Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $ | |
| # https://man.openbsd.org/unbound.conf#MEMORY_CONTROL_EXAMPLE | |
| server: | |
| num-threads: 1 | |
| # fallback.vedetta.lan | |
| interface: 10.10.10.10@53 | |
| interface: fd80:1fe9:fcee:1337::ace:face@53 | |
| # DoH TRR https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-12 | |
| interface: 10.10.10.10@853 | |
| interface: fd80:1fe9:fcee:1337::ace:face@853 | |
| #tls-cert-bundle: /etc/ssl/cert.pem | |
| ssl-service-key: /etc/ssl/unbound/private/acolyte.vedetta.lan.key | |
| ssl-service-pem: /etc/ssl/unbound/acolyte.vedetta.lan.crt # import | |
| ssl-port: 853 | |
| #udp-upstream-without-downstream: yes | |
| # Block all | |
| access-control: 0.0.0.0/0 refuse | |
| access-control: ::0/0 refuse | |
| # Allow lo0 | |
| access-control: 127.0.0.0/8 allow | |
| access-control: ::1 allow | |
| # Allow lan | |
| access-control: 192.168.0.0/16 allow | |
| access-control: 172.16.0.0/12 allow | |
| access-control: 10.0.0.0/8 allow | |
| access-control: fd80:1fe9:fcee::/48 allow | |
| # Prints one line per query to the log, making the server (significantly) slower | |
| #log-queries: no | |
| root-hints: "/var/unbound/etc/root.hints" | |
| hide-identity: yes | |
| hide-version: yes | |
| # Refuse trustanchor.unbound queries | |
| hide-trustanchor: yes | |
| outgoing-range: 60 # uses less memory, but less performance. | |
| outgoing-num-tcp: 1 # this limits TCP service, uses less buffers. | |
| incoming-num-tcp: 1 | |
| msg-buffer-size: 8192 # note this limits service, 'no huge stuff'. | |
| msg-cache-size: 100k | |
| msg-cache-slabs: 1 | |
| num-queries-per-thread: 30 | |
| rrset-cache-size: 100k | |
| rrset-cache-slabs: 1 | |
| # Less queries for min ttl | |
| cache-min-ttl: 3600 | |
| infra-cache-slabs: 1 | |
| infra-cache-numhosts: 200 | |
| target-fetch-policy: "2 1 0 0 0 0" | |
| harden-short-bufsize: yes | |
| harden-large-queries: yes | |
| # Use 0x20-encoded random bits in the query to foil spoof attempts | |
| use-caps-for-id: yes | |
| # DNSSEC bogus answers against DNS Rebinding | |
| # RFC1918 private IP address space not allowed to be returned for public internet names | |
| private-address: 192.168.0.0/16 | |
| private-address: 172.16.0.0/12 | |
| private-address: 10.0.0.0/8 | |
| private-address: 169.254.0.0/16 | |
| private-address: fd00::/8 | |
| private-address: fe80::/10 | |
| # Turning on 127.0.0.0/8 would hinder many spamblocklists as they use that | |
| #private-address: 127.0.0.0/8 | |
| # Adding ::ffff:0:0/96 stops IPv4-mapped IPv6 addresses from bypassing the filter | |
| private-address: ::ffff:0:0/96 | |
| # add | |
| private-address: 2001:470:b35c::/48 | |
| private-domain: "vedetta.lan" | |
| domain-insecure: "vedetta.lan" | |
| unwanted-reply-threshold: 10000000 | |
| do-not-query-localhost: no | |
| # Affects buffer space | |
| #prefetch: no | |
| val-clean-additional: yes | |
| key-cache-size: 100k | |
| key-cache-slabs: 1 | |
| neg-cache-size: 10k | |
| # Uncomment to enable qname minimisation. | |
| # https://tools.ietf.org/html/rfc7816 | |
| # | |
| qname-minimisation: yes | |
| # Uncomment to enable DNSSEC validation. | |
| # | |
| auto-trust-anchor-file: "/var/unbound/db/root.key" | |
| # Fetch the root.key: | |
| # /usr/local/sbin/unbound-anchor -a "/var/unbound/db/root.key" | |
| # Serve zones authoritatively from Unbound to resolver clients. | |
| # Not for external service. | |
| # | |
| local-zone: "10.in-addr.arpa." nodefault | |
| local-zone: "16.172.in-addr.arpa." nodefault | |
| local-zone: "168.192.in-addr.arpa." nodefault | |
| local-zone: "c.5.3.b.0.7.4.0.1.0.0.2.ip6.arpa." nodefault | |
| # UDP EDNS reassembly buffer advertised to peers. Default 4096. | |
| # May need lowering on broken networks with fragmentation/MTU issues, | |
| # particularly if validating DNSSEC. | |
| # | |
| #edns-buffer-size: 1480 | |
| # Use TCP for "forward-zone" requests. Useful if you are making | |
| # DNS requests over an SSH port forwarding. | |
| # | |
| #tcp-upstream: yes | |
| # DNS64 options, synthesizes AAAA records for hosts that don't have | |
| # them. For use with NAT64 (PF "af-to"). | |
| # | |
| #module-config: "dns64 validator iterator" | |
| #dns64-prefix: 64:ff9b::/96 # well-known prefix (default) | |
| #dns64-synthall: no | |
| # Map our public (dynamic) DNS name to local IPs (or use binat-to) | |
| local-zone: "freedns.afraid.org." redirect | |
| local-data: "freedns.afraid.org. CNAME relay.vedetta.lan" | |
| # Update the DNS based adblock (!) see var/cron/tabs/root | |
| include: /var/unbound/etc/dnsblock.conf | |
| # Block Netflix AAAA Records (since Netflix blocks tunnelbroker.net) | |
| include: /var/unbound/etc/netflix.conf | |
| remote-control: | |
| control-enable: yes | |
| control-use-cert: no | |
| control-interface: /var/run/unbound.sock | |
| stub-zone: | |
| name: "vedetta.lan." | |
| stub-addr: 127.0.0.1@10053 | |
| stub-zone: | |
| name: "10.in-addr.arpa." | |
| stub-addr: 127.0.0.1@10053 | |
| stub-zone: | |
| name: "16.172.in-addr.arpa." | |
| stub-addr: 127.0.0.1@10053 | |
| stub-zone: | |
| name: "168.192.in-addr.arpa." | |
| stub-addr: 127.0.0.1@10053 | |
| stub-zone: | |
| name: "c.5.3.b.0.7.4.0.1.0.0.2.ip6.arpa." | |
| stub-addr: ::1@10053 | |