Last active
August 20, 2023 14:05
Unbound configuration file - Ubuntu 18.xx
## File location: /etc/unbound/unbound.conf.d/99-unbound-custom.conf (new file)
## I DO NOT USE UNBOUND.CONF - it can get overwritten.

# Logrotate needs this when using the 'sharedscripts' command. You also need it to view stats afaik. Uses localhost only.
remote-control:
    control-enable: yes

server:
    # Who may query this resolver; anything not listed is refused (Unbound's default).
    # Note: 172.16.0.0/16 is only the first /16 of the RFC 1918 block 172.16.0.0/12.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/16 allow
    access-control: 192.168.0.0/16 allow

    # DNS request port, IP and protocol
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # logging
    #chroot: ""
    ## verbosity (log level from 0 to 4, 4 is debug)
    use-syslog: no
    verbosity: 3
    logfile: /var/log/unbound/unbound.log
    log-queries: no
    log-time-ascii: yes

    # Hide DNS server info (refuses id.server / version.server style queries)
    hide-identity: yes
    hide-version: yes

    # Improve the security of your DNS server (limit DNS fraud and use DNSSEC)
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Randomise the upper/lower case of query names (0x20 encoding) and require the answer
    # to echo it back; a cheap anti-spoofing check, nothing to do with rewriting URLs.
    use-caps-for-id: yes

    # Once this many unwanted replies have been seen, Unbound flushes its cache and logs a
    # warning, to shake off a possible poisoning attempt. (unbound.conf(5) suggests 10000000.)
    unwanted-reply-threshold: 10000

    # other settings
    ## interface in my case listens only on localhost - can be a LAN IP or 0.0.0.0 if it must be reachable from the LAN.
    interface: 127.0.0.1
    # TTL clamping: cache-min-ttl keeps every record for at least a day, even when the zone's TTL is shorter.
    cache-max-ttl: 604800
    cache-min-ttl: 86400
    prefetch: yes
    rrset-roundrobin: yes
    val-clean-additional: yes

# I used to have Google set here for forwarding, but afaik you shouldn't need these if Unbound is set up correctly.
#
#forward-zone:
#    name: "."
#    forward-addr: 1.0.0.1@53#one.one.one.one
#    forward-addr: 1.1.1.1@53#one.one.one.one
#    forward-addr: 8.8.4.4@53#dns.google
#    forward-addr: 8.8.8.8@53#dns.google
#    forward-addr: 9.9.9.9@53#dns.quad9.net
#    forward-addr: 149.112.112.112@53#dns.quad9.net
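As an added example (not part of the gist), a small Python lint over this file's syntax: it parses the server clause and reports the things the settings above are meant to guarantee (the hardening flags, access-control allows outside loopback/RFC 1918, and a cache-min-ttl above the hour that unbound.conf(5) warns about). The sample config is a constructed abbreviation of the file above; the parser treats every '#' as a comment, so it does not handle the '@53#name' form of the commented forward-addr lines.

```python
import ipaddress
# Constructed abbreviation of the gist's server clause (not the full file above).
SAMPLE_CONF = """server:
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/16 allow
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    cache-min-ttl: 86400   # clamps every record to at least a day, whatever the zone says
"""
HARDENING = ("hide-identity", "hide-version", "harden-glue",
             "harden-dnssec-stripped", "use-caps-for-id")
# Ranges a LAN resolver may reasonably answer: loopback plus the RFC 1918 blocks.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_unbound(text):
    # Returns {clause: [(key, value), ...]}; repeated keys such as access-control stay in order.
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:                                # "option: value" belongs to the open clause
            clauses.setdefault(current, []).append((key, value))
        else:                                    # a bare "server:" opens a new clause
            current = key
            clauses.setdefault(current, [])
    return clauses

def audit(text):
    # Findings for what this gist relies on: hardening flags, who may query, and TTL clamping.
    server = parse_unbound(text).get("server", [])
    findings = []
    for opt in HARDENING:
        vals = [v for k, v in server if k == opt]
        if not vals or vals[-1] != "yes":        # absent, or the last occurrence is not "yes"
            findings.append(f"{opt} is not enabled")
    for key, val in server:
        if key == "access-control":
            net, action = val.split()
            n = ipaddress.ip_network(net, strict=False)
            if action in ("allow", "allow_snoop") and not any(n.subnet_of(t) for t in TRUSTED):
                findings.append(f"access-control allows non-private range {net}")
        elif key == "cache-min-ttl" and int(val) > 3600:   # unbound.conf(5) warns above about an hour
            findings.append(f"cache-min-ttl {val}s overrides zone TTLs for more than an hour")
    return findings
```

Run it against the real 99-unbound-custom.conf with `audit(open(path).read())`; an empty list means every check passed.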
Please note on "forward zone": If you use another DNS server and are using the Unbound as a forward/caching server only, you can set your DNS server here. Another example of one of mine that uses a LAN host as the primary DNS (forward lookup) server:
This version has a router/firewall/Internet gateway on 192.168.101.1 that +also+ runs a DNS service for this LAN (it also caches previous lookups).
The Unbound machine ALSO caches DNS lookups in turn from 192.168.101.1.
If the Unbound machine doesn't already have a cached result, it asks 192.168.101.1.
If 192.168.101.1 doesn't answer for whatever reason (service down/restarting/etc), Unbound can fall back to a Google DNS IP. Of course, since 192.168.101.1 is a router in this example, your Internet DNS lookup would fail anyway if it were really down = no Internet.
Using forward DNS lookups like this will greatly reduce forward lookups going "outside" on the Internet by each host on your LAN(s).