-
Notifications
You must be signed in to change notification settings - Fork 80
/
unbound-example.conf
93 lines (91 loc) · 2.61 KB
/
unbound-example.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
## This is an example Unbound configuration file
## This is needed to use unbound_exporter
remote-control:
control-enable: yes
control-interface: /var/run/socket/unbound.ctl
# The rest of this file is standard Unbound configuration
# There's nothing special here.
server:
module-config: "respip validator iterator"
extended-statistics: yes
cache-max-ttl: 86400
cache-min-ttl: 300
directory: "/opt/unbound/etc/unbound"
do-ip4: yes
do-ip6: no
do-tcp: yes
do-udp: yes
edns-buffer-size: 1232
interface: 0.0.0.0
port: 1053
prefer-ip6: no
rrset-roundrobin: yes
username: "_unbound"
log-local-actions: no
log-queries: no
log-replies: no
log-servfail: yes
logfile: /opt/unbound/etc/unbound/unbound.log
verbosity: 2
infra-cache-slabs: 4
incoming-num-tcp: 10
key-cache-slabs: 4
msg-cache-size: 142768128
msg-cache-slabs: 4
num-queries-per-thread: 4096
num-threads: 3
outgoing-range: 8192
rrset-cache-size: 285536256
rrset-cache-slabs: 4
minimal-responses: yes
prefetch: yes
prefetch-key: yes
serve-expired: yes
so-reuseport: yes
aggressive-nsec: yes
delay-close: 10000
do-daemonize: no
do-not-query-localhost: no
neg-cache-size: 4M
qname-minimisation: yes
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: fc00::/7 allow
access-control: ::1/128 allow
auto-trust-anchor-file: "/opt/unbound/etc/unbound/var/root.key"
chroot: ""
deny-any: yes
harden-algo-downgrade: yes
harden-below-nxdomain: yes
harden-dnssec-stripped: yes
harden-glue: yes
harden-large-queries: yes
harden-referral-path: no
harden-short-bufsize: yes
hide-http-user-agent: no
hide-identity: yes
hide-version: no
http-user-agent: "DNS"
identity: "DNS"
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
ratelimit: 1000
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
unwanted-reply-threshold: 10000
use-caps-for-id: yes
val-clean-additional: yes
include: /opt/unbound/etc/unbound/a-records.conf
include: /opt/unbound/etc/unbound/srv-records.conf
rpz:
name: unbound_exporter_cloak
zonefile: /opt/unbound/etc/unbound/droplist.zone
rpz-log: yes
rpz-log-name: unbound_exporter_cloak
rpz-action-override: nxdomain