mirror of
https://github.com/JamesTurland/JimsGarage.git
synced 2024-11-21 23:40:19 +00:00
387 lines
No EOL
16 KiB
Text
387 lines
No EOL
16 KiB
Text
server:
|
||
###########################################################################
|
||
# BASIC SETTINGS
|
||
###########################################################################
|
||
# Time to live maximum for RRsets and messages in the cache. If the maximum
|
||
# kicks in, responses to clients still get decrementing TTLs based on the
|
||
# original (larger) values. When the internal TTL expires, the cache item
|
||
# has expired. Can be set lower to force the resolver to query for data
|
||
# often, and not trust (very large) TTL values.
|
||
cache-max-ttl: 86400
|
||
|
||
# Time to live minimum for RRsets and messages in the cache. If the minimum
|
||
# kicks in, the data is cached for longer than the domain owner intended,
|
||
# and thus less queries are made to look up the data. Zero makes sure the
|
||
# data in the cache is as the domain owner intended, higher values,
|
||
# especially more than an hour or so, can lead to trouble as the data in
|
||
# the cache does not match up with the actual data any more.
|
||
cache-min-ttl: 300
|
||
|
||
# Set the working directory for the program.
|
||
directory: "/opt/unbound/etc/unbound"
|
||
|
||
# Enable or disable whether IPv4 queries are answered or issued.
|
||
# Default: yes
|
||
do-ip4: yes
|
||
|
||
# Enable or disable whether IPv6 queries are answered or issued.
|
||
# If disabled, queries are not answered on IPv6, and queries are not sent
|
||
# on IPv6 to the internet nameservers. With this option you can disable the
|
||
# IPv6 transport for sending DNS traffic, it does not impact the contents
|
||
# of the DNS traffic, which may have IPv4 (A) and IPv6 (AAAA) addresses in
|
||
# it.
|
||
# Default: yes
|
||
# May be set to yes if you have IPv6 connectivity
|
||
do-ip6: yes
|
||
|
||
# Enable or disable whether TCP queries are answered or issued.
|
||
# Default: yes
|
||
do-tcp: yes
|
||
|
||
# Enable or disable whether UDP queries are answered or issued.
|
||
# Default: yes
|
||
do-udp: yes
|
||
|
||
# RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer
|
||
# size. This is the value put into datagrams over UDP towards peers.
|
||
# The actual buffer size is determined by msg-buffer-size (both for TCP and
|
||
# UDP). Do not set higher than that value.
|
||
# Default is 1232 which is the DNS Flag Day 2020 recommendation.
|
||
# Setting to 512 bypasses even the most stringent path MTU problems, but
|
||
# is seen as extreme, since the amount of TCP fallback generated is
|
||
# excessive (probably also for this resolver, consider tuning the outgoing
|
||
# tcp number).
|
||
edns-buffer-size: 1232
|
||
|
||
# Listen to for queries from clients and answer from this network interface
|
||
# and port.
|
||
interface: 0.0.0.0@5053
|
||
# interface: ::0
|
||
port: 53
|
||
|
||
# If enabled, prefer IPv6 transport for sending DNS queries to internet
|
||
# nameservers.
|
||
# Default: yes
|
||
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
|
||
# Terredo tunnels your web browser should favor IPv4 for the same reasons
|
||
prefer-ip6: no
|
||
|
||
# Rotates RRSet order in response (the pseudo-random number is taken from
|
||
# the query ID, for speed and thread safety).
|
||
rrset-roundrobin: yes
|
||
|
||
# Drop user privileges after binding the port.
|
||
username: "_unbound"
