@rohan-molloy
Last active January 4, 2024 00:44
Working unbound over TLS server; self-hosted. Does NOT answer UDP or unencrypted requests.
unbound.conf
server:
    # Listen on TCP 443 and 853. Both ports are served over TLS: 853 via
    # tls-port and 443 via tls-additional-port (see below).
    interface: 0.0.0.0@853
    interface: 0.0.0.0@443
    # Allow from anywhere
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    # Enable UDP, "yes" or "no".
    # NOTE: if setting up an unbound on tls443 for public use, you might want to
    # disable UDP to avoid being used in DNS amplification attacks.
    do-udp: no
    # upstream connections use TCP only (and no UDP), "yes" or "no"
    # useful for tunneling scenarios, default no.
    tcp-upstream: yes
    # upstream connections also use UDP (even if do-udp is no).
    # useful if you want UDP upstream, but don't provide UDP downstream.
    udp-upstream-without-downstream: no
    # service clients over TLS (on the TCP sockets), with plain DNS inside
    # the TLS stream. Give the certificate to use and private key.
    # default is "" (disabled). requires restart to take effect.
    tls-service-key: "/etc/unbound/unbound_tls.key"
    tls-service-pem: "/etc/unbound/unbound_tls.pem"
    tls-port: 853
    # An interface bound to a port other than tls-port serves plain DNS over
    # TCP unless that port is also listed here, so 443 is declared TLS as well.
    tls-additional-port: 443
    # cipher setting for TLSv1.2
    tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
    # cipher setting for TLSv1.3
    tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
    # number of threads to create. 1 disables threading.
    num-threads: 1
    # Amount of memory to use for the message cache.
    # plain value in bytes or you can append k, m or G. default is "4Mb".
    msg-cache-size: 64M
    # Amount of memory to use for the RRset cache.
    # plain value in bytes or you can append k, m or G. default is "4Mb".
    rrset-cache-size: 128M
    # initial file like trust-anchor-file, then it stores metadata.
    # Use several entries, one per domain name, to track multiple zones.
    # If you want to perform DNSSEC validation, run unbound-anchor before
    # you start unbound (i.e. in the system boot scripts). And enable:
    # Please note usage of unbound-anchor root anchor is at your own risk
    # and under the terms of our LICENSE (see that file in the source).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # trust anchor signaling sends a RFC8145 key tag query after priming.
    trust-anchor-signaling: yes
    # Should additional section of secure message also be kept clean of
    # unsecure data. Useful to shield the users of this validator from
    # potential bogus data in the additional section. All unsigned data
    # in the additional section is removed from secure messages.
    val-clean-additional: yes
    # Turn permissive mode on to permit bogus messages. Thus, messages
    # for which security checks failed will be returned to clients,
    # instead of SERVFAIL. It still performs the security checks, which
    # result in interesting log files and possibly the AD bit in
    # replies if the message is found secure. The default is off.
    # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
    val-permissive-mode: no
    # Override the date for validation with a specific fixed date.
    # Do not set this unless you are debugging signature inception
    # and expiration. "" or "0" turns the feature off. -1 ignores date.
    val-override-date: "0"
    # Will trust glue only if it is within the servers authority.
    # Default is on.
    harden-glue: yes
    # Harden against receiving dnssec-stripped data. If you turn it
    # off, failing to validate dnskey data for a trustanchor will
    # trigger insecure mode for that zone (like without a trustanchor).
    # Default on, which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes
    # Harden against queries that fall under dnssec-signed nxdomain names.
    harden-below-nxdomain: yes
    # Send the minimum amount of information to upstream servers to enhance
    # privacy. Only send the minimum required labels of the QNAME and set
    # QTYPE to A when possible.
    qname-minimisation: yes
    # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
    # log to. If yes, it overrides the logfile.
    use-syslog: yes
    # print statistics to the log (for every thread) every N seconds.
    # Set to "" or 0 to disable. Default is disabled.
    # Needs to be disabled for munin plugin
    statistics-interval: 600
    # enable cumulative statistics, without clearing them after printing.
    # Needs to be disabled for munin plugin
    statistics-cumulative: yes
    # enable extended statistics (query types, answer codes, status)
    # printed from unbound-control. default off, because of speed.
    # Needs to be enabled for munin plugin
    extended-statistics: yes
    # If yes, deny queries of type ANY with an empty response.
    # Default is no. If disabled, unbound responds with a short list
    # of resource records if some can be found in the cache and makes
    # the upstream type ANY query if there are none.
    deny-any: yes
    # If yes, Unbound rotates RRSet order in response (the random number is taken
    # from the query ID, for speed and thread safety). Default is no.
    rrset-roundrobin: yes
    # if yes, Unbound doesn't insert authority/additional sections
    # into response messages when those sections are not required.
    minimal-responses: yes
    # if yes, the built-in default do-not-query-address entries for localhost
    # are in effect. if no, localhost can be queried (for testing and debugging).
    do-not-query-localhost: yes
    # Specify the interfaces to send outgoing queries to authoritative
    # server from by ip-address. If none, the default (all) interface
    # is used. Specify every interface on a 'outgoing-interface:' line.
    outgoing-interface: 0.0.0.0
    # Set this to yes to prefer ipv6 upstream servers over ipv4.
    prefer-ip6: no
    # if given, user privileges are dropped (after binding port),
    # and the given username is assumed. Default is user "unbound".
    # If you give "" no privileges are dropped.
    username: "unbound"
    # the working directory. The relative files in this config are
    # relative to this directory. If you give "" the working directory
    # is not changed.
    # If you give a server: directory: dir before include: file statements
    # then those includes can be relative to the working directory.
    chroot: ""
    directory: "/etc/unbound"
    # Set the identity to report. If set to "", the default, then the hostname of the server is returned.
    identity: ""
    # Configure a local zone. The type determines the answer to give
    # if there is no match from local-data. The types are deny,
    # refuse, static, transparent, redirect, nodefault, typetransparent,
    # inform, inform_deny, inform_redirect, always_transparent,
    # always_refuse, always_nxdomain, noview, and are explained below.
    # After that the default settings are listed. Use local-data: to
    # enter data into the local zone. Answers for local zones are
    # authoritative DNS answers. By default the zones are class IN.
    local-zone: "unbound.contoso.com." static
    # Configure local data, which is served in reply to queries for it.
    # The query has to match exactly unless you configure the local-zone
    # as redirect. If not matched exactly, the local-zone type determines
    # further processing. If local-data is configured that is not a subdomain
    # of a local-zone, a transparent local-zone is configured. For record types
    # such as TXT, use single quotes, as in local-data: 'example. TXT "text"'.
    local-data: "unbound.contoso.com. A 203.0.113.100"
    # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
    # You can also add PTR records using local-data directly, but then
    # you need to do the reverse notation yourself.
    local-data-ptr: "203.0.113.100 unbound.contoso.com."
# Enable Unbound Remote Control
# Use a different set of certificates
# /usr/sbin/unbound-control-setup -d /etc/unbound/remote\
remote-control:
    control-enable: yes
    control-use-cert: yes
    server-key-file: /etc/unbound/unbound_server.key
    server-cert-file: /etc/unbound/unbound_server.pem
    control-key-file: /etc/unbound/unbound_control.key
    control-cert-file: /etc/unbound/unbound_control.pem
    control-interface: 127.0.0.1
    control-port: 8953
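An offline audit of the listener settings above, added here as an example and not part of the gist: it parses the server: clause and reports any interface whose port is neither tls-port nor a tls-additional-port (such a port serves plain DNS over TCP), UDP service, and access-control rules that open the resolver to the whole internet. The sample configs are constructed fragments mirroring the gist, and the check assumes an unbound release that supports tls-additional-port.

```python
# Constructed fragment mirroring the gist's listeners without tls-additional-port
SAMPLE_GIST = """server:
    interface: 0.0.0.0@853
    interface: 0.0.0.0@443
    access-control: 0.0.0.0/0 allow
    do-udp: no
    tls-service-key: "/etc/unbound/unbound_tls.key"
    tls-service-pem: "/etc/unbound/unbound_tls.pem"
    tls-port: 853
remote-control:
    control-enable: yes
"""
# Same fragment with port 443 declared as a TLS port
SAMPLE_FIXED = SAMPLE_GIST.replace("tls-port: 853", "tls-port: 853\n    tls-additional-port: 443")

def parse_server_block(text: str) -> dict[str, list[str]]:
    """Collect the repeated 'key: value' options of the server: clause, comments stripped."""
    opts: dict[str, list[str]] = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header, e.g. server: / remote-control:
            in_server = line == "server:"
            continue
        if in_server and ":" in line:
            key, val = line.split(":", 1)
            opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts

def audit(text: str) -> list[str]:
    """Return findings; an empty list means TLS-only, TCP-only, non-open service."""
    o = parse_server_block(text)
    findings: list[str] = []
    # Only tls-port (default 853) and tls-additional-port listeners get TLS; any other port is plaintext
    tls_ports = set(o.get("tls-port", ["853"])) | set(o.get("tls-additional-port", []))
    if not (o.get("tls-service-key") and o.get("tls-service-pem")):
        findings.append("no tls-service-key/pem: every listener is plaintext")
    for iface in o.get("interface", []):
        port = iface.rsplit("@", 1)[1] if "@" in iface else "53"
        if port not in tls_ports:
            findings.append(f"interface {iface}: port {port} serves plaintext DNS over TCP")
    if o.get("do-udp", ["yes"])[-1] == "yes":
        findings.append("do-udp is yes: UDP service exposes an amplification surface")
    for acl in o.get("access-control", []):
        net, _, action = acl.partition(" ")
        if net in ("0.0.0.0/0", "::0/0", "::/0") and action.strip().startswith("allow"):
            findings.append(f"access-control {acl}: open resolver for the whole internet")
    return findings
```

Run `audit()` over the deployed file before restarting unbound; the open-resolver finding remains by design for a public DoT service, so treat it as an inventory note rather than a defect.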