Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # unbound.conf for a sweet dual stack home lan
- server:
- # log verbosity
- verbosity: 1
- # specify the interfaces to answer queries from by ip-address. The default
- # is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
- # bind to all available interfaces. specify every interface[@port] on a new
- # 'interface:' labeled line. The listen interfaces are not changed on
- # reload, only on restart.
- interface: 192.168.43.11
- # interface: 192.0.2.154@5003
- interface: fd23:54d2:456::11
- # port to answer queries from
- port: 53
- # Enable IP4, "yes" or "no".
- do-ip4: yes
- # Enable IP6, "yes" or "no".
- do-ip6: yes
- # Enable UDP, "yes" or "no".
- do-udp: yes
- # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
- # quicker to resolve as the functions related to TCP checks are not done.
- # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
- # due to their size.
- do-tcp: no
- # control which client ips are allowed to make (recursive) queries to this
- # server. Specify classless netblocks with /size and action. By default
- # everything is refused, except for localhost. Choose deny (drop message),
- # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
- # and nonrecursive ok)
- access-control: 127.0.0.0/8 allow
- access-control: 192.168.12.0/27 allow # ipv4 lan with 30 hosts addr
- access-control: FD23:54D2:456::/48 allow # ipv6 ULA addr for lan
- # Read the root hints from this file. Default is nothing, using built in
- # hints for the IN class. The file has the format of zone files, with root
- # nameserver names and addresses only. The default may become outdated,
- # when servers change, therefore it is good practice to use a root-hints
- # file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
- root-hints: "/usr/local/etc/unbound/root.hints"
- # enable to not answer id.server and hostname.bind queries.
- hide-identity: yes
- # enable to not answer version.server and version.bind queries.
- hide-version: yes
- # Will trust glue only if it is within the servers authority.
- # Harden against out of zone rrsets, to avoid spoofing attempts.
- # Hardening queries multiple name servers for the same data to make
- # spoofing significantly harder and does not mandate dnssec.
- harden-glue: yes
- # Require DNSSEC data for trust-anchored zones, if such data is absent, the
- # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
- # turn it off, failing to validate dnskey data for a trustanchor will trigger
- # insecure mode for that zone (like without a trustanchor). Default on,
- # which insists on dnssec data for trust-anchored zones.
- harden-dnssec-stripped: yes
- # Use 0x20-encoded random bits in the query to foil spoof attempts.
- # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
- # While upper and lower case letters are allowed in domain names, no significance
- # is attached to the case. That is, two names with the same spelling but
- # different case are to be treated as if identical. This means calomel.org is the
- # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
- use-caps-for-id: yes
- # the time to live (TTL) value lower bound, in seconds. Default 0.
- # If more than an hour could easily give trouble due to stale data.
- cache-min-ttl: 3600
- # the time to live (TTL) value cap for RRsets and messages in the
- # cache. Items are not cached for longer. In seconds.
- cache-max-ttl: 86400
- # perform prefetching of close to expired message cache entries. If a client
- # requests the dns lookup and the TTL of the cached hostname is going to
- # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
- # host to the client and (2nd) pre-fetch the dns request from the remote dns
- # server. This method has been shown to increase the amount of cached hits by
- # local clients by 10% on average.
- prefetch: yes
- # Increase the memory size of the cache. Use roughly twice as much rrset cache
- # memory as you use msg cache memory. Due to malloc overhead, the total memory
- # usage is likely to rise to double (or 2.5x) the total cache memory. The test
- # box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
- rrset-cache-size: 256m
- msg-cache-size: 128m
- # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
- # the kernel buffer larger so that no messages are lost in spikes in the traffic.
- so-rcvbuf: 1m
- # Enforce privacy of these addresses. Strips them away from answers. It may
- # cause DNSSEC validation to additionally mark it as bogus. Protects against
- # 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
- # 'local-data' names are allowed to have these private addresses. No default.
- private-address: 192.168.0.0/16
- private-address: 172.16.0.0/12
- private-address: 10.0.0.0/8
- # Allow the domain (and its subdomains) to contain private addresses.
- # local-data statements are allowed to contain private addresses too.
- private-domain: "localnet.tld"
- # If nonzero, unwanted replies are not only reported in statistics, but also
- # a running total is kept per thread. If it reaches the threshold, a warning
- # is printed and a defensive action is taken, the cache is cleared to flush
- # potential poison out of it. A suggested value is 10000000, the default is
- # 0 (turned off). We think 10K is a good value.
- unwanted-reply-threshold: 10000
- # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
- # localhost you will want to allow the resolver to send queries to localhost.
- # Make sure to set do-not-query-localhost: yes . If yes, the above default
- # do-not-query-address entries are present. if no, localhost can be queried
- # (for testing and debugging).
- do-not-query-localhost: no# File with trusted keys, kept up to date using RFC5011 probes, initial file
- # like trust-anchor-file, then it stores metadata. Use several entries, one
- # per domain name, to track multiple zones. If you use forward-zone below to
- # query the Google DNS servers you MUST comment out this option or all DNS
- # queries will fail.
- #auto-trust-anchor-file: "/var/unbound/etc/root.key"
- # Should additional section of secure message also be kept clean of unsecure
- # data. Useful to shield the users of this validator from potential bogus
- # data in the additional section. All unsigned data in the additional section
- # is removed from secure messages.
- val-clean-additional: yes
- # entries for lan hosts to have DNS.
- # It is recommended that you use a random ULA address scheme for your localnet.
- # http://unique-local-ipv6.com/# will generate one for you.
- local-zone: "localnet.tld." static
- local-data: "gateway.localnet.tld. IN A 192.168.43.1"
- local-data: "gateway.localnet.tld. IN AAAA FD23:54D2:456::1"
- local-data: "dd-wrt.localnet.tld. IN A 192.168.43.2"
- local-data: "dd-wrt.localnet.tld. IN AAAA FD23:54D2:456::2"
- local-data: "daemon.localnet.tld. IN A 192.168.43.3"
- local-data: "daemon.localnet.tld. IN AAAA FD23:54D2:456::3"
- local-data: "c2960g8.localnet.tld. IN A 192.168.43.4"
- local-data: "c2960g8.localnet.tld. IN AAAA FD23:54D2:456::4"
- local-data: "c2960f24.localnet.tld. IN A 192.168.43.5"
- local-data: "c2960f24.localnet.tld. IN AAAA FD23:54D2:456::5"
- local-data: "r1841.localnet.tld. IN A 192.168.43.6"
- local-data: "r1841.localnet.tld. IN AAAA FD23:54D2:456::6"
- local-data: "beastie.localnet.tld. IN A 192.168.43.7"
- local-data: "beastie.localnet.tld. IN AAAA FD23:54D2:456::7"
- local-data: "archlin.localnet.tld. IN A 192.168.43.8"
- local-data: "archlin.localnet.tld. IN AAAA FD23:54D2:456::8"
- local-data: "cam2.localnet.tld. IN A 192.168.43.9"
- local-data: "cam2.localnet.tld. IN AAAA FD23:54D2:456::9"
- local-data: "mbp.localnet.tld. IN A 192.168.43.10"
- local-data: "mbp.localnet.tld. IN AAAA FD23:54D2:456::10"
- local-data: "rpi3.localnet.tld. IN A 192.168.43.11"
- local-data: "rpi3.localnet.tld. IN AAAA FD23:54D2:456::11"
- local-data: "macpro.localnet.tld. IN A 192.168.43.12"
- local-data: "macpro.localnet.tld. IN AAAA FD23:54D2:456::12"
- local-data: "rs-phone.localnet.tld. IN A 192.168.43.13"
- local-data: "rs-phone.localnet.tld. IN AAAA FD23:54D2:456::13"
- local-data: "cam.localnet.tld. IN A 192.168.43.14"
- local-data: "cam.localnet.tld. IN AAAA FD23:54D2:456::14"
- local-data: "ps4.localnet.tld. IN A 192.168.43.15"
- local-data: "ps4.localnet.tld. IN AAAA FD23:54D2:456::15"
- local-data: "dhcp16.localnet.tld. IN A 192.168.43.16"
- local-data: "dhcp16.localnet.tld. IN AAAA FD23:54D2:456::16"
- local-data: "dhcp17.localnet.tld. IN A 192.168.43.17"
- local-data: "dhcp17.localnet.tld. IN AAAA FD23:54D2:456::17"
- local-data: "appletv.localnet.tld. IN A 192.168.43.18"
- local-data: "appletv.localnet.tld. IN AAAA FD23:54D2:456::18"
