-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathunbound.conf
216 lines (191 loc) · 10.8 KB
/
unbound.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
# Version=v1.13 Martineau update (Date Loaded
# v1.13 jumpsmm7 - Add 'serve-expired-ttl-reset: yes'
# - Add 'max-udp-size: 3072'
# - Add 'outgoing-port-*' Templates
# v1.12 Martineau - Add 'interface xxx.xxx.101.1@53/xxx.xxx.102.1@53' templates for Aimesh Guest SSID VLANs when dnsmasq disabled @juched
# Change 'serve-expired-ttl: 3600' to 86400 @juched
# v1.11 Martineau - Add 'private-address: ::/0' Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# - Add IPv6 Private Address 'fd00::/8' and 'fe80::/10'
# - Add If 'do-ip6: yes' set 'edns-buffer-size: 1232' @Linux_Chemist
# - Change 'cache-min-ttl:' removed
# v1.10 Martineau - Change Incorrect CIDR for '172.16.0.0' & '192.168.0.0'
# v1.09 Martineau - Change rpz 'zonefile:' must match @jusched's external script (see 'unbound_rpz.sh'/'rpzsites')
# v1.08 Martineau - Change 'cache-max-ttl: 21600' and 'cache-min-ttl: 5 to 14400/1200'
# - Change 'control-use-cert: no' "Fast Menu" ENABLED by default
# - Add Template for bypassing dnsmasq (port=0) for LAN devices DNS requests (@juched's Extended Statistics GUI)
# - Add '#Stubby' and '#DoT' edit markers for unbound_manager - Hack
# - Add 'outgoing-interface:' template
# - Add 'rpz' feature (requires respip module) introduced unbound v1.10.0 https://dnsrpz.info/ (@juched example)
# v1.07 Martineau - Add 'control-use-cert:' "Fast Menu" template
# v1.06 Martineau - Add 'extended-statistics:' template
# v1.05 Martineau - Add 'DNS-Over-TLS support' & 'so-rcvbuf:' templates
# Remove 'prefetch:' & 'prefetch-key:' duplicates - Thanks @Safemode
# v1.04 Martineau - Change 'ip-ratelimit:'
# v1.03 Martineau - Remove 'dns64-prefix:' and 'module-config: "dns64 ..."' from auto ENABLE if IPv6 detected
# v1.02 Martineau - Add '#use-syslog:' '#log-local-actions:' '#log-tag-queryreply:' Option placeholders
# v1.01 Martineau - Add 'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
# Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
# Add If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'
#-----------------------------------------------------------------------------------------------------------------------------------
server:
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53535 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 127.0.0.1@53535 # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
#interface: 127.0.0.1@53 # v1.10 Required by router if dnsmasq 'disabled'
#interface: xxx.xxx.10x.1@53 # v1.12 AiMesh Guest SSID VLAN TAG (dnsmasq disabled) @juched
#access-control: 0.0.0.0/0 allow # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#outgoing-interface: xxx.xxx.xxx.xxx # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)
#########################################
# integration LOG's
#
#verbosity: 1 # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
log-time-ascii: yes # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
#log-queries: yes
#log-replies: yes
#use-syslog: yes # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
#log-local-actions: yes # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes # v1.01 as per @dave14305 minimal config
#########################################
module-config: "respip validator iterator" # v1.08 add 'respip' for rpz feature @juched
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow # v1.10 Martineau Fix CIDR 16->12
access-control: 192.168.0.0/16 allow # v1.10 @dave14305 Fix CIDR 24->16
# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8 # v1.11 Martineau
private-address: fe80::/10 # v1.11 Martineau
do-ip4: yes
do-udp: yes
do-tcp: yes
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: yes
# edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config
# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 1200 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default
#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################
# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
# The pid file
pidfile: "/opt/var/run/unbound.pid"
# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"
# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################
remote-control:
control-enable: yes
control-use-cert: no # v1.08 Default "Fast Menu" ENABLED v1.07 Martineau "Fast Menu"
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
##########################################
#forward-zone:#Stubby # v1.08 Add #Stubby edit marker
#name: "."
#forward-addr: 127.0.1.1@5453
#forward-addr: 0::1@5453 # integration IPV6
#########################################
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ # v1.05 Martineau
#forward-zone:#DoT # v1.08 Add #DoT edit marker v1.05 DNS-Over-TLS support
#name: "."
#forward-tls-upstream: yes
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
#forward-addr: 1.0.0.1@853#cloudflare-dns.com
#forward-addr: 9.9.9.9@853#dns.quad9.net
#forward-addr: 149.112.112.112@853#dns.quad9.net
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
#forward-addr: 2620:fe::fe@853#dns.quad9.net
#forward-addr: 2620:fe::9@853#dns.quad9.net
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.01 Added the following
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zone
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externally
# and an external cron job will update the DNS Firewall every 00:15 minutes
#
#rpz:#RPZ # v1.08 DNS Firewall
#name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
#zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone # v1.09 Match @juched's 'rpzsites'
#rpz-log: yes
#rpz-log-name: "rpz.urlhaus.abuse.ch"
#rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@