Import few changes to configuration
(cherry picked from commit c469ecef1546594729359c39d744e692e37f545e) Resolves: rhbz#2087120
This commit is contained in:
Petr Menšík
parent
c5810ec4d9
commit
5e9b07ef98
47
unbound.conf
47
unbound.conf
|
|
@ -98,14 +98,14 @@ server:
|
||||||
# num-queries-per-thread, or, use as many as the OS will allow you.
|
# num-queries-per-thread, or, use as many as the OS will allow you.
|
||||||
# outgoing-range: 4096
|
# outgoing-range: 4096
|
||||||
|
|
||||||
# permit unbound to use this port number or port range for
|
# permit Unbound to use this port number or port range for
|
||||||
# making outgoing queries, using an outgoing interface.
|
# making outgoing queries, using an outgoing interface.
|
||||||
# Only ephemeral ports are allowed by SElinux
|
# Only ephemeral ports are allowed by SElinux
|
||||||
outgoing-port-permit: 32768-60999
|
outgoing-port-permit: 32768-60999
|
||||||
|
|
||||||
# deny unbound the use this of port number or port range for
|
# deny Unbound the use this of port number or port range for
|
||||||
# making outgoing queries, using an outgoing interface.
|
# making outgoing queries, using an outgoing interface.
|
||||||
# Use this to make sure unbound does not grab a UDP port that some
|
# Use this to make sure Unbound does not grab a UDP port that some
|
||||||
# other server on this computer needs. The default is to avoid
|
# other server on this computer needs. The default is to avoid
|
||||||
# IANA-assigned port numbers.
|
# IANA-assigned port numbers.
|
||||||
# If multiple outgoing-port-permit and outgoing-port-avoid options
|
# If multiple outgoing-port-permit and outgoing-port-avoid options
|
||||||
|
|
@ -238,7 +238,7 @@ server:
|
||||||
# do-ip6: yes
|
# do-ip6: yes
|
||||||
|
|
||||||
# Enable UDP, "yes" or "no".
|
# Enable UDP, "yes" or "no".
|
||||||
# NOTE: if setting up an unbound on tls443 for public use, you might want to
|
# NOTE: if setting up an Unbound on tls443 for public use, you might want to
|
||||||
# disable UDP to avoid being used in DNS amplification attacks.
|
# disable UDP to avoid being used in DNS amplification attacks.
|
||||||
# do-udp: yes
|
# do-udp: yes
|
||||||
|
|
||||||
|
|
@ -275,7 +275,7 @@ server:
|
||||||
# use-systemd: no
|
# use-systemd: no
|
||||||
|
|
||||||
# Detach from the terminal, run in background, "yes" or "no".
|
# Detach from the terminal, run in background, "yes" or "no".
|
||||||
# Set the value to "no" when unbound runs as systemd service.
|
# Set the value to "no" when Unbound runs as systemd service.
|
||||||
# do-daemonize: yes
|
# do-daemonize: yes
|
||||||
|
|
||||||
# control which clients are allowed to make (recursive) queries
|
# control which clients are allowed to make (recursive) queries
|
||||||
|
|
@ -328,7 +328,7 @@ server:
|
||||||
# The pid file can be absolute and outside of the chroot, it is
|
# The pid file can be absolute and outside of the chroot, it is
|
||||||
# written just prior to performing the chroot and dropping permissions.
|
# written just prior to performing the chroot and dropping permissions.
|
||||||
#
|
#
|
||||||
# Additionally, unbound may need to access /dev/urandom (for entropy).
|
# Additionally, Unbound may need to access /dev/urandom (for entropy).
|
||||||
# How to do this is specific to your OS.
|
# How to do this is specific to your OS.
|
||||||
#
|
#
|
||||||
# If you give "" no chroot is performed. The path must not end in a /.
|
# If you give "" no chroot is performed. The path must not end in a /.
|
||||||
|
|
@ -542,7 +542,7 @@ server:
|
||||||
# Use several entries, one per domain name, to track multiple zones.
|
# Use several entries, one per domain name, to track multiple zones.
|
||||||
#
|
#
|
||||||
# If you want to perform DNSSEC validation, run unbound-anchor before
|
# If you want to perform DNSSEC validation, run unbound-anchor before
|
||||||
# you start unbound (i.e. in the system boot scripts). And enable:
|
# you start Unbound (i.e. in the system boot scripts). And enable:
|
||||||
# Please note usage of unbound-anchor root anchor is at your own risk
|
# Please note usage of unbound-anchor root anchor is at your own risk
|
||||||
# and under the terms of our LICENSE (see that file in the source).
|
# and under the terms of our LICENSE (see that file in the source).
|
||||||
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||||
|
|
@ -613,7 +613,7 @@ server:
|
||||||
val-permissive-mode: no
|
val-permissive-mode: no
|
||||||
|
|
||||||
# Ignore the CD flag in incoming queries and refuse them bogus data.
|
# Ignore the CD flag in incoming queries and refuse them bogus data.
|
||||||
# Enable it if the only clients of unbound are legacy servers (w2008)
|
# Enable it if the only clients of Unbound are legacy servers (w2008)
|
||||||
# that set CD but cannot validate themselves.
|
# that set CD but cannot validate themselves.
|
||||||
# ignore-cd-flag: no
|
# ignore-cd-flag: no
|
||||||
|
|
||||||
|
|
@ -643,7 +643,7 @@ server:
|
||||||
|
|
||||||
# Return the original TTL as received from the upstream name server rather
|
# Return the original TTL as received from the upstream name server rather
|
||||||
# than the decrementing TTL as stored in the cache. Enabling this feature
|
# than the decrementing TTL as stored in the cache. Enabling this feature
|
||||||
# does not impact cache expiry, it only changes the TTL unbound embeds in
|
# does not impact cache expiry, it only changes the TTL Unbound embeds in
|
||||||
# responses to queries. Note that enabling this feature implicitly disables
|
# responses to queries. Note that enabling this feature implicitly disables
|
||||||
# enforcement of the configured minimum and maximum TTL.
|
# enforcement of the configured minimum and maximum TTL.
|
||||||
# serve-original-ttl: no
|
# serve-original-ttl: no
|
||||||
|
|
@ -736,9 +736,9 @@ server:
|
||||||
# Add example.com into ipset
|
# Add example.com into ipset
|
||||||
# local-zone: "example.com" ipset
|
# local-zone: "example.com" ipset
|
||||||
|
|
||||||
# If unbound is running service for the local host then it is useful
|
# If Unbound is running service for the local host then it is useful
|
||||||
# to perform lan-wide lookups to the upstream, and unblock the
|
# to perform lan-wide lookups to the upstream, and unblock the
|
||||||
# long list of local-zones above. If this unbound is a dns server
|
# long list of local-zones above. If this Unbound is a dns server
|
||||||
# for a network of computers, disabled is better and stops information
|
# for a network of computers, disabled is better and stops information
|
||||||
# leakage of local lan information.
|
# leakage of local lan information.
|
||||||
# unblock-lan-zones: no
|
# unblock-lan-zones: no
|
||||||
|
|
@ -922,7 +922,7 @@ server:
|
||||||
# the number of servers that will be used in the fast server selection.
|
# the number of servers that will be used in the fast server selection.
|
||||||
# fast-server-num: 3
|
# fast-server-num: 3
|
||||||
|
|
||||||
# Specific options for ipsecmod. unbound needs to be configured with
|
# Specific options for ipsecmod. Unbound needs to be configured with
|
||||||
# --enable-ipsecmod for these to take effect.
|
# --enable-ipsecmod for these to take effect.
|
||||||
#
|
#
|
||||||
# Enable or disable ipsecmod (it still needs to be defined in
|
# Enable or disable ipsecmod (it still needs to be defined in
|
||||||
|
|
@ -936,7 +936,7 @@ server:
|
||||||
# ipsecmod-hook: "./my_executable"
|
# ipsecmod-hook: "./my_executable"
|
||||||
ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
|
ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
|
||||||
|
|
||||||
# When enabled unbound will reply with SERVFAIL if the return value of
|
# When enabled Unbound will reply with SERVFAIL if the return value of
|
||||||
# the ipsecmod-hook is not 0.
|
# the ipsecmod-hook is not 0.
|
||||||
# ipsecmod-strict: no
|
# ipsecmod-strict: no
|
||||||
#
|
#
|
||||||
|
|
@ -1005,10 +1005,10 @@ remote-control:
