69 lines
1.7 KiB
Plaintext
69 lines
1.7 KiB
Plaintext
server:
|
|
# the working directory.
|
|
directory: "/etc/unbound"
|
|
|
|
# run as the unbound user
|
|
username: unbound
|
|
|
|
verbosity: 0 # uncomment and increase to get more logging.
|
|
# logfile: "/var/log/unbound.log" # won't work due to apparmor
|
|
# use-syslog: no
|
|
|
|
# By default listen only to localhost
|
|
#interface: ::1
|
|
#interface: 127.0.0.1
|
|
port: 53
|
|
|
|
# Only allow localhost to use this Unbound instance.
|
|
access-control: 127.0.0.1/8 allow
|
|
access-control: ::1/128 allow
|
|
|
|
# Private IP ranges, which shall never be returned or forwarded as public DNS response.
|
|
private-address: 10.0.0.0/8
|
|
private-address: 172.16.0.0/12
|
|
private-address: 192.168.0.0/16
|
|
private-address: 169.254.0.0/16
|
|
private-address: fd00::/8
|
|
private-address: fe80::/10
|
|
|
|
# Functionality
|
|
do-ip4: yes
|
|
do-ip6: yes
|
|
do-udp: yes
|
|
do-tcp: yes
|
|
|
|
# Performance
|
|
num-threads: 2
|
|
cache-min-ttl: 300
|
|
cache-max-ttl: 86400
|
|
serve-expired: yes
|
|
neg-cache-size: 4M
|
|
msg-cache-size: 50m
|
|
rrset-cache-size: 100m
|
|
|
|
so-reuseport: yes
|
|
so-rcvbuf: 4m
|
|
so-sndbuf: 4m
|
|
|
|
# Privacy / hardening
|
|
# hide server info from clients
|
|
hide-identity: yes
|
|
hide-version: yes
|
|
harden-glue: yes
|
|
harden-dnssec-stripped: yes
|
|
harden-algo-downgrade: yes
|
|
harden-large-queries: yes
|
|
harden-short-bufsize: yes
|
|
|
|
rrset-roundrobin: yes
|
|
minimal-responses: yes
|
|
identity: "Server"
|
|
|
|
# Include possible white/blacklists
|
|
include: /etc/unbound/lists.d/*.conf
|
|
|
|
remote-control:
|
|
control-enable: yes
|
|
control-port: 953
|
|
|