aports/main/unbound/conf.patch
2024-07-06 17:00:31 +00:00

151 lines
5.7 KiB
Diff

Customize unbound.conf. Some changes are inspired by Fedora.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -44,13 +44,15 @@
# statistics-inhibit-zero: yes
# number of threads to create. 1 disables threading.
- # num-threads: 1
+ num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
@@ -59,6 +61,7 @@
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0.
# interface-automatic: no
# instead of the default port, open additional ports separated by
@@ -94,7 +97,8 @@
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
- # outgoing-port-permit: 32768
+ # NOTE: 32768-60999 is the ephemeral port range on Linux.
+ outgoing-port-permit: 32768-60999
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
@@ -276,6 +280,8 @@
# nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no".
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
+ # disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable TCP, "yes" or "no".
@@ -473,9 +479,6 @@
# print log lines that say why queries return SERVFAIL to clients.
# log-servfail: no
- # the pid file. Can be an absolute path outside of chroot/work dir.
- # pidfile: "@UNBOUND_PIDFILE@"
-
# file to read root hints from.
# get one from https://www.internic.net/domain/named.cache
# root-hints: ""
@@ -594,7 +597,7 @@
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
- # unwanted-reply-threshold: 0
+ unwanted-reply-threshold: 10000000
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
@@ -640,7 +643,7 @@
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ # auto-trust-anchor-file: ""
# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: yes
@@ -651,8 +654,8 @@
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
- # Note this gets out of date, use auto-trust-anchor-file please.
- # trust-anchor-file: ""
+ # NOTE: This file is provided by the dnssec-root package.
+ trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
@@ -701,6 +704,7 @@
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY!
# val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
@@ -746,7 +750,7 @@
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
- # val-log-level: 0
+ val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
@@ -900,8 +904,8 @@
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-service-key: "/etc/unbound/doh-server.key"
+ # tls-service-pem: "/etc/unbound/doh-server.pem"
# tls-port: 853
# https-port: 443
@@ -1045,12 +1049,12 @@
# cookie-secret: <128 bit random hex string>
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
- # ede: no
+ ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
- # ede-serve-expired: no
+ ede-serve-expired: yes
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
@@ -1113,12 +1117,13 @@
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
- # control-enable: no
+ control-enable: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
+ control-interface: /run/unbound.control.sock
# control-interface: 127.0.0.1
# control-interface: ::1
@@ -1356,3 +1361,5 @@
# rpz-signal-nxdomain-ra: no
# for-downstream: no
# tags: "example"
+
+include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"