# Fedora distribution defaults
#
# Syntax note: this file is in unbound.conf(5) syntax, which only looks
# like YAML. Booleans are written "yes"/"no", and a key may legitimately
# be repeated (interface:, outgoing-port-avoid:) to add further entries.
server:
    # verbosity number, 0 is least verbose. 1 is default.
    verbosity: 1

    # print statistics to the log (for every thread) every N seconds.
    # Set to "" or 0 to disable. Default is disabled.
    # Needs to be disabled for munin plugin
    statistics-interval: 0

    # enable cumulative statistics, without clearing them after printing.
    # Needs to be disabled for munin plugin
    statistics-cumulative: no

    # enable extended statistics (query types, answer codes, status)
    # Needs to be enabled for munin plugin
    extended-statistics: yes

    # number of threads to create. 1 disables threading.
    # num-threads: 1
    num-threads: 4

    # specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # specify 0.0.0.0 and ::0 to bind to all available interfaces.
    # specify every interface[@port] on a new 'interface:' labelled line.
    # The listen interfaces are not changed on reload, only on restart.
    # interface: 0.0.0.0
    # interface: ::0
    # interface: 192.0.2.153
    # interface: 192.0.2.154
    # interface: 192.0.2.154@5003
    # interface: 2001:DB8::5
    # interface: eth0@5003
    #
    # for dns over tls and raw dns over port 80
    # interface: 0.0.0.0@443
    # interface: ::0@443
    # interface: 0.0.0.0@80
    # interface: ::0@80

    # enable this feature to copy the source address of queries to reply.
    # Socket options are not supported on all platforms. experimental.
    # interface-automatic: yes
    #
    # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
    # NOTE: Disabled per Fedora policy not to listen to * on default install
    # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
    interface-automatic: no

    # permit Unbound to use this port number or port range for
    # making outgoing queries, using an outgoing interface.
    # Only ephemeral ports are allowed by SELinux
    outgoing-port-permit: 32768-60999  # IANA-assigned port numbers.

    # If multiple outgoing-port-permit and outgoing-port-avoid options
    # are present, they are processed in order.
    # Our SELinux policy does not allow non-ephemeral ports to be used
    outgoing-port-avoid: 0-32767
    outgoing-port-avoid: 61000-65535

    # use SO_REUSEPORT to distribute queries over threads.
    # at extreme load it could be better to turn it off to distribute even.
    so-reuseport: yes

    # use IP_TRANSPARENT so the interface: addresses can be non-local
    # and you can config non-existing IPs that are going to work later on
    # (uses IP_BINDANY on FreeBSD).
    ip-transparent: yes

    # Enable UDP, "yes" or "no".
    # NOTE: if setting up an Unbound on tls443 for public use, you might want to
    # disable UDP to avoid being used in DNS amplification attacks.
    # do-udp: yes

    # Enable EDNS TCP keepalive option.
    edns-tcp-keepalive: yes

    # Fedora note: do not activate this - not compiled in because
    # it causes frequent unbound crashes. Also, socket activation
    # is bad when you have things like dnsmasq also running with libvirt.
    # Use systemd socket activation for UDP, TCP, and control sockets.
    # use-systemd: no

    # If you give "" no chroot is performed. The path must not end in a /.
    # chroot: "/etc/unbound"
    # NOTE(review): "" means the daemon runs without chroot confinement; the
    # only confinement this file refers to is the SELinux port policy above.
    chroot: ""

    # If you give a server: directory: dir before include: file statements
    # then those includes can be relative to the working directory.
    directory: "/etc/unbound"

    # print UTC timestamp in ascii to logfile, default is epoch in seconds.
    log-time-ascii: yes

    # Harden against unseemly large queries.
    harden-large-queries: yes

    # Default off, because the lookups burden the server. Experimental
    # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
    harden-referral-path: yes

    # Send the minimum amount of information to upstream servers to enhance
    # privacy. Only send the minimum required labels of the QNAME and set
    # QTYPE to A when possible.
    qname-minimisation: yes

    # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
    # and other denials, using information from previous NXDOMAIN answers.
    aggressive-nsec: yes

    # If the count of unwanted replies reaches this threshold, a warning is
    # printed and a defensive action is taken: the cache is cleared to
    # flush potential poison out of it.
    # A suggested value is 10000000, the default is 0 (turned off).
    unwanted-reply-threshold: 10000000

    # if yes, perform prefetching of almost expired message cache entries.
    prefetch: yes

    # if yes, perform key lookups adjacent to normal lookups.
    prefetch-key: yes

    # deny queries of type ANY with an empty response.
    deny-any: yes

    # if yes, Unbound rotates RRSet order in response.
    rrset-roundrobin: yes

    # if yes, Unbound doesn't insert authority/additional sections
    # into response messages when those sections are not required.
    minimal-responses: yes

    # module configuration of the server. A string with identifiers
    # separated by spaces. Syntax: "[dns64] [validator] iterator"
    # most modules have to be listed at the beginning of the line,
    # except cachedb(just before iterator), and python (at the beginning,
    # or, just before the iterator).
    # For redis cachedb use:
    # "ipsecmod validator cachedb iterator"
    # The trust-anchor and val-* settings below act through the "validator"
    # module listed here; keep it in the list.
    module-config: "ipsecmod validator iterator"

    # trust anchor signaling sends a RFC8145 key tag query after priming.
    trust-anchor-signaling: yes

    # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
    root-key-sentinel: yes

    # the trusted-keys { name flag proto algo "key"; }; clauses are read.
    # you need external update procedures to track changes in keys.
    # trusted-keys-file: ""
    # trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Should additional section of secure message also be kept clean of
    # unsecure data. Useful to shield the users of this validator from
    # potential bogus data in the additional section. All unsigned data
    # in the additional section is removed from secure messages.
    val-clean-additional: yes

    # Turn permissive mode on to permit bogus messages. Thus, messages
    # for which security checks failed will be returned to clients,
    # instead of SERVFAIL. It still performs the security checks, which
    # result in interesting log files and possibly the AD bit in
    # replies if the message is found secure. The default is off.
    # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
    val-permissive-mode: no

    # Serve expired responses from cache, with serve-expired-reply-ttl in
    # the response, and then attempt to fetch the data afresh.
    serve-expired: yes

    # Limit serving of expired responses to configured seconds after
    # expiration. 0 disables the limit. 14400 seconds is 4 hours.
    serve-expired-ttl: 14400

    # Have the validator log failed validations for your diagnosis.
    # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
    val-log-level: 1

    # service clients over TLS (on the TCP sockets) with plain DNS inside
    # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
    # Give the certificate to use and private key.
    # default is "" (disabled). requires restart to take effect.
    # tls-service-key: "/etc/unbound/unbound_server.key"
    # tls-service-pem: "/etc/unbound/unbound_server.pem"

    # Fedora/RHEL: use system-wide crypto policies
    tls-ciphers: "PROFILE=SYSTEM"

    # Enable to attach Extended DNS Error codes (RFC8914) to responses.
    # Fedora defaults to yes.
    ede: yes

    # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
    # Answer as EDNS0 option to expired responses.
    # Note that the ede option above needs to be enabled for this to work.
    # Fedora defaults to yes.
    ede-serve-expired: yes

    # Enable or disable ipsecmod (it still needs to be defined in
    # module-config above). Can be used when ipsecmod needs to be
    # enabled/disabled via remote-control (see remote-control.conf).
    # Fedora: module will be enabled on-demand by libreswan
    ipsecmod-enabled: no

    # Path to executable external hook. It must be defined when ipsecmod is
    # listed in module-config (above).
    # NOTE(review): this program is executed by the daemon once ipsecmod is
    # enabled, presumably with the daemon's privileges; keep the path
    # root-owned and not writable by other users.
    ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook

python:
    # Script file to load
    # python-script: "/etc/unbound/ubmodule-tst.py"

# Remote control config section moved into own remote-control.conf

# Dynamic library config section. If dynlib is listed more than once in
# the module-config then you need one dynlib-file per instance.
dynlib:
    # Script file to load
    # dynlib-file: "/etc/unbound/dynlib.so"

# Fedora: DNSCrypt support not enabled since it requires linking to
# another crypto library
#