Place distribution defaults into a file provided in /usr/share/unbound. Include that file from the default configuration before conf.d/*.conf is included, so that the same evaluation order is kept and anything in conf.d/ can still override a distribution default. Rely on remote-control being configured by conf.d/remote-control.conf only. Moved parts from the original unbound.conf into this single file. Resolves: RHEL-77780
# Fedora distribution defaults
#
# This file is shipped under /usr/share/unbound and is included by the
# default unbound.conf *before* conf.d/*.conf, so every value below can be
# overridden by a drop-in in conf.d/.  The remote-control: section is
# deliberately not here; it lives in conf.d/remote-control.conf.
#
# Keys are Unbound's own "key: value" syntax (not strict YAML): yes/no are
# booleans, paths may be unquoted, and "*" globs are literal.

server:
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1

# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# Needs to be disabled for munin plugin
statistics-interval: 0

# enable cumulative statistics, without clearing them after printing.
# Needs to be disabled for munin plugin
statistics-cumulative: no

# enable extended statistics (query types, answer codes, status)
# Needs to be enabled for munin plugin
extended-statistics: yes

# number of threads to create. 1 disables threading.
# num-threads: 1
num-threads: 4

# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
# interface: eth0@5003
#
# for dns over tls and raw dns over port 80
# interface: 0.0.0.0@443
# interface: ::0@443
# interface: 0.0.0.0@80
# interface: ::0@80
#
# NOTE(review): nothing in this file sets access-control: rules.  If you
# add an interface: line for a non-loopback address, add matching
# access-control: entries in conf.d/ as well; otherwise you rely on
# Unbound's built-in default (which only allows localhost) to keep the
# resolver from becoming an open resolver.  Verify with a query from
# another host after any change.

# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: yes
#
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
# NOTE: Disabled per Fedora policy not to listen to * on default install
# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
interface-automatic: no

# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SELinux.
# Keeping the source-port pool wide (here ~28k ports) matters for
# cache-poisoning resistance; do not narrow this range without reason.
outgoing-port-permit: 32768-60999

# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order, so the permit above must
# stay before these avoids.
# Our SELinux policy does not allow non-ephemeral ports to be used
outgoing-port-avoid: 0-32767
outgoing-port-avoid: 61000-65535

# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
so-reuseport: yes

# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
# NOTE(review): a side effect is that a mistyped interface: address may
# not be rejected at bind time; check the listening sockets (ss -lnup)
# after changing interface: lines.
ip-transparent: yes

# Enable UDP, "yes" or "no".
# NOTE: if setting up an Unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes

# Enable EDNS TCP keepalive option.
edns-tcp-keepalive: yes

# Fedora note: do not activate this - not compiled in because
# it causes frequent unbound crashes. Also, socket activation
# is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no

# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/etc/unbound"
#
# NOTE(review): no chroot is used here; confinement of the daemon is
# expected to come from outside this file (service unit / SELinux
# policy -- confirm).  If you enable a chroot, the absolute paths below
# (auto-trust-anchor-file, ipsecmod-hook, keys.d) must be valid inside it.
chroot: ""

# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
directory: "/etc/unbound"

# print UTC timestamp in ascii to logfile, default is epoch in seconds.
log-time-ascii: yes

# Harden against unseemly large queries.
harden-large-queries: yes

# Upstream default is off, because the lookups burden the server.
# Experimental implementation of
# draft-wijngaards-dnsext-resolver-side-mitigation.  Fedora enables it.
#
# NOTE(review): the other harden-* options (e.g. harden-glue,
# harden-dnssec-stripped, harden-algo-downgrade, harden-below-nxdomain)
# are not set in this file and therefore take Unbound's built-in
# defaults; review them against local policy and set them in conf.d/.
harden-referral-path: yes

# Send the minimum amount of information to upstream servers to enhance
# privacy. Only send the minimum required labels of the QNAME and set
# QTYPE to A when possible.
qname-minimisation: yes

# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
aggressive-nsec: yes

# If set, a total number of unwanted replies is kept track of in every
# thread. When it reaches the threshold, a warning is printed and a
# defensive action is taken: the cache is cleared to flush potential
# poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
unwanted-reply-threshold: 10000000

# if yes, perform prefetching of almost expired message cache entries.
prefetch: yes

# if yes, perform key lookups adjacent to normal lookups.
prefetch-key: yes

# deny queries of type ANY with an empty response.
# (ANY answers are large and are a classic amplification vector.)
deny-any: yes

# if yes, Unbound rotates RRSet order in response.
rrset-roundrobin: yes

# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
minimal-responses: yes

# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# For redis cachedb use:
# "ipsecmod validator cachedb iterator"
#
# Order matters: "validator" must stay in front of "iterator" or DNSSEC
# validation is silently not performed.  "ipsecmod" is listed here but
# is switched off by ipsecmod-enabled: no below until libreswan turns
# it on.
module-config: "ipsecmod validator iterator"

# trust anchor signaling sends a RFC8145 key tag query after priming.
trust-anchor-signaling: yes

# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes

# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
#
# NOTE(review): this is a glob -- every *.key file dropped into
# /etc/unbound/keys.d becomes a trust anchor, so that directory must
# stay writable only by root.
trusted-keys-file: /etc/unbound/keys.d/*.key
# The root KSK anchor is maintained automatically (RFC 5011); Unbound
# rewrites this file as the root key rolls, which is why it lives under
# /var/lib and must be writable by the unbound user (confirm ownership).
auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
val-clean-additional: yes

# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no

# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
#
# NOTE(review): with the limit below this means a record that was
# changed or withdrawn upstream can keep being answered for up to
# 4 hours after its TTL ran out (clients see EDE "Stale Answer", see
# ede-serve-expired below).  Lower serve-expired-ttl or disable this
# on resolvers where fast revocation of names matters.
serve-expired: yes

# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.  14400 s = 4 hours.
serve-expired-ttl: 14400

# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
val-log-level: 1

# service clients over TLS (on the TCP sockets) with plain DNS inside
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# The private key should be readable by the unbound user only.
# tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem"

# Fedora/RHEL: use system-wide crypto policies
# (update-crypto-policies(8)); do not hard-code a cipher list here.
# NOTE(review): TLS 1.3 suites are governed by the separate
# tls-ciphersuites option, which is not set in this file -- confirm the
# effective policy if DoT/DoH is enabled.
tls-ciphers: "PROFILE=SYSTEM"

# Enable to attach Extended DNS Error codes (RFC8914) to responses.
# Fedora defaults to yes.
ede: yes

# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
# Fedora defaults to yes.
ede-serve-expired: yes

# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control (conf.d/remote-control.conf).
# Fedora: module will be enabled on-demand by libreswan
ipsecmod-enabled: no

# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# NOTE(review): Unbound executes this program; keep the path and its
# parent directories root-owned and not writable by the unbound user.
ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook

# Python module section.  It only takes effect when "python" is listed
# in module-config above (it is not in the Fedora default), and the
# script runs with the full privileges of the resolver process -- load
# only root-owned scripts.
python:
# Script file to load
# python-script: "/etc/unbound/ubmodule-tst.py"

# Remote control config section (remote-control:) has been moved into its
# own drop-in, conf.d/remote-control.conf; do not configure it here.

# Dynamic library module section.  Only used when "dynlib" is listed in
# module-config above; if "dynlib" is listed more than once in
# the module-config then you need one dynlib-file per instance.
# NOTE(review): the object is dlopen()ed into the resolver process, so it
# must come from a root-owned, non-writable path.
dynlib:
# Shared object to load
# dynlib-file: "/etc/unbound/dynlib.so"

# Fedora: DNSCrypt support not enabled since it requires linking to
|
|
# another crypto library
|
|
#
|