summaryrefslogtreecommitdiff
path: root/etc/unbound.conf
blob: a523ab6f2dfc16fff913546ce9bd7f4c0d21447f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

# $OpenBSD: unbound.conf,v 1.9 2018/12/07 09:21:08 florian Exp $

server:
	interface: 127.0.0.1
	#interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1
	#do-ip6: no

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	hide-identity: yes
	hide-version: yes

	# Uncomment to enable qname minimisation.
	# https://tools.ietf.org/html/rfc7816
	#
	#qname-minimisation: yes

	# Enable DNSSEC validation.
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.  RFC 8198
	aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
	# May need lowering on broken networks with fragmentation/MTU issues,
	# particularly if validating DNSSEC.
	#
	#edns-buffer-size: 1480

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

	# DNS64 options, synthesizes AAAA records for hosts that don't have
	# them. For use with NAT64 (PF "af-to").
	#
	#module-config: "dns64 validator iterator"
	#dns64-prefix: 64:ff9b::/96	# well-known prefix (default)
	#dns64-synthall: no

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for specific zones.
# Example addresses given below are public resolvers valid as of 2014/03.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 74.82.42.42		# he.net
#	forward-addr: 2001:470:20::2		# he.net v6
#	forward-addr: 8.8.8.8			# google.com
#	forward-addr: 2001:4860:4860::8888	# google.com v6
#	forward-addr: 208.67.222.222		# opendns.com
#	forward-first: yes			# try direct if forwarder fails
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-23 04:13:23 +0000