This repository has been archived by the owner on Jul 13, 2020. It is now read-only.

Examples

Sebastian Schmidt edited this page Sep 5, 2018 · 41 revisions


Notes

The examples assume that the role's default variables are merged with the example variables shown here. This can be done manually, by copying the defaults into your own variables, or automatically by setting hash_behaviour = merge in your /ansible.conf. Since version 2.1.2 this is no longer needed: the role itself merges the defaults in _unbound_config: with unbound: and with unbound_host:.
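To make the difference between merging and replacing concrete, here is an added Python example (not code from the role) that reproduces the two behaviours. The dictionaries are constructed stand-ins for `_unbound_config` and `unbound`, not the role's real defaults; the merge logic follows what `hash_behaviour = merge` does in Ansible.

```python
"""Deep merge of role defaults with user variables (added example)."""
import copy

# Constructed stand-in for the role's default `_unbound_config` variable.
DEFAULT_CONFIG = {
    "server": {
        "interface": ["127.0.0.1"],
        "hide_identity": True,
        "hide_version": True,
        "local_zone": ["localhost. static", "test. static"],
    },
}

# Constructed stand-in for a user's `unbound:` variable that only sets a few keys.
USER_CONFIG = {
    "server": {
        "interface": ["0.0.0.0@853", "::0@853"],
        "qname_minimisation": True,
    },
}


def replace_merge(default, override):
    """hash_behaviour = replace: a top-level key in `override` replaces the
    whole value from `default`, so every nested default under it is lost."""
    merged = copy.deepcopy(default)
    merged.update(copy.deepcopy(override))
    return merged


def deep_merge(default, override):
    """hash_behaviour = merge: nested dictionaries are merged key by key;
    lists and scalars from `override` still win, as they do in Ansible."""
    merged = copy.deepcopy(default)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def keys_lost_by_replace(default, override):
    """Server-level keys that silently disappear from the rendered unbound.conf
    when the defaults are replaced instead of merged."""
    replaced = replace_merge(default, override)["server"]
    merged = deep_merge(default, override)["server"]
    return sorted(set(merged) - set(replaced))


if __name__ == "__main__":
    print("lost with replace:", keys_lost_by_replace(DEFAULT_CONFIG, USER_CONFIG))
    print("merged server section:", deep_merge(DEFAULT_CONFIG, USER_CONFIG)["server"])
```

With replace semantics the hardening defaults (`hide_identity`, `hide_version`, the default `local_zone` entries) vanish as soon as you set any `server:` key of your own, which is exactly the silent misconfiguration the merge avoids.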

I recommend setting the common variables in a /group_vars/all file and the group-specific variables in /group_vars/<your-group-name>. For more details see Ansible best practices. Another tip: /group_vars/all can be a directory holding several files, e.g. /group_vars/all/configs and /group_vars/all/secrets.

Unbound as a recursive DNS resolver

My recommendation for open recursive servers

unbound_optimise: true
unbound_optimise_memory: 80 # modify to suit
unbound:
  server:
    so_reuseport: yes # check that your kernel has support
    hide_identity: yes
    hide_version: yes
    hide_trustanchor: yes # only available in later versions
    minimal_responses: yes
    aggressive_nsec: yes # needs valid dnssec in authoritative zones to work
    prefetch: yes
    prefetch_key: yes
    qname_minimisation: yes # only available in newer unbound versions
    # so_reuseport: yes # if kernel supports it
    # so_rcvbuf: 4m # increase receive UDP buffer
    # so_sndbuf: 4m # increase send UDP buffer
    # Don't send queries for these names upstream; answer NXDOMAIN instead. Protects badly configured clients (RFC 6761).
    # RFC6761: https://tools.ietf.org/html/rfc6761
    # valid TLDs https://www.iana.org/domains/root/db
    # popular undelegated TLDs hitting L-root http://stats.dns.icann.org/hedgehog/
    # ^ https://seby.io/files/Lroot-undelegateTLDs-2018-09.png
    # ^ http://mm.icann.org/pipermail/gnso-newgtld-wg-wt4/2017-May/000070.html
    local_zone:
      - example. static # reserved
      # - invalid. static # reserved, configured by default
      - local. static # reserved
      # - localhost. static # localhost and AS112 zones are configured by default
      # - onion. static # Tor Project, configured by default
      # - test. static # reserved, configured by default
      - i2p. static # I2P Anonymous Network
      - glue. static # OpenNIC - disable if you run an OpenNIC server
      - home. static
      - zghjccbob3n0. static
      - dhcp. static
      - lan. static
      - localdomain. static
      - ip. static
      - internal. static
      - openstacklocal. static
      - dlink. static
      - gw==. static
      - gateway. static
      - corp. static
      - workgroup. static
      - belkin. static
      - davolink. static
      - z. static
    # These are addresses on your private network, (used in DNS Rebinding attacks)
    # and are not allowed to be returned for public internet names.
    # Turning on 127.0.0.0/8 would hinder many spam blocklists
    # as they use that. Adding ::ffff:0:0/96 stops IPv4-mapped
    # IPv6 addresses from bypassing the filter.
    ## Also see https://tools.ietf.org/html/rfc6761
    ## https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml
    private_address:
      - 127.0.0.0/8
      - 10.0.0.0/8 # private networks (RFC 1918)
      - 172.16.0.0/12
      - 192.168.0.0/16
      - 169.254.0.0/16 # link-local network (RFC 3927)
      - fd00::/8
      - fe80::/10
    ## Performance
    # outgoing_range: 8192 # modify to suit
    # num_queries_per_thread: 4096 # modify to suit
    # outgoing_num_tcp: 100 # modify to suit
    # incoming_num_tcp: 100 # modify to suit
    # cache_min_ttl: 300 # modify to suit
    # infra_cache_numhosts: 50000 # modify to suit
    # edns_buffer_size: 4096 # only modify if you have fragmentation reassembly problems
    ### Security options - please read the documentation first -> https://unbound.net/documentation/unbound.conf.html
    ## unwanted_reply_threshold: 10000000 # try to clear poisoned cache, clears the rrset and message caches
    ## use_caps_for_id: yes # experimental - add more randomness, some servers don't handle this properly resulting in SERVFAIL
    ## caps_whitelist: # domain whitelist for dns-0x20
    ## harden_below_nxdomain: yes # stricter DNSSEC, may result in more validation failures
    ## harden_algo_downgrade: yes # stricter DNSSEC, may result in more validation failures
    ## harden_short_bufsize: yes # if suffering from DDoS this might reduce it, rejects queries
    ## harden_large_queries: yes # if suffering from DDoS this might reduce it, rejects queries
    ## ip_ratelimit: 100 # experimental - drop queries once X queries per second (qps) from a single client IP is reached. Useful for mitigating amplification attacks.
    ## ratelimit: 1000 # experimental - rate-limit queries sent to upstream nameservers, in qps, so a single server is not overloaded
    ## ratelimit_for_domain: example.com 10 # ratelimit for a single domain
    ## ratelimit_below_domain: example.com 10 # ratelimit for subdomains
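The two policies that do most of the work in the configuration above are the static `local_zone` entries (never forwarded, answered with NXDOMAIN locally) and the `private_address` filter (answers inside private networks are dropped for public names, the DNS-rebinding protection). The following added Python example, which is not code from the role or from Unbound, reproduces both policies so their effect can be checked offline against constructed sample answers; Unbound itself implements them in C.

```python
"""Offline check of the local_zone and private_address policies (added example)."""
import ipaddress

# Same networks as the private_address list in the configuration above.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]

# A subset of the static local_zone entries above; "static" means answer
# NXDOMAIN locally and never send the query upstream.
LOCAL_ZONES_STATIC = ["example.", "local.", "home.", "lan.", "localdomain.",
                      "internal.", "corp.", "i2p."]


def normalize(name):
    """Lower-case and ensure a trailing dot, the form DNS names are compared in."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def matching_local_zone(qname, zones=LOCAL_ZONES_STATIC):
    """Return the zone covering qname, or None. A zone covers itself and every
    name below it, so 'printer.home.' is covered by 'home.'."""
    qname = normalize(qname)
    for zone in zones:
        zone = normalize(zone)
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def is_private_answer(rdata, nets=PRIVATE_ADDRESS):
    """True if an A/AAAA answer lies inside a private network. IPv4-mapped IPv6
    (::ffff:a.b.c.d) is unwrapped so it cannot bypass the filter, which is
    what adding ::ffff:0:0/96 to private_address achieves in Unbound."""
    ip = ipaddress.ip_address(rdata)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in nets)


def classify(qname, rdata):
    """What the resolver would do with an upstream answer `rdata` for `qname`."""
    if matching_local_zone(qname):
        return "nxdomain-local-zone"      # never asked upstream at all
    if is_private_answer(rdata):
        return "dropped-private-address"  # DNS-rebinding protection
    return "allowed"


# Constructed sample answers (name, address) to audit; not real resolver output.
SAMPLE_ANSWERS = [
    ("printer.home.", "192.168.1.20"),
    ("www.example.org.", "93.184.216.34"),
    ("evil.example.org.", "10.0.0.5"),
    ("evil.example.org.", "::ffff:192.168.0.1"),
    ("2.0.0.127.zen.spamhaus.org.", "127.0.0.2"),
]


def audit(samples=SAMPLE_ANSWERS):
    """Map each sample to its verdict."""
    return {(q, r): classify(q, r) for q, r in samples}


if __name__ == "__main__":
    for (q, r), verdict in audit().items():
        print(f"{q:32} {r:22} {verdict}")
```

The last sample shows the caveat from the comment above: with 127.0.0.0/8 in `private_address`, a DNSBL answer such as 127.0.0.2 is also dropped, so a mail server doing blocklist lookups through this resolver would never see a listing.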

DNS-over-TLS

unbound_tls_domain: example.com
unbound_tls_cert_provider: selfsigned
unbound:
  server:
    # listen on all interfaces on port 853; who may query is controlled by access_control below.
    interface: [0.0.0.0@853, '::0@853']
    access_control: 0.0.0.0/0 allow # This is for an open resolver. Restrict it to your own networks if the server is not meant to be public.
    ssl_service_key: "private.key"
    ssl_service_pem: "certificate.pem"
    ssl_port: 853
    incoming_num_tcp: 100 # Number of simultaneous incoming TCP connections per thread to allow
    # Do not listen on plain UDP downstream, but still send upstream queries over UDP.
    # Only available in 1.6.7 and later
    udp_upstream_without_downstream: yes
    qname_minimisation: yes # Enable QNAME minimisation to increase client privacy
    hide_identity: yes
    hide_version: yes
    hide_trustanchor: yes # only available in 1.6.2 and later
    so_reuseport: yes # check that your kernel has support

Refer to https://dnsprivacy.org/wiki/display/DP/Using+Unbound+as+a+DNS+Privacy+server for more information.
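To see what a client of the configuration above actually does on port 853, here is an added Python example (not part of the role or of Unbound) of a minimal DNS-over-TLS client. It performs a TLS handshake that verifies the certificate for `unbound_tls_domain`, then exchanges DNS messages with the two-byte length prefix of DNS-over-TCP (RFC 1035 section 4.2.2), which RFC 7858 reuses. Only the standard library is used; the server address, hostname and sample response are constructed for illustration.

```python
"""Minimal DNS-over-TLS client and response parser (added example)."""
import ipaddress
import secrets
import socket
import ssl
import struct


def build_query(qname, tid, qtype=1):
    """One DNS question (qtype 1 = A, 28 = AAAA) with the RD flag set."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(message):
    """TCP/TLS transport framing: 16-bit big-endian length, then the message."""
    return struct.pack("!H", len(message)) + message


def _skip_name(buf, off):
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # compression pointer, always two bytes
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_answer_ips(response, expected_tid):
    """Return the A/AAAA addresses in the answer section after checking the
    transaction id and RCODE."""
    tid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", response, 0)
    if tid != expected_tid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", response, off)
        off += 10                                    # TYPE, CLASS, TTL, RDLENGTH
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:
            ips.append(str(ipaddress.IPv6Address(rdata)))
    return ips


def _recv_exact(sock, n):
    """Read exactly n bytes or fail; TLS records do not align with DNS messages."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf.extend(chunk)
    return bytes(buf)


def query_dot(server_ip, tls_domain, qname, qtype=1, cafile=None, port=853):
    """Send one query over TLS. tls_domain must be the name the certificate was
    issued for (unbound_tls_domain); pass cafile when the certificate is
    self-signed, otherwise verification against the system store fails."""
    tid = secrets.randbelow(0x10000)
    query = build_query(qname, tid, qtype)
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((server_ip, port), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=tls_domain) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answer_ips(_recv_exact(tls, length), tid)


def sample_response(tid):
    """Constructed reply to build_query('example.com.', tid): one A record
    (93.184.216.34, TTL 300) whose owner name is a pointer to the question."""
    query = build_query("example.com.", tid)
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + query[12:] + answer


if __name__ == "__main__":
    print(parse_answer_ips(sample_response(0x1234), 0x1234))
    # Live use (assumed values): query_dot("192.0.2.53", "example.com", "example.org.")
```

Two points a practitioner should take from it: the client verifies the certificate against `unbound_tls_domain` (the `server_hostname` argument), so a mismatched name or an unknown self-signed certificate fails the handshake rather than falling back to plaintext; and a response is only accepted when its transaction id matches the query, the same check every stub resolver performs.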

Let's Encrypt using Cloudflare to validate the domain

Certificates are issued with acme.sh.

## Domain name
unbound_tls_domain: example.com
## Choose between self-signed or ACME (Let's Encrypt) issued certificate
unbound_tls_cert_provider: acme
## Automatically update acme.sh
unbound_tls_acme_auto_upgrade: 1
## Choose a domain validation method. For other DNS APIs please look at:
## https://github.com/Neilpang/acme.sh/tree/master/dnsapi#how-to-use-dns-api
unbound_tls_acme_mode: dns dns_cf
unbound_tls_acme_dns_acc:
  CF_Email: cloudflare-account@email.com
  CF_Key: xxxxxxxx
## Whether to use the Let's Encrypt staging server
# unbound_tls_acme_staging: false
## Force certificate re-issue (must be used when switching between staging and production)
# unbound_tls_acme_force: false
## For all available command options see: https://github.com/Neilpang/acme.sh/wiki/Options-and-Params
# unbound_tls_acme_custom: --dnssleep 10
unbound:
  server:
    # [same as above]

For other DNS APIs please look at: https://github.com/Neilpang/acme.sh/tree/master/dnsapi#how-to-use-dns-api

Unbound as a local DNS cache

unbound:
  server:
    interface: 127.0.0.1
    cache_max_ttl: 86400 # 14400=4h 86400=1day (default)
    cache_min_ttl: 600 # 86400=1day 43200=12h 3600=1h 1800=30m 1200=20m 900=15m 600=10m 300=5m=standard, 0 (default)
    cache_max_negative_ttl: 3600 # 1h (default)
    # serve_expired: yes
    prefetch: yes
    prefetch_key: yes
  forward_zone:  # https://gist.github.com/roge-/e7d926a3b3551a0f3769 https://gist.github.com/kometchtech/8c1b91ec427b264fbe97
    name: "."                 # https://public-dns.info/
    forward_addr:
      - 1.1.1.1               # Cloudflare (https://cloudflare-dns.com)
      - 9.9.9.9               # Quad9(https://www.quad9.net/) - blocklist
      - 2620:fe::fe           # Quad9(https://www.quad9.net/) - blocklist
      - 9.9.9.10              # Quad9(https://www.quad9.net/) - no blocklist
      - 2620:fe::10           # Quad9(https://www.quad9.net/) - no blocklist
      - 8.8.4.4               # Google(https://developers.google.com/speed/public-dns/)
      - 8.8.8.8               # Google(https://developers.google.com/speed/public-dns/)
      - 2001:4860:4860::8888  # Google(https://developers.google.com/speed/public-dns/)
      - 2001:4860:4860::8844  # Google(https://developers.google.com/speed/public-dns/)
      - 208.67.222.220        # OpenDNS(https://www.opendns.com/ https://umbrella.cisco.com/)
      - 208.67.222.222        # OpenDNS(https://www.opendns.com/ https://umbrella.cisco.com/)
      - 185.121.177.177       # OpenNIC(https://www.opennic.org/)
      - 64.6.64.6             # Verisign(https://www.verisign.com/en_US/security-services/public-dns/index.xhtml)
      - 64.6.65.6             # Verisign(https://www.verisign.com/en_US/security-services/public-dns/index.xhtml)
      - 37.235.1.174          # FreeDNS(https://freedns.zone/)
      - 37.235.1.177          # FreeDNS(https://freedns.zone/)
      - 84.200.69.80          # DNS Watch(https://dns.watch/index)
      - 84.200.70.40          # DNS Watch(https://dns.watch/index)
      - 2001:1608:10:25::1c04:b12f  # DNS Watch(https://dns.watch/index)
      - 2001:1608:10:25::9249:d69   # DNS Watch(https://dns.watch/index)
      - 91.239.100.100        # UncensoredDNS(https://blog.uncensoreddns.org/)
      - '2001:67c:28a4::'     # UncensoredDNS(https://blog.uncensoreddns.org/)