

een unbound.conf versie die werkende reverse lookup geeft met sunny als lokaal domein server

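## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org
#
# Validating recursive resolver for the wleiden.net LAN. It caches
# aggressively, blocks a handful of ad domains locally, and hands the
# wleiden.net forward zone plus the 172.16.0.0/12 reverse zones to the
# local authoritative server (see the stub-zone clauses below).
server:
    # log verbosity; 3 prints per-query information and is chatty on a
    # busy resolver -- lower it once the setup is verified
    verbosity: 3

    # with syslog off, log output goes to the log-file option or stderr
    use-syslog: no

    # specify the interfaces to answer queries from by ip-address. The default
    # is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
    # bind to all available interfaces. specify every interface[@port] on a new
    # 'interface:' labeled line. The listen interfaces are not changed on
    # reload, only on restart.
    # The access-control lines further down are the only thing that keeps this
    # from being an open resolver: none of these addresses should be reachable
    # from outside the 172.16.0.0/12 network.
    interface: 127.0.0.1
    interface: 172.17.16.129
    interface: 172.17.65.1
    interface: 172.16.4.124
    interface: 172.16.4.28
    interface: 172.16.3.21
    interface: 172.16.3.85
    interface: 172.17.16.1

    # interface: 0.0.0.0

    # port to answer queries from
    port: 53

    # Enable IPv4, "yes" or "no".
    do-ip4: yes

    # Enable IPv6, "yes" or "no".
    do-ip6: no

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
    # quicker to resolve as the functions related to TCP checks are not done.
    # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
    # due to their size.
    do-tcp: yes

    # control which client ips are allowed to make (recursive) queries to this
    # server. Specify classless netblocks with /size and action. By default
    # everything is refused, except for localhost. Choose deny (drop message),
    # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
    # and nonrecursive ok)
    # Every host in 172.16.0.0/12 may recurse through this server; anything
    # else gets the default refuse.
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow

    # Read the root hints from this file. Default is nothing, using built in
    # hints for the IN class. The file has the format of zone files, with root
    # nameserver names and addresses only. The default may become outdated,
    # when servers change, therefore it is good practice to use a root-hints
    # file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
    root-hints: "/var/unbound/root.hints"

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    hide-version: yes

    # Will trust glue only if it is within the servers authority.
    # Harden against out of zone rrsets, to avoid spoofing attempts.
    # Hardening queries multiple name servers for the same data to make
    # spoofing significantly harder and does not mandate dnssec.
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
    # turn it off, failing to validate dnskey data for a trustanchor will trigger
    # insecure mode for that zone (like without a trustanchor). Default on,
    # which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
    # While upper and lower case letters are allowed in domain names, no significance
    # is attached to the case. That is, two names with the same spelling but
    # different case are to be treated as if identical. This means calomel.org is the
    # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
    use-caps-for-id: yes

    # the time to live (TTL) value lower bound, in seconds. Default 0.
    # This raises upstream TTLs, so a record changed upstream can be served
    # stale for up to an hour. Anything above an hour could easily give
    # trouble due to stale data.
    cache-min-ttl: 3600

    # the time to live (TTL) value cap for RRsets and messages in the
    # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 86400

    # perform prefetching of close to expired message cache entries. If a client
    # requests the dns lookup and the TTL of the cached hostname is going to
    # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
    # host to the client and (2nd) pre-fetch the dns request from the remote dns
    # server. This method has been shown to increase the amount of cached hits by
    # local clients by 10% on average.
    prefetch: yes

    # number of threads to create. 1 disables threading. This should equal the
    # number of CPU cores in the machine. Set to 1 here; if you raise it, keep
    # the *-cache-slabs values below a power of 2 times this number.
    num-threads: 1


    ## Unbound Optimization and Speed Tweaks ###

    # the number of slabs to use for cache and must be a power of 2 times the
    # number of num-threads set above. more slabs reduce lock contention, but
    # fragment memory usage.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

    # Increase the memory size of the cache. Use roughly twice as much rrset cache
    # memory as you use msg cache memory. Due to malloc overhead, the total memory
    # usage is likely to rise to double (or 2.5x) the total cache memory. These
    # values are sized for a small box: expect roughly 200-250 MB in total.
    rrset-cache-size: 64m
    msg-cache-size: 32m

    # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
    # the kernel buffer larger so that no messages are lost in spikes in the traffic.
    so-rcvbuf: 1m

    ## Unbound Optimization and Speed Tweaks ###


    # Enforce privacy of these addresses. Strips them away from answers. It may
    # cause DNSSEC validation to additionally mark it as bogus. Protects against
    # 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
    # 'local-data' names are allowed to have these private addresses. No default.
    private-address: 10.0.0.0/8
    # 172.16.0.0/12 is the LAN's own prefix. Because wleiden.net is a
    # private-domain below, enabling this would still let wleiden.net names
    # carry LAN addresses, while any other name resolving into the LAN would be
    # stripped from answers. It is left off here.
    # NOTE(review): confirm that is intentional rather than a workaround.
    # private-address: 172.16.0.0/12
    # 192.168.0.0/16 is the third RFC 1918 range. The original file listed
    # 192.254.0.0/16, which is public address space and would have stripped
    # legitimate answers for that block -- presumed a typo. (10.0.0.0/16 was
    # also listed; it is already covered by 10.0.0.0/8 above.)
    private-address: 192.168.0.0/16

    # Allow the domain (and its subdomains) to contain private addresses.
    # local-data statements are allowed to contain private addresses too.
    private-domain: "wleiden.net"

    # If nonzero, unwanted replies are not only reported in statistics, but also
    # a running total is kept per thread. If it reaches the threshold, a warning
    # is printed and a defensive action is taken, the cache is cleared to flush
    # potential poison out of it. A suggested value is 10000000, the default is
    # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

    # If yes (the default), unbound never sends queries to 127.0.0.0/8 or ::1.
    # Set it to no when an authoritative server such as NSD or BIND runs on
    # localhost and must be reachable (e.g. for testing and debugging); with no,
    # any delegation that points at a loopback address is followed as well.
    # NOTE(review): the stub-addr used below is 172.16.4.46, not localhost --
    # confirm this still needs to be no.
    do-not-query-localhost: no

    # File with trusted keys, kept up to date using RFC5011 probes, initial file
    # like trust-anchor-file, then it stores metadata. Use several entries, one
    # per domain name, to track multiple zones. Unbound rewrites this file, so
    # it must be writable by the user unbound runs as. If the forward-zone
    # included at the end of this file sends queries to forwarders that do not
    # return DNSSEC records, validation of signed names will fail; use
    # forwarders that pass DNSSEC data through, or comment this option out.

    auto-trust-anchor-file: "/var/unbound/root.key"

    # Should additional section of secure message also be kept clean of unsecure
    # data. Useful to shield the users of this validator from potential bogus
    # data in the additional section. All unsigned data in the additional section
    # is removed from secure messages.
    val-clean-additional: yes

    # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
    # account for a 70 percent share of all advertising traffic. Block them.
    # 'redirect' answers the zone and every name under it from the local-data
    # line, so all subdomains resolve to 127.0.0.1 as well.
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"



    # Unbound will not load if you specify the same local-zone and local-data
    # servers in the main configuration as well as in this "include:" file. We
    # suggest commenting out any of the local-zone and local-data lines above if
    # you suspect they could be included in the unbound_ad_servers servers file.
    #include: "/var/unbound/unbound_ad_servers"

    # locally served zones can be configured for the machines on the LAN.

    # local-zone: "wleiden.net" static
    # local-zone: "16.172.in-addr.arpa" transparent

    # include: /var/unbound/local-data

    # local-data: "cetim2.wleiden.net. IN A 172.17.137.1"
    # local-data: "vosko2.wleiden.net. IN A 172.17.93.1"
    # local-data: "sunny.wleiden.net. IN A 172.16.4.46"
    # local-data: "imi.wleiden.net. IN A 172.17.24.1"
    # local-data: "laptop.home.lan. IN A 10.0.0.2"
    # local-data: "xboxone.home.lan. IN A 10.0.0.3"
    # local-data: "ps4.home.lan. IN A 10.0.0.4"
    # local-data: "dhcp5.home.lan. IN A 10.0.0.5"
    # local-data: "dhcp6.home.lan. IN A 10.0.0.6"
    # local-data: "dhcp7.home.lan. IN A 10.0.0.7"

    # local-data-ptr: "172.17.137.1 cetim2.wleiden.net"
    # local-data-ptr: "172.17.93.1 vosko2.wleiden.net"
    # local-data-ptr: "172.16.4.46 sunny.wleiden.net"
    # local-data-ptr: "172.17.24.1 imi.wleiden.net"
    # local-data-ptr: "10.0.0.2 laptop.home.lan"
    # local-data-ptr: "10.0.0.3 xboxone.home.lan"
    # local-data-ptr: "10.0.0.4 ps4.home.lan"
    # local-data-ptr: "10.0.0.5 dhcp5.home.lan"
    # local-data-ptr: "10.0.0.6 dhcp6.home.lan"
    # local-data-ptr: "10.0.0.7 dhcp7.home.lan"

    # Unbound can query your NSD or BIND server for private domain queries too.
    # On our NSD page we have NSD configured to serve the private domain,
    # "home.lan". Here we can tell Unbound to connect to the NSD server when it
    # needs to resolve a *.home.lan hostname or IP.
    #
    # private-domain: "home.lan"
    # local-zone: "0.0.10.in-addr.arpa." nodefault
    # stub-zone:
    #     name: "home.lan"
    #     stub-addr: 10.0.0.111@53

    # Unbound answers the RFC 1918 reverse zones itself with NXDOMAIN by
    # default and never sends them upstream. 'nodefault' switches that off for
    # 16-31.172.in-addr.arpa so those queries reach the stub-zones below;
    # 10.in-addr.arpa and 168.192.in-addr.arpa keep the default block.
    # (private-domain "wleiden.net" is already declared above, so it is not
    # repeated here.)
    local-zone: "16.172.in-addr.arpa." nodefault
    local-zone: "17.172.in-addr.arpa." nodefault
    local-zone: "18.172.in-addr.arpa." nodefault
    local-zone: "19.172.in-addr.arpa." nodefault
    local-zone: "20.172.in-addr.arpa." nodefault
    local-zone: "21.172.in-addr.arpa." nodefault
    local-zone: "22.172.in-addr.arpa." nodefault
    local-zone: "23.172.in-addr.arpa." nodefault
    local-zone: "24.172.in-addr.arpa." nodefault
    local-zone: "25.172.in-addr.arpa." nodefault
    local-zone: "26.172.in-addr.arpa." nodefault
    local-zone: "27.172.in-addr.arpa." nodefault
    local-zone: "28.172.in-addr.arpa." nodefault
    local-zone: "29.172.in-addr.arpa." nodefault
    local-zone: "30.172.in-addr.arpa." nodefault
    local-zone: "31.172.in-addr.arpa." nodefault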
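# Delegate the LAN zone and its reverse zones to the local authoritative
# server at 172.16.4.46. The matching 'local-zone ... nodefault' lines in the
# server clause are what let the reverse queries reach these stubs; without
# them unbound would answer NXDOMAIN itself.
#
# Every zone has this single stub-addr, so if that host is down, forward and
# reverse resolution for the whole LAN fails rather than falling back.
# NOTE(review): stub answers are still DNSSEC-validated. That is fine while the
# parent zones carry no DS record for these names (they are then provably
# insecure); if that ever changes, sign the zone or add 'domain-insecure:'
# entries for these names in the server clause.
stub-zone:
    name: "wleiden.net"
    stub-addr: 172.16.4.46
stub-zone:
    name: "16.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "17.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "18.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "19.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "20.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "21.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "22.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "23.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "24.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "25.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "26.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "27.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "28.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "29.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "30.172.in-addr.arpa."
    stub-addr: 172.16.4.46
stub-zone:
    name: "31.172.in-addr.arpa."
    stub-addr: 172.16.4.46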
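# If you have internal or private DNS names the external DNS servers can
# not resolve, then you can assign domain name strings to be redirected to a
# separate dns server. For example, our company has the domain
# organization.com and the domain name internal.organization.com can not be
# resolved by Google's public DNS, but can be resolved by our private DNS
# server located at 1.1.1.1. The following tells Unbound that any
# organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
# instead of the public dns servers.
#
# forward-zone:
#     name: "organization.com"
#     forward-addr: 1.1.1.1        # Internal or private DNS

# Use the following forward-zone to forward all queries to Google DNS,
# OpenDNS.com or your local ISP's dns servers for example. To test resolution
# speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
# milliseconds.
#
# forward-zone:
#     name: "."
#     forward-addr: 8.8.8.8        # Google Public DNS
#     forward-addr: 74.82.42.42    # Hurricane Electric
#     forward-addr: 4.2.2.4        # Level3 Verizon


# The live forwarders are kept in a separate file (presumably so they can be
# set per node). If that file defines a forward-zone for ".", every query not
# answered from cache, local data or a stub goes to those forwarders, so they
# must return DNSSEC records for auto-trust-anchor-file validation to succeed.
include: "/var/unbound/forward-zone"

#
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org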
337