# unbound.conf: validating resolver for the local networks that hands every
# query to Cloudflare over DNS-over-TLS. Directives are unchanged; the
# comments are reviewer notes on what each one buys (or does not).
server:
# Listen on loopback plus the three LAN-facing NICs, given by interface name.
# NOTE(review): interface names (rather than addresses) are only accepted by
# Unbound releases that support them (1.16.0 and later, as far as I know);
# older releases refuse to start on this config -- confirm against the
# installed version.
interface: lo0
interface: igc1
interface: igc2
interface: igc3
# Bind even if an interface's address is not (yet) configured, so unbound can
# start before every NIC is up.
ip-transparent: yes
# IPv6 is used for listening and upstream, but IPv4 upstream is preferred.
do-ip6: yes
prefer-ip6: no
# Client ACL. Unbound applies the MOST SPECIFIC matching entry, not the first
# one in file order, so the two catch-all "refuse" lines only hit sources that
# match no "allow" entry, wherever they appear. "refuse" answers with rcode
# REFUSED; "deny" would drop the query silently instead.
access-control: 127.0.0.0/8 allow
access-control: 10.0.1.0/24 allow
access-control: 10.0.2.0/24 allow
access-control: 10.0.3.0/24 allow
access-control: 0.0.0.0/0 refuse
access-control: ::1 allow
# Link-local v6 sources are accepted on every listened interface.
access-control: fe80::/10 allow
access-control: fda3:650d:dbbd::/48 allow
access-control: ::0/0 refuse
# Do not answer id.server / version.server (CH TXT) fingerprinting queries.
hide-identity: yes
hide-version: yes
# Perform DNSSEC validation. Answers coming back from the forwarders below
# are validated here as well, so an upstream that tampers with or strips
# signatures yields SERVFAIL rather than a forged answer. The RFC 5011
# managed anchor is rewritten by unbound on key rollover, so the file and
# its directory must be writable by the unbound user.
#
auto-trust-anchor-file: "/var/unbound/db/root.key"
# Log validation failures together with the reason (level 2) -- the first
# place to look when an upstream is broken or hostile.
val-log-level: 2
# Synthesize NXDOMAIN/NODATA from cached NSEC chains (RFC 8198): fewer
# upstream queries and some resistance to random-subdomain floods.
# https://tools.ietf.org/html/rfc8198
#
aggressive-nsec: yes
# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding. Not needed here: the
# forwarders below are reached over TLS, which is already TCP.
#
#tcp-upstream: yes
# CA bundle used to verify the "#cloudflare-dns.com" auth names given on the
# forward-addr lines (RFC 7858). Without a bundle the TLS session would be
# encrypted but the upstream's identity could not be checked. Since it's
# outside the chroot it is only loaded at startup and thus cannot be
# changed via a reload.
tls-cert-bundle: "/etc/ssl/cert.pem"
# NOTE(review): nothing here filters private addresses out of upstream
# answers, so a public name can be pointed at 10.0.x.x or
# fda3:650d:dbbd::/48 (DNS rebinding against LAN hosts). Consider adding
# "private-address:" entries for those ranges, plus "private-domain:" for
# any internal zone that legitimately returns them -- check
# internal-zone.conf before enabling, or it will break those answers.
# Include file for local-data and local-data-ptr. It is parsed after the
# options above, so any single-valued server option it happened to set
# would take precedence; keep it to local-data as its name says.
include: /var/unbound/etc/internal-zone.conf
# Control channel on a UNIX socket only (no TCP port 8953 exposed). TLS is
# not used on local sockets, so the socket's ownership and mode are the
# entire access control: anyone who can connect can flush the cache, add
# local data or repoint forwarders. Verify the mode unbound creates it
# with and who is in that group.
remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock
# Forward everything (".") to Cloudflare over DNS-over-TLS on port 853.
# "forward-first: no" means unbound does NOT fall back to plaintext
# iterative resolution when all forwarders are unreachable -- queries fail
# closed instead of leaking; keep it that way.
forward-zone:
name: "."
forward-tls-upstream: yes
forward-first: no
# the hostname after "#" is not a comment, it is the TLS auth name that is
# checked against the certificate chain in tls-cert-bundle:
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com