
service.conf

a guest
Jan 17th, 2020
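  # unbound DNS server master config
  #
  # Layout note: every option down to the "LAN domain and IP range" part
  # belongs to the server: clause. stub-zone: and remote-control: are
  # clauses of their own, so once they are uncommented no server: option
  # may follow them without a new "server:" line.
  server:
    # base folder, this allows relative paths instead of absolute ones
    # and keeps the config file compact; not mandatory.
    # "%EXECUTABLE%" is the Windows form: unbound changes to the folder
    # that holds unbound.exe. The log, root.key and the files referenced
    # below then live next to the binary, so restrict write access on
    # that folder to the account the service runs as.
    directory: "%EXECUTABLE%"

    # logging, it's recommended to leave it enabled and, in case of
    # issues, to raise the verbosity level to get detailed information.
    # Higher verbosity levels write the queried names to the log file;
    # lower the level again after debugging and limit who can read the
    # file.
    verbosity: 1
    logfile: "unbound.log"
    log-identity: "unbound"
    log-time-ascii: yes


    # listen interfaces and port, uncomment "::0" to listen on IPv6 too.
    # 0.0.0.0 binds every interface of the host, including an
    # Internet-facing one if present; the access-control lines below are
    # then the only thing keeping this from acting as an open resolver.
    # Where possible bind the LAN address instead and filter port 53 on
    # the WAN side.
    interface: 0.0.0.0
    #interface: ::0
    port: 53

    # who can query the server, adjust for your needs. Netblocks that
    # are not listed keep unbound's default action (refuse), so add only
    # ranges you actually serve. When enabling "::0" above, add the
    # matching IPv6 entries (for example "::1 allow" and your LAN prefix).
    access-control: 127.0.0.0/8 allow
    #access-control: 10.0.0.0/8 allow
    #access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow
    # link-local is 169.254.0.0/16; a /8 here would also admit public
    # addresses in 169.0.0.0/8
    #access-control: 169.254.0.0/16 allow

    # private subnets, adjust for your needs. Addresses in these ranges
    # are stripped from answers for public names (DNS rebinding
    # protection); ranges left commented out are not covered. Names that
    # must legitimately resolve to private addresses are exempted with
    # private-domain (see the LAN section below).
    #private-address: 10.0.0.0/8
    #private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # link-local is 169.254.0.0/16, not /8
    #private-address: 169.254.0.0/16

    # trust anchor, this should be installed during setup (the
    # unbound-anchor tool creates it); for further information about
    # this file, please see the unbound documentation. DNSSEC validation
    # depends on this file: it must exist, and unbound needs write access
    # to it to follow root key rollovers.
    auto-trust-anchor-file: "root.key"

    # root CAs certificate list, not mandatory; it can be fetched from a
    # number of sources, the one I used is
    #https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
    # This bundle decides which certificates are trusted when upstream
    # servers are contacted over TLS (no such upstream is defined in this
    # file). Check that the source is still maintained, fetch it over
    # HTTPS and refresh it periodically; a stale or tampered bundle
    # silently changes who is trusted. On Windows, "tls-win-cert: yes"
    # uses the system certificate store instead.
    tls-cert-bundle: "ca-bundle.crt"

    # root hints, not mandatory since unbound has a built-in list, but
    # it is a good idea to fetch the updated list from the link below
    # https://www.internic.net/domain/named.root
    root-hints: "named.root"

    # security/privacy settings, the below deal with caching times and
    # with some often overlooked "leakages"; the values are reasonable,
    # but before changing them, read the manual and make sure you
    # understand how the DNS TTL/caching mechanism works.
    #
    # aggressive-nsec: answers nonexistent names from cached, validated
    # NSEC records (needs the trust anchor above).
    aggressive-nsec: yes
    cache-max-ttl: 14400
    # cache-min-ttl overrides the TTL set by the zone owner: records
    # published with a shorter TTL are kept for 1200 s, so a changed,
    # failed-over or corrected record keeps being served for up to
    # 20 minutes. Lower it if clients see stale answers.
    cache-min-ttl: 1200
    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes
    # use-caps-for-id: randomises the case of outgoing query names as an
    # extra anti-spoofing check; a few authoritative servers mishandle
    # it, so suspect this option first when single domains fail.
    use-caps-for-id: yes
    harden-glue: yes
    # harden-dnssec-stripped: data from a signed zone that arrives
    # without signatures is treated as bogus instead of being accepted.
    harden-dnssec-stripped: yes
    val-clean-additional: yes
    prefetch: yes
    rrset-roundrobin: yes

    # adjust to CPU cores and memory, the configuration below is ok for
    # a 4 cores CPU and a system with at least 2GB of RAM, feel free to
    # adjust the config, but before doing so, please read the manual
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    msg-cache-size: 256M
    rrset-cache-size: 512M
    outgoing-range: 8192
    num-queries-per-thread: 4096

    # blocking zone, this may come from whatever suitable source, for
    # example, a good list is on https://pgl.yoyo.org/adservers/ just
    # select and download the unbound zone format and you'll be running.
    # An included file is parsed as configuration with the same authority
    # as this one, so whoever controls the list controls the resolver's
    # answers: download it over HTTPS and check that it holds nothing but
    # the expected local-zone/local-data lines before each update.
    #
    #include: "block.zone"

    # the stuff below is only needed if you're running a LAN domain
    # with a local DNS, in such a case you'll want unbound to forward
    # all queries for the LAN domain and IP range to the local DNS, the
    # example below assumes a LAN using the 192.168.1.x/24 range and a
    # DNS server sitting on 192.168.1.1 which is the case for a lot of
    # home LANs using the router as the local resolver

    # LAN domain and IP range (server: options, keep them above the
    # stub-zone: clauses). private-domain exempts the LAN domain from the
    # private-address filtering above. The local zones are unsigned, so
    # with DNSSEC validation active they also need domain-insecure,
    # otherwise their answers fail validation.
    # private-domain: "local.lan"
    # domain-insecure: "local.lan"
    # domain-insecure: "1.168.192.in-addr.arpa."
    # local-zone: "1.168.192.in-addr.arpa." nodefault

  # LAN forward stub zones (separate clause, not part of server:)
  # stub-zone:
  #  name: "local.lan"
  #  stub-no-cache: yes
  #  stub-addr: 192.168.1.1@53

  # LAN reverse stub zones (separate clause, not part of server:)
  #stub-zone:
  #  name: "1.168.192.in-addr.arpa."
  #  stub-no-cache: yes
  #  stub-addr: 192.168.1.1@53

  # enable local unbound-control, the below will allow to use the
  # unbound-control program to locally control the DNS and signal it
  # to perform a number of operations, it's particularly useful when
  # initially configuring the program but may also be useful later on.
  # With "control-use-cert: no" the control channel has no
  # authentication: any process on this host that can reach
  # 127.0.0.1:8953 can reconfigure the resolver or flush and dump its
  # cache. On a multi-user host keep certificates enabled
  # (control-use-cert: yes, keys generated with unbound-control-setup)
  # or leave remote-control disabled once setup is finished.
  #remote-control:
  #  control-enable: yes
  #  control-interface: 127.0.0.1
  #  control-port: 8953
  #  control-use-cert: no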