source: hybrid/branches/releng-10/nanobsd/files/var/unbound/unbound.conf@ 13417

Last change on this file since 13417 was 13268, checked in by ed, 10 years ago

Unbound is not starting by default
Message : warning: too many file descriptors requested.

Reducing this wil start Unbound. Note this config is not
automaticly generated by wleiden config genisis and the interfaces
needs to be edited by hand for now
File size: 13.2 KB
Line 
1## Authoritative, validating, recursive caching DNS
2## unbound.conf -- https://calomel.org
3#
4server:
5 # log verbosity
6 verbosity: 3
7
8 use-syslog: no
9
10 # specify the interfaces to answer queries from by ip-address. The default
11 # is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
12 # bind to all available interfaces. specify every interface[@port] on a new
13 # 'interface:' labeled line. The listen interfaces are not changed on
14 # reload, only on restart.
15 interface: 127.0.0.1
16 interface: 172.17.16.129
17 interface: 172.17.65.1
18 interface: 172.16.4.124
19 interface: 172.16.4.28
20 interface: 172.16.3.21
21 interface: 172.16.3.85
22 interface: 172.17.16.1
23
24 # interface: 0.0.0.0
25
26 # port to answer queries from
27 port: 53
28
29 # Enable IPv4, "yes" or "no".
30 do-ip4: yes
31
32 # Enable IPv6, "yes" or "no".
33 do-ip6: no
34
35 # Enable UDP, "yes" or "no".
36 do-udp: yes
37
38 # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
39 # quicker to resolve as the functions related to TCP checks are not done.i
40 # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
41 # due to their size.
42 do-tcp: yes
43
44 # control which client ips are allowed to make (recursive) queries to this
45 # server. Specify classless netblocks with /size and action. By default
46 # everything is refused, except for localhost. Choose deny (drop message),
47 # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
48 # and nonrecursive ok)
49 access-control: 127.0.0.0/8 allow
50 access-control: 172.16.0.0/12 allow
51
52 # Read the root hints from this file. Default is nothing, using built in
53 # hints for the IN class. The file has the format of zone files, with root
54 # nameserver names and addresses only. The default may become outdated,
55 # when servers change, therefore it is good practice to use a root-hints
56 # file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
57 root-hints: "/var/unbound/root.hints"
58
59 # enable to not answer id.server and hostname.bind queries.
60 hide-identity: yes
61
62 # enable to not answer version.server and version.bind queries.
63 hide-version: yes
64
65 # Will trust glue only if it is within the servers authority.
66 # Harden against out of zone rrsets, to avoid spoofing attempts.
67 # Hardening queries multiple name servers for the same data to make
68 # spoofing significantly harder and does not mandate dnssec.
69 harden-glue: yes
70
71 # Require DNSSEC data for trust-anchored zones, if such data is absent, the
72 # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
73 # turn it off, failing to validate dnskey data for a trustanchor will trigger
74 # insecure mode for that zone (like without a trustanchor). Default on,
75 # which insists on dnssec data for trust-anchored zones.
76 harden-dnssec-stripped: yes
77
78 # Use 0x20-encoded random bits in the query to foil spoof attempts.
79 # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
80 # While upper and lower case letters are allowed in domain names, no significance
81 # is attached to the case. That is, two names with the same spelling but
82 # different case are to be treated as if identical. This means calomel.org is the
83 # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
84 use-caps-for-id: yes
85
86 # the time to live (TTL) value lower bound, in seconds. Default 0.
87 # If more than an hour could easily give trouble due to stale data.
88 cache-min-ttl: 3600
89
90 # the time to live (TTL) value cap for RRsets and messages in the
91 # cache. Items are not cached for longer. In seconds.
92 cache-max-ttl: 86400
93
94 # perform prefetching of close to expired message cache entries. If a client
95 # requests the dns lookup and the TTL of the cached hostname is going to
96 # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
97 # host to the client and (2nd) pre-fetch the dns request from the remote dns
98 # server. This method has been shown to increase the amount of cached hits by
99 # local clients by 10% on average.
100 prefetch: yes
101
102 # number of threads to create. 1 disables threading. This should equal the number
103 # of CPU cores in the machine. Our example machine has 4 CPU cores.
104 num-threads: 1
105
106
107 ## Unbound Optimization and Speed Tweaks ###
108
109 # the number of slabs to use for cache and must be a power of 2 times the
110 # number of num-threads set above. more slabs reduce lock contention, but
111 # fragment memory usage.
112 msg-cache-slabs: 8
113 rrset-cache-slabs: 8
114 infra-cache-slabs: 8
115 key-cache-slabs: 8
116
117 # Increase the memory size of the cache. Use roughly twice as much rrset cache
118 # memory as you use msg cache memory. Due to malloc overhead, the total memory
119 # usage is likely to rise to double (or 2.5x) the total cache memory. The test
120 # box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
121 rrset-cache-size: 64m
122 msg-cache-size: 32m
123
124 # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
125 # the kernel buffer larger so that no messages are lost in spikes in the traffic.
126 so-rcvbuf: 1m
127
128 ## Unbound Optimization and Speed Tweaks ###
129 ## To prevent : error: too many file descriptors requested at startup
130 outgoing-range: 900
131
132 # Enforce privacy of these addresses. Strips them away from answers. It may
133 # cause DNSSEC validation to additionally mark it as bogus. Protects against
134 # 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
135 # 'local-data' names are allowed to have these private addresses. No default.
136 private-address: 10.0.0.0/8
137# private-address: 172.16.0.0/12
138 private-address: 10.0.0.0/16
139 private-address: 192.254.0.0/16
140
141 # Allow the domain (and its subdomains) to contain private addresses.
142 # local-data statements are allowed to contain private addresses too.
143 private-domain: "wleiden.net"
144
145 # If nonzero, unwanted replies are not only reported in statistics, but also
146 # a running total is kept per thread. If it reaches the threshold, a warning
147 # is printed and a defensive action is taken, the cache is cleared to flush
148 # potential poison out of it. A suggested value is 10000000, the default is
149 # 0 (turned off). We think 10K is a good value.
150 unwanted-reply-threshold: 10000
151
152 # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
153 # localhost you will want to allow the resolver to send queries to localhost.
154 # Make sure to set do-not-query-localhost: yes . If yes, the above default
155 # do-not-query-address entries are present. if no, localhost can be queried
156 # (for testing and debugging).
157 do-not-query-localhost: no
158
159 # File with trusted keys, kept up to date using RFC5011 probes, initial file
160 # like trust-anchor-file, then it stores metadata. Use several entries, one
161 # per domain name, to track multiple zones. If you use forward-zone below to
162 # query the Google DNS servers you MUST comment out this option or all DNS
163 # queries will fail.
164
165 auto-trust-anchor-file: "/var/unbound/root.key"
166
167 # Should additional section of secure message also be kept clean of unsecure
168 # data. Useful to shield the users of this validator from potential bogus
169 # data in the additional section. All unsigned data in the additional section
170 # is removed from secure messages.
171 val-clean-additional: yes
172
173 # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
174 # account for a 70 percent share of all advertising traffic. Block them.
175 local-zone: "doubleclick.net" redirect
176 local-data: "doubleclick.net A 127.0.0.1"
177 local-zone: "googlesyndication.com" redirect
178 local-data: "googlesyndication.com A 127.0.0.1"
179 local-zone: "googleadservices.com" redirect
180 local-data: "googleadservices.com A 127.0.0.1"
181 local-zone: "google-analytics.com" redirect
182 local-data: "google-analytics.com A 127.0.0.1"
183 local-zone: "ads.youtube.com" redirect
184 local-data: "ads.youtube.com A 127.0.0.1"
185 local-zone: "adserver.yahoo.com" redirect
186 local-data: "adserver.yahoo.com A 127.0.0.1"
187
188
189
190 # Unbound will not load if you specify the same local-zone and local-data
191 # servers in the main configuration as well as in this "include:" file. We
192 # suggest commenting out any of the local-zone and local-data lines above if
193 # you suspect they could be included in the unbound_ad_servers servers file.
194 #include: "/var/unbound/unbound_ad_servers"
195
196 # locally served zones can be configured for the machines on the LAN.
197
198 # local-zone: "wleiden.net" static
199 # local-zone: "16.172.in-addr.arpa" transparent
200
201 # include: /var/unbound/local-data
202
203# local-data: "cetim2.wleiden.net. IN A 172.17.137.1"
204# local-data: "vosko2.wleiden.net. IN A 172.17.93.1"
205# local-data: "sunny.wleiden.net. IN A 172.16.4.46"
206# local-data: "imi.wleiden.net. IN A 172.17.24.1"
207# local-data: "laptop.home.lan. IN A 10.0.0.2"
208# local-data: "xboxone.home.lan. IN A 10.0.0.3"
209# local-data: "ps4.home.lan. IN A 10.0.0.4"
210# local-data: "dhcp5.home.lan. IN A 10.0.0.5"
211# local-data: "dhcp6.home.lan. IN A 10.0.0.6"
212# local-data: "dhcp7.home.lan. IN A 10.0.0.7"
213
214# local-data-ptr: "172.17.137.1 cetim2.wleiden.net"
215# local-data-ptr: "172.17.93.1 vosko2.wleiden.net"
216# local-data-ptr: "172.16.4.46 sunny.wleiden.net"
217# local-data-ptr: "172.17.24.1 imi.wleiden.net"
218# local-data-ptr: "10.0.0.2 laptop.home.lan"
219# local-data-ptr: "10.0.0.3 xboxone.home.lan"
220# local-data-ptr: "10.0.0.4 ps4.home.lan"
221# local-data-ptr: "10.0.0.5 dhcp5.home.lan"
222# local-data-ptr: "10.0.0.6 dhcp6.home.lan"
223# local-data-ptr: "10.0.0.7 dhcp7.home.lan"
224
225 # Unbound can query your NSD or BIND server for private domain queries too.
226 # On our NSD page we have NSD configured to serve the private domain,
227 # "home.lan". Here we can tell Unbound to connect to the NSD server when it
228 # needs to resolve a *.home.lan hostname or IP.
229 #
230 # private-domain: "home.lan"
231 # local-zone: "0.0.10.in-addr.arpa." nodefault
232 # stub-zone:
233 # name: "home.lan"
234 # stub-addr: 10.0.0.111@53
235
236#
237# include: stub-zone ?????
238#
239
240 private-domain: "wleiden.net"
241 local-zone: "16.172.in-addr.arpa." nodefault
242 local-zone: "17.172.in-addr.arpa." nodefault
243 local-zone: "18.172.in-addr.arpa." nodefault
244 local-zone: "19.172.in-addr.arpa." nodefault
245 local-zone: "20.172.in-addr.arpa." nodefault
246 local-zone: "21.172.in-addr.arpa." nodefault
247 local-zone: "22.172.in-addr.arpa." nodefault
248 local-zone: "23.172.in-addr.arpa." nodefault
249 local-zone: "24.172.in-addr.arpa." nodefault
250 local-zone: "25.172.in-addr.arpa." nodefault
251 local-zone: "26.172.in-addr.arpa." nodefault
252 local-zone: "27.172.in-addr.arpa." nodefault
253 local-zone: "28.172.in-addr.arpa." nodefault
254 local-zone: "29.172.in-addr.arpa." nodefault
255 local-zone: "30.172.in-addr.arpa." nodefault
256 local-zone: "31.172.in-addr.arpa." nodefault
257 stub-zone:
258 name: "wleiden.net"
259 stub-addr: 172.16.4.46
260 stub-zone:
261 name: "16.172.in-addr.arpa."
262 stub-addr: 172.16.4.46
263 stub-zone:
264 name: "17.172.in-addr.arpa."
265 stub-addr: 172.16.4.46
266 stub-zone:
267 name: "18.172.in-addr.arpa."
268 stub-addr: 172.16.4.46
269 stub-zone:
270 name: "19.172.in-addr.arpa."
271 stub-addr: 172.16.4.46
272 stub-zone:
273 name: "20.172.in-addr.arpa."
274 stub-addr: 172.16.4.46
275 stub-zone:
276 name: "21.172.in-addr.arpa."
277 stub-addr: 172.16.4.46
278 stub-zone:
279 name: "22.172.in-addr.arpa."
280 stub-addr: 172.16.4.46
281 stub-zone:
282 name: "23.172.in-addr.arpa."
283 stub-addr: 172.16.4.46
284 stub-zone:
285 name: "24.172.in-addr.arpa."
286 stub-addr: 172.16.4.46
287 stub-zone:
288 name: "25.172.in-addr.arpa."
289 stub-addr: 172.16.4.46
290 stub-zone:
291 name: "26.172.in-addr.arpa."
292 stub-addr: 172.16.4.46
293 stub-zone:
294 name: "27.172.in-addr.arpa."
295 stub-addr: 172.16.4.46
296 stub-zone:
297 name: "28.172.in-addr.arpa."
298 stub-addr: 172.16.4.46
299 stub-zone:
300 name: "29.172.in-addr.arpa."
301 stub-addr: 172.16.4.46
302 stub-zone:
303 name: "30.172.in-addr.arpa."
304 stub-addr: 172.16.4.46
305 stub-zone:
306 name: "31.172.in-addr.arpa."
307 stub-addr: 172.16.4.46
308 # If you have an internal or private DNS names the external DNS servers can
309 # not resolve, then you can assign domain name strings to be redirected to a
310 # seperate dns server. For example, our comapny has the domain
311 # organization.com and the domain name internal.organization.com can not be
312 # resolved by Google's public DNS, but can be resolved by our private DNS
313 # server located at 1.1.1.1. The following tells Unbound that any
314 # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
315 # instead of the public dns servers.
316 #
317 # forward-zone:
318 # name: "organization.com"
319 # forward-addr: 1.1.1.1 # Internal or private DNS
320
321 # Use the following forward-zone to forward all queries to Google DNS,
322 # OpenDNS.com or your local ISP's dns servers for example. To test resolution
323 # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
324 # milliseconds.
325 #
326 # forward-zone:
327 # name: "."
328 # forward-addr: 8.8.8.8 # Google Public DNS
329 # forward-addr: 74.82.42.42 # Hurricane Electric
330 # forward-addr: 4.2.2.4 # Level3 Verizon
331
332
333 include: /var/unbound/forward-zone
334
335#
336## Authoritative, validating, recursive caching DNS
337## unbound.conf -- https://calomel.org
338
Note: See TracBrowser for help on using the repository browser.