133 lines
5.9 KiB
Plaintext
133 lines
5.9 KiB
Plaintext
server:
|
|
verbosity: 1
|
|
|
|
# number of threads to create. 1 disables threading.
|
|
# num-threads: 1
|
|
|
|
# specify the interfaces to answer queries from by ip-address.
|
|
interface: 0.0.0.0
|
|
interface: ::0
|
|
|
|
# Detach from the terminal, run in background, "yes" or "no".
|
|
# Set the value to "no" when unbound runs as systemd service.
|
|
do-daemonize: no
|
|
|
|
# control which clients are allowed to make (recursive) queries
|
|
# to this server. Specify classless netblocks with /size and action.
|
|
# By default everything is refused, except for localhost.
|
|
# Choose deny (drop message), refuse (polite error reply),
|
|
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
|
|
# deny_non_local (drop queries unless can be answered from local-data)
|
|
# refuse_non_local (like deny_non_local but polite error reply).
|
|
#access-control: 172.23.0.0/16 allow
|
|
|
|
# if given, user privileges are dropped (after binding port),
|
|
# and the given username is assumed. Default is user "unbound".
|
|
# If you give "" no privileges are dropped.
|
|
# username: "unbound"
|
|
|
|
# print one line with time, IP, name, type, class for every query.
|
|
# log-queries: no
|
|
log-queries: yes
|
|
|
|
# print one line per reply, with time, IP, name, type, class, rcode,
|
|
# timetoresolve, fromcache and responsesize.
|
|
# log-replies: no
|
|
log-replies: yes
|
|
|
|
# log the local-zone actions, like local-zone type inform is enabled
|
|
# also for the other local zone types.
|
|
# log-local-actions: no
|
|
|
|
# print log lines that say why queries return SERVFAIL to clients.
|
|
log-servfail: yes
|
|
|
|
# file to read root hints from.
|
|
# get one from https://www.internic.net/domain/named.cache
|
|
# root-hints: ""
|
|
root-hints: "root.hints"
|
|
|
|
# enable to not answer id.server and hostname.bind queries.
|
|
# hide-identity: no
|
|
hide-identity: yes
|
|
|
|
# enable to not answer version.server and version.bind queries.
|
|
# hide-version: no
|
|
hide-version: yes
|
|
|
|
# enable to not answer trustanchor.unbound queries.
|
|
# hide-trustanchor: no
|
|
|
|
# Sent minimum amount of information to upstream servers to enhance
|
|
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
|
# to NS when possible.
|
|
qname-minimisation: yes
|
|
|
|
# Enforce privacy of these addresses. Strips them away from answers.
|
|
# It may cause DNSSEC validation to additionally mark it as bogus.
|
|
# Protects against 'DNS Rebinding' (uses browser as network proxy).
|
|
# Only 'private-domain' and 'local-data' names are allowed to have
|
|
# these private addresses. No default.
|
|
# private-address: 10.0.0.0/8
|
|
# private-address: 172.16.0.0/12
|
|
# private-address: 192.168.0.0/16
|
|
# private-address: 169.254.0.0/16
|
|
# private-address: fd00::/8
|
|
# private-address: fe80::/10
|
|
# private-address: ::ffff:0:0/96
|
|
|
|
# if yes, Unbound rotates RRSet order in response.
|
|
rrset-roundrobin: yes
|
|
|
|
# if yes, Unbound doesn't insert authority/additional sections
|
|
# into response messages when those sections are not required.
|
|
minimal-responses: yes
|
|
|
|
# true to disable DNSSEC lameness check in iterator.
|
|
# disable-dnssec-lame-check: no
|
|
|
|
# module configuration of the server. A string with identifiers
|
|
# separated by spaces. Syntax: "[dns64] [validator] iterator"
|
|
module-config: "validator iterator"
|
|
|
|
# File with trusted keys, kept uptodate using RFC5011 probes,
|
|
# initial file like trust-anchor-file, then it stores metadata.
|
|
# Use several entries, one per domain name, to track multiple zones.
|
|
#
|
|
# If you want to perform DNSSEC validation, run unbound-anchor before
|
|
# you start unbound (i.e. in the system boot scripts). And enable:
|
|
# Please note usage of unbound-anchor root anchor is at your own risk
|
|
# and under the terms of our LICENSE (see that file in the source).
|
|
#auto-trust-anchor-file: "var/root-anchors.txt"
|
|
|
|
# trust anchor signaling sends a RFC8145 key tag query after priming.
|
|
# trust-anchor-signaling: yes
|
|
|
|
# File with DLV trusted keys. Same format as trust-anchor-file.
|
|
# There can be only one DLV configured, it is trusted from root down.
|
|
# DLV is going to be decommissioned. Please do not use it any more.
|
|
# dlv-anchor-file: "dlv.isc.org.key"
|
|
|
|
# File with trusted keys for validation. Specify more than one file
|
|
# with several entries, one file per entry.
|
|
# Zone file format, with DS and DNSKEY entries.
|
|
# Note this gets out of date, use auto-trust-anchor-file please.
|
|
# trust-anchor-file: "/etc/dnssec/root-anchors.txt"
|
|
trust-anchor-file: "root-anchors.txt"
|
|
|
|
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
|
# single line, surrounded by "". TTL is ignored. class is IN default.
|
|
# Note this gets out of date, use auto-trust-anchor-file please.
|
|
# (These examples are from August 2007 and may not be valid anymore).
|
|
# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
|
|
# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
|
|
|
|
# Turn permissive mode on to permit bogus messages. Thus, messages
|
|
# for which security checks failed will be returned to clients,
|
|
# instead of SERVFAIL. It still performs the security checks, which
|
|
# result in interesting log files and possibly the AD bit in
|
|
# replies if the message is found secure. The default is off.
|
|
#val-permissive-mode: yes
|
|
|
|
include: /etc/unbound/unbound.d/*.conf
|