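# This is the DNS Server settings hosting DNS Cache for the rest of the home network.
# File on rpi /etc/unbound/unbound.conf.d/unbound_00_srv.conf
# Variant of http://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
# Assuming that you have a Raspberry pi (3 or 4) with wifi (or prefer it to be ethernet) -> ethernet is setup as a static IP.
# OS used here is raspbian buster https://www.raspberrypi.org/downloads/ on uSD card
#
# Security notes (review):
#  - interface: 0.0.0.0 binds every IPv4 interface. The access-control lines below are the
#    only thing keeping this from being an open resolver if the box ever gets a reachable
#    address (port-forward, bridged wifi), so keep the allow list as narrow as the LAN.
#  - tls-cert-bundle is only consulted when a forward-addr carries an authentication name
#    ("ip@853#name", no space) - see unbound_99_ext.conf. A bare "ip@853" is encrypted but
#    the upstream certificate is NOT verified.
#  - Answers for names that legitimately carry LAN addresses (the "local." forward) must be
#    listed in private-domain, otherwise the private-address filter strips them.
server:
    # Listen on all IPv4 interfaces (wifi and ethernet - depends on what is actually connected).
    # To listen on the LAN only, replace 0.0.0.0 with the pi's static IP.
    interface: 0.0.0.0
    # logfile is ignored while use-syslog is yes; kept so it can be switched on for debugging.
    logfile: "/var/log/unbound.log"
    # NOTE(review): /var/log is an unusual place for a pidfile (/run/unbound.pid is conventional).
    # Left unchanged because the packaged service unit may depend on its own default - confirm
    # against /lib/systemd/system/unbound.service before moving it.
    pidfile: "/var/log/unbound.pid"
    use-syslog: yes
    verbosity: 1
    # Clients allowed to query. Anything not listed hits unbound's implicit 0.0.0.0/0 refuse.
    # Loopback is 127.0.0.0/8 (the original /16 happened to work but was not the real block).
    access-control: 127.0.0.0/8 allow
    # The home LAN. "192.168.1.0/16" has host bits set and actually means 192.168.0.0/16;
    # the router lives at 192.168.1.1, so a single /24 is what is intended.
    # Widen to 192.168.0.0/16 only if more than one 192.168.x.0/24 subnet exists.
    access-control: 192.168.1.0/24 allow
    # CA bundle used to validate DNS-over-TLS upstream certificates (see note above).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # Do not answer id.server / hostname.bind and version.server / version.bind queries:
    # the software version is useful to an attacker fingerprinting the box and useless
    # to LAN clients.
    hide-identity: yes
    hide-version: yes
    # time to live (in seconds). cache-min-ttl raises short authoritative TTLs, so a
    # changed record may be served stale for up to 20 minutes.
    cache-max-ttl: 14400
    cache-min-ttl: 1200
    do-tcp: yes
    do-udp: yes
    do-ip6: yes
    # Send only as much of the name as each upstream needs (RFC 7816 qname minimisation).
    qname-minimisation: yes
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    # 0x20 query-name case randomisation: makes forged replies harder to match.
    use-caps-for-id: yes
    # number of threads to create. 1 disables threading. This should equal the number
    # of CPU cores in the machine. Raspberry pi 3 and 4 both have 4 cores.
    num-threads: 4
    ## Unbound Optimization and Speed Tweaks ###
    # the number of slabs to use for cache and must be a power of 2 times the
    # number of num-threads set above. more slabs reduce lock contention, but
    # fragment memory usage.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Increase the memory size of the cache. Use roughly twice as much rrset cache
    # memory as you use msg cache memory. Due to malloc overhead, the total memory
    # usage is likely to rise to double (or 2.5x) the total cache memory. The test
    # box has 4gig of ram so 256meg for rrset allows a lot of room for cached objects.
    # NOTE(review): a 1GB pi 3 should use smaller values (e.g. 64m / 32m).
    rrset-cache-size: 256m
    msg-cache-size: 128m
    # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
    # the kernel buffer larger so that no messages are lost in spikes in the traffic.
    # unbound logs a warning if net.core.rmem_max is below this; raise it via sysctl.
    so-rcvbuf: 1m
    # If nonzero, unwanted replies are not only reported in statistics, but also
    # a running total is kept per thread. If it reaches the threshold, a warning
    # is printed and a defensive action is taken, the cache is cleared to flush
    # potential poison out of it. The documented suggestion is 10000000; 10000 flushes
    # the cache far more readily. Upstream queries go over TLS, so spoofed UDP replies
    # rarely reach this counter - kept at 10K as the original author chose.
    unwanted-reply-threshold: 10000
    # Never send recursive queries to 127.0.0.0/8. This is unbound's default; the original
    # file set it to "no", which is only needed when testing an NSD/BIND instance on
    # localhost. The "local." forward goes to the router, not to localhost, so the
    # default is sufficient here.
    do-not-query-localhost: yes
    ## Unbound Optimization and Speed Tweaks ###
    # Enforce privacy of these addresses. Strips them away from answers. It may
    # cause DNSSEC validation to additionally mark it as bogus. Protects against
    # 'DNS Rebinding' (uses browser as network proxy): a public name must never
    # resolve to an address inside the home network. Only 'private-domain' and
    # 'local-data' names are allowed to have these private addresses. No default.
    # Cover all of RFC 1918, link-local, and - since do-ip6 is on - the IPv6
    # unique-local and link-local ranges, otherwise a rebinding attack just picks
    # a range that is not listed.
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10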
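# Use this if you'd like to resolve local devices by name instead of IP -> just use it for "local domain"
# File on rpi /etc/unbound/unbound.conf.d/unbound_50_local.conf
#
# Security notes (review):
#  - The router is asked in plaintext on port 53. That is acceptable on the LAN; never point
#    this forward at an address outside the LAN.
#  - unbound_00_srv.conf filters private (RFC 1918) addresses out of answers to block DNS
#    rebinding. Without the private-domain line below that filter also strips the router's
#    answers for "local.", so every local lookup comes back empty or bogus.
#  - "local." is reserved for mDNS (RFC 6762). It works here because the router is
#    configured to serve it, but expect clashes with Avahi/Bonjour hosts on the LAN.
server:
    # Names under "local." are allowed to resolve to LAN addresses.
    private-domain: "local."
    # The router does not DNSSEC-sign "local.". If validation is enabled (the Debian/Raspbian
    # package turns it on via unbound.conf.d/root-auto-trust-anchor-file.conf by default)
    # the zone must be marked insecure or its unsigned answers are rejected.
    domain-insecure: "local."
forward-zone:
    # Configuration in frontier -> Advanced -> System settings (under configuration settings) -> Local Domain:
    name: "local."
    # The IP address of the frontier router with DNS enabled: Advanced -> DNS Settings
    forward-addr: 192.168.1.1
    # Plain DNS to the router. forward-ssl-upstream is just an alias of forward-tls-upstream,
    # so only one of them is needed.
    forward-tls-upstream: no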
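# This is the lookup we do to external DNS servers.
# File on rpi /etc/unbound/unbound.conf.d/unbound_99_ext.conf
#
# Security notes (review):
#  - In the original file the provider name after each address was written as
#    " # cloudflare-dns.com", i.e. a comment. unbound only verifies the upstream certificate
#    when the authentication name is attached to the address with NO space
#    ("1.1.1.1@853#cloudflare-dns.com"). A bare "ip@853" still encrypts, but an on-path
#    attacker can present any certificate and terminate the session. The certificates are
#    validated against tls-cert-bundle in unbound_00_srv.conf.
#  - The names below are the DNS-over-TLS authentication names the providers publish;
#    if a forward starts failing with a certificate error, re-check them against the
#    provider's current documentation rather than dropping the "#name".
#  - Spreading queries round-robin over three providers means each of them sees part
#    of the household's query history, and Quad9 filters known-malicious domains while
#    the others do not, so answers for a blocked name can differ between lookups.
forward-zone:
    name: "."
    # DNS over TLS https://en.wikipedia.org/wiki/DNS_over_TLS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Google's secondary is 8.8.4.4; the original 8.8.8.4 is not a Google Public DNS address.
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-tls-upstream: yes
    # Keep this zone TLS-only: if every upstream is unreachable, resolution fails instead
    # of silently leaking queries in plaintext. If an unencrypted provider is ever needed,
    # put it in its own forward-zone with forward-tls-upstream: no, e.g.
    # forward-addr: 1.1.1.1@53
    # forward-addr: 1.0.0.1@53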