
unbound conf

a guest
Jun 25th, 2018
  1. server: #caching forwarder for loopback clients; every query goes to the forward-zone at the end of this file
  2. statistics-cumulative: yes
  3. port: 53
  4.  
  5. prefer-ip6: no
  6. do-ip6: no
  7. do-ip4: yes
  8. do-udp: yes
  9. do-tcp: yes
  10. tcp-upstream: no
  11.  
  12. #threads and memory (maybe change 4->2 and 32->8 or 4 for android)
  13. num-threads: 4
  14. so-reuseport: yes #improves multithreaded port usage; unsure if it works on android
  15. msg-cache-size: 32m
  16. msg-cache-slabs: 4
  17. rrset-cache-size: 32m
  18. rrset-cache-slabs: 4
  19. infra-host-ttl: 900
  20. infra-cache-slabs: 4
  21. infra-cache-numhosts: 30000
  22. key-cache-size: 32m
  23. key-cache-slabs: 4
  24. neg-cache-size: 32m
  25.  
  26. #maybe irrelevant for android
  27. use-systemd: no
  28. do-daemonize: no
  29.  
  30. #only allow localhost requests: the most specific matching netblock wins, so 127.0.0.0/8 allow overrides 0.0.0.0/0 refuse for loopback clients
  31. access-control: 0.0.0.0/0 refuse
  32. access-control: 127.0.0.0/8 allow
  33.  
  34. #prevent dns rebind attacks (strip any occurrences of these addresses from dns results); NOTE(review): 169.254.0.0/16 (link-local) is not listed - consider adding it
  35. private-address: 192.168.0.0/16
  36. private-address: 127.0.0.0/8
  37. private-address: 10.0.0.0/8
  38. private-address: 172.16.0.0/12
  39. #block all ipv6 answers too, since ipv6 is not being used here and could otherwise circumvent the blocks above
  40. private-address: ::/0
  41.  
  42. #ad block list; parsed as part of this config, so keep the file writable only by the admin user (contents not shown here)
  43. include: /etc/unbound/adb.list
  44.  
  45. #probably change "" to "unbound" to be more contained but it wasn't important to me; as written there is no chroot and no privilege drop, so the daemon keeps the privileges of whoever started it (note: chroot takes a directory, username takes the account name)
  46. chroot: ""
  47. username: ""
  48. directory: "/etc/unbound"
  49. use-syslog: yes
  50.  
  51. target-fetch-policy: "3 2 1 0 0"
  52.  
  53. harden-short-bufsize: yes
  54. harden-large-queries: yes
  55. harden-glue: yes
  56. harden-dnssec-stripped: no #presumably only matters when the validator module is loaded (it is not, see module-config below)
  57. qname-minimisation: yes
  58.  
  59. #prefetch cache entries
  60. prefetch: yes
  61. #but not dnssec keys
  62. prefetch-key: no
  63.  
  64. rrset-roundrobin: yes
  65. minimal-responses: yes
  66. disable-dnssec-lame-check: yes
  67.  
  68. #no dnssec (faster, less cpu & i think cloudflare and quad9 do their own dnssec check); with only "iterator" loaded unbound validates nothing itself, so answers are trusted as received from the forwarders
  69. module-config: "iterator"
  70.  
  71. #keep expired (0 ttl) entries in the cache and serve them on request, then refresh the cache afterwards (clients may briefly get stale answers)
  72. serve-expired: yes
  73.  
  74. unblock-lan-zones: no
  75.  
  76. remote-control:
  77. #unbound-control commandline usable via localhost; NOTE(review): with control-use-cert: no there is no TLS or key check, so any local process that can reach the control port can run unbound-control commands - consider control-use-cert: yes (keys from unbound-control-setup) or a unix-socket control-interface with restrictive file permissions
  78. control-enable: yes
  79. control-use-cert: no
  80.  
  81. forward-zone: #forward all names (zone ".") to the public resolvers below on port 853
  82. name: "."
  83. forward-addr: 1.1.1.1@853 # Cloudflare primary
  84. forward-addr: 1.0.0.1@853 # Cloudflare secondary
  85. forward-addr: 9.9.9.9@853 # Quad9
  86. forward-addr: 149.112.112.112@853 # Quad9
  87. forward-ssl-upstream: yes #use TLS to the forwarders; NOTE(review): there is no "#auth-name" suffix on the forward-addr lines and no tls-cert-bundle in server:, so the upstream certificate is presumably not verified (encrypted but unauthenticated) - confirm for your unbound version