|
||
|
||
###########################################################################
|
||
# LOGGING
|
||
###########################################################################
|
||
|
||
# Do not print log lines to inform about local zone actions
|
||
log-local-actions: no
|
||
|
||
# Do not print one line per query to the log
|
||
log-queries: no
|
||
|
||
# Do not print one line per reply to the log
|
||
log-replies: no
|
||
|
||
# Do not print log lines that say why queries return SERVFAIL to clients
|
||
log-servfail: no
|
||
|
||
# If you want to log to a file, use:
|
||
# logfile: /opt/unbound/etc/unbound/unbound.log
|
||
# Set log location (using /dev/null further limits logging)
|
||
logfile: /dev/null
|
||
|
||
# Set logging level
|
||
# Level 0: No verbosity, only errors.
|
||
# Level 1: Gives operational information.
|
||
# Level 2: Gives detailed operational information including short information per query.
|
||
# Level 3: Gives query level information, output per query.
|
||
# Level 4: Gives algorithm level information.
|
||
# Level 5: Logs client identification for cache misses.
|
||
verbosity: 0
|
||
|
||
###########################################################################
|
||
# PERFORMANCE SETTINGS
|
||
###########################################################################
|
||
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
|
||
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
|
||
|
||
# Number of slabs in the infrastructure cache. Slabs reduce lock contention
|
||
# by threads. Must be set to a power of 2.
|
||
infra-cache-slabs: 4
|
||
|
||
# Number of incoming TCP buffers to allocate per thread. Default
|
||
# is 10. If set to 0, or if do-tcp is "no", no TCP queries from
|
||
# clients are accepted. For larger installations increasing this
|
||
# value is a good idea.
|
||
incoming-num-tcp: 10
|
||
|
||
# Number of slabs in the key cache. Slabs reduce lock contention by
|
||
# threads. Must be set to a power of 2. Setting (close) to the number
|
||
# of cpus is a reasonable guess.
|
||
key-cache-slabs: 4
|
||
|
||
# Number of bytes size of the message cache.
|
||
# Unbound recommendation is to Use roughly twice as much rrset cache memory
|
||
# as you use msg cache memory.
|
||
msg-cache-size: 142768128
|
||
|
||
# Number of slabs in the message cache. Slabs reduce lock contention by
|
||
# threads. Must be set to a power of 2. Setting (close) to the number of
|
||
# cpus is a reasonable guess.
|
||
msg-cache-slabs: 4
|
||
|
||
# The number of queries that every thread will service simultaneously. If
|
||
# more queries arrive that need servicing, and no queries can be jostled
|
||
# out (see jostle-timeout), then the queries are dropped.
|
||
# This is best set at half the number of the outgoing-range.
|
||
# This Unbound instance was compiled with libevent so it can efficiently
|
||
# use more than 1024 file descriptors.
|
||
num-queries-per-thread: 4096
|
||
|
||
# The number of threads to create to serve clients.
|
||
# This is set dynamically at run time to effectively use available CPUs
|
||
# resources
|
||
num-threads: 3
|
||
|
||
# Number of ports to open. This number of file descriptors can be opened
|
||
# per thread.
|
||
# This Unbound instance was compiled with libevent so it can efficiently
|
||
# use more than 1024 file descriptors.
|
||
outgoing-range: 8192
|
||
|
||
# Number of bytes size of the RRset cache.
|
||
# Use roughly twice as much rrset cache memory as msg cache memory
|
||
rrset-cache-size: 285536256
|
||
|
||
# Number of slabs in the RRset cache. Slabs reduce lock contention by
|
||
# threads. Must be set to a power of 2.
|
||
rrset-cache-slabs: 4
|
||
|
||
# Do no insert authority/additional sections into response messages when
|
||
# those sections are not required. This reduces response size
|
||
# significantly, and may avoid TCP fallback for some responses. This may
|
||
# cause a slight speedup.
|
||
minimal-responses: yes
|
||
|
||
# # Fetch the DNSKEYs earlier in the validation process, when a DS record
|
||
# is encountered. This lowers the latency of requests at the expense of
|
||
# little more CPU usage.
|
||
prefetch: yes
|
||
|
||
# Fetch the DNSKEYs earlier in the validation process, when a DS record is
|
||
# encountered. This lowers the latency of requests at the expense of little
|
||
# more CPU usage.
|
||
prefetch-key: yes
|
||
|
||
# Have unbound attempt to serve old responses from cache with a TTL of 0 in
|
||
# the response without waiting for the actual resolution to finish. The
|
||
# actual resolution answer ends up in the cache later on.
|
||
serve-expired: yes
|
||
|
||
# If not 0, then set the SO_RCVBUF socket option to get more buffer space on
|
||
# UDP port 53 incoming queries. So that short spikes on busy servers do not
|
||
# drop packets (see counter in netstat -su). Otherwise, the number of bytes
|
||
# to ask for, try <20>4m<34> on a busy server.
|
||
# The OS caps it at a maximum, on linux Unbound needs root permission to
|
||
# bypass the limit, or the admin can use sysctl net.core.rmem_max.
|
||
# Default: 0 (use system value)
|
||
# For example: sysctl -w net.core.rmem_max=4194304
|
||
# To persist reboots, edit /etc/sysctl.conf to include:
|
||
# net.core.rmem_max=4194304
|
||
# Larger socket buffer. OS may need config.
|
||
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
|
||
#so-rcvbuf: 4m
|
||
|
||
# Open dedicated listening sockets for incoming queries for each thread and
|
||
# try to set the SO_REUSEPORT socket option on each socket. May distribute
|
||
# incoming queries to threads more evenly.
|
||
so-reuseport: yes
|
||
|
||
# If not 0, then set the SO_SNDBUF socket option to get more buffer space
|
||
# on UDP port 53 outgoing queries.
|
||
# Specify the number of bytes to ask for, try <20>4m<34> on a very busy server.
|
||
# The OS caps it at a maximum, on linux Unbound needs root permission to
|
||
# bypass the limit, or the admin can use sysctl net.core.wmem_max.
|
||
# For example: sysctl -w net.core.wmem_max=4194304
|
||
# To persist reboots, edit /etc/sysctl.conf to include:
|
||
# net.core.wmem_max=4194304
|
||
# Default: 0 (use system value)
|
||
# Larger socket buffer. OS may need config.
|
||
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
|
||
#so-sndbuf: 4m
|
||
|
||
###########################################################################
|
||
# PRIVACY SETTINGS
|
||
###########################################################################
|
||
|
||
# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
|
||
# denials, using information from previous NXDO-MAINs answers. In other
|
||
# words, use cached NSEC records to generate negative answers within a
|
||
# range and positive answers from wildcards. This increases performance,
|
||
# decreases latency and resource utilization on both authoritative and
|
||
# recursive servers, and increases privacy. Also, it may help increase
|
||
# resilience to certain DoS attacks in some circumstances.
|
||
aggressive-nsec: yes
|
||
|
||
# Extra delay for timeouted UDP ports before they are closed, in msec.
|
||
# This prevents very delayed answer packets from the upstream (recursive)
|
||
# servers from bouncing against closed ports and setting off all sort of
|
||
# close-port counters, with eg. 1500 msec. When timeouts happen you need
|
||
# extra sockets, it checks the ID and remote IP of packets, and unwanted
|
||
# packets are added to the unwanted packet counter.
|
||
delay-close: 10000
|
||
|
||
# Prevent the unbound server from forking into the background as a daemon
|
||
do-daemonize: no
|
||
|
||
# Add localhost to the do-not-query-address list.
|
||
do-not-query-localhost: no
|
||
|
||
# Number of bytes size of the aggressive negative cache.
|
||
neg-cache-size: 4M
|
||
|
||
# Send minimum amount of information to upstream servers to enhance
|
||
# privacy (best privacy).
|
||
qname-minimisation: yes
|
||
|
||
###########################################################################
|
||
# SECURITY SETTINGS
|
||
###########################################################################
|
||
# Only give access to recursion clients from LAN IPs
|
||
access-control: 127.0.0.1/32 allow
|
||
access-control: 192.168.0.0/16 allow
|
||
access-control: 172.16.0.0/12 allow
|
||
access-control: 10.0.0.0/8 allow
|
||
access-control: fc00::/7 allow
|
||
access-control: ::1/128 allow
|
||
|
||
# File with trust anchor for one zone, which is tracked with RFC5011
|
||
# probes.
|
||
auto-trust-anchor-file: "var/root.key"
|
||
|
||
# Enable chroot (i.e, change apparent root directory for the current
|
||
# running process and its children)
|
||
chroot: "/opt/unbound/etc/unbound"