- local-data: "dhcp19.localnet.tld. IN A 192.168.43.19"
- local-data: "dhcp19.localnet.tld. IN AAAA FD23:54D2:456::19"
- local-data: "dhcp21.localnet.tld. IN A 192.168.43.21"
- local-data: "dhcp21.localnet.tld. IN AAAA FD23:54D2:456::21"
- local-data: "dhcp22.localnet.tld. IN A 192.168.43.22"
- local-data: "dhcp22.localnet.tld. IN AAAA FD23:54D2:456::22"
- local-data: "dchp23.localnet.tld. IN A 192.168.43.23"
- local-data: "dhcp23.localnet.tld. IN AAAA FD23:54D2:456::23"
- local-data: "dhcp24.localnet.tld. IN A 192.168.43.24"
- local-data: "dhcp24.localnet.tld. IN AAAA FD23:54D2:456::24"
- local-data: "dhcp25.localnet.tld. IN A 192.168.43.25"
- local-data: "dhcp25.localnet.tld. IN AAAA FD23:54D2:456::25"
- local-data: "dhcp26.localnet.tld. IN A 192.168.43.26"
- local-data: "dhcp26.localnet.tld. IN AAAA FD23:54D2:456::26"
- local-data: "dhcp27.localnet.tld. IN A 192.168.43.27"
- local-data: "dhcp27.localnet.tld. IN AAAA FD23:54D2:456::27"
- local-data: "dhcp28.localnet.tld. IN A 192.168.43.28"
- local-data: "dhcp28.localnet.tld. IN AAAA FD23:54D2:456::28"
- local-data: "dhcp29.localnet.tld. IN A 192.168.43.29"
- local-data: "dhcp29.localnet.tld. IN AAAA FD23:54D2:456::29"
- local-data: "dhcp30.localnet.tld. IN A 192.168.43.30"
- local-data: "dhcp30.localnet.tld. IN AAAA FD23:54D2:456::30"
- # rev pointers
- local-data-ptr: "192.168.43.1 gateway.localnet.tld"
- local-data-ptr: "FD23:54D2:456::1 gateway.localnet.tld"
- local-data-ptr: "192.168.43.2 dd-wrt.localnet.tld"
- local-data-ptr: "FD23:54D2:456::2 dd-wrt.localnet.tld"
- local-data-ptr: "192.168.43.3 daemon.localnet.tld"
- local-data-ptr: "FD23:54D2:456::3 daemon.localnet.tld"
- local-data-ptr: "192.168.43.4 c2960g8.localnet.tld"
- local-data-ptr: "FD23:54D2:456::4 c2960g8.localnet.tld"
- local-data-ptr: "192.168.43.5 c2960f24.localnet.tld"
- local-data-ptr: "FD23:54D2:456::5 c2960f24.localnet.tld"
- local-data-ptr: "192.168.43.6 r1841.localnet.tld"
- local-data-ptr: "FD23:54D2:456::6 r1841.localnet.tld"
- local-data-ptr: "192.168.43.7 beastie.localnet.tld"
- local-data-ptr: "FD23:54D2:456::7 beastie.localnet.tld"
- local-data-ptr: "192.168.43.8 archlin.localnet.tld"
- local-data-ptr: "FD23:54D2:456::8 archlin.localnet.tld"
- local-data-ptr: "192.168.43.9 cam2.localnet.tld"
- local-data-ptr: "FD23:54D2:456::9 cam2.localnet.tld"
- local-data-ptr: "192.168.43.10 mbp.localnet.tld"
- local-data-ptr: "FD23:54D2:456::10 mbp.localnet.tld"
- local-data-ptr: "192.168.43.11 rpi3.localnet.tld"
- local-data-ptr: "FD23:54D2:456::11 rpi3.localnet.tld"
- local-data-ptr: "192.168.43.12 macpro.localnet.tld"
- local-data-ptr: "FD23:54D2:456::12 macpro.localnet.tld"
- local-data-ptr: "192.168.43.13 rs-phone.localnet.tld"
- local-data-ptr: "FD23:54D2:456::13 rs-phone.localnet.tld"
- local-data-ptr: "192.168.43.14 cam.localnet.tld"
- local-data-ptr: "FD23:54D2:456::14 cam.localnet.tld"
- local-data-ptr: "192.168.43.15 ps4.localnet.tld"
- local-data-ptr: "FD23:54D2:456::15 ps4.localnet.tld"
- local-data-ptr: "192.168.43.16 dhcp16.localnet.tld"
- local-data-ptr: "FD23:54D2:456::16 dhcp16.localnet.tld"
- local-data-ptr: "192.168.43.17 dhcp17.localnet.tld"
- local-data-ptr: "FD23:54D2:456::17 dhcp17.localnet.tld"
- local-data-ptr: "192.168.43.18 appletv.localnet.tld"
- local-data-ptr: "FD23:54D2:456::18 appletv.localnet.tld"
- local-data-ptr: "192.168.43.19 dhcp19.localnet.tld"