|
||||||
# For local sockets this option is ignored, and TLS is not used.
|
# For local sockets this option is ignored, and TLS is not used.
|
||||||
control-use-cert: "no"
|
control-use-cert: "no"
|
||||||
|
|
||||||
# unbound server key file.
|
# Unbound server key file.
|
||||||
server-key-file: "/etc/unbound/unbound_server.key"
|
server-key-file: "/etc/unbound/unbound_server.key"
|
||||||
|
|
||||||
# unbound server certificate file.
|
# Unbound server certificate file.
|
||||||
server-cert-file: "/etc/unbound/unbound_server.pem"
|
server-cert-file: "/etc/unbound/unbound_server.pem"
|
||||||
|
|
||||||
# unbound-control key file.
|
# unbound-control key file.
|
||||||
|
|
@ -1125,7 +1125,7 @@ auth-zone:
|
||||||
#
|
#
|
||||||
# DNSCrypt
|
# DNSCrypt
|
||||||
# Caveats:
|
# Caveats:
|
||||||
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
|
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
|
||||||
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
|
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
|
||||||
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
|
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
|
||||||
# listen on `dnscrypt-port` with the follo0wing snippet:
|
# listen on `dnscrypt-port` with the follo0wing snippet:
|
||||||
|
|
@ -1165,7 +1165,7 @@ auth-zone:
|
||||||
|
|
||||||
# IPSet
|
# IPSet
|
||||||
# Add specify domain into set via ipset.
|
# Add specify domain into set via ipset.
|
||||||
# Note: To enable ipset unbound needs to run as root user.
|
# Note: To enable ipset Unbound needs to run as root user.
|
||||||
# ipset:
|
# ipset:
|
||||||
# # set name for ip v4 addresses
|
# # set name for ip v4 addresses
|
||||||
# name-v4: "list-v4"
|
# name-v4: "list-v4"
|
||||||
|
|
@ -1188,7 +1188,7 @@ auth-zone:
|
||||||
# dnstap-tls: yes
|
# dnstap-tls: yes
|
||||||
# # name for authenticating the upstream server. or "" disabled.
|
# # name for authenticating the upstream server. or "" disabled.
|
||||||
# dnstap-tls-server-name: ""
|
# dnstap-tls-server-name: ""
|
||||||
# # if "", it uses the cert bundle from the main unbound config.
|
# # if "", it uses the cert bundle from the main Unbound config.
|
||||||
# dnstap-tls-cert-bundle: ""
|
# dnstap-tls-cert-bundle: ""
|
||||||
# # key file for client authentication, or "" disabled.
|
# # key file for client authentication, or "" disabled.
|
||||||
# dnstap-tls-client-key-file: ""
|
# dnstap-tls-client-key-file: ""
|
||||||
|
|
@ -1208,10 +1208,11 @@ auth-zone:
|
||||||
# dnstap-log-forwarder-response-messages: no
|
# dnstap-log-forwarder-response-messages: no
|
||||||
|
|
||||||
# Response Policy Zones
|
# Response Policy Zones
|
||||||
# RPZ policies. Applied in order of configuration. QNAME and Response IP
|
# RPZ policies. Applied in order of configuration. QNAME, Response IP
|
||||||
# Address trigger are the only supported triggers. Supported actions are:
|
# Address, nsdname, nsip and clientip triggers are supported. Supported
|
||||||
# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
|
# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
|
||||||
# file, using zone transfer, or using HTTP. The respip module needs to be added
|
# and drop. Policies can be loaded from a file, or using zone
|
||||||
|
# transfer, or using HTTP. The respip module needs to be added
|
||||||
# to the module-config, e.g.: module-config: "respip validator iterator".
|
# to the module-config, e.g.: module-config: "respip validator iterator".
|
||||||
# rpz:
|
# rpz:
|
||||||
# name: "rpz.example.com"
|
# name: "rpz.example.com"
|
||||||
|
|
@ -1223,4 +1224,6 @@ auth-zone:
|
||||||
# rpz-cname-override: www.example.org
|
# rpz-cname-override: www.example.org
|
||||||
# rpz-log: yes
|
# rpz-log: yes
|
||||||
# rpz-log-name: "example policy"
|
# rpz-log-name: "example policy"
|
||||||
|
# rpz-signal-nxdomain-ra: no
|
||||||
|
# for-downstream: no
|
||||||
# tags: "example"
|
# tags: "example"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue