Added multiple comments to sections explaining their purpose.
Added private IPv6 range.
Added max queries per sec.
Added extra privacy measures.
Added caching with prefetch.
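server:
    # Logging. If no logfile is specified, syslog is used.
    # logfile: "/var/log/unbound/unbound.log"
    # Verbosity 0 logs errors only; raise it temporarily when troubleshooting.
    verbosity: 0

    # Listen on loopback only: the resolver is not reachable from the network,
    # so only clients on this host (e.g. a local forwarder) can query it.
    interface: 127.0.0.1

    # A single thread is sufficient for home or small-office instances.
    num-threads: 1

    # Define protocols for connections to and from Unbound.
    # Port 5335 is a non-standard DNS port; local clients must be pointed at it.
    port: 5335
    do-ip4: yes
    do-udp: yes
    # TCP must stay enabled: truncated UDP answers are retried over TCP.
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no

    # DNS rebinding protection: addresses in these private ranges are removed
    # from answers for public names, so an external name cannot be made to
    # resolve to a host on the internal network.
    # Local zones that legitimately resolve to private addresses need a
    # matching private-domain entry, otherwise their answers are stripped too.
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # NOTE(review): the unbound.conf manual also suggests ::ffff:0:0/96 so that
    # IPv4-mapped IPv6 addresses cannot bypass the filter; consider adding it.

    # Rate limit on queries Unbound sends upstream while recursing, counted per
    # zone per second. It bounds recursive floods (e.g. random query names);
    # it is not a cap on the total number of client queries.
    ratelimit: 1000

    # Cache-poisoning defence: unwanted replies are counted per thread, and when
    # the threshold is reached a warning is logged and the rrset and message
    # caches are cleared to flush any poisoned data.
    unwanted-reply-threshold: 10000

    # Set the EDNS reassembly buffer size to the DNS Flag Day 2020
    # recommendation, which keeps UDP answers below common fragmentation limits.
    edns-buffer-size: 1232

    # Hardening
    # Trust glue records only if they are within the server's authority.
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones; if it is missing the zone
    # is treated as bogus. This only has an effect when a trust anchor is
    # configured; none is visible in this section, so confirm one is loaded
    # elsewhere (e.g. auto-trust-anchor-file).
    harden-dnssec-stripped: yes
    # Refuse to fall back to a weaker algorithm when the DS record advertises
    # several.
    harden-algo-downgrade: yes
    # Ignore very large queries.
    harden-large-queries: yes
    # Ignore very small EDNS buffer sizes advertised in queries.
    harden-short-bufsize: yes

    # Spoofing resistance and answer rotation (neither option is a privacy
    # control).
    # use-caps-for-id randomises the letter case of outgoing query names
    # (0x20 encoding) and checks it in the reply, which makes off-path spoofing
    # harder. A few non-conforming authoritative servers mishandle it, which
    # can show up as resolution failures for specific domains.
    use-caps-for-id: yes
    # Rotate the order of records within an RRset in responses.
    rrset-roundrobin: yes
    # NOTE(review): options that do address privacy are qname-minimisation,
    # hide-identity and hide-version; check whether they are set elsewhere.

    # Increase incoming and outgoing socket buffer sizes to cover traffic peaks.
    # The kernel may cap these below 4m unless its socket buffer limits are
    # raised (on Linux presumably net.core.rmem_max / net.core.wmem_max).
    so-rcvbuf: 4m
    so-sndbuf: 4m

    # Caching
    # cache-min-ttl overrides lower TTLs published by the zone owner, so records
    # can be served for up to 300 s after the owner changed them.
    cache-min-ttl: 300
    cache-max-ttl: 86400
    # Answer from expired cache entries while a fresh lookup runs. Stale
    # answers may point at addresses the domain owner no longer controls.
    serve-expired: yes
    # NOTE(review): consider bounding staleness explicitly; RFC 8767 suggests
    # one to three days.
    # serve-expired-ttl: 86400
    neg-cache-size: 4m
    # Refresh popular entries shortly before they expire.
    prefetch: yes
    # Fetch DNSKEYs early in the validation process.
    prefetch-key: yes
    # rrset-cache-size is kept at twice msg-cache-size.
    msg-cache-size: 50m
    rrset-cache-size: 100m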