
unbound.conf

a guest Dec 11th, 2017 246 Never
  1. [root@efa ~]# cat /etc/unbound/unbound.conf
  2. #
  3. # See unbound.conf(5) man page.
  4. #
  5. # this is a comment.
  6.  
  7. #Use this to include other text into the file.
  8. #include: "otherfile.conf"
  9.  
  10. # The server clause sets the main parameters.
      # NOTE(review): only the uncommented option lines in this listing are
      # active; the "# option: value" lines are examples or defaults and have
      # no effect until the leading "#" is removed.
  11. server:
  12.         # whitespace is not necessary, but looks cleaner.
  13.  
  14.         # verbosity number, 0 is least verbose. 1 is default.
  15.         verbosity: 1
  16.  
  17.         # print statistics to the log (for every thread) every N seconds.
  18.         # Set to "" or 0 to disable. Default is disabled.
  19.         # Needed for munin plugin
  20.         statistics-interval: 0
  21.  
  22.         # enable cumulative statistics, without clearing them after printing.
  23.         # Needed for munin plugin
  24.         statistics-cumulative: no
  25.  
  26.         # enable extended statistics (query types, answer codes, status)
  27.         # printed from unbound-control. default off, because of speed.
  28.         # Needed for munin plugin
              # NOTE(review): these counters are read through unbound-control, so
              # this setting is what makes the remote-control clause further down
              # necessary; if monitoring is not used, both can be switched off.
  29.         extended-statistics: yes
  30.  
  31.         # number of threads to create. 1 disables threading.
  32.         num-threads: 2
  33.  
  34.         # specify the interfaces to answer queries from by ip-address.
  35.         # The default is to listen to localhost (127.0.0.1 and ::1).
  36.         # specify 0.0.0.0 and ::0 to bind to all available interfaces.
  37.         # specify every interface on a new 'interface:' labelled line.
  38.         # The listen interfaces are not changed on reload, only on restart.
  39.         # interface: 0.0.0.0
  40.         # interface: ::0
  41.         # interface: 192.0.2.153
  42.         # interface: 192.0.2.154
  43.         # interface: 2001:DB8::5
  44.         #
  45.         # for dns over tls and raw dns over port 80
  46.         # interface: 0.0.0.0@443
  47.         # interface: ::0@443
  48.         # interface: 0.0.0.0@80
  49.         # interface: ::0@80
  50.  
  51.         # enable this feature to copy the source address of queries to reply.
  52.         # Socket options are not supported on all platforms. experimental.
  53.         # interface-automatic: yes
  54.         #
  55.         # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
  56.         # NOTE: Disabled per Fedora policy not to listen to * on default install
  57.         # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
              # NOTE(review): every "interface:" and "access-control:" line in this
              # file is commented out, so by the defaults described in those
              # comments the resolver listens on localhost and refuses all other
              # clients. The files pulled in by the include: lines are not shown
              # here and can change that; check them before treating this host as
              # a local-only resolver.
  58.         interface-automatic: no
  59.  
  60.         # port to answer queries from
  61.         # port: 53
  62.  
  63.         # specify the interfaces to send outgoing queries to authoritative
  64.         # server from by ip-address. If none, the default (all) interface
  65.         # is used. Specify every interface on a 'outgoing-interface:' line.
  66.         # outgoing-interface: 192.0.2.153
  67.         # outgoing-interface: 2001:DB8::5
  68.         # outgoing-interface: 2001:DB8::6
  69.  
  70.         # number of ports to allocate per thread, determines the size of the
  71.         # port range that can be open simultaneously.
  72.         # outgoing-range: 4096
  73.  
  74.         # permit unbound to use this port number or port range for
  75.         # making outgoing queries, using an outgoing interface.
  76.         # outgoing-port-permit: 32768
  77.  
  78.         # deny unbound the use of this port number or port range for
  79.         # making outgoing queries, using an outgoing interface.
  80.         # Use this to make sure unbound does not grab a UDP port that some
  81.         # other server on this computer needs. The default is to avoid
  82.         # IANA-assigned port numbers.
  83.         # outgoing-port-avoid: "3200-3208"
  84.  
  85.         # number of outgoing simultaneous tcp buffers to hold per thread.
  86.         # outgoing-num-tcp: 10
  87.  
  88.         # number of incoming simultaneous tcp buffers to hold per thread.
  89.         # incoming-num-tcp: 10
  90.  
  91.         # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
  92.         # 0 is system default.  Use 4m to catch query spikes for busy servers.
  93.         # so-rcvbuf: 0
  94.  
  95.         # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
  96.         # 0 is system default.  Use 4m to handle spikes on very busy servers.
  97.         # so-sndbuf: 0
  98.  
  99.         # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
  100.         # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
  101.         # edns-buffer-size: 4096
  102.  
  103.         # buffer size for handling DNS data. No messages larger than this
  104.         # size can be sent or received, by UDP or TCP. In bytes.
  105.         # msg-buffer-size: 65552
  106.  
  107.         # the amount of memory to use for the message cache.
  108.         # plain value in bytes or you can append k, m or G. default is "4Mb".
  109.         # msg-cache-size: 4m
  110.  
  111.         # the number of slabs to use for the message cache.
  112.         # the number of slabs must be a power of 2.
  113.         # more slabs reduce lock contention, but fragment memory usage.
  114.         # msg-cache-slabs: 4
  115.  
  116.         # the number of queries that a thread gets to service.
  117.         # num-queries-per-thread: 1024
  118.  
  119.         # if very busy, 50% queries run to completion, 50% get timeout in msec
  120.         # jostle-timeout: 200
  121.  
  122.         # the amount of memory to use for the RRset cache.
  123.         # plain value in bytes or you can append k, m or G. default is "4Mb".
  124.         # rrset-cache-size: 4m
  125.  
  126.         # the number of slabs to use for the RRset cache.
  127.         # the number of slabs must be a power of 2.
  128.         # more slabs reduce lock contention, but fragment memory usage.
  129.         # rrset-cache-slabs: 4
  130.  
  131.         # the time to live (TTL) value lower bound, in seconds. Default 0.
  132.         # Setting this to more than an hour could easily give trouble due to stale data.
  133.         # cache-min-ttl: 0
  134.  
  135.         # the time to live (TTL) value cap for RRsets and messages in the
  136.         # cache. Items are not cached for longer. In seconds.
  137.         # cache-max-ttl: 86400
  138.  
  139.         # the time to live (TTL) value for cached roundtrip times, lameness
  140.         # and EDNS version information for hosts. In seconds.
  141.         # infra-host-ttl: 900
  142.  
  143.         # the number of slabs to use for the Infrastructure cache.
  144.         # the number of slabs must be a power of 2.
  145.         # more slabs reduce lock contention, but fragment memory usage.
  146.         # infra-cache-slabs: 4
  147.  
  148.         # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
  149.         # infra-cache-numhosts: 10000
  150.  
  151.         # Enable IPv4, "yes" or "no".
  152.         # do-ip4: yes
  153.  
  154.         # Enable IPv6, "yes" or "no".
  155.         do-ip6: no
  156.  
  157.         # Enable UDP, "yes" or "no".
  158.         # NOTE: if setting up an unbound on tls443 for public use, you might want to
  159.         # disable UDP to avoid being used in DNS amplification attacks.
  160.         # do-udp: yes
  161.  
  162.         # Enable TCP, "yes" or "no".
  163.         # do-tcp: yes
  164.  
  165.         # upstream connections use TCP only (and no UDP), "yes" or "no"
  166.         # useful for tunneling scenarios, default no.
  167.         # tcp-upstream: no
  168.  
  169.         # Detach from the terminal, run in background, "yes" or "no".
  170.         # do-daemonize: yes
  171.  
  172.         # control which clients are allowed to make (recursive) queries
  173.         # to this server. Specify classless netblocks with /size and action.
  174.         # By default everything is refused, except for localhost.
  175.         # Choose deny (drop message), refuse (polite error reply),
  176.         # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
  177.         # access-control: 0.0.0.0/0 refuse
  178.         # access-control: 127.0.0.0/8 allow
  179.         # access-control: ::0/0 refuse
  180.         # access-control: ::1 allow
  181.         # access-control: ::ffff:127.0.0.1 allow
  182.  
  183.         # if given, a chroot(2) is done to the given directory.
  184.         # i.e. you can chroot to the working directory, for example,
  185.         # for extra security, but make sure all files are in that directory.
  186.         #
  187.         # If chroot is enabled, you should pass the configfile (from the
  188.         # commandline) as a full path from the original root. After the
  189.         # chroot has been performed the now defunct portion of the config
  190.         # file path is removed to be able to reread the config after a reload.
  191.         #
  192.         # All other file paths (working dir, logfile, roothints, and
  193.         # key files) can be specified in several ways:
  194.         #       o as an absolute path relative to the new root.
  195.         #       o as a relative path to the working directory.
  196.         #       o as an absolute path relative to the original root.
  197.         # In the last case the path is adjusted to remove the unused portion.
  198.         #
  199.         # The pid file can be absolute and outside of the chroot, it is
  200.         # written just prior to performing the chroot and dropping permissions.
  201.         #
  202.         # Additionally, unbound may need to access /dev/random (for entropy).
  203.         # How to do this is specific to your OS.
  204.         #
  205.         # If you give "" no chroot is performed. The path must not end in a /.
  206.         # chroot: "/var/lib/unbound"
               # NOTE(review): "" disables the chroot, so the daemon keeps a view of
               # the whole filesystem. The only confinement this file configures is
               # the privilege drop to "unbound" below; confirm that another layer
               # (for example an SELinux policy or service-manager sandboxing) covers
               # the daemon on this host, or enable the chroot example above.
  207.         chroot: ""
  208.  
  209.         # if given, user privileges are dropped (after binding port),
  210.         # and the given username is assumed. Default is user "unbound".
  211.         # If you give "" no privileges are dropped.
               # NOTE(review): with the chroot off, this dedicated unprivileged
               # account is what limits the damage if the resolver is compromised;
               # it should own nothing it does not need to write.
  212.         username: "unbound"
  213.  
  214.         # the working directory. The relative files in this config are
  215.         # relative to this directory. If you give "" the working directory
  216.         # is not changed.
               # NOTE(review): this directory also holds the remote-control keys and
               # the included *.conf files named elsewhere in this file; it should
               # be writable by root only. Ownership and modes are not visible in
               # this listing, so verify them on the host.
  217.         directory: "/etc/unbound"
  218.  
  219.         # the log file, "" means log to stderr.
  220.         # Use of this option sets use-syslog to "no".
  221.         # logfile: ""
  222.  
  223.         # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
  224.         # log to, with identity "unbound". If yes, it overrides the logfile.
  225.         # use-syslog: yes
  226.  
  227.         # print UTC timestamp in ascii to logfile, default is epoch in seconds.
  228.         log-time-ascii: yes
  229.  
  230.         # the pid file. Can be an absolute path outside of chroot/work dir.
  231.         pidfile: "/var/run/unbound/unbound.pid"
  232.  
  233.         # file to read root hints from.
  234.         # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
  235.         # root-hints: ""
  236.  
  237.         # enable to not answer id.server and hostname.bind queries.
  238.         # hide-identity: no
  239.  
  240.         # enable to not answer version.server and version.bind queries.
  241.         # hide-version: no
  242.  
  243.         # the identity to report. Leave "" or default to return hostname.
  244.         # identity: ""
  245.  
  246.         # the version to report. Leave "" or default to return package version.
  247.         # version: ""
  248.  
  249.         # the target fetch policy.
  250.         # series of integers describing the policy per dependency depth.
  251.         # The number of values in the list determines the maximum dependency
  252.         # depth the recursor will pursue before giving up. Each integer means:
  253.         #       -1 : fetch all targets opportunistically,
  254.         #       0: fetch on demand,
  255.         #       positive value: fetch that many targets opportunistically.
  256.         # Enclose the list of numbers between quotes ("").
  257.         # target-fetch-policy: "3 2 1 0 0"
  258.  
  259.         # Harden against very small EDNS buffer sizes.
  260.         # harden-short-bufsize: no
  261.  
  262.         # Harden against unseemly large queries.
  263.         # harden-large-queries: no
  264.  
  265.         # Harden against out of zone rrsets, to avoid spoofing attempts.
  266.         harden-glue: yes
  267.  
  268.         # Harden against receiving dnssec-stripped data. If you turn it
  269.         # off, failing to validate dnskey data for a trustanchor will
  270.         # trigger insecure mode for that zone (like without a trustanchor).
  271.         # Default on, which insists on dnssec data for trust-anchored zones.
               # NOTE(review): this check belongs to DNSSEC validation. module-config
               # further down in this file is "iterator", i.e. no validator is
               # loaded, so this line presumably has no effect until validation is
               # enabled - confirm against unbound.conf(5) for the installed version.
  272.         harden-dnssec-stripped: yes
  273.  
  274.         # Harden against queries that fall under dnssec-signed nxdomain names.
  275.         harden-below-nxdomain: yes
  276.  
  277.         # Harden the referral path by performing additional queries for
  278.         # infrastructure data.  Validates the replies (if possible).
  279.         # Default off, because the lookups burden the server.  Experimental
  280.         # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
  281.         harden-referral-path: yes
  282.  
  283.         # Use 0x20-encoded random bits in the query to foil spoof attempts.
  284.         # This feature is an experimental implementation of draft dns-0x20.
  285.         # (this now fails on all GoDaddy customer domains, so disabled)
               # NOTE(review): with 0x20 off and DNSSEC validation not enabled in
               # this file, protection against forged answers rests on query-ID and
               # source-port randomisation plus the harden-* checks above; do not
               # narrow the outgoing port range on this host.
  286.         use-caps-for-id: no
  287.  
  288.         # Enforce privacy of these addresses. Strips them away from answers.
  289.         # It may cause DNSSEC validation to additionally mark it as bogus.
  290.         # Protects against 'DNS Rebinding' (uses browser as network proxy).
  291.         # Only 'private-domain' and 'local-data' names are allowed to have
  292.         # these private addresses. No default.
  293.         # private-address: 10.0.0.0/8
  294.         # private-address: 172.16.0.0/12
  295.         # private-address: 192.168.0.0/16
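  296.         # private-address: 192.254.0.0/16
               # NOTE(review): 192.254.0.0/16 is not a reserved range; the IPv4
               # link-local block is 169.254.0.0/16, which is probably what was meant.
               # Correct the value before uncommenting this line.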
  297.         # private-address: fd00::/8
  298.         # private-address: fe80::/10
  299.  
  300.         # Allow the domain (and its subdomains) to contain private addresses.
  301.         # local-data statements are allowed to contain private addresses too.
  302.         # private-domain: "example.com"
  303.  
  304.         # If nonzero, unwanted replies are not only reported in statistics,
  305.         # but also a running total is kept per thread. If it reaches the
  306.         # threshold, a warning is printed and a defensive action is taken,
  307.         # the cache is cleared to flush potential poison out of it.
  308.         # A suggested value is 10000000, the default is 0 (turned off).
  309.         unwanted-reply-threshold: 10000000
  310.  
  311.         # Do not query the following addresses. No DNS queries are sent there.
  312.         # List one address per entry. List classless netblocks with /size,
  313.         # do-not-query-address: 127.0.0.1/8
  314.         # do-not-query-address: ::1
  315.  
  316.         # if yes, the above default do-not-query-address entries are present.
  317.         # if no, localhost can be queried (for testing and debugging).
  318.         # do-not-query-localhost: yes
  319.  
  320.         # if yes, perform prefetching of almost expired message cache entries.
  321.         prefetch: yes
  322.  
  323.         # if yes, perform key lookups adjacent to normal lookups.
  324.         prefetch-key: yes
  325.  
  326.         # if yes, Unbound rotates RRSet order in response.
  327.         rrset-roundrobin: yes
  328.  
  329.         # if yes, Unbound doesn't insert authority/additional sections
  330.         # into response messages when those sections are not required.
  331.         minimal-responses: yes
  332.  
  333.         # module configuration of the server. A string with identifiers
  334.         # separated by spaces. "iterator" or "validator iterator"
               # NOTE(review): "iterator" alone makes this a non-validating resolver:
               # no DNSSEC signatures are checked, and the trust anchors and val-*
               # settings later in this clause are not used for validation. Set
               # "validator iterator" to turn validation on; until then the
               # DNSSEC-related lines in this file give no protection.
  335.         module-config: "iterator"
  336.  
  337.         # File with DLV trusted keys. Same format as trust-anchor-file.
  338.         # There can be only one DLV configured, it is trusted from root down.
  339.         # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
  340.         #
  341.         # ISC's DLV registry is being deprecated in the near future, therefore
  342.         # it is not used in the default configuration. The use of ISC's DLV
  343.         # registry is discouraged.
  344.         # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
  345.  
  346.         # File with trusted keys for validation. Specify more than one file
  347.         # with several entries, one file per entry.
  348.         # Zone file format, with DS and DNSKEY entries.
  349.         # trust-anchor-file: ""
  350.  
  351.         # File with trusted keys, kept uptodate using RFC5011 probes,
  352.         # initial file like trust-anchor-file, then it stores metadata.
  353.         # Use several entries, one per domain name, to track multiple zones.
  354.         # auto-trust-anchor-file: ""
  355.  
  356.         # Trusted key for validation. DS or DNSKEY. specify the RR on a
  357.         # single line, surrounded by "". TTL is ignored. class is IN default.
  358.         # (These examples are from August 2007 and may not be valid anymore).
  359.         # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
  360.         # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
  361.  
  362.         # File with trusted keys for validation. Specify more than one file
  363.         # with several entries, one file per entry. Like trust-anchor-file
  364.         # but has a different file format. Format is BIND-9 style format,
  365.         # the trusted-keys { name flag proto algo "key"; }; clauses are read.
  366.         # trusted-keys-file: ""
  367.         #
  368.         # trusted-keys-file: /etc/unbound/rootkey.bind
               # NOTE(review): every file matching this glob is a candidate trust
               # anchor, so /etc/unbound/keys.d must be writable by root only; a
               # key dropped there would be trusted for its zone once validation
               # is on.
  369.         trusted-keys-file: /etc/unbound/keys.d/*.key
               # NOTE(review): the RFC5011-tracked root anchor; per the
               # auto-trust-anchor-file comment earlier in this clause the daemon
               # stores metadata in it, so it sits in a directory the daemon can
               # write. Both anchor lines only matter when module-config includes
               # "validator", which it does not in this file.
  370.         auto-trust-anchor-file: "/var/lib/unbound/root.key"
  371.  
  372.         # Ignore chain of trust. Domain is treated as insecure.
  373.         # domain-insecure: "example.com"
  374.  
  375.         # Override the date for validation with a specific fixed date.
  376.         # Do not set this unless you are debugging signature inception
  377.         # and expiration. "" or "0" turns the feature off.
  378.         # val-override-date: ""
  379.  
  380.         # The time to live for bogus data, rrsets and messages. This avoids
  381.         # some of the revalidation, until the time interval expires. in secs.
  382.         # val-bogus-ttl: 60
  383.  
  384.         # The signature inception and expiration dates are allowed to be off
  385.         # by 10% of the lifetime of the signature from our local clock.
  386.         # This leeway is capped with a minimum and a maximum.  In seconds.
  387.         # val-sig-skew-min: 3600
  388.         # val-sig-skew-max: 86400
  389.  
  390.         # Should additional section of secure message also be kept clean of
  391.         # unsecure data. Useful to shield the users of this validator from
  392.         # potential bogus data in the additional section. All unsigned data
  393.         # in the additional section is removed from secure messages.
               # NOTE(review): a message is only "secure" after DNSSEC validation;
               # with module-config: "iterator" in this file no validator runs, so
               # the val-* lines here take effect only once it is added.
  394.         val-clean-additional: yes
  395.  
  396.         # Turn permissive mode on to permit bogus messages. Thus, messages
  397.         # for which security checks failed will be returned to clients,
  398.         # instead of SERVFAIL. It still performs the security checks, which
  399.         # result in interesting log files and possibly the AD bit in
  400.         # replies if the message is found secure. The default is off.
  401.         # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
               # Keep this at "no" when validation is enabled; use val-log-level
               # below to diagnose failures instead of passing bogus data to clients.
  402.         val-permissive-mode: no
  403.  
  404.         # Have the validator log failed validations for your diagnosis.
  405.         # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
  406.         val-log-level: 1
  407.  
  408.         # It is possible to configure NSEC3 maximum iteration counts per
  409.         # keysize. Keep this table very short, as linear search is done.
  410.         # A message with an NSEC3 with larger count is marked insecure.
  411.         # List in ascending order the keysize and count values.
  412.         # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
  413.  
  414.         # instruct the auto-trust-anchor-file probing to add anchors after ttl.
  415.         # add-holddown: 2592000 # 30 days
  416.  
  417.         # instruct the auto-trust-anchor-file probing to del anchors after ttl.
  418.         # del-holddown: 2592000 # 30 days
  419.  
  420.         # auto-trust-anchor-file probing removes missing anchors after ttl.
  421.         # If the value 0 is given, missing anchors are not removed.
  422.         # keep-missing: 31622400 # 366 days
  423.  
  424.         # the amount of memory to use for the key cache.
  425.         # plain value in bytes or you can append k, m or G. default is "4Mb".
  426.         # key-cache-size: 4m
  427.  
  428.         # the number of slabs to use for the key cache.
  429.         # the number of slabs must be a power of 2.
  430.         # more slabs reduce lock contention, but fragment memory usage.
  431.         # key-cache-slabs: 4
  432.  
  433.         # the amount of memory to use for the negative cache (used for DLV).
  434.         # plain value in bytes or you can append k, m or G. default is "1Mb".
  435.         # neg-cache-size: 1m
  436.  
  437.         # a number of locally served zones can be configured.
  438.         #       local-zone: <zone> <type>
  439.         #       local-data: "<resource record string>"
  440.         # o deny serves local data (if any), else, drops queries.
  441.         # o refuse serves local data (if any), else, replies with error.
  442.         # o static serves local data, else, nxdomain or nodata answer.
  443.         # o transparent serves local data, but resolves normally for other names
  444.         # o redirect serves the zone data for any subdomain in the zone.
  445.         # o nodefault can be used to normally resolve AS112 zones.
  446.         # o typetransparent resolves normally for other types and other names
  447.         #
  448.         # defaults are localhost address, reverse for 127.0.0.1 and ::1
  449.         # and nxdomain for AS112 zones. If you configure one of these zones
  450.         # the default content is omitted, or you can omit it with 'nodefault'.
  451.         #
  452.         # If you configure local-data without specifying local-zone, by
  453.         # default a transparent local-zone is created for the data.
  454.         #
  455.         # You can add locally served data with
  456.         # local-zone: "local." static
  457.         # local-data: "mycomputer.local. IN A 192.0.2.51"
  458.         # local-data: 'mytext.local TXT "content of text record"'
  459.         #
  460.         # You can override certain queries with
  461.         # local-data: "adserver.example.com A 127.0.0.1"
  462.         #
  463.         # You can redirect a domain to a fixed address with
  464.         # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
  465.         # local-zone: "example.com" redirect
  466.         # local-data: "example.com A 192.0.2.3"
  467.         #
  468.         # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
  469.         # You can also add PTR records using local-data directly, but then
  470.         # you need to do the reverse notation yourself.
  471.         # local-data-ptr: "192.0.2.3 www.example.com"
  472.  
               # Pulls every *.conf file in local.d into the server clause.
               # NOTE(review): those files are not part of this listing and can add
               # or change any server option (interface, access-control,
               # module-config, local-data), so the effective configuration cannot
               # be judged from this file alone. The directory should be writable
               # by root only; verify on the host.
  473.         include: /etc/unbound/local.d/*.conf
  474.  
  475.         # service clients over SSL (on the TCP sockets), with plain DNS inside
  476.         # the SSL stream.  Give the certificate to use and private key.
  477.         # default is "" (disabled).  requires restart to take effect.
  478.         # ssl-service-key: "/etc/unbound/unbound_server.key"
  479.         # ssl-service-pem: "/etc/unbound/unbound_server.pem"
  480.         # ssl-port: 443
  481.  
  482.         # request upstream over SSL (with plain DNS inside the SSL stream).
  483.         # Default is no.  Can be turned on and off with unbound-control.
  484.         # ssl-upstream: no
  485.  
  486. ## Python config section. To enable:
  487. ## o use --with-pythonmodule to configure before compiling.
  488. ## o list python in the module-config string (above) to enable.
  489. ## o and give a python-script to run.
  490. #python:
  491. #       # Script file to load
  492. #       # python-script: "/etc/unbound/ubmodule-tst.py"
  493.  
  494.  
  495. # Remote control config section.
       # NOTE(review): unbound-control is an administrative channel to the running
       # daemon and should be treated as one. Access is decided by the key and
       # certificate files named below.
  496. remote-control:
  497.         # Enable remote control with unbound-control(8) here.
  498.         # set up the keys and certificates with unbound-control-setup.
  499.         # Note: required for unbound-munin package
  500.         control-enable: yes
  501.  
  502.         # what interfaces are listened to for remote control.
  503.         # give 0.0.0.0 and ::0 to listen to all interfaces.
               # NOTE(review): both lines below are commented out, so the control
               # listener stays on its default (presumably the loopback addresses
               # shown - confirm in unbound.conf(5)). Keep it on loopback unless
               # remote administration is a stated requirement.
  504.         # control-interface: 127.0.0.1
  505.         # control-interface: ::1
  506.  
  507.         # port number for remote control operations.
  508.         # control-port: 953
  509.  
  510.         # unbound server key file.
               # NOTE(review): this is the same path as the commented
               # ssl-service-key example in the server clause. If TLS service to
               # clients is ever enabled, give it its own key pair rather than
               # sharing the control-channel key.
  511.         server-key-file: "/etc/unbound/unbound_server.key"
  512.  
  513.         # unbound server certificate file.
  514.         server-cert-file: "/etc/unbound/unbound_server.pem"
  515.  
  516.         # unbound-control key file.
               # NOTE(review): this is the client credential for the control
               # channel. Restrict read access to root and the monitoring account
               # that needs it; file modes are not visible in this listing.
  517.         control-key-file: "/etc/unbound/unbound_control.key"
  518.  
  519.         # unbound-control certificate file.
  520.         control-cert-file: "/etc/unbound/unbound_control.pem"
  521.  
  522. # Stub and Forward zones
       # NOTE(review): the active stub-zone / forward-zone clauses, if any, live in
       # the conf.d files included here and are not shown in this listing. A
       # forward-zone named "." there would send every query to the listed
       # upstream, so review those files together with this one and keep the
       # directory writable by root only.
  523.  
  524. include: /etc/unbound/conf.d/*.conf
  525.  
  526. # Stub zones.
  527. # Create entries like below, to make all queries for 'example.com' and
  528. # 'example.org' go to the given list of nameservers. list zero or more
  529. # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
  530. # the list is treated as priming hints (default is no).
  531. # stub-zone:
  532. #       name: "example.com"
  533. #       stub-addr: 192.0.2.68
  534. #       stub-prime: "no"
  535. # stub-zone:
  536. #       name: "example.org"
  537. #       stub-host: ns.example.com.
  538. # You can now also dynamically create and delete stub-zone's using
  539. # unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
  540. # unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
  541.  
  542. # Forward zones
  543. # Create entries like below, to make all queries for 'example.com' and
  544. # 'example.org' go to the given list of servers. These servers have to handle
  545. # recursion to other nameservers. List zero or more nameservers by hostname
  546. # or by ipaddress. Use an entry with name "." to forward all queries.
  547. # If you enable forward-first, it attempts without the forward if it fails.
  548. # forward-zone:
  549. #       name: "example.com"
  550. #       forward-addr: 192.0.2.68
  551. #       forward-addr: 192.0.2.73@5355  # forward to port 5355.
  552. #       forward-first: no
  553. # forward-zone:
  554. #       name: "example.org"
  555. #       forward-host: fwd.example.com
  556. #
  557. # You can now also dynamically create and delete forward-zone's using
  558. # unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
  559. # unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8