Edit

IABSD.fr/src/etc/unbound.conf

Branch :

  • Show log

    Commit

  • Author : sthen
    Date : 2020-10-28 11:35:58
    Hash : 4c3a6c80
    Message : Remove commented-out edns-buffer-size section from the default unbound.conf. The default in Unbound (and other DNS server software in the recent "DNS flag day") changed to 1232 bytes, this avoids problems due to fragmented packets (fragments can result in blackholes and also enable some attack vectors) so there's now little reason to reduce this from defaults, and increasing it is more of a specialist use case that isn't really needed in this streamlined default config.

  • etc/unbound.conf
  • # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
    
    server:
    	interface: 127.0.0.1
    	#interface: 127.0.0.1@5353	# listen on alternative port
    	interface: ::1
    	#do-ip6: no
    
    	# override the default "any" address to send queries; if multiple
    	# addresses are available, they are used randomly to counter spoofing
    	#outgoing-interface: 192.0.2.1
    	#outgoing-interface: 2001:db8::53
    
    	access-control: 0.0.0.0/0 refuse
    	access-control: 127.0.0.0/8 allow
    	access-control: ::0/0 refuse
    	access-control: ::1 allow
    
    	hide-identity: yes
    	hide-version: yes
    
    	# Perform DNSSEC validation.
    	#
    	auto-trust-anchor-file: "/var/unbound/db/root.key"
    	val-log-level: 2
    
    	# Synthesize NXDOMAINs from DNSSEC NSEC chains.
    	# https://tools.ietf.org/html/rfc8198
    	#
    	aggressive-nsec: yes
    
    	# Serve zones authoritatively from Unbound to resolver clients.
    	# Not for external service.
    	#
    	#local-zone: "local." static
    	#local-data: "mycomputer.local. IN A 192.0.2.51"
    	#local-zone: "2.0.192.in-addr.arpa." static
    	#local-data-ptr: "192.0.2.51 mycomputer.local"
    
    	# Use TCP for "forward-zone" requests. Useful if you are making
    	# DNS requests over an SSH port forwarding.
    	#
    	#tcp-upstream: yes
    
    	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
    	# verification.  Since it's outside the chroot it is only loaded at
    	# startup and thus cannot be changed via a reload.
    	#tls-cert-bundle: "/etc/ssl/cert.pem"
    
    remote-control:
    	control-enable: yes
    	control-interface: /var/run/unbound.sock
    
    # Use an upstream forwarder (recursive resolver) for some or all zones.
    #
    #forward-zone:
    #	name: "."				# use for ALL queries
    #	forward-addr: 192.0.2.53		# example address only
    #	forward-first: yes			# try direct if forwarder fails
    
    # Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
    # if that fails.
    #forward-zone:
    #	name: "."
    #	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
    #	forward-first: no			# do NOT send direct
    #	# the hostname after "#" is not a comment, it is used for TLS checks:
    #	forward-addr: 192.0.2.53@853#resolver.hostname.example