[people/pmueller/ipfire-2.x.git] / config / unbound / unbound.conf

#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#

server:
        # Common Server Options
        chroot: ""
        directory: "/etc/unbound"
        username: "nobody"
        do-ip6: no

        # System Tuning
        include: "/etc/unbound/tuning.conf"

        # Logging Options
        use-syslog: yes
        log-time-ascii: yes

        # Unbound Statistics
        statistics-interval: 86400
        extended-statistics: yes

        # Prefetching
        prefetch: yes
        prefetch-key: yes

        # Randomise any cached responses
        rrset-roundrobin: yes

        # Privacy Options
        hide-identity: yes
        hide-version: yes

        # DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        val-log-level: 1
        log-servfail: yes

        # Hardening Options
        harden-large-queries: yes
        harden-referral-path: yes
        use-caps-for-id: yes
        aggressive-nsec: yes

        # TLS
        tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

        # EDNS Buffer Size (#12240)
        edns-buffer-size: 1232

        # Harden against DNS cache poisoning
        unwanted-reply-threshold: 1000000

        # Listen on all interfaces
        interface-automatic: yes
        interface: 0.0.0.0

        # Allow access from everywhere
        access-control: 0.0.0.0/0 allow

        # Bootstrap root servers
        root-hints: "/etc/unbound/root.hints"

        # Include DHCP leases
        include: "/etc/unbound/dhcp-leases.conf"

        # Include hosts
        include: "/etc/unbound/hosts.conf"

        # Include any forward zones
        include: "/etc/unbound/forward.conf"

remote-control:
        control-enable: yes
        control-use-cert: no
        control-interface: 127.0.0.1

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"