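# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
#
# Layout restored to one directive per line; the listing's gutter numbers
# were fused into the text (e.g. "3server:"), which unbound cannot parse.
# Check a restored copy with unbound-checkconf(8) before loading it.

server:
    # Listen on loopback only (IPv4 and IPv6); the resolver is not
    # reachable from other hosts with these settings.
    interface: 127.0.0.1
    #interface: 127.0.0.1@5353    # listen on alternative port
    interface: ::1
    #do-ip6: no

    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53

    # Default-refuse ACL: the most specific matching netblock wins, so
    # loopback clients are allowed and every other source gets REFUSED.
    # If "interface" is widened later, add an explicit "allow" for the
    # client networks instead of relaxing the 0.0.0.0/0 and ::0/0 entries.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    # Do not answer the CHAOS-class identity and version queries
    # (id.server / hostname.bind, version.server / version.bind).
    hide-identity: yes
    hide-version: yes

    # Perform DNSSEC validation.
    #
    # The root trust anchor is tracked with RFC 5011 updates, so this file
    # must stay writable by the user unbound runs as.
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    # Level 2 logs each failed validation together with the reason and the
    # server that sent the bad data.
    val-log-level: 2

    # Synthesize NXDOMAINs from DNSSEC NSEC chains.
    # https://tools.ietf.org/html/rfc8198
    #
    aggressive-nsec: yes

    # Serve zones authoritatively from Unbound to resolver clients.
    # Not for external service.
    #
    #local-zone: "local." static
    #local-data: "mycomputer.local. IN A 192.0.2.51"
    #local-zone: "2.0.192.in-addr.arpa." static
    #local-data-ptr: "192.0.2.51 mycomputer.local"

    # Use TCP for "forward-zone" requests. Useful if you are making
    # DNS requests over an SSH port forwarding.
    #
    #tcp-upstream: yes

    # CA Certificates used for forward-tls-upstream (RFC7858) hostname
    # verification. Since it's outside the chroot it is only loaded at
    # startup and thus cannot be changed via a reload.
    # Enable this together with the DNS-over-TLS forward-zone below so the
    # forwarder's certificate is checked against a CA set.
    #tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
    # unbound-control(8) channel. With a filesystem path the control
    # interface is a local socket: no key or certificate is involved, and
    # access is decided by the permissions on the socket and its directory.
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#    name: "."                          # use for ALL queries
#    forward-addr: 192.0.2.53           # example address only
#    forward-first: yes                 # try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
# Keep the "#hostname" suffix on forward-addr: without an authentication
# name, unbound accepts any name in the forwarder's certificate.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes          # use DNS-over-TLS forwarder
#    forward-first: no                  # do NOT send direct
#    # the hostname after "#" is not a comment, it is used for TLS checks:
#    forward-addr: 192.0.2.53@853#resolver.hostname.example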