Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Version=v1.13 Martineau update (Date Loaded by unbound_manager Thu Oct 19 19:38:13 CEST 2023)
- # v1.13 jumpsmm7 - Add 'serve-expired-ttl-reset: yes'
- # - Add 'max-udp-size: 3072'
- # - Add 'outgoing-port-*' Templates
- # v1.12 Martineau - Add 'interface xxx.xxx.101.1@53/xxx.xxx.102.1@53' templates for Aimesh Guest SSID VLANs when dnsmasq disabled @juched
- # Change 'serve-expired-ttl: 3600' to 86400 @juched
- # v1.11 Martineau - Add 'private-address: ::/0' Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
- # - Add IPv6 Private Address 'fd00::/8' and 'fe80::/10'
- # - Add If 'do-ip6: yes' set 'edns-buffer-size: 1232' @Linux_Chemist
- # - Change 'cache-min-ttl:' removed
- # v1.10 Martineau - Change Incorrect CIDR for '172.16.0.0' & '192.168.0.0'
- # v1.09 Martineau - Change rpz 'zonefile:' must match @jusched's external script (see 'unbound_rpz.sh'/'rpzsites')
- # v1.08 Martineau - Change 'cache-max-ttl: 21600' and 'cache-min-ttl: 5 to 14400/1200'
- # - Change 'control-use-cert: no' "Fast Menu" ENABLED by default
- # - Add Template for bypassing dnsmasq (port=0) for LAN devices DNS requests (@juched's Extended Statistics GUI)
- # - Add '#Stubby' and '#DoT' edit markers for unbound_manager - Hack
- # - Add 'outgoing-interface:' template
- # - Add 'rpz' feature (requires respip module) introduced unbound v1.10.0 https://dnsrpz.info/ (@juched example)
- # v1.07 Martineau - Add 'control-use-cert:' "Fast Menu" template
- # v1.06 Martineau - Add 'extended-statistics:' template
- # v1.05 Martineau - Add 'DNS-Over-TLS support' & 'so-rcvbuf:' templates
- # Remove 'prefetch:' & 'prefetch-key:' duplicates - Thanks @Safemode
- # v1.04 Martineau - Change 'ip-ratelimit:'
- # v1.03 Martineau - Remove 'dns64-prefix:' and 'module-config: "dns64 ..."' from auto ENABLE if IPv6 detected
- # v1.02 Martineau - Add '#use-syslog:' '#log-local-actions:' '#log-tag-queryreply:' Option placeholders
- # v1.01 Martineau - Add 'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
- # Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
- # Add If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'
- #-----------------------------------------------------------------------------------------------------------------------------------
- server:
- #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- port: 53535 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
- interface: 127.0.0.1@53535 # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
- #interface: 127.0.0.1@53 # v1.10 Required by router if dnsmasq 'disabled'
- #interface: xxx.xxx.10x.1@53 # v1.12 AiMesh Guest SSID VLAN TAG (dnsmasq disabled) @juched
- #access-control: 0.0.0.0/0 allow # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
- #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- #outgoing-interface: xxx.xxx.xxx.xxx # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)
- #########################################
- # integration LOG's
- #
- verbosity: 1 # v1.02 '1' is adequate to prove unbound is processing domains
- logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
- log-time-ascii: yes # v1.01 as per @dave14305 minimal config
- log-tag-queryreply: yes # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
- log-queries: yes
- #log-replies: yes
- #use-syslog: yes # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
- #log-local-actions: yes # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
- log-servfail: yes # v1.01 as per @dave14305 minimal config
- #########################################
- module-config: "respip validator iterator" # v1.08 add 'respip' for rpz feature @juched
- access-control: 0.0.0.0/0 refuse
- access-control: 127.0.0.0/8 allow
- access-control: 10.0.0.0/8 allow
- access-control: 172.16.0.0/12 allow # v1.10 Martineau Fix CIDR 16->12
- access-control: 192.168.0.0/16 allow # v1.10 @dave14305 Fix CIDR 24->16
- # RFC1918 private IP address - Protects against DNS Rebinding
- private-address: 127.0.0.0/8
- private-address: 169.254.0.0/16
- private-address: 10.0.0.0/8
- private-address: 172.16.0.0/12
- private-address: 192.168.0.0/16
- private-address: fd00::/8 # v1.11 Martineau
- private-address: fe80::/10 # v1.11 Martineau
- do-ip4: yes
- do-udp: yes
- do-tcp: yes
- #########################################
- # integration IPV6
- #
- do-ip6: no
- private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
- # do-ip6: yes
- # edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.61669/page-151
- # interface: ::0
- # access-control: ::0/0 refuse
- # access-control: ::1 allow
- # private-address: fd00::/8
- # private-address: fe80::/10
- #########################################
- #module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
- #dns64-prefix: 64:FF9B::/96 # v1.03 v1.01
- tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config
- # no threads and no memory slabs for threads
- num-threads: 1
- msg-cache-slabs: 2
- rrset-cache-slabs: 2
- infra-cache-slabs: 2
- key-cache-slabs: 2
- # tiny memory cache
- extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
- key-cache-size: 8m
- msg-cache-size: 8m
- rrset-cache-size: 16m
- cache-max-ttl: 14400 # v1.08 Martineau
- cache-min-ttl: 1200 # v1.08 Martineau
- # prefetch
- prefetch: yes
- prefetch-key: yes
- minimal-responses: yes
- serve-expired: yes
- serve-expired-ttl: 86400 # v1.12 as per @juched
- serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
- incoming-num-tcp: 600
- outgoing-num-tcp: 100
- ip-ratelimit: 0 # v1.04 as per @L&LD as it impacts ipleak.net?
- edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
- max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
- #outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
- #outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
- # Ensure kernel buffer is large enough to not lose messages in traffic spikes
- #so-rcvbuf: 1m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default
- #########################################
- # Options for integration with TCP/TLS Stubby
- # udp-upstream-without-downstream: yes
- #########################################
- # gentle on recursion
- hide-identity: yes
- hide-version: yes
- do-not-query-localhost: no
- qname-minimisation: yes
- harden-glue: yes
- harden-below-nxdomain: yes
- rrset-roundrobin: yes
- aggressive-nsec: yes
- deny-any: yes
- # Self jail Unbound with user "nobody" to /var/lib/unbound
- username: "nobody"
- directory: "/opt/var/lib/unbound"
- chroot: "/opt/var/lib/unbound"
- # The pid file
- pidfile: "/opt/var/run/unbound.pid"
- # ROOT Server's
- root-hints: "/opt/var/lib/unbound/root.hints"
- # DNSSEC
- auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
- #########################################
- # Adblock blacklist
- #include: /opt/var/lib/unbound/adblock/adservers
- include: /opt/var/lib/unbound/adblock/firefox_DOH
- #########################################
- remote-control:
- control-enable: yes
- control-use-cert: no # v1.08 Default "Fast Menu" ENABLED v1.07 Martineau "Fast Menu"
- control-interface: 127.0.0.1
- control-port: 953
- server-key-file: "/opt/var/lib/unbound/unbound_server.key"
- server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
- control-key-file: "/opt/var/lib/unbound/unbound_control.key"
- control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
- ##########################################
- #forward-zone:#Stubby # v1.08 Add #Stubby edit marker
- #name: "."
- #forward-addr: 127.0.1.1@5453
- #forward-addr: 0::1@5453 # integration IPV6
- #########################################
- #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ # v1.05 Martineau
- #forward-zone:#DoT # v1.08 Add #DoT edit marker v1.05 DNS-Over-TLS support
- #name: "."
- #forward-tls-upstream: yes
- #forward-addr: 1.1.1.1@853#cloudflare-dns.com
- #forward-addr: 1.0.0.1@853#cloudflare-dns.com
- #forward-addr: 9.9.9.9@853#dns.quad9.net
- #forward-addr: 149.112.112.112@853#dns.quad9.net
- #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
- #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
- #forward-addr: 2620:fe::fe@853#dns.quad9.net
- #forward-addr: 2620:fe::9@853#dns.quad9.net
- #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- # v1.01 Added the following
- auth-zone:
- name: "."
- url: "https://www.internic.net/domain/root.zone"
- fallback-enabled: yes
- for-downstream: no
- for-upstream: yes
- zonefile: root.zone
- #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- # v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
- # Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externally
- # and an external cron job will update the DNS Firewall every 00:15 minutes
- #
- #rpz:#RPZ # v1.08 DNS Firewall
- #name: rpz.urlhaus.abuse.ch
- #url: "http://urlhaus.abuse.ch/downloads/rpz/"
- #zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone # v1.09 Match @juched's 'rpzsites'
- #rpz-log: yes
- #rpz-log-name: "rpz.urlhaus.abuse.ch"
- #rpz-action-override: nxdomain
- #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement