-
-
Save darkmanlv/24dfad3bb4cdcba4eb7fa55e93aa39bb to your computer and use it in GitHub Desktop.
Unbound + DNSCrypt configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DNSCRYPT_LOCALIP=127.0.0.1 | |
| DNSCRYPT_LOCALIP2=127.0.0.2 | |
| DNSCRYPT_LOCALPORT=9053 | |
| DNSCRYPT_RESOLVERPORT=443 | |
| DNSCRYPT_USER=nobody | |
| DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver2.dnscrypt.eu | |
| DNSCRYPT_PROVIDER_NAME2=2.dnscrypt-cert.resolver1.dnscrypt.eu | |
| DNSCRYPT_PROVIDER_KEY=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955 | |
| DNSCRYPT_PROVIDER_KEY2=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 | |
| DNSCRYPT_RESOLVERIP=77.66.84.233 | |
| DNSCRYPT_RESOLVERIP2=176.56.237.171 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local-zone: "home." static | |
| local-data: "raspberry.home. IN A 192.168.0.253" | |
| local-data: "router.home. IN A 192.168.0.254" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local-data-ptr: "192.168.0.253 raspberry.home." | |
| local-data-ptr: "192.168.0.254 router.home." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server: | |
| # Core cpu count | |
| num-threads: 2 | |
| # DNSSEC features | |
| # Updated via : unbound-anchor -v -a /etc/unbound/root.key | |
| auto-trust-anchor-file: "/etc/unbound/root.key" | |
| module-config: "validator iterator" | |
| # Downloaded via : wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/unbound/etc/root.hints | |
| root-hints: "/etc/unbound/root.hints" | |
| interface: 0.0.0.0 | |
| port: 53 # port to answer queries from | |
| do-ip4: yes # Enable IPv4, "yes" or "no". | |
| do-ip6: no # Enable IPv6, "yes" or "no". | |
| do-udp: yes # Enable UDP, "yes" or "no". | |
| do-tcp: yes | |
| # Hide unbound information | |
| hide-identity: yes | |
| hide-version: yes | |
| # If yes, Unbound rotates RRSet order in response. This is almost | |
| # same as Thijs Kinkhorst's implementation except that random number | |
| # source is query-id. | |
| rrset-roundrobin: yes | |
| # Time to live minimum for RRsets and messages in the cache. | |
| cache-min-ttl: 60 | |
| # If yes, Unbound doesn't insert authority/additional sections into | |
| # response message when those sections are not required [1]. This is | |
| # similar to BIND9's minimal-responses or Google Public DNS | |
| # behavior. | |
| minimal-responses: no | |
| # Use 0x20-encoded random bits in the query to foil spoof | |
| # attempts. This perturbs the lowercase and uppercase of query | |
| # names sent to authority servers and checks if the reply still | |
| # has the correct casing. Disabled by default. This feature is | |
| # an experimental implementation of draft dns-0x20. | |
| use-caps-for-id: yes | |
| # If yes, message cache elements are prefetched before they expire | |
| # to keep the cache up to date. | |
| prefetch: yes | |
| # If yes, fetch the DNSKEYs earlier in the validation process, | |
| # when a DS record is encountered. | |
| prefetch-key: yes | |
| # ACL | |
| access-control: 127.0.0.0/8 allow | |
| access-control: 192.168.0.0/24 allow | |
| access-control: 0.0.0.0/0 refuse | |
| # Enforce privacy | |
| private-address: 192.168.0.0/24 | |
| # Local zone definition | |
| private-domain: "home." | |
| include: /etc/unbound/forward.conf | |
| include: /etc/unbound/reverse.conf | |
| # You need this as no for dnscrypt-proxy to work | |
| do-not-query-localhost: no | |
| # Disable remote control | |
| remote-control: | |
| control-enable: no | |
| # Forward all queries to specified servers | |
| forward-zone: | |
| name: "." | |
| # CryptDNS | |
| # forward-addr: 127.0.0.1@9053 | |
| # OpenDNS | |
| forward-addr: 208.67.222.222 | |
| forward-addr: 208.67.220.220 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment