a guest
Nov 30th, 2015
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org
#
server:
    # Working directory
    directory: "/unbound"

    # log verbosity
    verbosity: 3
    use-syslog: no

    # specify the interfaces to answer queries from by ip-address. The default
    # is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
    # bind to all available interfaces. specify every interface[@port] on a new
    # 'interface:' labeled line. The listen interfaces are not changed on
    # reload, only on restart.
    interface: 0.0.0.0

    # port to answer queries from
    port: 53

    # Enable IPv4, "yes" or "no".
    do-ip4: yes

    # Enable IPv6, "yes" or "no".
    do-ip6: no

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
    # quicker to resolve as the functions related to TCP checks are not done.
    # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
    # due to their size.
    do-tcp: yes

    # control which client ips are allowed to make (recursive) queries to this
    # server. Specify classless netblocks with /size and action. By default
    # everything is refused, except for localhost. Choose deny (drop message),
    # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
    # and nonrecursive ok)
    access-control: 127.0.0.0/8 allow
    access-control: 172.17.0.0/12 allow
    access-control: 10.0.0.0/16 allow
    #access-control: 192.168.0.0/16 allow

    # Read the root hints from this file. Default is nothing, using built in
    # hints for the IN class. The file has the format of zone files, with root
    # nameserver names and addresses only. The default may become outdated,
    # when servers change, therefore it is good practice to use a root-hints
    # file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
    root-hints: "/unbound/root.hints"

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    hide-version: yes

    # Will trust glue only if it is within the servers authority.
    # Harden against out of zone rrsets, to avoid spoofing attempts.
    # Hardening queries multiple name servers for the same data to make
    # spoofing significantly harder and does not mandate dnssec.
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
    # turn it off, failing to validate dnskey data for a trustanchor will trigger
    # insecure mode for that zone (like without a trustanchor). Default on,
    # which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
    # While upper and lower case letters are allowed in domain names, no significance
    # is attached to the case. That is, two names with the same spelling but
    # different case are to be treated as if identical. This means calomel.org is the
    # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
    use-caps-for-id: yes

    # the time to live (TTL) value lower bound, in seconds. Default 0.
    # If more than an hour could easily give trouble due to stale data.
    cache-min-ttl: 1800

    # the time to live (TTL) value cap for RRsets and messages in the
    # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 86400

    # perform prefetching of close to expired message cache entries. If a client
    # requests the dns lookup and the TTL of the cached hostname is going to
    # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
    # host to the client and (2nd) pre-fetch the dns request from the remote dns
    # server. This method has been shown to increase the amount of cached hits by
    # local clients by 10% on average.
    prefetch: yes

    # number of threads to create. 1 disables threading. This should equal the number
    # of CPU cores in the machine. Our example machine has 4 CPU cores.
    num-threads: 2


    ## Unbound Optimization and Speed Tweaks ###

    # the number of slabs to use for cache and must be a power of 2 times the
    # number of num-threads set above. more slabs reduce lock contention, but
    # fragment memory usage.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

    # Increase the memory size of the cache. Use roughly twice as much rrset cache
    # memory as you use msg cache memory. Due to malloc overhead, the total memory
    # usage is likely to rise to double (or 2.5x) the total cache memory. The test
    # box has 4gig of ram so 256meg for rrset allows a lot of room for cached objects.
    rrset-cache-size: 256m
    msg-cache-size: 128m

    # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
    # the kernel buffer larger so that no messages are lost in spikes in the traffic.
    so-rcvbuf: 396k

    ## Unbound Optimization and Speed Tweaks ###


    # Enforce privacy of these addresses. Strips them away from answers. It may
    # cause DNSSEC validation to additionally mark it as bogus. Protects against
    # 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
    # 'local-data' names are allowed to have these private addresses. No default.
    #private-address: 192.168.0.0/16
    #private-address: 172.16.0.0/12
    private-address: 10.0.0.0/16
    private-address: 172.17.0.0/12

    # Allow the domain (and its subdomains) to contain private addresses.
    # local-data statements are allowed to contain private addresses too.
    private-domain: "test.lan"

    # If nonzero, unwanted replies are not only reported in statistics, but also
    # a running total is kept per thread. If it reaches the threshold, a warning
    # is printed and a defensive action is taken, the cache is cleared to flush
    # potential poison out of it. A suggested value is 10000000, the default is
    # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

    # IMPORTANT FOR TESTING: If you are testing and set up NSD or BIND on
    # localhost you will want to allow the resolver to send queries to localhost.
    # Make sure to set do-not-query-localhost: no. If yes, the default
    # do-not-query-address entries for localhost are present. If no, localhost
    # can be queried (for testing and debugging).
    do-not-query-localhost: no


    # Unbound can query your NSD or BIND server for private domain queries too.
    # On our NSD page we have NSD configured to serve the private domain,
    # "home.lan". Here we can tell Unbound to connect to the NSD server when it
    # needs to resolve a *.home.lan hostname or IP.
    #
    private-domain: "test.lan"
    local-zone: "0.0.10.in-addr.arpa." nodefault

stub-zone:
    name: "test.lan"
    stub-host: unsd_nsd3
    #stub-addr: 172.17.0.5

# If you have internal or private DNS names the external DNS servers can
# not resolve, then you can assign domain name strings to be redirected to a
# separate dns server. For example, our company has the domain
# organization.com and the domain name internal.organization.com can not be
# resolved by Google's public DNS, but can be resolved by our private DNS
# server located at 1.1.1.1. The following tells Unbound that any
# organization.com domain, i.e. *.organization.com, be dns resolved by 1.1.1.1
# instead of the public dns servers.
#
# forward-zone:
#     name: "organization.com"
#     forward-addr: 1.1.1.1 # Internal or private DNS

# Use the following forward-zone to forward all queries to Google DNS,
# OpenDNS.com or your local ISP's dns servers for example. To test resolution
# speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
# milliseconds.
#
forward-zone:
    name: "."
    forward-addr: 8.8.8.8 # Google Public DNS
    forward-addr: 74.82.42.42 # Hurricane Electric
    forward-addr: 4.2.2.4 # Level3 Verizon


remote-control:
    # Disable remote control
    control-enable: no

#
#
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org
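The use-caps-for-id comments above describe 0x20 encoding. The following Python, an added example and not code from Unbound or calomel.org, models both sides of that mechanism on the names the comment uses: DNS treats CaLoMeL.Org and calomel.org as the same owner, while the resolver's acceptance check demands the exact case it sent, so every letter is one more bit a forged reply must guess. The function names are mine, and `coin` is an injectable randomness source so the behaviour can be checked deterministically.

```python
import secrets

def randomize_case(qname, coin=lambda: secrets.randbits(1)):
    """0x20 encoding: each letter's case is set by a random bit. Digits, '-' and
    '.' have no case and therefore add no entropy."""
    return "".join((c.upper() if coin() else c.lower()) if c.isalpha() else c
                   for c in qname)

def wire_qname(qname):
    """Wire-format QNAME: length-prefixed labels ending in the root label,
    with the case preserved exactly as given."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def same_owner(a, b):
    """What DNS itself guarantees: case has no significance, so
    CaLoMeL.Org and calomel.org name the same owner."""
    return wire_qname(a).lower() == wire_qname(b).lower()

def accept_reply(sent_qname, reply_qname):
    """The resolver-side check: the reply's question section must echo the
    exact bytes that were sent, not merely the same owner name. A reply forged
    without having seen the query fails this test with high probability."""
    return wire_qname(sent_qname) == wire_qname(reply_qname)

def extra_bits(qname):
    """Bits of entropy 0x20 adds on top of the 16-bit ID and the source port."""
    return sum(c.isalpha() for c in qname)
```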
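As an added example (not part of the calomel.org file or of Unbound itself), this Python script parses a configuration in the clause/attribute layout above and flags settings that widen exposure: hardening options not explicitly on, an access-control netblock written with host bits set (172.17.0.0/12 as written is effectively 172.16.0.0/12), and the open-resolver combination of a wildcard interface with an allow-all netblock. The comment stripping and clause detection are my assumptions for this simple layout, not Unbound's own parser, and the sample configuration is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt in the layout of the unbound.conf above; hide-version is
# deliberately weakened and the harden-* options omitted for the demo.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 172.17.0.0/12 allow
    hide-identity: yes
    hide-version: no
    use-caps-for-id: yes
forward-zone:
    name: "."
    forward-addr: 8.8.8.8 # Google Public DNS
"""

def parse_unbound(text):
    """Return {clause: {key: [values]}}; repeated keys keep every value."""
    conf, clause = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop full-line and trailing comments
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):    # clause header: 'server:', 'forward-zone:'
            clause = line[:-1]
            continue
        key, _, value = line.partition(":")
        conf[clause][key.strip()].append(value.strip().strip('"'))
    return conf

def audit(conf):
    """Findings for settings that widen exposure; the last value of a key wins."""
    srv, findings = conf["server"], []
    for key in ("hide-identity", "hide-version", "harden-glue",
                "harden-dnssec-stripped", "use-caps-for-id"):
        if srv.get(key, ["unset"])[-1] != "yes":
            findings.append(f"{key} is not explicitly 'yes'")
    wildcard = any(i.split("@")[0] in ("0.0.0.0", "::0", "::")
                   for i in srv.get("interface", []))
    for rule in srv.get("access-control", []):
        block, action = rule.split()[:2]
        net = ipaddress.ip_network(block, strict=False)
        if block != str(net):      # e.g. 172.17.0.0/12 is really 172.16.0.0/12
            findings.append(f"{block} has host bits set; effective netblock {net}")
        if wildcard and action.startswith("allow") and net.prefixlen == 0:
            findings.append("open resolver: all interfaces, recursion for any client")
    return findings
```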