
2023-10-20_inmtn_unbound.conf_1

a guest
Oct 20th, 2023
# Version=v1.13 Martineau update (Date Loaded by unbound_manager Thu Oct 19 19:38:13 CEST 2023)
# v1.13 jumpsmm7  - Add     'serve-expired-ttl-reset: yes'
#                 - Add     'max-udp-size: 3072'
#                 - Add     'outgoing-port-*' Templates
# v1.12 Martineau - Add     'interface xxx.xxx.101.1@53/xxx.xxx.102.1@53' templates for Aimesh Guest SSID VLANs when dnsmasq disabled @juched
#                   Change  'serve-expired-ttl: 3600' to 86400 @juched
# v1.11 Martineau - Add     'private-address: ::/0' Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
#                 - Add     IPv6 Private Address 'fd00::/8' and 'fe80::/10'
#                 - Add     If 'do-ip6: yes' set 'edns-buffer-size: 1232' @Linux_Chemist
#                 - Change  'cache-min-ttl:' removed
# v1.10 Martineau - Change  Incorrect CIDR for '172.16.0.0' & '192.168.0.0'
# v1.09 Martineau - Change  rpz 'zonefile:' must match @jusched's external script (see 'unbound_rpz.sh'/'rpzsites')
# v1.08 Martineau - Change  'cache-max-ttl: 21600' and 'cache-min-ttl: 5 to 14400/1200'
#                 - Change  'control-use-cert: no' "Fast Menu" ENABLED by default
#                 - Add     Template for bypassing dnsmasq (port=0) for LAN devices DNS requests (@juched's Extended Statistics GUI)
#                 - Add     '#Stubby' and '#DoT' edit markers for unbound_manager - Hack
#                 - Add     'outgoing-interface:' template
#                 - Add     'rpz' feature (requires respip module) introduced unbound v1.10.0 https://dnsrpz.info/ (@juched example)
# v1.07 Martineau - Add     'control-use-cert:' "Fast Menu" template
# v1.06 Martineau - Add     'extended-statistics:' template
# v1.05 Martineau - Add     'DNS-Over-TLS support' & 'so-rcvbuf:' templates
#                   Remove  'prefetch:' & 'prefetch-key:' duplicates - Thanks @Safemode
# v1.04 Martineau - Change  'ip-ratelimit:'
# v1.03 Martineau - Remove  'dns64-prefix:' and 'module-config: "dns64 ..."' from auto ENABLE if IPv6 detected
# v1.02 Martineau - Add     '#use-syslog:' '#log-local-actions:' '#log-tag-queryreply:' Option placeholders
# v1.01 Martineau - Add     'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
#                   Change  'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
#                   Add     If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'
#-----------------------------------------------------------------------------------------------------------------------------------
#
# Layout of this file: one 'server:' clause (listener, access control, logging, cache, hardening,
# chroot and DNSSEC), then 'remote-control:', optional forward-zone templates (Stubby / DoT),
# an 'auth-zone:' that mirrors the root zone locally, and a commented 'rpz:' DNS-firewall template.
# Lines marked '#@@@@' or '#Stubby' / '#DoT' / '#RPZ' are edit markers rewritten by unbound_manager.

server:

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Listener: loopback only on a non-standard port; dnsmasq stays in front of unbound unless
# the 'dnsmasq disabled' templates below are activated by unbound_manager.
port: 53535                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#interface: xxx.xxx.10x.1@53                # v1.12 AiMesh Guest SSID VLAN TAG (dnsmasq disabled) @juched
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
                                            # NOTE(review): if this template is ever left as '0.0.0.0/0 allow' while a LAN/WAN interface is bound,
                                            # the resolver becomes open to whatever can reach that interface; keep it scoped to the LAN subnet.
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

#########################################
# integration LOG's
#
# Query logging writes every client lookup (names, client addresses) to the logfile below,
# i.e. a browsing history of every LAN device lives on the router; keep file permissions tight
# and rely on the size-based deletion mentioned below (or syslog) so it does not grow unbounded.
verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes                     # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
#log-replies: yes
#use-syslog: yes                            # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
#log-local-actions: yes                     # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

module-config: "respip validator iterator"  # v1.08 add 'respip' for rpz feature @juched
                                            # 'validator' must stay in the chain or DNSSEC validation (see auto-trust-anchor-file) is silently skipped.

