example.conf (282089) example.conf (287917)
1#
2# Example configuration file.
3#
1#
2# Example configuration file.
3#
4# See unbound.conf(5) man page, version 1.5.3.
4# See unbound.conf(5) man page, version 1.5.4.
5#
6# this is a comment.
7
8#Use this to include other text into the file.
9#include: "otherfile.conf"
10
11# The server clause sets the main parameters.
12server:

--- 69 unchanged lines hidden (view full) ---

82 # so-rcvbuf: 0
83
84 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
85 # 0 is system default. Use 4m to handle spikes on very busy servers.
86 # so-sndbuf: 0
87
88 # use SO_REUSEPORT to distribute queries over threads.
89 # so-reuseport: no
5#
6# this is a comment.
7
8#Use this to include other text into the file.
9#include: "otherfile.conf"
10
11# The server clause sets the main parameters.
12server:

--- 69 unchanged lines hidden (view full) ---

82 # so-rcvbuf: 0
83
84 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
85 # 0 is system default. Use 4m to handle spikes on very busy servers.
86 # so-sndbuf: 0
87
88 # use SO_REUSEPORT to distribute queries over threads.
89 # so-reuseport: no
90
91 # use IP_TRANSPARENT so the interface: addresses can be non-local
92 # and you can config non-existing IPs that are going to work later on
93 # ip-transparent: no
90
91 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
92 # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
93 # edns-buffer-size: 4096
94
95 # Maximum UDP response size (not applied to TCP response).
96 # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
97 # max-udp-size: 4096

--- 32 unchanged lines hidden (view full) ---

130 # the time to live (TTL) value lower bound, in seconds. Default 0.
131 # If more than an hour could easily give trouble due to stale data.
132 # cache-min-ttl: 0
133
134 # the time to live (TTL) value cap for RRsets and messages in the
135 # cache. Items are not cached for longer. In seconds.
136 # cache-max-ttl: 86400
137
94
95 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
96 # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
97 # edns-buffer-size: 4096
98
99 # Maximum UDP response size (not applied to TCP response).
100 # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
101 # max-udp-size: 4096

--- 32 unchanged lines hidden (view full) ---

134 # the time to live (TTL) value lower bound, in seconds. Default 0.
135 # If more than an hour could easily give trouble due to stale data.
136 # cache-min-ttl: 0
137
138 # the time to live (TTL) value cap for RRsets and messages in the
139 # cache. Items are not cached for longer. In seconds.
140 # cache-max-ttl: 86400
141
142 # the time to live (TTL) value cap for negative responses in the cache
143 # cache-max-negative-ttl: 3600
144
138 # the time to live (TTL) value for cached roundtrip times, lameness and
139 # EDNS version information for hosts. In seconds.
140 # infra-host-ttl: 900
141
142 # minimum wait time for responses, increase if uplink is long. In msec.
143 # infra-cache-min-rtt: 50
144
145 # the number of slabs to use for the Infrastructure cache.

--- 133 unchanged lines hidden (view full) ---

279 # harden-below-nxdomain: no
280
281 # Harden the referral path by performing additional queries for
282 # infrastructure data. Validates the replies (if possible).
283 # Default off, because the lookups burden the server. Experimental
284 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
285 # harden-referral-path: no
286
145 # the time to live (TTL) value for cached roundtrip times, lameness and
146 # EDNS version information for hosts. In seconds.
147 # infra-host-ttl: 900
148
149 # minimum wait time for responses, increase if uplink is long. In msec.
150 # infra-cache-min-rtt: 50
151
152 # the number of slabs to use for the Infrastructure cache.

--- 133 unchanged lines hidden (view full) ---

286 # harden-below-nxdomain: no
287
288 # Harden the referral path by performing additional queries for
289 # infrastructure data. Validates the replies (if possible).
290 # Default off, because the lookups burden the server. Experimental
291 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
292 # harden-referral-path: no
293
294 # Harden against algorithm downgrade when multiple algorithms are
295 # advertised in the DS record. If no, allows the weakest algorithm
296 # to validate the zone.
297 # harden-algo-downgrade: yes
298
287 # Use 0x20-encoded random bits in the query to foil spoof attempts.
288 # This feature is an experimental implementation of draft dns-0x20.
289 # use-caps-for-id: no
299 # Use 0x20-encoded random bits in the query to foil spoof attempts.
300 # This feature is an experimental implementation of draft dns-0x20.
301 # use-caps-for-id: no
302
303 # Domains (and domains in them) without support for dns-0x20 and
304 # the fallback fails because they keep sending different answers.
305 # caps-whitelist: "licdn.com"
290
291 # Enforce privacy of these addresses. Strips them away from answers.
292 # It may cause DNSSEC validation to additionally mark it as bogus.
293 # Protects against 'DNS Rebinding' (uses browser as network proxy).
294 # Only 'private-domain' and 'local-data' names are allowed to have
295 # these private addresses. No default.
296 # private-address: 10.0.0.0/8
297 # private-address: 172.16.0.0/12

--- 46 unchanged lines hidden (view full) ---

344 # If you want to perform DNSSEC validation, run unbound-anchor before
345 # you start unbound (i.e. in the system boot scripts). And enable:
346 # Please note usage of unbound-anchor root anchor is at your own risk
347 # and under the terms of our LICENSE (see that file in the source).
348 # auto-trust-anchor-file: "/var/unbound/root.key"
349
350 # File with DLV trusted keys. Same format as trust-anchor-file.
351 # There can be only one DLV configured, it is trusted from root down.
306
307 # Enforce privacy of these addresses. Strips them away from answers.
308 # It may cause DNSSEC validation to additionally mark it as bogus.
309 # Protects against 'DNS Rebinding' (uses browser as network proxy).
310 # Only 'private-domain' and 'local-data' names are allowed to have
311 # these private addresses. No default.
312 # private-address: 10.0.0.0/8
313 # private-address: 172.16.0.0/12

--- 46 unchanged lines hidden (view full) ---

360 # If you want to perform DNSSEC validation, run unbound-anchor before
361 # you start unbound (i.e. in the system boot scripts). And enable:
362 # Please note usage of unbound-anchor root anchor is at your own risk
363 # and under the terms of our LICENSE (see that file in the source).
364 # auto-trust-anchor-file: "/var/unbound/root.key"
365
366 # File with DLV trusted keys. Same format as trust-anchor-file.
367 # There can be only one DLV configured, it is trusted from root down.
352 # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
368 # DLV is going to be decommissioned. Please do not use it any more.
353 # dlv-anchor-file: "dlv.isc.org.key"
354
355 # File with trusted keys for validation. Specify more than one file
356 # with several entries, one file per entry.
357 # Zone file format, with DS and DNSKEY entries.
358 # Note this gets out of date, use auto-trust-anchor-file please.
359 # trust-anchor-file: ""
360

--- 135 unchanged lines hidden (view full) ---

496 # o deny serves local data (if any), else, drops queries.
497 # o refuse serves local data (if any), else, replies with error.
498 # o static serves local data, else, nxdomain or nodata answer.
499 # o transparent gives local data, but resolves normally for other names
500 # o redirect serves the zone data for any subdomain in the zone.
501 # o nodefault can be used to normally resolve AS112 zones.
502 # o typetransparent resolves normally for other types and other names
503 # o inform resolves normally, but logs client IP address
369 # dlv-anchor-file: "dlv.isc.org.key"
370
371 # File with trusted keys for validation. Specify more than one file
372 # with several entries, one file per entry.
373 # Zone file format, with DS and DNSKEY entries.
374 # Note this gets out of date, use auto-trust-anchor-file please.
375 # trust-anchor-file: ""
376

--- 135 unchanged lines hidden (view full) ---

512 # o deny serves local data (if any), else, drops queries.
513 # o refuse serves local data (if any), else, replies with error.
514 # o static serves local data, else, nxdomain or nodata answer.
515 # o transparent gives local data, but resolves normally for other names
516 # o redirect serves the zone data for any subdomain in the zone.
517 # o nodefault can be used to normally resolve AS112 zones.
518 # o typetransparent resolves normally for other types and other names
519 # o inform resolves normally, but logs client IP address
520 # o inform_deny drops queries and logs client IP address
504 #
505 # defaults are localhost address, reverse for 127.0.0.1 and ::1
506 # and nxdomain for AS112 zones. If you configure one of these zones
507 # the default content is omitted, or you can omit it with 'nodefault'.
508 #
509 # If you configure local-data without specifying local-zone, by
510 # default a transparent local-zone is created for the data.
511 #

--- 25 unchanged lines hidden (view full) ---

537 # request upstream over SSL (with plain DNS inside the SSL stream).
538 # Default is no. Can be turned on and off with unbound-control.
539 # ssl-upstream: no
540
541 # DNS64 prefix. Must be specified when DNS64 is use.
542 # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
543 # dns64-prefix: 64:ff9b::0/96
544
521 #
522 # defaults are localhost address, reverse for 127.0.0.1 and ::1
523 # and nxdomain for AS112 zones. If you configure one of these zones
524 # the default content is omitted, or you can omit it with 'nodefault'.
525 #
526 # If you configure local-data without specifying local-zone, by
527 # default a transparent local-zone is created for the data.
528 #

--- 25 unchanged lines hidden (view full) ---

554 # request upstream over SSL (with plain DNS inside the SSL stream).
555 # Default is no. Can be turned on and off with unbound-control.
556 # ssl-upstream: no
557
558 # DNS64 prefix. Must be specified when DNS64 is use.
559 # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
560 # dns64-prefix: 64:ff9b::0/96
561
562 # ratelimit for uncached, new queries, this limits recursion effort.
563 # ratelimiting is experimental, and may help against randomqueryflood.
564 # if 0(default) it is disabled, otherwise state qps allowed per zone.
565 # ratelimit: 0
566
567 # ratelimits are tracked in a cache, size in bytes of cache (or k,m).
568 # ratelimit-size: 4m
569 # ratelimit cache slabs, reduces lock contention if equal to cpucount.
570 # ratelimit-slabs: 4
571
572 # 0 blocks when ratelimited, otherwise let 1/xth traffic through
573 # ratelimit-factor: 10
574
575 # override the ratelimit for a specific domain name.
576 # give this setting multiple times to have multiple overrides.
577 # ratelimit-for-domain: example.com 1000
578 # override the ratelimits for all domains below a domain name
579 # can give this multiple times, the name closest to the zone is used.
580 # ratelimit-below-domain: example 1000
581
545# Python config section. To enable:
546# o use --with-pythonmodule to configure before compiling.
547# o list python in the module-config string (above) to enable.
548# o and give a python-script to run.
549python:
550 # Script file to load
551 # python-script: "/var/unbound/ubmodule-tst.py"
552

--- 59 unchanged lines hidden ---
582# Python config section. To enable:
583# o use --with-pythonmodule to configure before compiling.
584# o list python in the module-config string (above) to enable.
585# o and give a python-script to run.
586python:
587 # Script file to load
588 # python-script: "/var/unbound/ubmodule-tst.py"
589

--- 59 unchanged lines hidden ---
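Review bot: The DLV stanza on the new side (lines 366–369) now states "DLV is going to be decommissioned. Please do not use it any more." but still presents a ready-to-uncomment `# dlv-anchor-file: "dlv.isc.org.key"` directly beneath that warning, which invites copying a deprecated trust path into a live resolver configuration. Since the example file is what operators crib from, I would either drop the sample value or mark the line itself, e.g. `# dlv-anchor-file: ""  # deprecated: DLV is being decommissioned, leave unset` so the status is visible even when the explanatory comment above is skimmed past. The removal of the plain-http download hint for the DLV key is already done by this change and needs nothing further. The server: clause these lines belong to begins before the visible section and continues past it.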