-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpfui_unbound.conf
264 lines (212 loc) · 11.5 KB
/
pfui_unbound.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
# $OpenBSD: unbound.conf - PFUI_Unbound Example
# Andy Lemin
# A security and privacy centric Unbound DNS configuration example.
# Includes hints for deploying; DNS over TLS (DoT), DNS over HTTPS (DoH), DNSSEC,
# DNS rebinding protection, QNAME minimisation, DNS Blacklist filtering, and DNS Exfiltration / Tunneling protection.
# And of course integrating Unbound DNS with PF (Python Module feature) to provide a Deny-by-default DNS-Firewall.
server:
### BEGIN MAIN SERVER SECTION
# PFUI_Unbound does not currently support chroot'ed environments
chroot: ""
# log verbosity
verbosity: 1
# The verbosity number, level 0 means no verbosity, only errors.
# Level 1 gives operational information.
# Level 2 gives detailed operational information.
# Level 3 gives query level information, output per query.
# Level 4 gives algorithm level information.
# Level 5 logs client identification for cache misses.
# Default is level 1.
# The verbosity can also be increased from the command-line, see unbound(8).
# Interfaces to listen
interface: 0.0.0.0
#interface: 127.0.0.1@5353 # listen on alternative port
#interface: ::1
# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
# outgoing-interface: 192.0.2.1
# outgoing-interface: 2001:db8::53
# port to answer queries from
port: 53
# Enable IPv4, "yes" or "no".
do-ip4: yes
# Enable IPv6, "yes" or "no".
do-ip6: no
# Enable UDP, "yes" or "no".
do-udp: yes
# If TCP is not needed, Unbound is quicker without it as functions related to TCP checks are not performed.
# NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains due to their size (MTU).
# TCP Support should be enabled if configuring DoT or DoH as they use SSL over TCP
do-tcp: no
# Fully recursive root lookups (See update_root_hints.sh)
# Do not set any forward-zone: with root-hints:, to allow Unbound to perform recursive root lookups.
#root-hints: /var/unbound/etc/root.hints
### SECURITY SECTION
# action can be one of deny (drop message), refuse (polite error reply), allow (recursive ok),
# or allow_snoop (recursive and non-recursive ok). By default everything is refused except for localhost.
access-control: 0.0.0.0/0 deny # v4 Default
access-control: 127.0.0.1/32 allow_snoop
access-control: 127.0.0.0/8 allow # Loops
access-control: 10.10.0.0/16 allow # LANs
access-control: 172.16.0.0/12 allow # LANs
access-control: 192.168.0.0/16 allow # LANs
access-control: ::0/0 deny # v6 Default
access-control: ::1 allow # v6 Loops
hide-identity: yes
hide-version: yes
# Will trust glue only if it is within the servers authority.
# Harden against out of zone rrsets, to avoid spoofing attempts.
# Hardening queries multiple name servers for the same data to make
# spoofing significantly harder and does not mandate dnssec.
harden-glue: yes
# Very large queries are ignored. Default is off, since it is legal protocol wise to send these, and could be
# necessary for operation if TSIG or EDNS payload is very large. DNS Exfiltration uses loooong names..
harden-large-queries: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. Harden against receiving dnssec-stripped data. If you
# turn it off, failing to validate dnskey data for a trustanchor will trigger
# insecure mode for that zone (like without a trustanchor). Default on,
# which insists on dnssec data for trust-anchored zones.
# harden-dnssec-stripped: no
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# While upper and lower case letters are allowed in domain names, no significance
# is attached to the case. That is, two names with the same spelling but
# different case are to be treated as if identical. This means calomel.org is the
# same as CaLoMeL.Org which is the same as CALOMEL.ORG.
use-caps-for-id: yes
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
cache-min-ttl: 3600
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400
# Enforce privacy of these addresses. Strips them away from answers. It may
# cause DNSSEC validation to additionally mark it as bogus. Protects against
# 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
# 'local-data' names are allowed to have these private addresses. No default.
private-address: 192.168.0.0/16
private-address: 172.16.0.0/12
private-address: 169.254.0.0/16
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
# Allow the following domains (and subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
# Sets domains to be insecure, DNSSEC chain of trust is ignored towards these.
private-domain: local
domain-insecure: local
# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
unwanted-reply-threshold: 10000
# IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
# localhost you will want to allow the resolver to send queries to localhost.
# Make sure to set do-not-query-localhost: yes . If yes, the above default
# do-not-query-address entries are present. if no, localhost can be queried
# (for testing and debugging).
do-not-query-localhost: no
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# If yes, Unbound doesn't insert authority/additional sections into response messages when those sections are not
# required. This reduces response size significantly, and may avoid TCP fallback. May cause a slight speedup.
minimal-responses: yes
# Uncomment to enable qname minimisation.
# https://tools.ietf.org/html/draft-ietf-dnsop-qname-minimisation-08
# Send minimum amount of information to upstream servers to enhance privacy.
# