Unbound: Use aggressive NSEC
[people/pmueller/ipfire-2.x.git] / config / unbound / unbound.conf
index 6d8a7f29c30e402d35ac3c17626f7abf02c9db2e..cda591dab4dd862f00f06aa010486ac2f0c181d0 100644 (file)
@@ -59,22 +59,22 @@ server:
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no
-       use-caps-for-id: no
+       use-caps-for-id: yes
+       aggressive-nsec: yes
 
-       # Deny access from everywhere
-       access-control: 0.0.0.0/0 refuse
+       # Harden against DNS cache poisoning
+       unwanted-reply-threshold: 1000000
 
-       # Listen on localhost
-       interface: 127.0.0.1
-       access-control: 127.0.0.0/8 allow
+       # Listen on all interfaces
+       interface-automatic: yes
+       interface: 0.0.0.0
+
+       # Allow access from everywhere
+       access-control: 0.0.0.0/0 allow
 
        # Bootstrap root servers
        root-hints: "/etc/unbound/root.hints"
 
-       # IPFire interface configuration
-       include: "/etc/unbound/interfaces.conf"
-       interface-automatic: no
-
        # Include DHCP leases
        include: "/etc/unbound/dhcp-leases.conf"
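Review bot: `access-control: 0.0.0.0/0 allow` together with `interface: 0.0.0.0` replaces the previous refuse-by-default policy and the `include: "/etc/unbound/interfaces.conf"` binding, so the resolver will answer recursive queries from any IPv4 source that can reach it. Unless a firewall rule outside this diff blocks port 53 on the external interface, that is an open resolver, which exposes the box to DNS amplification abuse and lets outsiders probe the cache. The change also goes well beyond what the commit title ("Use aggressive NSEC") announces, so it is easy to miss in review. I would keep `access-control: 0.0.0.0/0 refuse` as the default and add explicit `allow` entries only for the internal networks, with a comment above them naming the zones that are meant to be served. The `server:` clause starts before the hunk and may continue past it, so other access-control lines may exist that are not visible here.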