Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A pretty good unbound.conf, DNSSEC, caching and local forwarding
remote-control:
control-enable: yes
server:
do-ip6: no
do-ip4: yes
do-udp: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
num-threads: 4
# Enable logs
verbosity: 1
# List of Root DNS Server
root-hints: "/var/lib/unbound/root.hints"
# Use the root servers key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Respond to DNS requests on all interfaces
interface: 0.0.0.0
max-udp-size: 3072
# Authorized IPs to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 10.42.0.0/16 allow
# not allowed to be returned for public internet names
private-address: 10.42.0.0/16
# Hide DNS Server info
hide-identity: yes
hide-version: yes
# Limit DNS Fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
use-caps-for-id: yes
# Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000000
# Have the validator print validation failures to the log.
val-log-level: 1
# Minimum lifetime of cache entries in seconds
cache-min-ttl: 300
# Maximum lifetime of cached entries
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
# Optimisations
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# increase memory size of the cache
rrset-cache-size: 256m
msg-cache-size: 128m
# increase buffer size so that no messages are lost in traffic spikes
so-rcvbuf: 1m
# Enable unvalidated lookups to VPC internal domains
private-domain: "internal"
domain-insecure: "internal"
unblock-lan-zones: yes
insecure-lan-zones: yes
forward-zone:
name: "internal."
forward-tls-upstream: no
forward-addr: 10.42.0.2
forward-zone:
name: "10.in-addr.arpa."
forward-addr: 10.42.0.2
# All other queries go to trusted DNS providers
forward-zone:
name: "."
forward-tls-upstream: yes
# Quad9
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
# Cloudflare DNS
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.