From 56187754cbd38f3623b56d9dc97fbe4b5b5d87e8 Mon Sep 17 00:00:00 2001
From: Tomas Korbar <tkorbar@redhat.com>
Date: Tue, 4 Feb 2025 09:48:12 +0100
Subject: [PATCH 1/1] Customize unbound.conf for Fedora defaults
Apply some Fedora/RHEL-specific changes to the example configuration file. By
patching upstream provided config file we would not need to manually
update external copy in source RPM.
---
unbound-1.20.0/doc/example.conf.in | 33 ++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/unbound-1.20.0/doc/example.conf.in b/unbound-1.20.0/doc/example.conf.in
|
|
index 0368c8d..3ca085e 100644
|
|
--- a/unbound-1.20.0/doc/example.conf.in
|
|
+++ b/unbound-1.20.0/doc/example.conf.in
|
|
@@ -51,11 +51,19 @@ server:
|
|
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
|
|
# specify every interface[@port] on a new 'interface:' labelled line.
|
|
# The listen interfaces are not changed on reload, only on restart.
|
|
+ # interface: 0.0.0.0
|
|
+ # interface: ::0
|
|
# interface: 192.0.2.153
|
|
# interface: 192.0.2.154
|
|
# interface: 192.0.2.154@5003
|
|
# interface: 2001:DB8::5
|
|
# interface: eth0@5003
|
|
+ #
|
|
+ # for dns over tls and raw dns over port 80
|
|
+ # interface: 0.0.0.0@443
|
|
+ # interface: ::0@443
|
|
+ # interface: 0.0.0.0@80
|
|
+ # interface: ::0@80
|
|
|
|
# enable this feature to copy the source address of queries to reply.
|
|
# Socket options are not supported on all platforms. experimental.
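Review bot: The new comment `# for dns over tls and raw dns over port 80` above the `interface: 0.0.0.0@443` example does not match the defaults this same file shows further down (`tls-port: 853`, `https-port: 443`): with the defaults a listener on @443 serves DNS-over-HTTPS, and it only serves DNS-over-TLS if tls-port is also changed to 443, while a listener on @80 is plain DNS on a non-standard port. Suggest `# for DNS over HTTPS on 443 (or DNS over TLS if tls-port is set to 443), and plain DNS on port 80`. All added lines are commented examples, so nothing changes at runtime; the server: clause continues outside the hunk.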
|
|
@@ -276,6 +284,8 @@ server:
|
|
# nat64-prefix: 64:ff9b::0/96
|
|
|
|
# Enable UDP, "yes" or "no".
|
|
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
|
|
+ # disable UDP to avoid being used in DNS amplification attacks.
|
|
# do-udp: yes
|
|
|
|
# Enable TCP, "yes" or "no".
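Review bot: The added note on do-udp presents turning UDP off as the remedy for amplification abuse, but `do-udp: no` is global — it also stops ordinary UDP clients on every listener, including local ones — and for a publicly reachable listener the usual controls are `access-control` and the `ip-ratelimit` / `ratelimit` options rather than dropping UDP. "tls443" is also not a term the file uses elsewhere. Suggest `# NOTE: if exposing Unbound publicly (e.g. DoT/DoH on 443), restrict clients with access-control and consider ip-ratelimit; disabling UDP here affects all listeners, including local clients.`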
|
|
@@ -311,6 +321,9 @@ server:
|
|
# can be dropped. Default is 0, disabled. In seconds, such as 3.
|
|
# sock-queue-timeout: 0
|
|
|
|
+ # Fedora note: do not activate this - not compiled in because
|
|
+ # it causes frequent unbound crashes. Also, socket activation
|
|
+ # is bad when you have things like dnsmasq also running with libvirt.
|
|
# Use systemd socket activation for UDP, TCP, and control sockets.
|
|
# use-systemd: no
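Review bot: The new comment states `not compiled in because it causes frequent unbound crashes` without any reference, so a later maintainer cannot tell whether the problem is still current or safely re-evaluate the build decision. Suggest keeping the fact and pointing at the tracker: `# Fedora note: do not set this - systemd socket activation is not compiled in on Fedora (see <bug-id>); it also conflicts with other local resolvers such as dnsmasq under libvirt.` It would also help to say what a user who sets `use-systemd: yes` anyway will see (presumably a configuration error at startup — confirm against the Fedora build).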
|
|
|
|
@@ -890,6 +903,8 @@ server:
|
|
# you need to do the reverse notation yourself.
|
|
# local-data-ptr: "192.0.2.3 www.example.com"
|
|
|
|
+ include: /etc/unbound/local.d/*.conf
|
|
+
|
|
# tag a localzone with a list of tag names (in "" with spaces between)
|
|
# local-zone-tag: "example.com" "tag2 tag3"
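Review bot: `include: /etc/unbound/local.d/*.conf` hard-codes the path and is unquoted, whereas the includes added later in this patch use the `"@sysconfdir@/unbound/conf.d/*.conf"` form; in a `.conf.in` template the hard-coded form will not follow a non-default sysconfdir. Suggest `include: "@sysconfdir@/unbound/local.d/*.conf"`. Because this is an active directive rather than a commented example, every file matching the glob is parsed at startup, so a one-line comment that the directory is meant to be writable by root only (and owned by the package) would help readers; the include sits inside the server: clause, which continues outside the hunk.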
|
|
|
|
@@ -900,8 +915,8 @@ server:
|
|
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
|
|
# Give the certificate to use and private key.
|
|
# default is "" (disabled). requires restart to take effect.
|
|
- # tls-service-key: "path/to/privatekeyfile.key"
|
|
- # tls-service-pem: "path/to/publiccertfile.pem"
|
|
+ # tls-service-key: "/etc/unbound/unbound_server.key"
|
|
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
|
|
# tls-port: 853
|
|
# https-port: 443
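Review bot: The new example paths `/etc/unbound/unbound_server.key` and `.pem` hard-code /etc/unbound while the rest of the patch uses `@sysconfdir@` and the neighbouring control-cert-file example uses `@UNBOUND_RUN_DIR@`; for consistency in a `.conf.in` template use `"@sysconfdir@/unbound/unbound_server.key"` and `"@sysconfdir@/unbound/unbound_server.pem"`. These lines stay commented, so there is no runtime effect. A short comment stating which account must be able to read the private key (whether it is loaded before or after the privilege drop — confirm) and that it should be readable by nobody else would save a common setup mistake.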
|
|
|
|
@@ -1141,6 +1156,12 @@ remote-control:
|
|
# unbound-control certificate file.
|
|
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
|
|
|
|
+# Default Fedora settings
|
|
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
|
|
+
|
|
+# Stub and Forward zones
|
|
+include: "@sysconfdir@/unbound/conf.d/*.conf"
|
|
+
|
|
# Stub zones.
|
|
# Create entries like below, to make all queries for 'example.com' and
|
|
# 'example.org' go to the given list of nameservers. list zero or more
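Review bot: The two active `include:` lines are placed after the `remote-control:` clause, and Unbound's include is, as far as I recall, a textual splice at that point, so each included file must open its own clause (`server:`, `forward-zone:`, …) or its options will land in remote-control or be rejected; a comment saying so would prevent misconfigured drop-ins: `# Included files must start with their own clause (server:, forward-zone:, ...)`. The heading `# Stub and Forward zones` describes the intended use of conf.d, but the glob pulls in any *.conf, so "drop-in configuration" would be more accurate. Please also confirm that Unbound starts cleanly when conf.d matches no files, which is the state on a fresh install.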
|
|
@@ -1161,6 +1182,10 @@ remote-control:
|
|
# name: "example.org"
|
|
# stub-host: ns.example.com.
|
|
|
|
+# You can now also dynamically create and delete stub-zone's using
|
|
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
|
|
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
|
|
+
|
|
# Forward zones
|
|
# Create entries like below, to make all queries for 'example.com' and
|
|
# 'example.org' go to the given list of servers. These servers have to handle
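Review bot: The new comment lines say `stub-zone's` where the plural `stub-zones` is meant, and the examples use `domain.com 1.2.3.4 5.6.7.8` while the rest of the file sticks to documentation names and addresses (`example.com`, `192.0.2.x`); the same applies to the forward-zone hunk that follows. Suggest `# You can also dynamically create and delete stub-zones using`, `# unbound-control stub_add example.com 192.0.2.1 192.0.2.2` and the matching `stub_remove` line, with the forward_add/forward_remove lines adjusted the same way. Commented text only, no runtime effect.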
|
|
@@ -1178,6 +1203,10 @@ remote-control:
|
|
# forward-zone:
|
|
# name: "example.org"
|
|
# forward-host: fwd.example.com
|
|
+#
|
|
+# You can now also dynamically create and delete forward-zone's using
|
|
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
|
|
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
|
|
|
|
# Authority zones
|
|
# The data for these zones is kept locally, from a file or downloaded.
|
|
--
2.48.1