# Access control: default-deny, then allow loopback and RFC1918 only.
# Because nothing outside these ranges can query, the 'ip-ratelimit: 0' below does not expose
# the resolver as an amplification source; revisit both if any public-facing interface is added.
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow         # v1.10 Martineau  Fix CIDR 16->12
access-control: 192.168.0.0/16 allow        # v1.10 @dave14305 Fix CIDR 24->16

# RFC1918 private IP address - Protects against DNS Rebinding
# Any of these addresses appearing in an answer for a public name is removed from the response.
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8                   # v1.11 Martineau
private-address: fe80::/10                  # v1.11 Martineau
do-ip4: yes
do-udp: yes
do-tcp: yes

#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0                                 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
                                                      # Strips every AAAA/IPv6 address from answers; must be removed if 'do-ip6: yes' is enabled below.
# do-ip6: yes
# edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator"      # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                            # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # v1.01 as per @dave14305 minimal config
                                                       # CA bundle used to authenticate the DoT upstreams ('forward-tls-upstream') and the auth-zone 'url:' download.
                                                       # NOTE(review): path lies outside the chroot below - confirm it is read before chroot is entered on this build.

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 14400                            # v1.08 Martineau
cache-min-ttl: 1200                             # v1.08 Martineau
                                                # NOTE(review): the v1.11 changelog above says 'cache-min-ttl:' was removed, yet it is still set here - reconcile.
                                                # A minimum TTL overrides the authoritative TTL, so records are kept up to 20 minutes past what the owner intended.
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
# Stale-answer policy: when upstream cannot be reached, expired records are still served for up to
# serve-expired-ttl seconds. Availability trade-off: a retired or revoked address can keep being
# handed out for up to a day after its owner changed it.
serve-expired: yes
serve-expired-ttl: 86400                         # v1.12 as per @juched
serve-expired-ttl-reset: yes                     # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0                                  # v1.04 as per @L&LD as it impacts ipleak.net?
                                                 # '0' disables per-client rate limiting entirely; safe only while access-control above stays LAN-only.
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config
max-udp-size: 3072                               # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767                    # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535               # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
                                                 # Halving the source-port range halves the entropy that defends against cache poisoning; leave disabled unless needed.

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m                                   # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
# Hardening block: identity/version hiding, QNAME minimisation (less data leaked to each
# authoritative server), glue and NXDOMAIN hardening, and refusal of ANY queries (amplification).
# Options not listed here (e.g. harden-dnssec-stripped, val-clean-additional) keep unbound's defaults.
hide-identity: yes
hide-version: yes
do-not-query-localhost: no                      # Must be 'no' for the loopback forward-zone templates (Stubby @5453) below to be usable.
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

# Self jail Unbound with user "nobody" to /var/lib/unbound
# Absolute paths below that start with the chroot directory are interpreted relative to it after the jail is entered.
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
# RFC 5011 managed trust anchor: the file is rewritten by unbound on key rollover, so it must be
# writable by user "nobody" inside the chroot or validation will eventually break.
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
# Included files are generated externally; whoever can write them controls what this resolver answers.
# NOTE(review): 'firefox_DOH' presumably publishes the Firefox DoH canary domain so browsers keep using this resolver - verify its contents.
#include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

remote-control:
control-enable: yes
control-use-cert: no                            # v1.08 Default "Fast Menu" ENABLED v1.07 Martineau "Fast Menu"
                                                # NOTE(review): with certificates disabled, any local process that can connect to 127.0.0.1:953 can
                                                # issue unbound-control commands (flush cache, change forwarders, reload); the key/cert files
                                                # below are then unused. Acceptable only if nothing untrusted runs on the router.
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

##########################################
#forward-zone:#Stubby                         # v1.08 Add #Stubby edit marker
#name: "."
#forward-addr: 127.0.1.1@5453
#forward-addr: 0::1@5453 # integration IPV6
#########################################

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ # v1.05 Martineau
# DoT template: the '#hostname' suffix on each forward-addr is the name unbound verifies the
# upstream's TLS certificate against (using tls-cert-bundle); removing it leaves the TLS session unauthenticated.
#forward-zone:#DoT                                                    # v1.08 Add #DoT edit marker v1.05 DNS-Over-TLS support
#name: "."
#forward-tls-upstream: yes
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
#forward-addr: 1.0.0.1@853#cloudflare-dns.com
#forward-addr: 9.9.9.9@853#dns.quad9.net
#forward-addr: 149.112.112.112@853#dns.quad9.net
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
#forward-addr: 2620:fe::fe@853#dns.quad9.net
#forward-addr: 2620:fe::9@853#dns.quad9.net
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


# v1.01 Added the following
# Local copy of the root zone fetched over HTTPS: used only for upstream iteration ('for-upstream: yes'),
# never served directly to clients, and falls back to normal root queries if the copy is unusable.
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externally
#      and an external cron job will update the DNS Firewall every 00:15 minutes
#
# NOTE(review): the 'url:' below is plain http; since the zone is fetched by an external script, make sure
# that script fetches over TLS and that the zonefile is writable only by the updater, as its contents
# rewrite answers for every client.
#rpz:#RPZ                                                             # v1.08 DNS Firewall
#name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
#zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone             # v1.09 Match @juched's 'rpzsites'
#rpz-log: yes
#rpz-log-name: "rpz.urlhaus.abuse.ch"
#rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Tags: Unbound