Customize unbound.conf. Some changes are inspired by Fedora. --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -44,13 +44,15 @@ # statistics-inhibit-zero: yes # number of threads to create. 1 disables threading. - # num-threads: 1 + num-threads: 4 # specify the interfaces to answer queries from by ip-address. # The default is to listen to localhost (127.0.0.1 and ::1). # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 # interface: 192.0.2.153 # interface: 192.0.2.154 # interface: 192.0.2.154@5003 @@ -59,6 +61,7 @@ # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0. # interface-automatic: no # instead of the default port, open additional ports separated by @@ -94,7 +97,8 @@ # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. - # outgoing-port-permit: 32768 + # NOTE: 32768-60999 is the ephemeral port range on Linux. + outgoing-port-permit: 32768-60999 # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. @@ -276,6 +280,8 @@ # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". + # NOTE: if setting up an Unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. # do-udp: yes # Enable TCP, "yes" or "no". @@ -473,9 +479,6 @@ # print log lines that say why queries return SERVFAIL to clients. # log-servfail: no - # the pid file. Can be an absolute path outside of chroot/work dir. - # pidfile: "@UNBOUND_PIDFILE@" - # file to read root hints from. # get one from https://www.internic.net/domain/named.cache # root-hints: "" @@ -594,7 +597,7 @@ # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). - # unwanted-reply-threshold: 0 + unwanted-reply-threshold: 10000000 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, @@ -640,7 +643,7 @@ # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + # auto-trust-anchor-file: "" # trust anchor signaling sends a RFC8145 key tag query after priming. # trust-anchor-signaling: yes @@ -651,8 +654,8 @@ # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. - # Note this gets out of date, use auto-trust-anchor-file please. - # trust-anchor-file: "" + # NOTE: This file is provided by the dnssec-root package. + trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # Trusted key for validation. DS or DNSKEY. specify the RR on a # single line, surrounded by "". TTL is ignored. class is IN default. @@ -701,6 +704,7 @@ # instead of SERVFAIL. It still performs the security checks, which # result in interesting log files and possibly the AD bit in # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY! # val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. @@ -746,7 +750,7 @@ # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. - # val-log-level: 0 + val-log-level: 1 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. @@ -900,8 +904,8 @@ # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. - # tls-service-key: "path/to/privatekeyfile.key" - # tls-service-pem: "path/to/publiccertfile.pem" + # tls-service-key: "/etc/unbound/doh-server.key" + # tls-service-pem: "/etc/unbound/doh-server.pem" # tls-port: 853 # https-port: 443 @@ -1045,12 +1049,12 @@ # cookie-secret: <128 bit random hex string> # Enable to attach Extended DNS Error codes (RFC8914) to responses. - # ede: no + ede: yes # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale # Answer as EDNS0 option to expired responses. # Note that the ede option above needs to be enabled for this to work. - # ede-serve-expired: no + ede-serve-expired: yes # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. @@ -1113,12 +1117,13 @@ remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. - # control-enable: no + control-enable: yes # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. # set to an absolute path to use a unix local name pipe, certificates # are not used for that, so key and cert files need not be present. + control-interface: /run/unbound.control.sock # control-interface: 127.0.0.1 # control-interface: ::1 @@ -1356,3 +1361,5 @@ # rpz-signal-nxdomain-ra: no # for-downstream: no # tags: "example" + +include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"