Import few changes to configuration

This commit is contained in:
Petr Menšík 2022-03-29 17:28:39 +02:00
parent 84e89add4a
commit c469ecef15

View File

@ -98,14 +98,14 @@ server:
# num-queries-per-thread, or, use as many as the OS will allow you. # num-queries-per-thread, or, use as many as the OS will allow you.
# outgoing-range: 4096 # outgoing-range: 4096
# permit unbound to use this port number or port range for # permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface. # making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SElinux # Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-60999 outgoing-port-permit: 32768-60999
# deny unbound the use this of port number or port range for # deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface. # making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some # Use this to make sure Unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid # other server on this computer needs. The default is to avoid
# IANA-assigned port numbers. # IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options # If multiple outgoing-port-permit and outgoing-port-avoid options
@ -238,7 +238,7 @@ server:
# do-ip6: yes # do-ip6: yes
# Enable UDP, "yes" or "no". # Enable UDP, "yes" or "no".
# NOTE: if setting up an unbound on tls443 for public use, you might want to # NOTE: if setting up an Unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks. # disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes # do-udp: yes
@ -275,7 +275,7 @@ server:
# use-systemd: no # use-systemd: no
# Detach from the terminal, run in background, "yes" or "no". # Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when unbound runs as systemd service. # Set the value to "no" when Unbound runs as systemd service.
# do-daemonize: yes # do-daemonize: yes
# control which clients are allowed to make (recursive) queries # control which clients are allowed to make (recursive) queries
@ -328,7 +328,7 @@ server:
# The pid file can be absolute and outside of the chroot, it is # The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions. # written just prior to performing the chroot and dropping permissions.
# #
# Additionally, unbound may need to access /dev/urandom (for entropy). # Additionally, Unbound may need to access /dev/urandom (for entropy).
# How to do this is specific to your OS. # How to do this is specific to your OS.
# #
# If you give "" no chroot is performed. The path must not end in a /. # If you give "" no chroot is performed. The path must not end in a /.
@ -542,7 +542,7 @@ server:
# Use several entries, one per domain name, to track multiple zones. # Use several entries, one per domain name, to track multiple zones.
# #
# If you want to perform DNSSEC validation, run unbound-anchor before # If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts). And enable: # you start Unbound (i.e. in the system boot scripts). And enable:
# Please note usage of unbound-anchor root anchor is at your own risk # Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source). # and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/lib/unbound/root.key" # auto-trust-anchor-file: "/var/lib/unbound/root.key"
@ -613,7 +613,7 @@ server:
val-permissive-mode: no val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data. # Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of unbound are legacy servers (w2008) # Enable it if the only clients of Unbound are legacy servers (w2008)
# that set CD but cannot validate themselves. # that set CD but cannot validate themselves.
# ignore-cd-flag: no # ignore-cd-flag: no
@ -643,7 +643,7 @@ server:
# Return the original TTL as received from the upstream name server rather # Return the original TTL as received from the upstream name server rather
# than the decrementing TTL as stored in the cache. Enabling this feature # than the decrementing TTL as stored in the cache. Enabling this feature
# does not impact cache expiry, it only changes the TTL unbound embeds in # does not impact cache expiry, it only changes the TTL Unbound embeds in
# responses to queries. Note that enabling this feature implicitly disables # responses to queries. Note that enabling this feature implicitly disables
# enforcement of the configured minimum and maximum TTL. # enforcement of the configured minimum and maximum TTL.
# serve-original-ttl: no # serve-original-ttl: no
@ -736,9 +736,9 @@ server:
