# # /usr/local/etc/unbound/unbound.conf # See unbound.conf(5) # # References # ---------- # [1] Unbound setting up a secure local DNS server # https://superuser.com/a/1123357/731908 # [2] Unbound DNS Server Tutorial # https://calomel.org/unbound_dns.html # [3] How to enable DNSSEC # https://www.unbound.net/documentation/howto_anchor.html # [4] List of Public DNS Servers # https://wiki.ipfire.org/dns/public-servers # # # Aaron LI # # NOTE: # Configure `unbound` to be a recursive DNS resolver with local cache, # instead of forwarding the queries to an upstream DNS resolver (e.g., # DNS.WATCH, Google Public DNS), in order to work well with the DNSBL # services (e.g., spamhaus.org) used by Postfix. server: # Specify the interfaces to answer queries from by ip-address. # The default is to listen to localhost (127.0.0.1 and ::1). # Specify 0.0.0.0 and ::0 to bind to all available interfaces. # The listen interfaces are not changed on reload, only on restart. interface: 127.0.0.1 interface: ::1 # Control which clients are allowed to make (recursive) queries # to this server. Specify classless netblocks with /size and action. # By default everything is refused, except for localhost. # # Actions: # * deny (drop message) # * refuse (polite error reply) # * allow (recursive ok) # * allow_snoop (recursive and nonrecursive ok), e.g., "dig +trace" # * deny_non_local (drop queries unless can be answered from local-data) # * refuse_non_local (like deny_non_local but polite error reply) # access-control: 127.0.0.0/8 allow_snoop access-control: ::1 allow_snoop # Chroot to the given directory. Set to "" to disable chroot. #chroot: "/usr/local/etc/unbound" chroot: "" # Enable or disable whether IPv4 queries are answered or issued. do-ip4: yes # Enable or disable whether IPv6 queries are answered or issued. do-ip6: yes # Enable or disable whether UDP queries are answered or issued. do-udp: yes # Enable or disable whether TCP queries are answered or issued. do-tcp: yes # Enable to not answer id.server and hostname.bind queries. hide-identity: yes # Enable to not answer version.server and version.bind queries. hide-version: yes # Enable to not answer trustanchor.unbound queries. hide-trustanchor: yes # Harden against out of zone RRsets, to avoid spoofing attempts. harden-glue: yes # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. harden-dnssec-stripped: yes # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set # QTYPE to NS when possible. qname-minimisation: yes # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. use-caps-for-id: yes # File to read root hints from. Default is using the builtin hints # for the IN class, which may become outdated, so it is good practice # to use a root-hints file. # get one from https://www.internic.net/domain/named.cache root-hints: "/usr/local/etc/unbound/root.hints" # File with trusted keys used to perform DNSSEC validation, and Unbound # must be able to read and write it, to keep it up to date with the # latest key(s). # # NOTE: `unbound-anchor` tool provides an initial anchor from bultin # values, but for real trust you should check this thoroughly! auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" # Verbosity level of the validator to log failed validations. # Default: 0 (i.e., off). 1: A line per failed user query. # 2: With reason and bad IP. val-log-level: 1 # Verbosity level: 0 (least verbose) -> 5 (very verbose). # Default: 1 (operational info). verbosity: 1 # Print statistics to the log (for every thread) every N seconds. # Default: 0 (i.e., disabled) statistics-interval: 7200 # Log messages to syslog(3) with the LOG_DAEMON facility. # NOTE: need to also configure syslog when chroot'ed! use-syslog: yes # # Log messages to the specified file. #use-syslog: no #logfile: "/usr/local/etc/unbound/unbound.log" # Remote control config section. # remote-control: # Enable remote control with unbound-control(8) here. control-enable: yes # Interfaces listened to for remote control. control-interface: 127.0.0.1 control-interface: ::1 # Server and unbound-control key and certificate files. # Set up the keys and certificates with unbound-control-setup. control-use-cert: yes server-key-file: "/usr/local/etc/unbound/unbound_server.key" server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" control-key-file: "/usr/local/etc/unbound/unbound_control.key" control-cert-file: "/usr/local/etc/unbound/unbound_control.pem" # WARNING: # It is a *bad* idea to use a public or shared DNS resolver (e.g., Google # Public DNS, ISP's DNS) to query DNS-based Blocklists (DNSBLs, e.g., # spamhaus.org, spamcop.net; see also https://www.dnsbl.info/), because # most if not all DNSBL providers apply a *rate limit* (or white/black list) # based on the DNS resolver that is used to query their service! # # Credits: # * Mailcow - Why unbound? # https://mailcow.github.io/mailcow-dockerized-docs/u_e-why_unbound/ # * Spamhaus - FAQ # https://www.spamhaus.org/faq/section/DNSBL%20Usage#261 # #forward-zone: # # Forward all requested queries not fulfilled by this server to the root # # root domain (`.`). # # # # NOTE: Use DNSSEC-supported DNS servers from # # https://wiki.ipfire.org/dns/public-servers # # # name: "." # forward-addr: 84.200.69.80 # DNS.WATCH (DE), primary # forward-addr: 2001:1608:10:25::1c04:b12f # DNS.WATCH (DE), primary # forward-addr: 84.200.70.40 # DNS.WATCH (DE), secondary # forward-addr: 2001:1608:10:25::9249:d69b # DNS.WATCH (DE), secondary # forward-addr: 8.8.8.8 # Google Public DNS (Anycast), primary # forward-addr: 8.8.4.4 # Google Public DNS (Anycast), secondary