Permalink
Branch: master
Find file Copy path
58ee868 Dec 4, 2018
1 contributor

Users who have contributed to this file

321 lines (309 sloc) 10.3 KB
# See unbound.conf(5) man page.
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
# https://raw.githubusercontent.com/NLnetLabs/unbound/master/doc/example.conf.in
#
# Use this to include other text into the file.
# include: "otherfile.conf"
server:
#### Options already enabled by default:
## https://tools.ietf.org/html/rfc7816
# qname-minimisation: yes
### Enabled in v1.8.0
# so-reuseport: yes
# minimal-responses: yes
## https://tools.ietf.org/html/rfc8020
# harden-below-nxdomain: yes
####
## new option in v1.7.3
# https://tools.ietf.org/html/rfc7828
edns-tcp-keepalive: yes
# edns-tcp-keepalive-timeout: 120000 # 2min
# tcp-idle-timeout: 30000 # 30 sec
## New Options in v1.8.0
serve-expired-ttl: 86400 # max 1 day
#serve-expired-ttl-reset: no
#log-servfail: no
## new option in v1.8.2
# This responds with an empty message to queries of type ANY.
deny-any: yes
# unknown-server-time-limit: 376
# min-client-subnet-ipv6: 0
# min-client-subnet-ipv4: 0
# max-ecs-tree-size-ipv4: 100
# max-ecs-tree-size-ipv6 : 100
# unknown-server-time-limit: 376
# fast-server-permil: 0
# fast-server-num: 3
# http://unbound.nlnetlabs.nl/documentation/howto_optimise.html
# https://unbound.net/pipermail/unbound-users/2010-March/001083.html
# https://github.com/jedisct1/dnscrypt-server-docker/blob/master/unbound.sh
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
key-cache-slabs: 1
infra-cache-slabs: 1
# dnscrypt-shared-secret-cache-slabs: 1
# dnscrypt-nonce-cache-slabs:1
msg-cache-size: 54m # default 4m
rrset-cache-size: 108m # rrset=msg*2 # default 4m
key-cache-size: 54m # default 4m
neg-cache-size: 27m # default 1m
infra-cache-numhosts: 50000
# dnscrypt-shared-secret-cache-size: 13m # default 4m
# dnscrypt-nonce-cache-size: 13m # default 4m
## if--with-libevent
# outgoing-range: 8192.0
# num-queries-per-thread: 4096.0
## else
# outgoing-range: 974.0
# num-queries-per-thread: 487.0
## Larger socket buffer. OS may need config.
# so-rcvbuf: 4m
# so-sndbuf: 4m
domain-insecure: "dns.opennic.glue"
domain-insecure: "bbs"
domain-insecure: "bit"
domain-insecure: "chan"
domain-insecure: "cyb"
domain-insecure: "dyn"
domain-insecure: "fur"
domain-insecure: "geek"
domain-insecure: "gopher"
domain-insecure: "indy"
domain-insecure: "libre"
domain-insecure: "neo"
domain-insecure: "null"
domain-insecure: "o"
domain-insecure: "opennic.glue"
domain-insecure: "oss"
domain-insecure: "oz"
domain-insecure: "parody"
domain-insecure: "pirate"
domain-insecure: "glue"
domain-insecure: "baza"
domain-insecure: "coin"
domain-insecure: "emc"
domain-insecure: "lib"
domain-insecure: "ku"
domain-insecure: "te"
domain-insecure: "ti"
domain-insecure: "uu"
verbosity: 0
do-ip6: no
logfile: run/unbound.log
auto-trust-anchor-file: run/root.key
root-hints: root.hints
pidfile: run/unbound.pid
username: _unbound
directory: /etc/unbound
chroot: /etc/unbound
# use-syslog: yes
log-time-ascii: yes
# val-log-level: 0
# statistics-interval: 0
# extended-statistics: yes
# statistics-cumulative: no
interface: 0.0.0.0
# interface: 127.0.0.1
# interface: ::1 # Docker ipv6 -> can't bind socket: Address not available for ::1
# interface: 10.19.96.4
# interface: 0.0.0.0@853
# interface: ::0@853
port: 53
# ssl-service-key: /etc/unbound/private.key
# ssl-service-pem: /etc/unbound/certificate.pem
# ssl-port: 853
access-control: 0.0.0.0/0 allow
access-control: ::/0 allow
# qname-minimisation-strict : yes
# https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# use-caps-for-id: yes
# caps-whitelist: example.com
# https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse
aggressive-nsec: yes
local-zone: example. static
local-zone: local. static
local-zone: i2p. static
local-zone: home. static
local-zone: zghjccbob3n0. static
local-zone: dhcp. static
local-zone: lan. static
local-zone: localdomain. static
local-zone: ip. static
local-zone: internal. static
local-zone: openstacklocal. static
local-zone: dlink. static
local-zone: gw==. static
local-zone: gateway. static
local-zone: corp. static
local-zone: workgroup. static
local-zone: belkin. static
local-zone: davolink. static
local-zone: z. static
local-zone: domain. static
local-zone: virtualmin. static
serve-expired: yes
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
num-queries-per-thread: 2048
# outgoing-range: 32767
outgoing-range: 4096
incoming-num-tcp: 100
outgoing-num-tcp: 100
jostle-timeout: 325 # average roundtrip time from AU (myserver) to US + a tiny bit extra
neg-cache-size: 25m
cache-min-ttl: 120
cache-max-ttl: 86400
infra-host-ttl: 3600
# cache-max-negative-ttl: 3600
val-bogus-ttl: 120
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
unwanted-reply-threshold: 10000000
