#
# /usr/local/etc/unbound/unbound.conf
# See unbound.conf(5)
#
# References
# ----------
# [1] Unbound setting up a secure local DNS server
#     https://superuser.com/a/1123357/731908
# [2] Unbound DNS Server Tutorial
#     https://calomel.org/unbound_dns.html
# [3] How to enable DNSSEC
#     https://www.unbound.net/documentation/howto_anchor.html
# [4] List of Public DNS Servers
#     https://wiki.ipfire.org/dns/public-servers
#
#
# Aaron LI
#

# NOTE:
# Configure `unbound` to be a recursive DNS resolver with local cache,
# instead of forwarding the queries to an upstream DNS resolver (e.g.,
# DNS.WATCH, Google Public DNS), in order to work well with the DNSBL
# services (e.g., spamhaus.org) used by Postfix.

server:
    # Specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # Specify 0.0.0.0 and ::0 to bind to all available interfaces.
    # The listen interfaces are not changed on reload, only on restart.
    #
    # NOTE: This resolver is deliberately loopback-only: per the NOTE at
    #       the top it exists to serve the DNSBL lookups of the local
    #       Postfix.  If these interfaces are ever widened, the
    #       access-control rules below are all that keeps this from
    #       becoming an open resolver, so review both settings together.
    interface: 127.0.0.1
    interface: ::1

    # Control which clients are allowed to make (recursive) queries
    # to this server.  Specify classless netblocks with /size and action.
    # By default everything is refused, except for localhost.
    #
    # Actions:
    #   * deny (drop message)
    #   * refuse (polite error reply)
    #   * allow (recursive ok)
    #   * allow_snoop (recursive and nonrecursive ok), e.g., "dig +trace"
    #   * deny_non_local (drop queries unless can be answered from local-data)
    #   * refuse_non_local (like deny_non_local but polite error reply)
    #
    # NOTE: allow_snoop also answers non-recursive queries, which lets a
    #       client read what is currently in the cache ("cache snooping").
    #       That is acceptable for local administrators running
    #       "dig +trace"; for any other netblock use plain "allow".
    access-control: 127.0.0.0/8 allow_snoop
    access-control: ::1         allow_snoop

    # Chroot to the given directory.  Set to "" to disable chroot.
    #
    # NOTE: chroot is disabled here, so the paths below are resolved
    #       against the real filesystem.  If it is enabled, every file
    #       named in this config (root.hints, root.key, logfile) and the
    #       syslog socket must be reachable inside the chroot directory.
    #chroot: "/usr/local/etc/unbound"
    chroot: ""

    # Enable or disable whether IPv4 queries are answered or issued.
    do-ip4: yes

    # Enable or disable whether IPv6 queries are answered or issued.
    do-ip6: yes

    # Enable or disable whether UDP queries are answered or issued.
    do-udp: yes

    # Enable or disable whether TCP queries are answered or issued.
    # (TCP is also needed for answers too large for UDP, so keep it on.)
    do-tcp: yes

    # Enable to not answer id.server and hostname.bind queries.
    # The three hide-* options below limit fingerprinting of this daemon
    # by whoever can reach it; with a loopback-only listener this is
    # defense in depth rather than the primary control.
    hide-identity: yes

    # Enable to not answer version.server and version.bind queries.
    hide-version: yes

    # Enable to not answer trustanchor.unbound queries.
    hide-trustanchor: yes

    # Harden against out of zone RRsets, to avoid spoofing attempts.
    harden-glue: yes

    # Harden against receiving dnssec-stripped data.  If you turn it
    # off, failing to validate dnskey data for a trustanchor will
    # trigger insecure mode for that zone (like without a trustanchor).
    # Default on, which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # NOTE(review): unbound.conf(5) offers further cache-poisoning
    #       mitigations that are not set here (e.g., harden-referral-path,
    #       harden-algo-downgrade, harden-below-nxdomain,
    #       unwanted-reply-threshold), so the defaults of the installed
    #       version apply -- check them against the version deployed.

    # Send the minimum amount of information to upstream servers to enhance
    # privacy.  Only send the minimum required labels of the QNAME and set
    # QTYPE to NS when possible.
    qname-minimisation: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This feature is an experimental implementation of draft dns-0x20.
    # NOTE: Some authoritative servers do not preserve the case mix in
    #       their replies; unbound is expected to fall back for those,
    #       at the cost of extra round trips (hedged: confirm against the
    #       installed version's documentation if resolution looks slow).
    use-caps-for-id: yes

    # File to read root hints from.  Default is using the builtin hints
    # for the IN class, which may become outdated, so it is good practice
    # to use a root-hints file.
    # get one from https://www.internic.net/domain/named.cache
    # NOTE: A root-hints file that is never refreshed is no better than
    #       the builtin list; whatever deploys this config should also
    #       keep root.hints current.
    root-hints: "/usr/local/etc/unbound/root.hints"

    # File with trusted keys used to perform DNSSEC validation, and Unbound
    # must be able to read and write it, to keep it up to date with the
    # latest key(s).
    #
    # NOTE: `unbound-anchor` tool provides an initial anchor from builtin
    #       values, but for real trust you should check this thoroughly!
    #
    # NOTE: Unbound follows root KSK rollovers (RFC 5011) by rewriting
    #       this file, so it must stay writable by the unbound runtime
    #       user; if it cannot be updated, validation will start failing
    #       at the next rollover.
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

    # Verbosity level of the validator to log failed validations.
    # Default: 0 (i.e., off).  1: A line per failed user query.
    # 2: With reason and bad IP.
    # NOTE: Failed validations are a useful detection signal (stripped or
    #       forged responses); with use-syslog below they reach the daemon
    #       log, so forward them with the host's other security logs.
    val-log-level: 1

    # Verbosity level: 0 (least verbose) -> 5 (very verbose).
    # Default: 1 (operational info).
    verbosity: 1

    # Print statistics to the log (for every thread) every N seconds.
    # Default: 0 (i.e., disabled)
    statistics-interval: 7200

    # Log messages to syslog(3) with the LOG_DAEMON facility.
    # NOTE: need to also configure syslog when chroot'ed!
    use-syslog: yes
    #
    # Log messages to the specified file.
    #use-syslog: no
    #logfile: "/usr/local/etc/unbound/unbound.log"

# Remote control config section.
#
remote-control:
    # Enable remote control with unbound-control(8) here.
    # NOTE: Together with the loopback-only control-interface and
    #       control-use-cert below, only a local process that holds the
    #       control key/cert can issue administrative commands.  Keep the
    #       four key and certificate files readable only by root and the
    #       unbound runtime user; they are the credential for this channel.
    control-enable: yes

    # Interfaces listened to for remote control.
    control-interface: 127.0.0.1
    control-interface: ::1

    # Server and unbound-control key and certificate files.
    # Set up the keys and certificates with unbound-control-setup.
    control-use-cert: yes
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"


# WARNING:
# It is a *bad* idea to use a public or shared DNS resolver (e.g., Google
# Public DNS, ISP's DNS) to query DNS-based Blocklists (DNSBLs, e.g.,
# spamhaus.org, spamcop.net; see also https://www.dnsbl.info/), because
# most if not all DNSBL providers apply a *rate limit* (or white/black list)
# based on the DNS resolver that is used to query their service!
#
# Credits:
# * Mailcow - Why unbound?
#   https://mailcow.github.io/mailcow-dockerized-docs/u_e-why_unbound/
# * Spamhaus - FAQ
#   https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
#
#forward-zone:
#    # Forward all queries not fulfilled by this server to the root
#    # domain (`.`).
#    #
#    # NOTE: Use DNSSEC-supported DNS servers from
#    #       https://wiki.ipfire.org/dns/public-servers
#    #
#    name: "."
#    forward-addr: 84.200.69.80                # DNS.WATCH (DE), primary
#    forward-addr: 2001:1608:10:25::1c04:b12f  # DNS.WATCH (DE), primary
#    forward-addr: 84.200.70.40                # DNS.WATCH (DE), secondary
#    forward-addr: 2001:1608:10:25::9249:d69b  # DNS.WATCH (DE), secondary
#    forward-addr: 8.8.8.8  # Google Public DNS (Anycast), primary
#    forward-addr: 8.8.4.4  # Google Public DNS (Anycast), secondary