- local-data-ptr: "FD23:54D2:456::19 dhcp19.localnet.tld"
- local-data-ptr: "192.168.43.20 hp79.localnet.tld"
- local-data-ptr: "FD23:54D2:456::20 hp79.localnet.tld"
- local-data-ptr: "192.168.43.23 dhcp23.localnet.tld"
- local-data-ptr: "FD23:54D2:456::23 dhcp23.localnet.tld"
- local-data-ptr: "192.168.43.24 dhcp24.localnet.tld"
- local-data-ptr: "FD23:54D2:456::24 dhcp24.localnet.tld"
- local-data-ptr: "192.168.43.25 dhcp25.localnet.tld"
- local-data-ptr: "FD23:54D2:456::25 dhcp25.localnet.tld"
- local-data-ptr: "192.168.43.26 dhcp26.localnet.tld"
- local-data-ptr: "FD23:54D2:456::26 dhcp26.localnet.tld"
- local-data-ptr: "192.168.43.27 dhcp27.localnet.tld"
- local-data-ptr: "FD23:54D2:456::27 dhcp27.localnet.tld"
- local-data-ptr: "192.168.43.28 dhcp28.localnet.tld"
- local-data-ptr: "FD23:54D2:456::28 dhcp28.localnet.tld"
- local-data-ptr: "192.168.43.29 dhcp29.localnet.tld"
- local-data-ptr: "FD23:54D2:456::29 dhcp29.localnet.tld"
- local-data-ptr: "192.168.43.30 dhcp30.localnet.tld"
- local-data-ptr: "FD23:54D2:456::30 dhcp30.localnet.tld"
- forward-zone:
- name: "."
- forward-addr: 127.0.0.2 # local dnscrypt proxy
- #forward-addr: 8.8.4.4 # Google
- #forward-addr: 8.8.8.8i # Google
- #forward-addr: 37.235.1.174 # FreeDNS
- #forward-addr: 37.235.1.177 # FreeDNS
- #forward-addr: 50.116.23.211 # OpenNIC
- #forward-addr: 64.6.64.6 # Verisign
- #forward-addr: 64.6.65.6 # Verisign
- #forward-addr: 84.200.69.80 # DNS Watch
- #forward-addr: 84.200.70.40 # DNS Watch
- #forward-addr: 2001:1608:10:25::1c04:b12f # DNS Watch
- #forward-addr: 2001:1608:10:25::9249:d69b # DNS Watch
- #forward-addr: 208.67.222.220 # OpenDNS
- #forward-addr: 208.67.222.222 # OpenDNS
- #forward-addr: 216.146.35.35 # Dyn Public
- #forward-addr: 216.146.36.36 # Dyn Public
- remote-control:
- # Enable remote control with unbound-control(8) here.
- # set up the keys and certificates with unbound-control-setup.
- control-enable: yes
- # Set to no and use an absolute path as control-interface to use
- # a unix local named pipe for unbound-control.
- control-use-cert: yes
- # what interfaces are listened to for remote control.
- # give 0.0.0.0 and ::0 to listen to all interfaces.
- control-interface: 127.0.0.1
- # control-interface: ::1
- # port number for remote control operations.
- control-port: 8953
- # unbound server key file.
- server-key-file: "/usr/local/etc/unbound/unbound_server.key"
- # unbound server certificate file.
- server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
- # unbound-control key file.
- control-key-file: "/usr/local/etc/unbound/unbound_control.key"
- # unbound-control certificate file.
- control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
- DNSCrypt
- # Caveats:
- # 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
- # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
- # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
- # listen on `dnscrypt-port` with the follo0wing snippet:
- # server:
- # interface: 0.0.0.0@443
- # interface: ::0@443
- #
- # Finally, `dnscrypt` config has its own section.
- # dnscrypt:
- # dnscrypt-enable: yes
- # dnscrypt-port: 443
- # dnscrypt-provider: 2.dnscrypt-cert.example.com.
- # dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
- # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
- # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
- # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement