diff --git a/unbound.conf b/unbound.conf
index db0bfe5..695a1bc 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -38,7 +38,7 @@ server:
 extended-statistics: yes
 # number of threads to create. 1 disables threading.
- num-threads: 2
+ num-threads: 4
 # specify the interfaces to answer queries from by ip-address.
 # The default is to listen to localhost (127.0.0.1 and ::1).
@@ -121,7 +121,7 @@ server:
 # so-sndbuf: 0
 # use SO_REUSEPORT to distribute queries over threads.
- # so-reuseport: no
+ so-reuseport: yes
 # use IP_TRANSPARENT so the interface: addresses can be non-local
 # and you can config non-existing IPs that are going to work later on
@@ -337,12 +337,12 @@ server:
 # enable to not answer id.server and hostname.bind queries.
 # hide-identity: no
- # enable to not answer trustanchor.unbound queries.
- # hide-trustanchor: no
-
 # enable to not answer version.server and version.bind queries.
 # hide-version: no
+ # enable to not answer trustanchor.unbound queries.
+ # hide-trustanchor: no
+
 # the identity to report. Leave "" or default to return hostname.
 # identity: ""
@@ -459,7 +459,7 @@ server:
 # module configuration of the server. A string with identifiers
 # separated by spaces. Syntax: "[dns64] [validator] iterator"
- # module-config: "validator iterator"
+ module-config: "ipsecmod validator iterator"
 # File with trusted keys, kept uptodate using RFC5011 probes,
 # initial file like trust-anchor-file, then it stores metadata.
@@ -538,7 +538,7 @@ server:
 # Serve expired reponses from cache, with TTL 0 in the response,
 # and then attempt to fetch the data afresh.
- # serve-expired: no
+ serve-expired: yes
 # Have the validator log failed validations for your diagnosis.
 # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
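Review bot: Putting `ipsecmod` on the active `module-config` line (hunk at -459) loads the module on every start, while every `ipsecmod-*` setting added in the hunk at -727 is left commented out, so the module runs on built-in defaults. As far as I know `ipsecmod-enabled` defaults to yes and the module expects an `ipsecmod-hook` to be set, so this combination may either fail at startup or leave the module live before Libreswan asks for it; it also needs an Unbound build with ipsecmod support, which is worth confirming for the packaged version. To match the stated intent ("Libreswan will enable this via unbound-control"), I would ship the module inert with `ipsecmod-enabled: no` and an uncommented `ipsecmod-hook: /usr/libexec/ipsec/unbound-hook.py`.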
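Review bot: `serve-expired: yes` (hunk at -538) is switched on with no limit on how stale an answer may be and no comment recording why. Clients keep receiving records after the zone owner has changed or withdrawn them, which matters more once the same resolver feeds IPsec decisions through the module enabled in this commit. If the packaged Unbound version offers `serve-expired-ttl`, I would set a cap beside it (`serve-expired-ttl: <seconds chosen by the operator>`) and add a line such as `# serve stale answers only to ride out upstream outages`.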
@@ -727,6 +727,14 @@ server:
 # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 # ip-ratelimit-factor: 10
+ # IPsec module for Opportunistic IPsec
+ # Libreswan will enable this via unbound-control
+ #ipsecmod-enabled:yes
+ #ipsecmod-hook:/usr/libexec/ipsec/unbound-hook.py
+ #ipsecmod-ignore-bogus:no
+ #ipsecmod-max-ttl:3600
+ #ipsecmod-whitelist:libreswan.org
+
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
 # o list python in the module-config string (above) to enable.
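Review bot: The commented `ipsecmod-*` examples are written without a space after the colon (`#ipsecmod-enabled:yes`), unlike the other commented options in this file (`# ip-ratelimit-factor: 10`); I would write them as `# ipsecmod-enabled: yes`, `# ipsecmod-hook: /usr/libexec/ipsec/unbound-hook.py` and so on. The block also lacks a sentence on what the hook is: as I understand the module, `ipsecmod-hook` names an external program the resolver runs with values taken from DNS answers, so the comment should say the path must be root-owned and not writable by the unbound user. It should also say that `ipsecmod-ignore-bogus` is meant to stay `no`, so that answers failing DNSSEC validation never reach the hook. Showing `yes` as the example value for `ipsecmod-enabled` sits oddly next to "Libreswan will enable this via unbound-control"; stating the shipped value explicitly would be clearer.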