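##########################
# Unbound Configuration
##########################
#
# Local caching, DNSSEC-validating resolver. It listens on loopback only
# (port 5555) and forwards every query over DNS-over-TLS to Cloudflare,
# Google and Quad9. Several include: files are pulled in below; their
# contents are not part of this file and can add to or override what is
# set here, so review them together with it.

##
# Server configuration
##
server:
    # Basic paths and settings
    chroot: /var/unbound
    username: unbound
    directory: /var/unbound
    pidfile: /var/run/unbound.pid
    root-hints: /var/unbound/root.hints
    # With use-syslog enabled, the logfile: set under "Logging" is not used.
    use-syslog: yes
    port: 5555
    include: /var/unbound/advanced.conf
    # DNSSEC trust anchor (RFC 5011 managed); the unbound user must be able
    # to write this file so the anchor can be updated.
    auto-trust-anchor-file: /var/unbound/root.key

    # Interfaces
    # Loopback only: the non-loopback access-control entries below only take
    # effect if an included file adds further interface: lines.
    interface: 127.0.0.1
    interface: ::1

    # Access control
    access-control: 192.168.0.0/16 allow
    access-control: 169.254.0.0/16 allow
    access-control: 127.0.0.1/32 allow
    access-control: fc00::/7 allow
    # The original also listed "fd80::/7"; a /7 fixes only the first seven
    # bits, so that entry was the same block as fc00::/7 and is dropped.
    # Link-local is fe80::/10. The original "fe80::/7" covered fe00::/7,
    # which also takes in multicast (ff00::/8); narrowed to match the
    # private-address entry further down.
    access-control: fe80::/10 allow
    access-control: ::1/128 allow

    # Protocol settings
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    prefer-ip6: yes
    so-reuseport: yes
    module-config: "validator iterator"

    # Logging
    # Query and reply logging is off, so client lookups are not recorded.
    log-queries: no
    log-replies: no
    log-tag-queryreply: no
    log-servfail: no
    log-local-actions: no
    logfile: /var/log/unbound.log
    verbosity: 1

    # Cache
    cache-min-ttl: 0
    cache-max-ttl: 86400
    msg-cache-size: 4m
    rrset-cache-size: 8m
    key-cache-size: 2m
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    key-cache-slabs: 8
    infra-cache-size: 8m
    infra-cache-slabs: 8
    infra-cache-numhosts: 100000
    infra-cache-min-rtt: 10

    # Prefetch and serving expired data
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 86400 # Use a reasonable default TTL for expired data
    serve-expired-reply-ttl: 30 # Set a short reply TTL for clients
    serve-expired-client-timeout: 500 # Timeout in milliseconds for clients

    # DNS rebinding protection
    # Answers for public names that point into these ranges are stripped.
    # NOTE(review): IPv4-mapped IPv6 (::ffff:0:0/96) is not listed; consider
    # adding it so mapped addresses cannot sidestep the IPv4 entries.
    private-address: 192.168.0.0/16
    private-address: 198.18.0.0/15
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: 2001:db8::/32
    private-address: fc00::/8
    private-address: fd00::/8
    private-address: fe80::/10

    # Security and privacy
    # hide-identity: yes refuses identity queries, so identity: is unused.
    hide-identity: yes
    hide-version: yes
    identity: "DNS"
    http-user-agent: "DNS"
    qname-minimisation: yes
    deny-any: no
    minimal-responses: yes
    use-caps-for-id: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    harden-short-bufsize: yes
    harden-referral-path: no
    aggressive-nsec: yes

    # Performance
    target-fetch-policy: "1 1 0 0 0"
    edns-buffer-size: 1232
    rrset-roundrobin: yes
    val-clean-additional: yes
    num-threads: 4
    so-rcvbuf: 8m
    so-sndbuf: 8m
    unwanted-reply-threshold: 100000

    # Additional includes
    # The wildcard loads every *.conf in that directory; keep the directory
    # writable only by the administrator.
    include: /var/unbound/private_domains.conf
    include: /var/unbound/host_entries.conf
    include: /var/unbound/dhcpleases.conf
    include: /var/unbound/etc/*.conf

##
# Remote-Control
##
# unbound-control is reachable on loopback only and uses the key and
# certificate files below; keep the *.key files readable only by the
# accounts that run unbound and unbound-control.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem

##
# Forward Zones
##
# NOTE(review): the upstreams are encrypted but not authenticated. No
# forward-addr carries a "#auth-name", so any certificate name is accepted,
# and no tls-cert-bundle is set in this file (it may be set in an include).
# To verify the upstream, set in the server: clause
#     tls-cert-bundle: "<path-to-system-CA-bundle>"   (placeholder)
# and append the provider name to each address, for example
#     forward-addr: 1.1.1.1@853#cloudflare-dns.com
# (Google: dns.google, Quad9: dns.quad9.net). Add both together: an auth
# name without a CA bundle makes the TLS handshake fail.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853 # Cloudflare IPv4
    forward-addr: 1.0.0.1@853 # Cloudflare IPv4
    forward-addr: 2606:4700:4700::1111@853 # Cloudflare IPv6
    forward-addr: 2606:4700:4700::1001@853 # Cloudflare IPv6
    forward-addr: 8.8.8.8@853 # Google IPv4
    forward-addr: 8.8.4.4@853 # Google IPv4
    forward-addr: 2001:4860:4860::8888@853 # Google IPv6
    forward-addr: 2001:4860:4860::8844@853 # Google IPv6
    forward-addr: 9.9.9.9@853 # Quad9 IPv4
    forward-addr: 149.112.112.112@853 # Quad9 IPv4
    forward-addr: 2620:fe::fe@853 # Quad9 IPv6
    forward-addr: 2620:fe::9@853 # Quad9 IPv6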