mirror of
https://github.com/openbsd/src.git
synced 2024-12-21 23:18:00 -08:00
4c3a6c80a8
The default in Unbound (and other DNS server software in the recent "DNS flag day") changed to 1232 bytes, this avoids problems due to fragmented packets (fragments can result in blackholes and also enable some attack vectors) so there's now little reason to reduce this from defaults, and increasing it is more of a specialist use case that isn't really needed in this streamlined default config.
69 lines
2.0 KiB
Plaintext
69 lines
2.0 KiB
Plaintext
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
|
|
|
|
server:
|
|
interface: 127.0.0.1
|
|
#interface: 127.0.0.1@5353 # listen on alternative port
|
|
interface: ::1
|
|
#do-ip6: no
|
|
|
|
# override the default "any" address to send queries; if multiple
|
|
# addresses are available, they are used randomly to counter spoofing
|
|
#outgoing-interface: 192.0.2.1
|
|
#outgoing-interface: 2001:db8::53
|
|
|
|
access-control: 0.0.0.0/0 refuse
|
|
access-control: 127.0.0.0/8 allow
|
|
access-control: ::0/0 refuse
|
|
access-control: ::1 allow
|
|
|
|
hide-identity: yes
|
|
hide-version: yes
|
|
|
|
# Perform DNSSEC validation.
|
|
#
|
|
auto-trust-anchor-file: "/var/unbound/db/root.key"
|
|
val-log-level: 2
|
|
|
|
# Synthesize NXDOMAINs from DNSSEC NSEC chains.
|
|
# https://tools.ietf.org/html/rfc8198
|
|
#
|
|
aggressive-nsec: yes
|
|
|
|
# Serve zones authoritatively from Unbound to resolver clients.
|
|
# Not for external service.
|
|
#
|
|
#local-zone: "local." static
|
|
#local-data: "mycomputer.local. IN A 192.0.2.51"
|
|
#local-zone: "2.0.192.in-addr.arpa." static
|
|
#local-data-ptr: "192.0.2.51 mycomputer.local"
|
|
|
|
# Use TCP for "forward-zone" requests. Useful if you are making
|
|
# DNS requests over an SSH port forwarding.
|
|
#
|
|
#tcp-upstream: yes
|
|
|
|
# CA Certificates used for forward-tls-upstream (RFC7858) hostname
|
|
# verification. Since it's outside the chroot it is only loaded at
|
|
# startup and thus cannot be changed via a reload.
|
|
#tls-cert-bundle: "/etc/ssl/cert.pem"
|
|
|
|
remote-control:
|
|
control-enable: yes
|
|
control-interface: /var/run/unbound.sock
|
|
|
|
# Use an upstream forwarder (recursive resolver) for some or all zones.
|
|
#
|
|
#forward-zone:
|
|
# name: "." # use for ALL queries
|
|
# forward-addr: 192.0.2.53 # example address only
|
|
# forward-first: yes # try direct if forwarder fails
|
|
|
|
# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
|
|
# if that fails.
|
|
#forward-zone:
|
|
# name: "."
|
|
# forward-tls-upstream: yes # use DNS-over-TLS forwarder
|
|
# forward-first: no # do NOT send direct
|
|
# # the hostname after "#" is not a comment, it is used for TLS checks:
|
|
# forward-addr: 192.0.2.53@853#resolver.hostname.example
|