mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-04-20 22:26:50 +02:00
151 lines
5.7 KiB
Diff
151 lines
5.7 KiB
Diff
Customize unbound.conf. Some changes are inspired by Fedora.
|
|
|
|
--- a/doc/example.conf.in
|
|
+++ b/doc/example.conf.in
|
|
@@ -44,13 +44,15 @@
|
|
# statistics-inhibit-zero: yes
|
|
|
|
# number of threads to create. 1 disables threading.
|
|
- # num-threads: 1
|
|
+ num-threads: 4
|
|
|
|
# specify the interfaces to answer queries from by ip-address.
|
|
# The default is to listen to localhost (127.0.0.1 and ::1).
|
|
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
|
|
# specify every interface[@port] on a new 'interface:' labelled line.
|
|
# The listen interfaces are not changed on reload, only on restart.
|
|
+ # interface: 0.0.0.0
|
|
+ # interface: ::0
|
|
# interface: 192.0.2.153
|
|
# interface: 192.0.2.154
|
|
# interface: 192.0.2.154@5003
|
|
@@ -59,6 +61,7 @@
|
|
|
|
# enable this feature to copy the source address of queries to reply.
|
|
# Socket options are not supported on all platforms. experimental.
|
|
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0.
|
|
# interface-automatic: no
|
|
|
|
# instead of the default port, open additional ports separated by
|
|
@@ -94,7 +97,8 @@
|
|
|
|
# permit Unbound to use this port number or port range for
|
|
# making outgoing queries, using an outgoing interface.
|
|
- # outgoing-port-permit: 32768
|
|
+ # NOTE: 32768-60999 is the ephemeral port range on Linux.
|
|
+ outgoing-port-permit: 32768-60999
|
|
|
|
# deny Unbound the use this of port number or port range for
|
|
# making outgoing queries, using an outgoing interface.
|
|
@@ -276,6 +280,8 @@
|
|
# nat64-prefix: 64:ff9b::0/96
|
|
|
|
# Enable UDP, "yes" or "no".
|
|
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
|
|
+ # disable UDP to avoid being used in DNS amplification attacks.
|
|
# do-udp: yes
|
|
|
|
# Enable TCP, "yes" or "no".
|
|
@@ -473,9 +479,6 @@
|
|
# print log lines that say why queries return SERVFAIL to clients.
|
|
# log-servfail: no
|
|
|
|
- # the pid file. Can be an absolute path outside of chroot/work dir.
|
|
- # pidfile: "@UNBOUND_PIDFILE@"
|
|
-
|
|
# file to read root hints from.
|
|
# get one from https://www.internic.net/domain/named.cache
|
|
# root-hints: ""
|
|
@@ -594,7 +597,7 @@
|
|
# threshold, a warning is printed and a defensive action is taken,
|
|
# the cache is cleared to flush potential poison out of it.
|
|
# A suggested value is 10000000, the default is 0 (turned off).
|
|
- # unwanted-reply-threshold: 0
|
|
+ unwanted-reply-threshold: 10000000
|
|
|
|
# Do not query the following addresses. No DNS queries are sent there.
|
|
# List one address per entry. List classless netblocks with /size,
|
|
@@ -640,7 +643,7 @@
|
|
# And then enable the auto-trust-anchor-file config item.
|
|
# Please note usage of unbound-anchor root anchor is at your own risk
|
|
# and under the terms of our LICENSE (see that file in the source).
|
|
- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
|
|
+ # auto-trust-anchor-file: ""
|
|
|
|
# trust anchor signaling sends a RFC8145 key tag query after priming.
|
|
# trust-anchor-signaling: yes
|
|
@@ -651,8 +654,8 @@
|
|
# File with trusted keys for validation. Specify more than one file
|
|
# with several entries, one file per entry.
|
|
# Zone file format, with DS and DNSKEY entries.
|
|
- # Note this gets out of date, use auto-trust-anchor-file please.
|
|
- # trust-anchor-file: ""
|
|
+ # NOTE: This file is provided by the dnssec-root package.
|
|
+ trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
|
|
|
|
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
|
# single line, surrounded by "". TTL is ignored. class is IN default.
|
|
@@ -701,6 +704,7 @@
|
|
# instead of SERVFAIL. It still performs the security checks, which
|
|
# result in interesting log files and possibly the AD bit in
|
|
# replies if the message is found secure. The default is off.
|
|
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY!
|
|
# val-permissive-mode: no
|
|
|
|
# Ignore the CD flag in incoming queries and refuse them bogus data.
|
|
@@ -746,7 +750,7 @@
|
|
|
|
# Have the validator log failed validations for your diagnosis.
|
|
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
|
|
- # val-log-level: 0
|
|
+ val-log-level: 1
|
|
|
|
# It is possible to configure NSEC3 maximum iteration counts per
|
|
# keysize. Keep this table very short, as linear search is done.
|
|
@@ -900,8 +904,8 @@
|
|
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
|
|
# Give the certificate to use and private key.
|
|
# default is "" (disabled). requires restart to take effect.
|
|
- # tls-service-key: "path/to/privatekeyfile.key"
|
|
- # tls-service-pem: "path/to/publiccertfile.pem"
|
|
+ # tls-service-key: "/etc/unbound/doh-server.key"
|
|
+ # tls-service-pem: "/etc/unbound/doh-server.pem"
|
|
# tls-port: 853
|
|
# https-port: 443
|
|
|
|
@@ -1045,12 +1049,12 @@
|
|
# cookie-secret: <128 bit random hex string>
|
|
|
|
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
|
|
- # ede: no
|
|
+ ede: yes
|
|
|
|
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
|
|
# Answer as EDNS0 option to expired responses.
|
|
# Note that the ede option above needs to be enabled for this to work.
|
|
- # ede-serve-expired: no
|
|
+ ede-serve-expired: yes
|
|
|
|
# Specific options for ipsecmod. Unbound needs to be configured with
|
|
# --enable-ipsecmod for these to take effect.
|
|
@@ -1113,12 +1117,13 @@
|
|
remote-control:
|
|
# Enable remote control with unbound-control(8) here.
|
|
# set up the keys and certificates with unbound-control-setup.
|
|
- # control-enable: no
|
|
+ control-enable: yes
|
|
|
|
# what interfaces are listened to for remote control.
|
|
# give 0.0.0.0 and ::0 to listen to all interfaces.
|
|
# set to an absolute path to use a unix local name pipe, certificates
|
|
# are not used for that, so key and cert files need not be present.
|
|
+ control-interface: /run/unbound.control.sock
|
|
# control-interface: 127.0.0.1
|
|
# control-interface: ::1
|
|
|
|
@@ -1356,3 +1361,5 @@
|
|
# rpz-signal-nxdomain-ra: no
|
|
# for-downstream: no
|
|
# tags: "example"
|
|
+
|
|
+include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
|