
File: [local] / src / etc / unbound.conf (download)

Revision 1.21, Wed Oct 28 11:35:58 2020 UTC (3 years, 6 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, HEAD
Changes since 1.20: +1 -7 lines

Remove commented-out edns-buffer-size section from the default unbound.conf.

The default in Unbound (and other DNS server software in the recent "DNS flag
day") changed to 1232 bytes; this avoids problems due to fragmented packets
(fragments can result in blackholes and also enable some attack vectors),
so there is now little reason to reduce this from the default, and increasing
it is more of a specialist use case that isn't really needed in this
streamlined default config.

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
	# Loopback-only resolver: listen on IPv4 and IPv6 localhost.  Remote
	# clients are refused by the access-control entries below.
	interface: 127.0.0.1
	#interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1
	#do-ip6: no

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	# Default-deny: the most specific matching netblock wins, so the
	# loopback "allow" entries take precedence over the catch-all "refuse".
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	# Do not answer the id.server/hostname.bind and
	# version.server/version.bind CHAOS queries.
	hide-identity: yes
	hide-version: yes

	# Perform DNSSEC validation.
	# Unbound maintains the trust anchor file itself (RFC 5011 key rollover
	# tracking), so it must be writable by the unbound user inside the
	# chroot.  val-log-level 2 logs each validation failure with the reason.
	#
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.
	# https://tools.ietf.org/html/rfc8198
	#
	aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
	# verification.  Since it's outside the chroot it is only loaded at
	# startup and thus cannot be changed via a reload.
	# Required for the DNS-over-TLS forward-zone example at the end of
	# this file to authenticate the upstream.
	#tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
	# unbound-control(8) over a local unix socket.  NOTE(review): for a
	# unix socket path Unbound relies on the socket's file permissions
	# rather than the control-use-cert TLS certificates -- confirm against
	# unbound.conf(5) for the installed version.
	control-enable: yes
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 192.0.2.53		# example address only
#	forward-first: yes			# try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
# NOTE(review): the hostname after "#" is only checked against the server
# certificate when tls-cert-bundle is set in the server section above;
# without it the TLS session is encrypted but not authenticated -- confirm
# for the installed Unbound version.
#forward-zone:
#	name: "."
#	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
#	forward-first: no			# do NOT send direct
#	# the hostname after "#" is not a comment, it is used for TLS checks:
#	forward-addr: 192.0.2.53@853#resolver.hostname.example