blob: 528405a9fac1d61efcef091e0b5742e8e369a2f8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
# $OpenBSD: unbound.conf,v 1.19 2019/11/07 15:46:37 sthen Exp $
server:
interface: 127.0.0.1
#interface: 127.0.0.1@5353 # listen on alternative port
interface: ::1
#do-ip6: no
# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
#outgoing-interface: 192.0.2.1
#outgoing-interface: 2001:db8::53
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
hide-identity: yes
hide-version: yes
# Perform DNSSEC validation. Comment out the below option to disable.
#
auto-trust-anchor-file: "/var/unbound/db/root.key"
val-log-level: 2
# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
# https://tools.ietf.org/html/rfc8198
#
aggressive-nsec: yes
# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
#local-zone: "local." static
#local-data: "mycomputer.local. IN A 192.0.2.51"
#local-zone: "2.0.192.in-addr.arpa." static
#local-data-ptr: "192.0.2.51 mycomputer.local"
# UDP EDNS reassembly buffer advertised to peers. Default 4096.
# May need lowering on broken networks with fragmentation/MTU issues,
# particularly if validating DNSSEC.
#
#edns-buffer-size: 1480
# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#
#tcp-upstream: yes
# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification. Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
#tls-cert-bundle: "/etc/ssl/cert.pem"
remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock
# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
# name: "." # use for ALL queries
# forward-addr: 192.0.2.53 # example address only
# forward-first: yes # try direct if forwarder fails
# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
#forward-zone:
# name: "."
# forward-tls-upstream: yes # use DNS-over-TLS forwarder
# forward-first: no # do NOT send direct
# # the hostname after "#" is not a comment, it is used for TLS checks:
# forward-addr: 192.0.2.53@853#resolver.hostname.example
|