Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ## Authoritative, validating, recursive caching DNS
- ## unbound.conf -- https://calomel.org
- #
- server:
- # Working directory
- directory: "/unbound"
- # log verbosity
- verbosity: 3
- use-syslog: no
- # specify the interfaces to answer queries from by ip-address. The default
- # is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
- # bind to all available interfaces. specify every interface[@port] on a new
- # 'interface:' labeled line. The listen interfaces are not changed on
- # reload, only on restart.
- interface: 0.0.0.0
- # port to answer queries from
- port: 53
- # Enable IPv4, "yes" or "no".
- do-ip4: yes
- # Enable IPv6, "yes" or "no".
- do-ip6: no
- # Enable UDP, "yes" or "no".
- do-udp: yes
- # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
- # quicker to resolve as the functions related to TCP checks are not done.i
- # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
- # due to their size.
- do-tcp: yes
- # control which client ips are allowed to make (recursive) queries to this
- # server. Specify classless netblocks with /size and action. By default
- # everything is refused, except for localhost. Choose deny (drop message),
- # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
- # and nonrecursive ok)
- access-control: 127.0.0.0/8 allow
- access-control: 172.17.0.0/12 allow
- access-control: 10.0.0.0/16 allow
- #access-control: 192.168.0.0/16 allow
- # Read the root hints from this file. Default is nothing, using built in
- # hints for the IN class. The file has the format of zone files, with root
- # nameserver names and addresses only. The default may become outdated,
- # when servers change, therefore it is good practice to use a root-hints
- # file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
- root-hints: "/unbound/root.hints"
- # enable to not answer id.server and hostname.bind queries.
- hide-identity: yes
- # enable to not answer version.server and version.bind queries.
- hide-version: yes
- # Will trust glue only if it is within the servers authority.
- # Harden against out of zone rrsets, to avoid spoofing attempts.
- # Hardening queries multiple name servers for the same data to make
- # spoofing significantly harder and does not mandate dnssec.
- harden-glue: yes
- # Require DNSSEC data for trust-anchored zones, if such data is absent, the
- # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
- # turn it off, failing to validate dnskey data for a trustanchor will trigger
- # insecure mode for that zone (like without a trustanchor). Default on,
- # which insists on dnssec data for trust-anchored zones.
- harden-dnssec-stripped: yes
- # Use 0x20-encoded random bits in the query to foil spoof attempts.
- # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
- # While upper and lower case letters are allowed in domain names, no significance
- # is attached to the case. That is, two names with the same spelling but
- # different case are to be treated as if identical. This means calomel.org is the
- # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
- use-caps-for-id: yes
- # the time to live (TTL) value lower bound, in seconds. Default 0.
- # If more than an hour could easily give trouble due to stale data.
- cache-min-ttl: 1800
- # the time to live (TTL) value cap for RRsets and messages in the
- # cache. Items are not cached for longer. In seconds.
- cache-max-ttl: 86400
- # perform prefetching of close to expired message cache entries. If a client
- # requests the dns lookup and the TTL of the cached hostname is going to
- # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
- # host to the client and (2nd) pre-fetch the dns request from the remote dns
- # server. This method has been shown to increase the amount of cached hits by
- # local clients by 10% on average.
- prefetch: yes
- # number of threads to create. 1 disables threading. This should equal the number
- # of CPU cores in the machine. Our example machine has 4 CPU cores.
- num-threads: 2
- ## Unbound Optimization and Speed Tweaks ###
- # the number of slabs to use for cache and must be a power of 2 times the
- # number of num-threads set above. more slabs reduce lock contention, but
- # fragment memory usage.
- msg-cache-slabs: 8
- rrset-cache-slabs: 8
- infra-cache-slabs: 8
- key-cache-slabs: 8
- # Increase the memory size of the cache. Use roughly twice as much rrset cache
- # memory as you use msg cache memory. Due to malloc overhead, the total memory
- # usage is likely to rise to double (or 2.5x) the total cache memory. The test
- # box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
- rrset-cache-size: 256m
- msg-cache-size: 128m
- # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
- # the kernel buffer larger so that no messages are lost in spikes in the traffic.
- so-rcvbuf: 396k
- ## Unbound Optimization and Speed Tweaks ###
- # Enforce privacy of these addresses. Strips them away from answers. It may
- # cause DNSSEC validation to additionally mark it as bogus. Protects against
- # 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
- # 'local-data' names are allowed to have these private addresses. No default.
- #private-address: 192.168.0.0/16
- #private-address: 172.16.0.0/12
- private-address: 10.0.0.0/16
- private-address: 172.17.0.0/12
- # Allow the domain (and its subdomains) to contain private addresses.
- # local-data statements are allowed to contain private addresses too.
- private-domain: "test.lan"
- # If nonzero, unwanted replies are not only reported in statistics, but also
- # a running total is kept per thread. If it reaches the threshold, a warning
- # is printed and a defensive action is taken, the cache is cleared to flush
- # potential poison out of it. A suggested value is 10000000, the default is
- # 0 (turned off). We think 10K is a good value.
- unwanted-reply-threshold: 10000
- # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
- # localhost you will want to allow the resolver to send queries to localhost.
- # Make sure to set do-not-query-localhost: yes . If yes, the above default
- # do-not-query-address entries are present. if no, localhost can be queried
- # (for testing and debugging).
- do-not-query-localhost: no
- # Unbound can query your NSD or BIND server for private domain queries too.
- # On our NSD page we have NSD configured to serve the private domain,
- # "home.lan". Here we can tell Unbound to connect to the NSD server when it
- # needs to resolve a *.home.lan hostname or IP.
- #
- private-domain: "test.lan"
- local-zone: "0.0.10.in-addr.arpa." nodefault
- stub-zone:
- name: "test.lan"
- stub-host: unsd_nsd3
- #stub-addr: 172.17.0.5
- # If you have an internal or private DNS names the external DNS servers can
- # not resolve, then you can assign domain name strings to be redirected to a
- # seperate dns server. For example, our comapny has the domain
- # organization.com and the domain name internal.organization.com can not be
- # resolved by Google's public DNS, but can be resolved by our private DNS
- # server located at 1.1.1.1. The following tells Unbound that any
- # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
- # instead of the public dns servers.
- #
- # forward-zone:
- # name: "organization.com"
- # forward-addr: 1.1.1.1 # Internal or private DNS
- # Use the following forward-zone to forward all queries to Google DNS,
- # OpenDNS.com or your local ISP's dns servers for example. To test resolution
- # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
- # milliseconds.
- #
- forward-zone:
- name: "."
- forward-addr: 8.8.8.8 # Google Public DNS
- forward-addr: 74.82.42.42 # Hurricane Electric
- forward-addr: 4.2.2.4 # Level3 Verizon
- remote-control:
- # Disable remote control
- control-enable: no
- #
- #
- ## Authoritative, validating, recursive caching DNS
- ## unbound.conf -- https://calomel.org
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement