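# Unbound recursive resolver configuration, unbound.conf(5) syntax:
# "attribute: value" lines grouped under a clause ("server:",
# "forward-zone:", ...). Indentation is cosmetic, but the colon must
# directly follow the attribute name ("hide-version : yes" does not parse).
server:
    port: 53

    # Run in a chroot.
    # The file paths below are written as seen from outside the chroot;
    # unbound strips a matching chroot prefix at startup
    # (NOTE(review): confirm this on the installed unbound version).
    chroot: "/etc/unbound"

    # Interfaces to listen on (IP addresses). Use 0.0.0.0 to listen on all.
    #
    # On a router, add a loopback address (e.g. 10.53.1.53) and point
    # unbound at it; a single resolver is then reachable via several
    # gateways.
    #
    # outgoing-interface selects the source address for upstream queries.
    # This matters with multiple links to the internet when VPN traffic
    # should be restricted to a particular one.
    #
    # $LOOPBACK_ADDR and $LAN_GW are NOT expanded by unbound; substitute
    # them before the file is installed.
    interface: 127.0.0.1
    interface: $LOOPBACK_ADDR
    outgoing-interface: $LAN_GW

    # Transports to accept.
    do-ip6: no
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Access control: CIDR blocks allowed to query; everything else is
    # refused. On an internet-reachable host, filter with iptables as
    # well - an open resolver can be abused for reflection traffic.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 0.0.0.0/0 refuse

    # Root hints, downloaded manually:
    #   wget -qO root.hints https://www.internic.net/domain/named.cache
    # Only consulted while no forward-zone for "." is active (see the end
    # of this file).
    root-hints: "/etc/unbound/root.hints"

    # DNSSEC trust anchor. The file is maintained by the unbound-anchor
    # utility, run from cron so it stays up to date.
    #
    # DNSSEC is a chain of trust: the parent zone publishes DS records
    # (hashes of the child's DNSKEY) that verify the child zone's keys.
    # A traversal for etherarp.net:
    #   DS records in the root verify the DNSKEYs for .net
    #   DS records in .net verify the DNSKEYs for etherarp.net
    #   The DNSKEYs for etherarp.net verify its resource records
    # The chain needs a starting point: this key provided by ICANN
    # verifies the root zone.
    auto-trust-anchor-file: "/etc/unbound/root.key"

    # Do not answer id.server / version.bind style queries with the
    # server's identity or version.
    hide-identity: yes
    hide-version: yes

    # Trust glue only if it is within the server's authority.
    # E.g. to make ns.etherarp.net the NS for etherarp.net, the 'ns'
    # record must be provided as a glue record.
    harden-glue: yes

    # If a zone is expected to be signed but the answer carries no DNSSEC
    # data, reject it (the domain becomes unreachable) - the same handling
    # as DNSSEC data that does not match its anchor. Setting this to "no"
    # accepts such unverified data at face value, as for a plain DNS zone.
    #
    # LEAVE THIS SET TO "yes"; otherwise a stripped answer defeats DNSSEC.
    harden-dnssec-stripped: yes

    # Mix upper and lower case in the query name sent to the authoritative
    # nameserver. DNS is case-insensitive, but the reply echoes the
    # question received, and with this option the answer is trusted only
    # when the case matches. Best left at "no" (the default): some servers
    # do not preserve case, which causes unreliability.
    use-caps-for-id: no

    # Performance. On a single-core machine (e.g. an embedded router)
    # set num-threads to 1.
    #
    # Slab counts must be a power of 2; unbound.conf(5) suggests a value
    # close to the number of threads. NOTE(review): these were 2 with
    # num-threads 4; raised to 4 to match the manual's guidance.
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    key-cache-slabs: 4
    infra-cache-slabs: 4

    # RRset cache (record data such as A, NS). Sized for a desktop or
    # server; on a small embedded device such as a router use something
    # like 2m.
    rrset-cache-size: 256m

    # Message cache (metadata, e.g. the AD bit). Keep it at roughly half
    # the rrset-cache size.
    msg-cache-size: 128m

    # Refresh popular cache entries shortly before they expire.
    prefetch: yes

    # Lower bound on cached TTLs (seconds): records are not re-fetched
    # before this time. Do not make it longer than ~300s or you risk
    # serving stale records.
    cache-min-ttl: 300

    # Upper bound on cached TTLs (seconds): 10800 = 3 hours.
    cache-max-ttl: 10800

    # Local records that blackhole ad domains live in a separate file.
    # Included here, inside the "server:" clause, on purpose: attributes
    # that follow a "forward-zone:" clause belong to that clause, so a
    # file of server attributes included after the forward zones would
    # not parse (unless it opens its own "server:" clause).
    include: /etc/unbound/ads.conf

# Forward zones send queries for the named subtree to the listed
# resolvers. There is also a stub zone type; a forward zone overrides a
# stub for the same name.
#
# Example: a dedicated DNS provider for one service. 1.2.3.4 is a
# placeholder - replace it with the provider's resolver address.
forward-zone:
    name: "netflix.com"
    forward-addr: 1.2.3.4

# Forward everything else ("." is the whole DNS tree) to the resolvers
# listed here (Verisign public DNS). Omit this clause to let this server
# do the recursion itself from the root hints. Answers from forwarders
# are still DNSSEC-validated against the trust anchor above, provided
# the forwarder returns the DNSSEC records.
forward-zone:
    name: "."
    forward-addr: 64.6.64.6
    forward-addr: 64.6.65.6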