trepaned

unbound.conf for dual stack local lan

May 1st, 2017
# unbound.conf for a sweet dual stack home lan

server:
# log verbosity
  verbosity: 1

# specify the interfaces to answer queries from by ip-address.  The default
# is to listen to localhost (127.0.0.1 and ::1).  specify 0.0.0.0 and ::0 to
# bind to all available interfaces.  specify every interface[@port] on a new
# 'interface:' labeled line.  The listen interfaces are not changed on
# reload, only on restart.
  interface: 192.168.43.11
  # interface: 192.0.2.154@5003
  interface: fd23:54d2:456::11

# port to answer queries from
  port: 53

# Enable IP4, "yes" or "no".
  do-ip4: yes

# Enable IP6, "yes" or "no".
  do-ip6: yes

# Enable UDP, "yes" or "no".
  do-udp: yes

# Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
# quicker to resolve as the functions related to TCP checks are not done.
# NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
# due to their size.
  do-tcp: no

# control which client ips are allowed to make (recursive) queries to this
# server. Specify classless netblocks with /size and action.  By default
# everything is refused, except for localhost.  Choose deny (drop message),
# refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
# and nonrecursive ok)
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.43.0/27 allow # ipv4 lan, 30 host addrs (the 192.168.43.x hosts below)
  access-control: FD23:54D2:456::/48 allow # ipv6 ULA addr for lan

# Read  the  root  hints from this file. Default is nothing, using built in
# hints for the IN class. The file has the format of  zone files,  with  root
# nameserver  names  and  addresses  only. The default may become outdated,
# when servers change,  therefore  it is good practice to use a root-hints
# file.  get one from ftp://FTP.INTERNIC.NET/domain/named.cache
  root-hints: "/usr/local/etc/unbound/root.hints"

# enable to not answer id.server and hostname.bind queries.
  hide-identity: yes

# enable to not answer version.server and version.bind queries.
  hide-version: yes

# Will trust glue only if it is within the servers authority.
# Harden against out of zone rrsets, to avoid spoofing attempts.
# Hardening queries multiple name servers for the same data to make
# spoofing significantly harder and does not mandate dnssec.
  harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
# turn it off, failing to validate dnskey data for a trustanchor will trigger
# insecure mode for that zone (like without a trustanchor).  Default on,
# which insists on dnssec data for trust-anchored zones.
  harden-dnssec-stripped: yes

# Use 0x20-encoded random bits in the query to foil spoof attempts.
# http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# While upper and lower case letters are allowed in domain names, no significance
# is attached to the case. That is, two names with the same spelling but
# different case are to be treated as if identical. This means calomel.org is the
# same as CaLoMeL.Org which is the same as CALOMEL.ORG.
  use-caps-for-id: yes

# the time to live (TTL) value lower bound, in seconds. Default 0.
# Values above an hour can easily cause trouble due to stale data.
  cache-min-ttl: 3600

# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
  cache-max-ttl: 86400

# perform prefetching of close to expired message cache entries.  If a client
# requests the dns lookup and the TTL of the cached hostname is going to
# expire in less than 10% of its TTL, unbound will (1st) return the ip of the
# host to the client and (2nd) pre-fetch the dns request from the remote dns
# server. This method has been shown to increase the amount of cached hits by
# local clients by 10% on average.
  prefetch: yes

# Increase the memory size of the cache. Use roughly twice as much rrset cache
# memory as you use msg cache memory. Due to malloc overhead, the total memory
# usage is likely to rise to double (or 2.5x) the total cache memory. The test
# box has 4gig of ram so 256meg for rrset allows a lot of room for cached objects.
  rrset-cache-size: 256m
  msg-cache-size: 128m

# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
# the kernel buffer larger so that no messages are lost in spikes in the traffic.
  so-rcvbuf: 1m

# Enforce privacy of these addresses. Strips them away from answers.  It may
# cause DNSSEC validation to additionally mark it as bogus.  Protects against
# 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
# 'local-data' names are allowed to have these private addresses. No default.
  private-address: 192.168.0.0/16
  private-address: 172.16.0.0/12
  private-address: 10.0.0.0/8

# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
  private-domain: "localnet.tld"

# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it.  A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
  unwanted-reply-threshold: 10000

# IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
# localhost you will want to allow the resolver to send queries to localhost.
# Make sure to set do-not-query-localhost: no.  If yes, the default
# do-not-query-address entries for localhost are present; if no, localhost
# can be queried (for testing and debugging).  It must be "no" here because
# the forward-zone below sends all queries to 127.0.0.2.
  do-not-query-localhost: no

# File with trusted keys, kept up to date using RFC5011 probes, initial file
# like trust-anchor-file, then it stores metadata.  Use several entries, one
# per domain name, to track multiple zones. If you use forward-zone below to
# query the Google DNS servers you MUST comment out this option or all DNS
# queries will fail.
# NOTE: with no trust anchor configured, unbound does not validate DNSSEC at all.
#auto-trust-anchor-file: "/var/unbound/etc/root.key"

# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
  val-clean-additional: yes

# entries for lan hosts to have DNS.
# It is recommended that you use a random ULA address scheme for your localnet.
# http://unique-local-ipv6.com/# will generate one for you.
  local-zone: "localnet.tld." static
  local-data: "gateway.localnet.tld.      IN A 192.168.43.1"
  local-data: "gateway.localnet.tld.      IN AAAA FD23:54D2:456::1"
  local-data: "dd-wrt.localnet.tld.       IN A 192.168.43.2"
  local-data: "dd-wrt.localnet.tld.       IN AAAA FD23:54D2:456::2"
  local-data: "daemon.localnet.tld.       IN A 192.168.43.3"
  local-data: "daemon.localnet.tld.       IN AAAA FD23:54D2:456::3"
  local-data: "c2960g8.localnet.tld.      IN A 192.168.43.4"
  local-data: "c2960g8.localnet.tld.      IN AAAA FD23:54D2:456::4"
  local-data: "c2960f24.localnet.tld.     IN A 192.168.43.5"
  local-data: "c2960f24.localnet.tld.     IN AAAA FD23:54D2:456::5"
  local-data: "r1841.localnet.tld.        IN A 192.168.43.6"
  local-data: "r1841.localnet.tld.        IN AAAA FD23:54D2:456::6"
  local-data: "beastie.localnet.tld.      IN A 192.168.43.7"
  local-data: "beastie.localnet.tld.      IN AAAA FD23:54D2:456::7"
  local-data: "archlin.localnet.tld.      IN A 192.168.43.8"
  local-data: "archlin.localnet.tld.      IN AAAA FD23:54D2:456::8"
  local-data: "cam2.localnet.tld.         IN A 192.168.43.9"
  local-data: "cam2.localnet.tld.         IN AAAA FD23:54D2:456::9"
  local-data: "mbp.localnet.tld.          IN A 192.168.43.10"
  local-data: "mbp.localnet.tld.          IN AAAA FD23:54D2:456::10"
  local-data: "rpi3.localnet.tld.         IN A 192.168.43.11"
  local-data: "rpi3.localnet.tld.         IN AAAA FD23:54D2:456::11"
  local-data: "macpro.localnet.tld.       IN A 192.168.43.12"
  local-data: "macpro.localnet.tld.       IN AAAA FD23:54D2:456::12"
  local-data: "rs-phone.localnet.tld.     IN A 192.168.43.13"
  local-data: "rs-phone.localnet.tld.     IN AAAA FD23:54D2:456::13"
  local-data: "cam.localnet.tld.          IN A 192.168.43.14"
  local-data: "cam.localnet.tld.          IN AAAA FD23:54D2:456::14"
  local-data: "ps4.localnet.tld.          IN A 192.168.43.15"
  local-data: "ps4.localnet.tld.          IN AAAA FD23:54D2:456::15"
  local-data: "dhcp16.localnet.tld.       IN A 192.168.43.16"
  local-data: "dhcp16.localnet.tld.       IN AAAA FD23:54D2:456::16"
  local-data: "dhcp17.localnet.tld.       IN A 192.168.43.17"
  local-data: "dhcp17.localnet.tld.       IN AAAA FD23:54D2:456::17"
  local-data: "appletv.localnet.tld.      IN A 192.168.43.18"
  local-data: "appletv.localnet.tld.      IN AAAA FD23:54D2:456::18"
  local-data: "dhcp19.localnet.tld.       IN A 192.168.43.19"
  local-data: "dhcp19.localnet.tld.       IN AAAA FD23:54D2:456::19"
  local-data: "dhcp21.localnet.tld.       IN A 192.168.43.21"
  local-data: "dhcp21.localnet.tld.       IN AAAA FD23:54D2:456::21"
  local-data: "dhcp22.localnet.tld.       IN A 192.168.43.22"
  local-data: "dhcp22.localnet.tld.       IN AAAA FD23:54D2:456::22"
  local-data: "dhcp23.localnet.tld.       IN A 192.168.43.23"
  local-data: "dhcp23.localnet.tld.       IN AAAA FD23:54D2:456::23"
  local-data: "dhcp24.localnet.tld.       IN A 192.168.43.24"
  local-data: "dhcp24.localnet.tld.       IN AAAA FD23:54D2:456::24"
  local-data: "dhcp25.localnet.tld.       IN A 192.168.43.25"
  local-data: "dhcp25.localnet.tld.       IN AAAA FD23:54D2:456::25"
  local-data: "dhcp26.localnet.tld.       IN A 192.168.43.26"
  local-data: "dhcp26.localnet.tld.       IN AAAA FD23:54D2:456::26"
  local-data: "dhcp27.localnet.tld.       IN A 192.168.43.27"
  local-data: "dhcp27.localnet.tld.       IN AAAA FD23:54D2:456::27"
  local-data: "dhcp28.localnet.tld.       IN A 192.168.43.28"
  local-data: "dhcp28.localnet.tld.       IN AAAA FD23:54D2:456::28"
  local-data: "dhcp29.localnet.tld.       IN A 192.168.43.29"
  local-data: "dhcp29.localnet.tld.       IN AAAA FD23:54D2:456::29"
  local-data: "dhcp30.localnet.tld.       IN A 192.168.43.30"
  local-data: "dhcp30.localnet.tld.       IN AAAA FD23:54D2:456::30"

# rev pointers
  local-data-ptr: "192.168.43.1           gateway.localnet.tld"
  local-data-ptr: "FD23:54D2:456::1       gateway.localnet.tld"
  local-data-ptr: "192.168.43.2           dd-wrt.localnet.tld"
  local-data-ptr: "FD23:54D2:456::2       dd-wrt.localnet.tld"
  local-data-ptr: "192.168.43.3           daemon.localnet.tld"
  local-data-ptr: "FD23:54D2:456::3       daemon.localnet.tld"
  local-data-ptr: "192.168.43.4           c2960g8.localnet.tld"
  local-data-ptr: "FD23:54D2:456::4       c2960g8.localnet.tld"
  local-data-ptr: "192.168.43.5           c2960f24.localnet.tld"
  local-data-ptr: "FD23:54D2:456::5       c2960f24.localnet.tld"
  local-data-ptr: "192.168.43.6           r1841.localnet.tld"
  local-data-ptr: "FD23:54D2:456::6       r1841.localnet.tld"
  local-data-ptr: "192.168.43.7           beastie.localnet.tld"
  local-data-ptr: "FD23:54D2:456::7       beastie.localnet.tld"
  local-data-ptr: "192.168.43.8           archlin.localnet.tld"
  local-data-ptr: "FD23:54D2:456::8       archlin.localnet.tld"
  local-data-ptr: "192.168.43.9           cam2.localnet.tld"
  local-data-ptr: "FD23:54D2:456::9       cam2.localnet.tld"
  local-data-ptr: "192.168.43.10          mbp.localnet.tld"
  local-data-ptr: "FD23:54D2:456::10      mbp.localnet.tld"
  local-data-ptr: "192.168.43.11          rpi3.localnet.tld"
  local-data-ptr: "FD23:54D2:456::11      rpi3.localnet.tld"
  local-data-ptr: "192.168.43.12          macpro.localnet.tld"
  local-data-ptr: "FD23:54D2:456::12      macpro.localnet.tld"
  local-data-ptr: "192.168.43.13          rs-phone.localnet.tld"
  local-data-ptr: "FD23:54D2:456::13      rs-phone.localnet.tld"
  local-data-ptr: "192.168.43.14          cam.localnet.tld"
  local-data-ptr: "FD23:54D2:456::14      cam.localnet.tld"
  local-data-ptr: "192.168.43.15          ps4.localnet.tld"
  local-data-ptr: "FD23:54D2:456::15      ps4.localnet.tld"
  local-data-ptr: "192.168.43.16          dhcp16.localnet.tld"
  local-data-ptr: "FD23:54D2:456::16      dhcp16.localnet.tld"
  local-data-ptr: "192.168.43.17          dhcp17.localnet.tld"
  local-data-ptr: "FD23:54D2:456::17      dhcp17.localnet.tld"
  local-data-ptr: "192.168.43.18          appletv.localnet.tld"
  local-data-ptr: "FD23:54D2:456::18      appletv.localnet.tld"
  local-data-ptr: "192.168.43.19          dhcp19.localnet.tld"
  local-data-ptr: "FD23:54D2:456::19      dhcp19.localnet.tld"
  local-data-ptr: "192.168.43.20          hp79.localnet.tld"
  local-data-ptr: "FD23:54D2:456::20      hp79.localnet.tld"
  local-data-ptr: "192.168.43.23          dhcp23.localnet.tld"
  local-data-ptr: "FD23:54D2:456::23      dhcp23.localnet.tld"
  local-data-ptr: "192.168.43.24          dhcp24.localnet.tld"
  local-data-ptr: "FD23:54D2:456::24      dhcp24.localnet.tld"
  local-data-ptr: "192.168.43.25          dhcp25.localnet.tld"
  local-data-ptr: "FD23:54D2:456::25      dhcp25.localnet.tld"
  local-data-ptr: "192.168.43.26          dhcp26.localnet.tld"
  local-data-ptr: "FD23:54D2:456::26      dhcp26.localnet.tld"
  local-data-ptr: "192.168.43.27          dhcp27.localnet.tld"
  local-data-ptr: "FD23:54D2:456::27      dhcp27.localnet.tld"
  local-data-ptr: "192.168.43.28          dhcp28.localnet.tld"
  local-data-ptr: "FD23:54D2:456::28      dhcp28.localnet.tld"
  local-data-ptr: "192.168.43.29          dhcp29.localnet.tld"
  local-data-ptr: "FD23:54D2:456::29      dhcp29.localnet.tld"
  local-data-ptr: "192.168.43.30          dhcp30.localnet.tld"
  local-data-ptr: "FD23:54D2:456::30      dhcp30.localnet.tld"

forward-zone:
  name: "."
  forward-addr: 127.0.0.2                       # local dnscrypt proxy
  #forward-addr: 8.8.4.4                        # Google
  #forward-addr: 8.8.8.8                        # Google
  #forward-addr: 37.235.1.174                   # FreeDNS
  #forward-addr: 37.235.1.177                   # FreeDNS
  #forward-addr: 50.116.23.211                  # OpenNIC
  #forward-addr: 64.6.64.6                      # Verisign
  #forward-addr: 64.6.65.6                      # Verisign
  #forward-addr: 84.200.69.80                   # DNS Watch
  #forward-addr: 84.200.70.40                   # DNS Watch
  #forward-addr: 2001:1608:10:25::1c04:b12f     # DNS Watch
  #forward-addr: 2001:1608:10:25::9249:d69b     # DNS Watch
  #forward-addr: 208.67.222.220                 # OpenDNS
  #forward-addr: 208.67.222.222                 # OpenDNS
  #forward-addr: 216.146.35.35                  # Dyn Public
  #forward-addr: 216.146.36.36                  # Dyn Public

remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
  control-enable: yes

# Set to no and use an absolute path as control-interface to use
# a unix local named pipe for unbound-control.
  control-use-cert: yes

# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
  control-interface: 127.0.0.1
  # control-interface: ::1

# port number for remote control operations.
  control-port: 8953

# unbound server key file.
  server-key-file: "/usr/local/etc/unbound/unbound_server.key"

# unbound server certificate file.
  server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

# unbound-control key file.
  control-key-file: "/usr/local/etc/unbound/unbound_control.key"

# unbound-control certificate file.
  control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

# DNSCrypt
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
#   for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
#   listen on `dnscrypt-port` with the following snippet:
# server:
#     interface: 0.0.0.0@443
#     interface: ::0@443
#
# Finally, `dnscrypt` config has its own section.
# dnscrypt:
#     dnscrypt-enable: yes
#     dnscrypt-port: 443
#     dnscrypt-provider: 2.dnscrypt-cert.example.com.
#     dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
#     dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
#     dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
#     dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
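A hand-maintained local-data / local-data-ptr list like the one above drifts easily: a typo in a host name, a PTR without its forward record, a host with only an A record, or an access-control netblock that does not actually cover the hosts. The following checker is an added example, not part of the paste or of unbound; it parses the relevant directives with regular expressions (an assumed, minimal reading of the unbound.conf syntax) and runs over a small constructed sample containing such faults.

```python
"""Consistency checks for the local-zone part of an unbound.conf (added example)."""
import ipaddress
import re
from collections import defaultdict

LOCAL_DATA_RE = re.compile(r'^\s*local-data:\s*"([^"\s]+)\s+IN\s+(A|AAAA)\s+(\S+)"')
LOCAL_PTR_RE = re.compile(r'^\s*local-data-ptr:\s*"(\S+)\s+(\S+)"')
ACCESS_RE = re.compile(r'^\s*access-control:\s*(\S+)\s+(allow|allow_snoop)\b')

def parse(conf_text):
    """Return (forward, reverse, allowed): name -> {addrs}, addr -> name, allow-listed nets."""
    forward, reverse, allowed = defaultdict(set), {}, []
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0]  # drop trailing comments
        if m := LOCAL_DATA_RE.match(line):
            name, _rtype, addr = m.groups()
            forward[name.rstrip('.').lower()].add(ipaddress.ip_address(addr))
        elif m := LOCAL_PTR_RE.match(line):
            addr, name = m.groups()
            reverse[ipaddress.ip_address(addr)] = name.rstrip('.').lower()
        elif m := ACCESS_RE.match(line):
            allowed.append(ipaddress.ip_network(m.group(1), strict=False))
    return forward, reverse, allowed

def check(forward, reverse, allowed):
    """Return a sorted list of findings; an empty list means the zone is consistent."""
    findings = []
    for name, addrs in forward.items():
        for addr in addrs:
            if addr not in reverse:
                findings.append(f"{name}: no PTR for {addr}")
            elif reverse[addr] != name:
                findings.append(f"{addr}: PTR says {reverse[addr]}, forward says {name}")
            if allowed and not any(addr in net for net in allowed):
                findings.append(f"{name}: {addr} is outside every allowed netblock")
        if {a.version for a in addrs} != {4, 6}:
            findings.append(f"{name}: not dual stack (missing an A or AAAA record)")
    for addr, name in reverse.items():
        if name not in forward:
            findings.append(f"{addr}: PTR to {name} has no matching forward record")
    return sorted(findings)

# Constructed sample: wrong IPv4 netblock and a typo'd host name (dchp23).
SAMPLE_CONF = """\
server:
  access-control: 192.168.12.0/27 allow   # hosts below live in 192.168.43.0/27
  access-control: FD23:54D2:456::/48 allow
  local-data: "gateway.localnet.tld.   IN A 192.168.43.1"
  local-data: "gateway.localnet.tld.   IN AAAA FD23:54D2:456::1"
  local-data: "dchp23.localnet.tld.    IN A 192.168.43.23"
  local-data: "dhcp23.localnet.tld.    IN AAAA FD23:54D2:456::23"
  local-data-ptr: "192.168.43.1        gateway.localnet.tld"
  local-data-ptr: "FD23:54D2:456::1    gateway.localnet.tld"
  local-data-ptr: "192.168.43.23       dhcp23.localnet.tld"
  local-data-ptr: "FD23:54D2:456::23   dhcp23.localnet.tld"
"""
```

Run `check(*parse(open("unbound.conf").read()))` against the real file; on the constructed sample it reports five findings, including the PTR/forward name mismatch on 192.168.43.23 and both 192.168.43.x hosts falling outside the allowed netblocks.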