harden-short-bufsize: no
d0e5f71f ML	57	harden-large-queries: yes
d0e5f71f ML	58	harden-dnssec-stripped: yes
c2adb460	59	harden-below-nxdomain: yes
b8f5eda8	60	harden-referral-path: yes
d0e5f71f	61	harden-algo-downgrade: no
4e4128fa	62	use-caps-for-id: yes
8a058583	63	aggressive-nsec: yes
beebf925	64	qname-minimisation: yes
d0e5f71f	65
ffc46751 MT	66	# TLS
	67	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
	68
372576e0 MT	69	# EDNS Buffer Size (#12240)
372576e0 MT	70	edns-buffer-size: 1232
d0e5f71f	71
ffba3c98 PM	72	# Harden against DNS cache poisoning
	73	unwanted-reply-threshold: 1000000
	74
1b4d5ad9	75	# Listen on all interfaces
d4af85f2	76	interface-automatic: yes
1b4d5ad9 MT	77	interface: 0.0.0.0
1b4d5ad9 MT	78
3ddad158 MT	79	# Allow access from everywhere
3ddad158 MT	80	access-control: 0.0.0.0/0 allow
d0e5f71f	81
b8f5eda8	82	# Bootstrap root servers
d0e5f71f ML	83	root-hints: "/etc/unbound/root.hints"
d0e5f71f ML	84
b8f5eda8 MT	85	# Include DHCP leases
b8f5eda8 MT	86	include: "/etc/unbound/dhcp-leases.conf"
d0e5f71f	87
6137797c MT	88	# Include hosts
	89	include: "/etc/unbound/hosts.conf"
	90
b8f5eda8 MT	91	# Include any forward zones
b8f5eda8 MT	92	include: "/etc/unbound/forward.conf"
d0e5f71f	93
d0e5f71f ML	94	remote-control:
d0e5f71f ML	95	control-enable: yes
9bc17600	96	control-use-cert: no
d0e5f71f	97	control-interface: 127.0.0.1
d0e5f71f	98
b8f5eda8 MT	99	# Import any local configurations
b8f5eda8 MT	100	include: "/etc/unbound/local.d/*.conf"