- # unbound DNS server master config
- #
- server:
- # base folder, this allows the use of relative paths instead of
- # absolute ones and helps keep the config file compact, not mandatory
- # but it certainly won't hurt
- directory: "%EXECUTABLE%"
- # logging, it's recommended to leave it enabled and, in case of issues,
- # to increase the verbosity level so that you'll have some detailed
- # information to track down and possibly solve the problem; higher
- # levels log per-query detail, so keep access to the log file restricted
- verbosity: 1
- logfile: "unbound.log"
- log-identity: "unbound"
- log-time-ascii: yes
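- # listen interfaces and port, uncomment "::0" to listen on IPv6 too;
- # 0.0.0.0 binds every IPv4 interface of the host, so the
- # access-control list below (plus the host firewall) is what keeps
- # this from answering as an open resolver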
- interface: 0.0.0.0
- #interface: ::0
- port: 53
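- # who can query the server, adjust for your needs; allow only the
- # ranges your clients really use; note that link-local is
- # 169.254.0.0/16, so narrow the commented /8 entry before enabling it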
- access-control: 127.0.0.0/8 allow
- #access-control: 10.0.0.0/8 allow
- #access-control: 172.16.0.0/12 allow
- access-control: 192.168.0.0/16 allow
- #access-control: 169.254.0.0/8 allow
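- # private subnets, adjust for your needs; addresses in these ranges
- # are removed from answers for public names (DNS rebinding
- # protection), names that must resolve to them need a private-domain
- # entry; link-local is 169.254.0.0/16, so fix the commented /8 entry
- # before enabling it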
- #private-address: 10.0.0.0/8
- #private-address: 172.16.0.0/12
- private-address: 192.168.0.0/16
- #private-address: 169.254.0.0/8
- # trust anchors, this should be installed during setup, for further
- # information about this file, please see the unbound documentation;
- # unbound updates the file itself, so it must stay writable by the
- # account running unbound
- auto-trust-anchor-file: "root.key"
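- # root CA certificate list, used to authenticate TLS connections to
- # upstream servers; not mandatory, but won't hurt; it can be fetched
- # from a number of sources, the one I used is below; this file decides
- # which CAs are trusted, so only take it from a source you trust and
- # refresh it from time to time
- #https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt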
- tls-cert-bundle: "ca-bundle.crt"
- # root hints, not mandatory since unbound has a built-in list, but it
- # will be a good idea to fetch the updated list from the link below
- # https://www.internic.net/domain/named.root
- root-hints: "named.root"
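- # security/privacy settings, the below deal with caching times and
- # with some often overlooked "leakages", the values are reasonable,
- # but before changing them, make sure to read the manual and to have
- # a grip on how the DNS TTL/caching mechanism works; note that
- # cache-min-ttl keeps records longer than their owner's TTL, so
- # changed records can be served stale for up to that many seconds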
- aggressive-nsec: yes
- cache-max-ttl: 14400
- cache-min-ttl: 1200
- hide-identity: yes
- hide-version: yes
- hide-trustanchor: yes
- use-caps-for-id: yes
- harden-glue: yes
- harden-dnssec-stripped: yes
- val-clean-additional: yes
- prefetch: yes
- rrset-roundrobin: yes
- # adjust to CPU cores and memory, the configuration below is ok for
- # a 4-core CPU and a system with at least 2GB of RAM, feel free to
- # adjust the config, but before doing so, please read the manual
- num-threads: 4
- msg-cache-slabs: 8
- rrset-cache-slabs: 8
- infra-cache-slabs: 8
- key-cache-slabs: 8
- msg-cache-size: 256M
- rrset-cache-size: 512M
- outgoing-range: 8192
- num-queries-per-thread: 4096
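- # blocking zone, this may come from whatever suitable source, for
- # example, a good list is on https://pgl.yoyo.org/adservers/ just
- # select and download the unbound zone format and you'll be up and
- # running; an included file is read as part of this config, so
- # review a downloaded list before enabling it
- #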
- #include: "block.zone"
- # the stuff below is only needed if you're running a LAN domain
- # with a local DNS, in such a case you'll want unbound to forward
- # all queries for the LAN domain and IP range to the local DNS, the
- # example below assumes a LAN using the 192.168.1.x/24 range and a
- # DNS server sitting on 192.168.1.1 which is the case for a lot of
- # home LANs using the router as the local resolver; since DNSSEC
- # validation is on (trust anchor above), an unsigned LAN domain will
- # likely also need a domain-insecure entry, see the unbound manual
- # LAN domain and IP range
- # private-domain: "local.lan"
- # local-zone: "1.168.192.in-addr.arpa." nodefault
- # LAN forward stub zones
- # stub-zone:
- # name: "local.lan"
- # stub-no-cache: yes
- # stub-addr: 192.168.1.1@53
- # LAN reverse stub zones
- #stub-zone:
- # name: "1.168.192.in-addr.arpa."
- # stub-no-cache: yes
- # stub-addr: 192.168.1.1@53
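- # enable local unbound-control, the below will allow the use of the
- # unbound-control program to locally control the DNS and signal it
- # to perform a number of operations, it's particularly useful when
- # initially configuring the program but may also be useful later on;
- # with control-use-cert: no, any local process able to reach the
- # control port can reconfigure or stop the resolver, so keep it on
- # 127.0.0.1 and prefer certificates on a shared machine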
- #remote-control:
- # control-enable: yes
- # control-interface: 127.0.0.1
- # control-port: 8953
- # control-use-cert: no