# Add example.com into ipset # Add example.com into ipset
# local-zone: "example.com" ipset # local-zone: "example.com" ipset
# If unbound is running service for the local host then it is useful # If Unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the # to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server # long list of local-zones above. If this Unbound is a dns server
# for a network of computers, disabled is better and stops information # for a network of computers, disabled is better and stops information
# leakage of local lan information. # leakage of local lan information.
# unblock-lan-zones: no # unblock-lan-zones: no
@ -922,7 +922,7 @@ server:
# the number of servers that will be used in the fast server selection. # the number of servers that will be used in the fast server selection.
# fast-server-num: 3 # fast-server-num: 3
# Specific options for ipsecmod. unbound needs to be configured with # Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect. # --enable-ipsecmod for these to take effect.
# #
# Enable or disable ipsecmod (it still needs to be defined in # Enable or disable ipsecmod (it still needs to be defined in
@ -936,7 +936,7 @@ server:
# ipsecmod-hook: "./my_executable" # ipsecmod-hook: "./my_executable"
ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
# When enabled unbound will reply with SERVFAIL if the return value of # When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0. # the ipsecmod-hook is not 0.
# ipsecmod-strict: no # ipsecmod-strict: no
# #
@ -1005,10 +1005,10 @@ remote-control:
# For local sockets this option is ignored, and TLS is not used. # For local sockets this option is ignored, and TLS is not used.
control-use-cert: "no" control-use-cert: "no"
# unbound server key file. # Unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key" server-key-file: "/etc/unbound/unbound_server.key"
# unbound server certificate file. # Unbound server certificate file.
server-cert-file: "/etc/unbound/unbound_server.pem" server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file. # unbound-control key file.
@ -1125,7 +1125,7 @@ auth-zone:
# #
# DNSCrypt # DNSCrypt
# Caveats: # Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the follo0wing snippet: # listen on `dnscrypt-port` with the follo0wing snippet:
@ -1165,7 +1165,7 @@ auth-zone:
# IPSet # IPSet
# Add specify domain into set via ipset. # Add specify domain into set via ipset.
# Note: To enable ipset unbound needs to run as root user. # Note: To enable ipset Unbound needs to run as root user.
# ipset: # ipset:
# # set name for ip v4 addresses # # set name for ip v4 addresses
# name-v4: "list-v4" # name-v4: "list-v4"
@ -1188,7 +1188,7 @@ auth-zone:
# dnstap-tls: yes # dnstap-tls: yes
# # name for authenticating the upstream server. or "" disabled. # # name for authenticating the upstream server. or "" disabled.
# dnstap-tls-server-name: "" # dnstap-tls-server-name: ""
# # if "", it uses the cert bundle from the main unbound config. # # if "", it uses the cert bundle from the main Unbound config.
# dnstap-tls-cert-bundle: "" # dnstap-tls-cert-bundle: ""
# # key file for client authentication, or "" disabled. # # key file for client authentication, or "" disabled.
# dnstap-tls-client-key-file: "" # dnstap-tls-client-key-file: ""
@ -1208,10 +1208,11 @@ auth-zone:
# dnstap-log-forwarder-response-messages: no # dnstap-log-forwarder-response-messages: no
# Response Policy Zones # Response Policy Zones
# RPZ policies. Applied in order of configuration. QNAME and Response IP # RPZ policies. Applied in order of configuration. QNAME, Response IP
# Address trigger are the only supported triggers. Supported actions are: # Address, nsdname, nsip and clientip triggers are supported. Supported
# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from # actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
# file, using zone transfer, or using HTTP. The respip module needs to be added # and drop. Policies can be loaded from a file, or using zone
# transfer, or using HTTP. The respip module needs to be added
# to the module-config, e.g.: module-config: "respip validator iterator". # to the module-config, e.g.: module-config: "respip validator iterator".
# rpz: # rpz:
# name: "rpz.example.com" # name: "rpz.example.com"
@ -1223,4 +1224,6 @@ auth-zone:
# rpz-cname-override: www.example.org # rpz-cname-override: www.example.org
# rpz-log: yes # rpz-log: yes
# rpz-log-name: "example policy" # rpz-log-name: "example policy"
# rpz-signal-nxdomain-ra: no
# for-downstream: no
# tags: "example" # tags: "example"