Return to unbound.conf CVS log | Up to [local] / src / etc |
File: [local] / src / etc / unbound.conf (download)
Revision 1.21, Wed Oct 28 11:35:58 2020 UTC (3 years, 6 months ago) by sthen
Remove commented-out edns-buffer-size section from the default unbound.conf. The default in Unbound (and other DNS server software in the recent "DNS flag day") changed to 1232 bytes, this avoids problems due to fragmented packets (fragments can result in blackholes and also enable some attack vectors) so there's now little reason to reduce this from defaults, and increasing it is more of a specialist use case that isn't really needed in this streamlined default config. |
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $ server: interface: 127.0.0.1 #interface: 127.0.0.1@5353 # listen on alternative port interface: ::1 #do-ip6: no # override the default "any" address to send queries; if multiple # addresses are available, they are used randomly to counter spoofing #outgoing-interface: 192.0.2.1 #outgoing-interface: 2001:db8::53 access-control: 0.0.0.0/0 refuse access-control: 127.0.0.0/8 allow access-control: ::0/0 refuse access-control: ::1 allow hide-identity: yes hide-version: yes # Perform DNSSEC validation. # auto-trust-anchor-file: "/var/unbound/db/root.key" val-log-level: 2 # Synthesize NXDOMAINs from DNSSEC NSEC chains. # https://tools.ietf.org/html/rfc8198 # aggressive-nsec: yes # Serve zones authoritatively from Unbound to resolver clients. # Not for external service. # #local-zone: "local." static #local-data: "mycomputer.local. IN A 192.0.2.51" #local-zone: "2.0.192.in-addr.arpa." static #local-data-ptr: "192.0.2.51 mycomputer.local" # Use TCP for "forward-zone" requests. Useful if you are making # DNS requests over an SSH port forwarding. # #tcp-upstream: yes # CA Certificates used for forward-tls-upstream (RFC7858) hostname # verification. Since it's outside the chroot it is only loaded at # startup and thus cannot be changed via a reload. #tls-cert-bundle: "/etc/ssl/cert.pem" remote-control: control-enable: yes control-interface: /var/run/unbound.sock # Use an upstream forwarder (recursive resolver) for some or all zones. # #forward-zone: # name: "." # use for ALL queries # forward-addr: 192.0.2.53 # example address only # forward-first: yes # try direct if forwarder fails # Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext # if that fails. #forward-zone: # name: "." # forward-tls-upstream: yes # use DNS-over-TLS forwarder # forward-first: no # do NOT send direct # # the hostname after "#" is not a comment, it is used for TLS checks: # forward-addr: 192.0.2.53@853#resolver.hostname.example