## Simple DNS rebinding protection
## refer to RFC1918, RFC5735, RFC5156 and https://en.wikipedia.org/wiki/Reserved_IP_addresses
## IPv4
private-address: 0.0.0.0/8 # Should not be on the Internet (only valid as source address)
private-address: 10.0.0.0/8 # Private networks
private-address: 127.0.0.0/8 # Loopback, spam-blocklists (RBL) (https://www.dnsbl.info/) e.g. "dig +short 0.0.0.0.zen.spamhaus.org" will stop working (https://www.spamhaus.org/zen/, https://www.spamhaus.org/faq/section/DNSBL%20Usage#202)
private-address: 169.254.0.0/16 # link-local (networks without DHCP)
private-address: 172.16.0.0/12 # Private networks
private-address: 192.168.0.0/16 # Private networks
private-address: 255.255.255.255/32 # Broadcast destination
## IPv6
private-address: ::/128 # Unspecified addresses (only valid as source address)
private-address: ::1/128 # Loopback
private-address: 2001:db8::/32 # Documentation addresses used for documentation purposes such as user manuals, RFCs, etc. (RFC3849)
# private-address: ::ffff:0:0/96 # IPv4-mapped IPv6 addresses (depreciated and should not be on the public internet) (blocks potentially valid addresses / gives wrong result from DNS Benchmark)
private-address: fe80::/10 # IP address autoconfiguration (link-local unicast, Private network)
private-address: fc00::/7 # Unique Local Addresses (Private network)
# private-address: fec0::/10 # Depreciated site networks
# private-address: 2002::/16 # 6to4 (deprecated)
# private-address: 64:ff9b::/96 # 6to4 "Well-Known" Prefix
# private-address: 2001::/32 # Teredo
private-address: 2001:10::/28 # ORCHID
# private-address: ff00::/8 # Multicast
## Selected IPv4 mapped addresses from IPv4 above (fixes potentially wrong result from DNS Benchmark if blocking all of ::ffff:0:0/96)
private-address: ::ffff:0.0.0.0/120 # Private IPv4-mapped addresses
private-address: ::ffff:10.0.0.0/120 # Private IPv4-mapped addresses
private-address: ::ffff:127.0.0.1/120 # Loopback IPv4-mapped addresses, spam-blocklists (RBL)
private-address: ::ffff:169.254.0.0/112 # Link-local IPv4-mapped addresses
private-address: ::ffff:172.16.0.0/116 # Private IPv4-mapped addresses
private-address: ::ffff:192.168.0.0/112 # Private IPv4-mapped addresses
private-address: ::ffff:255.255.255.255/128 # Broadcast IPv4-mapped addresses
##
do-not-query-localhost: yes # ::1 and 127.0.0.1/8
do-not-query-address: 127.0.0.0/8
# do-not-query-address: 10.0.0.0/8 # kube/docker ips, needed for nsd
do-not-query-address: 172.16.0.0/12
do-not-query-address: 192.168.0.0/16
# ratelimit: 500
# ip-ratelimit: 50
### harden-large-queries: yes
### harden-short-bufsize: yes
## harden-algo-downgrade: yes
### harden-referral-path: yes
## prefer-ip6: yes
# delay-close: 1500
remote-control:
control-enable: yes
control-interface: 127.0.0.1
stub-zone:
name: "dns.opennic.glue"
stub-addr: "127.0.0.1@552" # Authorative Slave DNS server
stub-zone:
name: "bbs"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "bit"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "chan"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "cyb"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "dyn"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "free"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "fur"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "geek"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "gopher"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "indy"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "libre"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "neo"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "null"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "o"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "opennic.glue"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "oss"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "oz"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "parody"
stub-addr: "127.0.0.1@552"
stub-zone:
name: "pirate"
stub-addr: "127.0.0.1@552"
# OpenNIC Peers:
stub-zone:
name: "baza"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
stub-zone:
name: "coin"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
stub-zone:
name: "emc"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
stub-zone:
name: "lib"
stub-host: "seed1.emercoin.com"
stub-host: "seed2.emercoin.com"
stub-zone:
name: "ku"
stub-addr: "127.0.0.1@552"
stub-addr: "5.45.96.220" # ns1.new-nations.ku
stub-addr: "185.82.22.133" # ns2.new-nations.ku
stub-zone:
name: "te"
stub-addr: "127.0.0.1@552"
stub-addr: "5.45.96.220" # ns1.new-nations.te
stub-addr: "185.82.22.133" # ns2.new-nations.te
stub-zone:
name: "ti"
stub-addr: "127.0.0.1@552"
stub-addr: "5.45.96.220" # ns1.new-nations.ti
stub-addr: "185.82.22.133" # ns2.new-nations.ti
stub-zone:
name: "uu"
stub-addr: "127.0.0.1@552"
stub-addr: "5.45.96.220" # ns1.new-nations.uu
stub-addr: "185.82.22.133" # ns2.new-nations.uu