This repository has been archived by the owner on Aug 27, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathunbound.conf
105 lines (102 loc) · 2.93 KB
/
unbound.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
server:
verbosity: 3
num-threads: 1
interface: 0.0.0.0
port: 53
outgoing-range: 8192
num-queries-per-thread: 4096
so-rcvbuf: 8m
so-sndbuf: 8m
so-reuseport: yes
edns-buffer-size: 8192
max-udp-size: 8192
msg-buffer-size: 65552
msg-cache-size: 50m
msg-cache-slabs: 1
num-queries-per-thread: 1024
jostle-timeout: 200
delay-close: 0
rrset-cache-size: 100m
rrset-cache-slabs: 1
cache-min-ttl: 900
cache-max-ttl: 14400
cache-max-negative-ttl: 3600
infra-host-ttl: 900
infra-cache-min-rtt: 50
infra-cache-slabs: 1
infra-cache-numhosts: 10000
key-cache-slabs: 1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: no
access-control: 0.0.0.0/0 allow
##################################
# Usage in a LAN behind firewall #
##################################
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
## Add your internal network below
# access-control: 172.16.10.0/24 allow
## Add docker network
# access-control: 172.17.0.0/16 allow
####################################
logfile: ""
use-syslog: no
log-time-ascii: yes
root-hints: /etc/unbound/root.hints
hide-identity: yes
hide-version: yes
identity: "Dreams"
version: "2.0"
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
qname-minimisation: yes
use-caps-for-id: yes
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
unwanted-reply-threshold: 10000000
do-not-query-address: 127.0.0.1/8
do-not-query-address: ::1
do-not-query-localhost: no
prefetch: yes
minimal-responses: yes
module-config: "validator iterator"
# File with trusted keys, kept up to date using RFC5011 probes, initial file
# like trust-anchor-file, then it stores metadata. Use several entries, one
# per domain name, to track multiple zones. If you use forward-zone below to
# query the Google DNS servers you MUST comment out this option or all DNS
# queries will fail.
# auto-trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
val-bogus-ttl: 60
val-sig-skew-min: 3600
val-sig-skew-max: 86400
val-clean-additional: yes
val-log-level: 2
key-cache-size: 20m
key-cache-slabs: 4
neg-cache-size: 1m
forward-zone:
name: "."
forward-addr: 8.8.4.4 # Google
# forward-addr: 8.8.8.8 # Google
# forward-addr: 208.67.222.220 # OpenDNS
# forward-addr: 208.67.222.222 # OpenDNS
forward-addr: 1.1.1.1 # CloudFlare
forward-first: yes