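server:
    ###########################################################################
    # BASIC SETTINGS
    ###########################################################################

    # Listen for queries from clients on this network interface and port.
    # Loopback only: clients on the same host (e.g. a Pi-hole instance) reach
    # this resolver at 127.0.0.1#5335.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Maybe set to yes if you have IPv6 connectivity. While this is "no", the
    # IPv6 primaries listed under auth-zone below are never contacted.
    do-ip6: no
    # ...and for *native* IPv6, prefer it over IPv4
    prefer-ip6: no

    # Enable DNSSEC. This file must be writable by the "username" below so
    # that RFC 5011 trust-anchor rollovers can be stored.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Where to find root server data
    root-hints: "/var/lib/unbound/root.hints"

    # Reduce the EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly
    # problems. (Newer Unbound releases default to 1232, the DNS Flag Day 2020
    # recommendation.)
    edns-buffer-size: 1472

    # Rotate RRSet order in responses (the pseudo-random number is taken from
    # the query ID, for speed and thread safety).
    rrset-roundrobin: yes

    # Drop privileges after binding the port.
    username: "unbound"

    ###########################################################################
    # LOGGING
    ###########################################################################

    # If no logfile is specified, syslog is used
    #logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes

    # The verbosity number:
    # level 0 means no verbosity, only errors.
    # level 1 gives operational information.
    verbosity: 0

    # Do not print log lines to inform about local zone actions
    log-local-actions: no

    # Do not print one line per query to the log
    log-queries: no

    # Do not print one line per reply to the log
    log-replies: no

    # Do not print log lines that say why queries return SERVFAIL to clients
    log-servfail: no

    # Discard all remaining log output. This overrides the syslog default
    # above, so even errors are lost; remove this line if you want them in
    # syslog for troubleshooting.
    logfile: /dev/null

    ###########################################################################
    # PRIVACY SETTINGS
    ###########################################################################

    # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDOMAIN and other
    # denials, using information from previous NXDOMAIN answers. In other
    # words, use cached NSEC records to generate negative answers within a
    # range and positive answers from wildcards. This increases performance,
    # decreases latency and resource utilization on both authoritative and
    # recursive servers, and increases privacy. Also, it may help increase
    # resilience to certain DoS attacks in some circumstances.
    aggressive-nsec: yes

    # Extra delay for timed-out UDP ports before they are closed, in msec.
    # This prevents very delayed answer packets from the upstream (recursive)
    # servers from bouncing against closed ports and setting off all sorts of
    # closed-port counters, with e.g. 1500 msec. When timeouts happen you need
    # extra sockets; it checks the ID and remote IP of packets, and unwanted
    # packets are added to the unwanted packet counter.
    delay-close: 10000

    # Prevent the unbound server from forking into the background as a daemon
    do-daemonize: no

    # "no" means localhost is NOT added to the do-not-query-address list, so
    # this resolver may send upstream queries to 127.0.0.1/::1. That is only
    # needed when a forward-zone points at a local service; the default "yes"
    # is the safer choice otherwise.
    do-not-query-localhost: no

    # Number of bytes size of the aggressive negative cache.
    neg-cache-size: 4M

    # Send the minimum amount of information to upstream servers to enhance
    # privacy (best privacy).
    qname-minimisation: yes

    ###########################################################################
    # SECURITY SETTINGS
    ###########################################################################

    # Only give access to recursion clients from LAN IPs; everything else is
    # refused by default. With "interface: 127.0.0.1" only the first entry is
    # reachable; the LAN entries take effect only if the interface is widened.
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow

    # Enable chroot (i.e., change the apparent root directory for the current
    # running process and its children). If enabled, every file path in this
    # config (root.key, root.hints, root.zone) must live inside the chroot.
    #chroot: "/usr/local/etc/unbound"

    # Deny queries of type ANY with an empty response.
    deny-any: yes

    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.
    harden-algo-downgrade: yes

    # RFC 8020. Return NXDOMAIN for queries for a name below another name that
    # is already known to be NXDOMAIN.
    harden-below-nxdomain: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the
    # zone becomes bogus. If turned off you run the risk of a downgrade attack
    # that disables security for a zone.
    harden-dnssec-stripped: yes

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Ignore very large queries.
    harden-large-queries: yes

    # Perform additional queries for infrastructure data to harden the referral
    # path. Validates the replies if trust anchors are configured and the zones
    # are signed. This enforces DNSSEC validation on nameserver NS sets and the
    # nameserver addresses that are encountered on the referral path to the
    # answer. Experimental option.
    harden-referral-path: no

    # Ignore very small EDNS buffer sizes from queries.
    harden-short-bufsize: yes

    # Refuse id.server and hostname.bind queries
    hide-identity: yes

    # Refuse version.server and version.bind queries
    hide-version: yes

    # Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
    # the default, then the package name and version are used.
    #http-user-agent: "DNS"

    # Report this identity rather than the hostname of the server.
    identity: "DNS"

    # These private network addresses are not allowed to be returned for public
    # internet names. Any occurrence of such addresses is removed from DNS
    # answers. Additionally, the DNSSEC validator may mark the answers bogus.
    # This protects against DNS rebinding. The IPv4-mapped IPv6 range is
    # included so that AAAA answers cannot bypass the IPv4 entries above.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96

    # Enable ratelimiting of queries (per second) sent to nameservers for
    # performing recursion. More queries are turned away with an error
    # (servfail). This stops recursive floods (e.g., random query names), but
    # not spoofed reflection floods. Cached responses are not rate limited by
    # this setting. Experimental option.
    ratelimit: 1000

    # Set the total number of unwanted replies to keep track of in every thread.
    # When it reaches the threshold, a defensive action of clearing the rrset
    # and message caches is taken, hopefully flushing away any poison.
    # Unbound suggests a value of 10 million; the much lower value here reacts
    # sooner, at the cost of more frequent cache flushes under a reply flood.
    unwanted-reply-threshold: 10000

    # Use 0x20-encoded random bits in queries (capitalization randomization)
    # to make spoofed replies harder. Pi-hole's reference config leaves this
    # off because it is known to cause DNSSEC issues with some upstreams; see
    # https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
    # !! Deviation from Pi-hole: if resolution errors appear, try "no" instead
    # of "yes" here. !!
    use-caps-for-id: yes

    # Help protect users that rely on this validator for authentication from
    # potentially bad data in the additional section. Instruct the validator to
    # remove data from the additional section of secure messages that are not
    # signed properly. Messages that are insecure, bogus, indeterminate or
    # unchecked are not affected.
    val-clean-additional: yes

    ###########################################################################
    # PERFORMANCE SETTINGS
    ###########################################################################
    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
    # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/

    # Perform prefetching of close-to-expired message cache entries.
    # This only applies to domains that have been frequently queried.
    prefetch: yes

    # Fetch DS records earlier (DNSSEC): more CPU usage, less latency
    prefetch-key: yes

    # One thread should be sufficient; can be increased on beefy machines
    num-threads: 1

    # Increase cache size to utilize more RAM, rrset = msg * 2
    msg-cache-size: 64m
    rrset-cache-size: 128m

remote-control:
    # The unbound-control socket is disabled for this instance.
    control-enable: no

# Get data for all TLDs by IXFR (or AXFR) from the root servers ("hyperlocal
# root", RFC 8806). These are the only root servers that answer an IXFR query.
auth-zone:
    name: "."
    primary: 199.9.14.201      # b.root-servers.net
    primary: 192.33.4.12       # c.root-servers.net
    primary: 192.112.36.4      # g.root-servers.net
    primary: 2001:500:200::b   # b.root-servers.net
    primary: 2001:500:2::c     # c.root-servers.net
    primary: 2001:500:12::d0d  # g.root-servers.net
    # Fall back to normal recursion (via root-hints) if the zone transfer fails.
    fallback-enabled: yes
    # Use the local copy for upstream (recursion) lookups only; do not serve
    # it as an authoritative answer directly to downstream clients.
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/root.zone"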