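## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org
#
# Syntax note: this file is unbound.conf syntax, not YAML.  Repeating a key
# (access-control:, private-address:, local-zone:, ...) is the normal way to
# add entries, and "yes"/"no" are the boolean spellings unbound expects.
#
server:
    # log verbosity
    verbosity: 1

    # specify the interfaces to answer queries from by ip-address.  The default
    # is to listen to localhost (127.0.0.1 and ::1).  specify 0.0.0.0 and ::0 to
    # bind to all available interfaces.  specify every interface[@port] on a new
    # 'interface:' labeled line.  The listen interfaces are not changed on
    # reload, only on restart.
    # NOTE: 0.0.0.0 also binds any public-facing interface on the box.  The
    # access-control list below refuses everything except localhost and
    # 172.16.0.0/12, but binding only the LAN address (interface: <lan-ip>)
    # keeps port 53 off the public side entirely.
    interface: 0.0.0.0

    # port to answer queries from
    port: 53

    # Enable IPv4, "yes" or "no".
    do-ip4: yes

    # Enable IPv6, "yes" or "no".
    do-ip6: no

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
    # quicker to resolve as the functions related to TCP checks are not done.
    # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
    # due to their size (truncated UDP answers are retried over TCP).
    do-tcp: yes

    # control which client ips are allowed to make (recursive) queries to this
    # server. Specify classless netblocks with /size and action.  By default
    # everything is refused, except for localhost.  Choose deny (drop message),
    # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
    # and nonrecursive ok).  Keep LAN clients on "allow": allow_snoop lets a
    # client inspect the cache with non-recursive queries.
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow

    # Read  the  root  hints from this file. Default is nothing, using built in
    # hints for the IN class. The file has the format of  zone files,  with  root
    # nameserver  names  and  addresses  only. The default may become outdated,
    # when servers change,  therefore  it is good practice to use a root-hints
    # file.  get one from ftp://FTP.INTERNIC.NET/domain/named.cache
    # (the same file is also published at https://www.internic.net/domain/named.root;
    # fetch it over HTTPS and refresh it periodically).
    root-hints: "/var/unbound/root.hints"

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    hide-version: yes

    # Will trust glue only if it is within the servers authority.
    # Harden against out of zone rrsets, to avoid spoofing attempts.
    # Hardening queries multiple name servers for the same data to make
    # spoofing significantly harder and does not mandate dnssec.
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
    # turn it off, failing to validate dnskey data for a trustanchor will trigger
    # insecure mode for that zone (like without a trustanchor).  Default on,
    # which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # Further hardening options worth enabling.  They are left commented out
    # because older unbound releases do not know all of them, and unbound
    # refuses to start on an unknown keyword; check `unbound-checkconf` after
    # uncommenting.
    #   harden-referral-path: yes    # validate the name servers in referrals too
    #   harden-algo-downgrade: yes   # do not accept a weaker algorithm than the DS offers
    #   harden-below-nxdomain: yes   # treat names under a proven NXDOMAIN as nonexistent
    #   qname-minimisation: yes      # send only the labels each upstream needs (RFC 7816)
    #   minimal-responses: yes       # omit unneeded additional data from answers

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
    # While upper and lower case letters are allowed in domain names, no significance
    # is attached to the case. That is, two names with the same spelling but
    # different case are to be treated as if identical. This means calomel.org is the
    # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
    use-caps-for-id: yes

    # the time to live (TTL) value lower bound, in seconds. Default 0.
    # If more than an hour could easily give trouble due to stale data.
    # NOTE: this overrides any authoritative TTL shorter than an hour, so
    # record changes (including ones made to revoke a compromised host) are
    # seen up to an hour late by clients of this resolver.
    cache-min-ttl: 3600

    # the time to live (TTL) value cap for RRsets and messages in the
    # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 86400

    # perform prefetching of close to expired message cache entries.  If a client
    # requests the dns lookup and the TTL of the cached hostname is going to
    # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
    # host to the client and (2nd) pre-fetch the dns request from the remote dns
    # server. This method has been shown to increase the amount of cached hits by
    # local clients by 10% on average.
    prefetch: yes

    # number of threads to create. 1 disables threading. This should equal the number
    # of CPU cores in the machine. The calomel example machine has 4 CPU cores;
    # this configuration runs a single thread, and the slab counts below are
    # sized with that in mind (raise num-threads and re-check the slabs together).
    num-threads: 1


    ## Unbound Optimization and Speed Tweaks ###

    # the number of slabs to use for cache and must be a power of 2 times the
    # number of num-threads set above. more slabs reduce lock contention, but
    # fragment memory usage.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

    # Increase the memory size of the cache. Use roughly twice as much rrset cache
    # memory as you use msg cache memory. Due to malloc overhead, the total memory
    # usage is likely to rise to double (or 2.5x) the total cache memory. The calomel
    # test box has 4gig of ram and used 256meg for rrset; the values below are the
    # smaller 64m/32m pair, which keeps the same 2:1 ratio.
    rrset-cache-size: 64m
    msg-cache-size: 32m

    # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
    # the kernel buffer larger so that no messages are lost in spikes in the traffic.
    # The kernel's maximum socket buffer size must allow 1m, otherwise unbound
    # logs a warning at startup and the smaller kernel limit applies.
    so-rcvbuf: 1m

    ## Unbound Optimization and Speed Tweaks ###


    # Enforce privacy of these addresses. Strips them away from answers.  It may
    # cause DNSSEC validation to additionally mark it as bogus.  Protects against
    # 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
    # 'local-data' names are allowed to have these private addresses. No default.
    private-address: 10.0.0.0/8
    #    private-address: 172.16.0.0/12
    # 10.0.0.0/16 is already covered by the 10.0.0.0/8 entry above.
    #    private-address: 10.0.0.0/16
    # The original file listed 192.254.0.0/16 here, which is not an RFC 1918
    # block; treating a public range as private strips legitimate answers.
    # 192.168.0.0/16 is the private range that was presumably intended.
    private-address: 192.168.0.0/16

    # Allow the domain (and its subdomains) to contain private addresses.
    # local-data statements are allowed to contain private addresses too.
    #    private-domain: "wleiden.net"

    # If nonzero, unwanted replies are not only reported in statistics, but also
    # a running total is kept per thread. If it reaches the threshold, a warning
    # is printed and a defensive action is taken, the cache is cleared to flush
    # potential poison out of it.  A suggested value is 10000000, the default is
    # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

    # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND  on
    # localhost you will want to allow the resolver to send queries to localhost.
    # That is do-not-query-localhost: no (as set below).  The default is yes,
    # which keeps the default do-not-query-address entries for localhost in
    # place so nothing listening on 127.0.0.1 can be used as an upstream.  Set
    # it back to yes once testing is done.
    do-not-query-localhost: no

    # File with trusted keys, kept up to date using RFC5011 probes, initial file
    # like trust-anchor-file, then it stores metadata.  Use several entries, one
    # per domain name, to track multiple zones. If you use forward-zone below to
    # query the Google DNS servers you MUST comment out this option or all DNS
    # queries will fail.
    # NOTE: that last claim predates forwarders that return DNSSEC records;
    # test before removing the anchor, because removing it turns validation
    # off entirely.  The file must be writable by the unbound user so the
    # RFC5011 key rollover state can be saved.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Should additional section of secure message also be kept clean of unsecure
    # data. Useful to shield the users of this validator from potential bogus
    # data in the additional section. All unsigned data in the additional section
    # is removed from secure messages.
    val-clean-additional: yes

    # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
    # account for a 70 percent share of all advertising traffic. Block them.
    # (redirect + 127.0.0.1 sends the client to itself; on versions that support
    # it, local-zone type always_nxdomain answers NXDOMAIN instead and needs no
    # local-data line.)
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"


    # Unbound will not load if you specify the same local-zone and local-data
    # servers in the main configuration as well as in this "include:" file. We
    # suggest commenting out any of the local-zone and local-data lines above if
    # you suspect they could be included in the unbound_ad_servers servers file.
    #include: "/var/unbound/unbound_ad_servers"

    # locally served zones can be configured for the machines on the LAN.

    #    local-zone: "wleiden.net" static

    #    local-data: "firewall.home.lan.  IN A 10.0.0.1"
    #    local-data: "laptop.home.lan.    IN A 10.0.0.2"
    #    local-data: "xboxone.home.lan.   IN A 10.0.0.3"
    #    local-data: "ps4.home.lan.       IN A 10.0.0.4"
    #    local-data: "dhcp5.home.lan.     IN A 10.0.0.5"
    #    local-data: "dhcp6.home.lan.     IN A 10.0.0.6"
    #    local-data: "dhcp7.home.lan.     IN A 10.0.0.7"

    #    local-data-ptr: "10.0.0.1  firewall.home.lan"
    #    local-data-ptr: "10.0.0.2  laptop.home.lan"
    #    local-data-ptr: "10.0.0.3  xboxone.home.lan"
    #    local-data-ptr: "10.0.0.4  ps4.home.lan"
    #    local-data-ptr: "10.0.0.5  dhcp5.home.lan"
    #    local-data-ptr: "10.0.0.6  dhcp6.home.lan"
    #    local-data-ptr: "10.0.0.7  dhcp7.home.lan"

    # Unbound can query your NSD or BIND server for private domain queries too.
    # On our NSD page we have NSD configured to serve the private domain,
    # "home.lan". Here we can tell Unbound to connect to the NSD server when it
    # needs to resolve a *.home.lan hostname or IP.  The private-domain line is
    # what lets answers from that zone carry 10.0.0.0/8 addresses despite the
    # private-address entries above.
    #
    # private-domain: "home.lan"
    # local-zone: "0.0.10.in-addr.arpa." nodefault
    # stub-zone:
    #      name: "home.lan"
    #      stub-addr: 10.0.0.111@53

    #
    # include: stub-zone ?????
    #


    # If you have an internal or private DNS names the external DNS servers can
    # not resolve, then you can assign domain name strings to be redirected to a
    # separate dns server. For example, our company has the domain
    # organization.com and the domain name internal.organization.com can not be
    # resolved by Google's public DNS, but can be resolved by our private DNS
    # server located at 1.1.1.1. The following tells Unbound that any
    # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
    # instead of the public dns servers.
    # NOTE: 1.1.1.1 is only an illustrative address here and is today a public
    # resolver; use your own internal server's address in place of it.
    #
    # forward-zone:
    #    name: "organization.com"
    #    forward-addr: 1.1.1.1        # Internal or private DNS

    # Use the following forward-zone to forward all queries to Google DNS,
    # OpenDNS.com or your local ISP's dns servers for example. To test resolution
    # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
    # milliseconds.
    #
    #  forward-zone:
    #     name: "."
    #     forward-addr: 8.8.8.8        # Google Public DNS
    #     forward-addr: 74.82.42.42    # Hurricane Electric
    #     forward-addr: 4.2.2.4        # Level3 Verizon


# Pulls in the forward-zone actually in use on this host (see the examples
# above for the expected contents).  Quoted like the include further up.
include: "/var/unbound/forward-zone"

#
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org
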