Annotation of src/etc/unbound.conf, Revision 1.17
1.17 ! ajacouto 1: # $OpenBSD: unbound.conf,v 1.16 2019/07/26 17:22:09 sthen Exp $
1.1 sthen 2:
3: server:
4: interface: 127.0.0.1
5: #interface: 127.0.0.1@5353 # listen on alternative port
6: interface: ::1
7: #do-ip6: no
1.7 sthen 8:
9: # override the default "any" address to send queries; if multiple
10: # addresses are available, they are used randomly to counter spoofing
11: #outgoing-interface: 192.0.2.1
12: #outgoing-interface: 2001:db8::53
1.1 sthen 13:
14: access-control: 0.0.0.0/0 refuse
15: access-control: 127.0.0.0/8 allow
16: access-control: ::0/0 refuse
17: access-control: ::1 allow
18:
19: hide-identity: yes
20: hide-version: yes
1.6 sthen 21:
1.12 florian 22: # Uncomment to enable DNSSEC validation.
23: #
24: #auto-trust-anchor-file: "/var/unbound/db/root.key"
1.13 sthen 25: #val-log-level: 2
1.12 florian 26:
27: # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
28: # https://tools.ietf.org/html/rfc8198
29: #
30: #aggressive-nsec: yes
1.1 sthen 31:
32: # Serve zones authoritatively from Unbound to resolver clients.
1.4 millert 33: # Not for external service.
1.1 sthen 34: #
35: #local-zone: "local." static
36: #local-data: "mycomputer.local. IN A 192.0.2.51"
1.4 millert 37: #local-zone: "2.0.192.in-addr.arpa." static
1.1 sthen 38: #local-data-ptr: "192.0.2.51 mycomputer.local"
39:
40: # UDP EDNS reassembly buffer advertised to peers. Default 4096.
41: # May need lowering on broken networks with fragmentation/MTU issues,
42: # particularly if validating DNSSEC.
43: #
44: #edns-buffer-size: 1480
45:
46: # Use TCP for "forward-zone" requests. Useful if you are making
47: # DNS requests over an SSH port forwarding.
48: #
49: #tcp-upstream: yes
1.6 sthen 50:
1.15 dtucker 51: # CA Certificates used for forward-tls-upstream (RFC7858) hostname
52: # verification. Since it's outside the chroot it is only loaded at
53: # startup and thus cannot be changed via a reload.
54: #tls-cert-bundle: "/etc/ssl/cert.pem"
55:
1.5 sthen 56: remote-control:
57: control-enable: yes
58: control-interface: /var/run/unbound.sock
1.1 sthen 59:
1.10 sthen 60: # Use an upstream forwarder (recursive resolver) for some or all zones.
1.1 sthen 61: #
62: #forward-zone:
63: # name: "." # use for ALL queries
1.10 sthen 64: # forward-addr: 192.0.2.53 # example address only
1.1 sthen 65: # forward-first: yes # try direct if forwarder fails
1.15 dtucker 66:
67: # Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
68: # if that fails.
69: #forward-zone:
1.17 ! ajacouto 70: # name: "."
! 71: # forward-tls-upstream: yes # use DNS-over-TLS forwarder
! 72: # forward-first: no # do NOT send direct
! 73: # # the hostname after "#" is not a comment, it is used for TLS checks:
! 74: # forward-addr: 192.0.2.53@853#resolver.hostname.example
![[BACK]](/icons/back.gif){kind=icon}
Return to unbound.conf CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc