|
|
- # $OpenBSD: unbound.conf,v 1.17 2019/08/25 15:50:21 ajacoutot Exp $
-
- server:
- interface: 127.0.0.1
- #interface: 127.0.0.1@5353 # listen on alternative port
- interface: ::1
- #do-ip6: no
-
- # override the default "any" address to send queries; if multiple
- # addresses are available, they are used randomly to counter spoofing
- #outgoing-interface: 192.0.2.1
- #outgoing-interface: 2001:db8::53
-
- access-control: 0.0.0.0/0 refuse
- access-control: 127.0.0.0/8 allow
- access-control: ::0/0 refuse
- access-control: ::1 allow
-
- hide-identity: yes
- hide-version: yes
-
- # Uncomment to enable DNSSEC validation.
- #
- #auto-trust-anchor-file: "/var/unbound/db/root.key"
- #val-log-level: 2
-
- # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
- # https://tools.ietf.org/html/rfc8198
- #
- #aggressive-nsec: yes
-
- # Serve zones authoritatively from Unbound to resolver clients.
- # Not for external service.
- #
- #local-zone: "local." static
- #local-data: "mycomputer.local. IN A 192.0.2.51"
- #local-zone: "2.0.192.in-addr.arpa." static
- #local-data-ptr: "192.0.2.51 mycomputer.local"
-
- # UDP EDNS reassembly buffer advertised to peers. Default 4096.
- # May need lowering on broken networks with fragmentation/MTU issues,
- # particularly if validating DNSSEC.
- #
- #edns-buffer-size: 1480
-
- # Use TCP for "forward-zone" requests. Useful if you are making
- # DNS requests over an SSH port forwarding.
- #
- #tcp-upstream: yes
-
- # CA Certificates used for forward-tls-upstream (RFC7858) hostname
- # verification. Since it's outside the chroot it is only loaded at
- # startup and thus cannot be changed via a reload.
- #tls-cert-bundle: "/etc/ssl/cert.pem"
-
- remote-control:
- control-enable: yes
- control-interface: /var/run/unbound.sock
-
- # Use an upstream forwarder (recursive resolver) for some or all zones.
- #
- #forward-zone:
- # name: "." # use for ALL queries
- # forward-addr: 192.0.2.53 # example address only
- # forward-first: yes # try direct if forwarder fails
-
- # Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
- # if that fails.
- #forward-zone:
- # name: "."
- # forward-tls-upstream: yes # use DNS-over-TLS forwarder
- # forward-first: no # do NOT send direct
- # # the hostname after "#" is not a comment, it is used for TLS checks:
- # forward-addr: 192.0.2.53@853#resolver.hostname.example
|