|
||
|
||
# Deny queries of type ANY with an empty response.
|
||
deny-any: yes
|
||
|
||
# Harden against algorithm downgrade when multiple algorithms are
|
||
# advertised in the DS record.
|
||
harden-algo-downgrade: yes
|
||
|
||
# RFC 8020. returns nxdomain to queries for a name below another name that
|
||
# is already known to be nxdomain.
|
||
harden-below-nxdomain: yes
|
||
|
||
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
|
||
# zone becomes bogus. If turned off you run the risk of a downgrade attack
|
||
# that disables security for a zone.
|
||
harden-dnssec-stripped: yes
|
||
|
||
# Only trust glue if it is within the servers authority.
|
||
harden-glue: yes
|
||
|
||
# Ignore very large queries.
|
||
harden-large-queries: yes
|
||
|
||
# Perform additional queries for infrastructure data to harden the referral
|
||
# path. Validates the replies if trust anchors are configured and the zones
|
||
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
|
||
# nameserver addresses that are encountered on the referral path to the
|
||
# answer. Experimental option.
|
||
harden-referral-path: no
|
||
|
||
# Ignore very small EDNS buffer sizes from queries.
|
||
harden-short-bufsize: yes
|
||
|
||
# If enabled the HTTP header User-Agent is not set. Use with caution
|
||
# as some webserver configurations may reject HTTP requests lacking
|
||
# this header. If needed, it is better to explicitly set the
|
||
# the http-user-agent.
|
||
hide-http-user-agent: no
|
||
|
||
# Refuse id.server and hostname.bind queries
|
||
hide-identity: yes
|
||
|
||
# Refuse version.server and version.bind queries
|
||
hide-version: yes
|
||
|
||
# Set the HTTP User-Agent header for outgoing HTTP requests. If
|
||
# set to "", the default, then the package name and version are
|
||
# used.
|
||
http-user-agent: "DNS"
|
||
|
||
# Report this identity rather than the hostname of the server.
|
||
identity: "DNS"
|
||
|
||
# These private network addresses are not allowed to be returned for public
|
||
# internet names. Any occurrence of such addresses are removed from DNS
|
||
# answers. Additionally, the DNSSEC validator may mark the answers bogus.
|
||
# This protects against DNS Rebinding
|
||
private-address: 10.0.0.0/8
|
||
private-address: 172.16.0.0/12
|
||
private-address: 192.168.0.0/16
|
||
private-address: 169.254.0.0/16
|
||
private-address: fd00::/8
|
||
private-address: fe80::/10
|
||
private-address: ::ffff:0:0/96
|
||
|
||
# Enable ratelimiting of queries (per second) sent to nameserver for
|
||
# performing recursion. More queries are turned away with an error
|
||
# (servfail). This stops recursive floods (e.g., random query names), but
|
||
# not spoofed reflection floods. Cached responses are not rate limited by
|
||
# this setting. Experimental option.
|
||
ratelimit: 1000
|
||
|
||
# Use this certificate bundle for authenticating connections made to
|
||
# outside peers (e.g., auth-zone urls, DNS over TLS connections).
|
||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||
|
||
# Set the total number of unwanted replies to eep track of in every thread.
|
||
# When it reaches the threshold, a defensive action of clearing the rrset
|
||
# and message caches is taken, hopefully flushing away any poison.
|
||
# Unbound suggests a value of 10 million.
|
||
unwanted-reply-threshold: 10000
|
||
|
||
# Use 0x20-encoded random bits in the query to foil spoof attempts. This
|
||
# perturbs the lowercase and uppercase of query names sent to authority
|
||
# servers and checks if the reply still has the correct casing.
|
||
# This feature is an experimental implementation of draft dns-0x20.
|
||
# Experimental option.
|
||
# Don't use Capitalization randomization as it known to cause DNSSEC issues
|
||
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
|
||
use-caps-for-id: yes
|
||
|
||
# Help protect users that rely on this validator for authentication from
|
||
# potentially bad data in the additional section. Instruct the validator to
|
||
# remove data from the additional section of secure messages that are not
|
||
# signed properly. Messages that are insecure, bogus, indeterminate or
|
||
# unchecked are not affected.
|
||
val-clean-additional: yes
|
||
|
||
###########################################################################
|
||
# FORWARD ZONE
|
||
###########################################################################
|
||
|
||
#include: /opt/unbound/etc/unbound/forward-records.conf
|
||
|
||
###########################################################################
|
||
# LOCAL ZONE
|
||
###########################################################################
|
||
|
||
# Include file for local-data and local-data-ptr
|
||
#include: /opt/unbound/etc/unbound/a-records.conf
|
||
#include: /opt/unbound/etc/unbound/srv-records.conf
|
||
|
||
###########################################################################
|
||
# WILDCARD INCLUDE
|
||
###########################################################################
|
||
#include: "/opt/unbound/etc/unbound/*.conf"
|
||
|
||
remote-control:
|
||
control-enable: no |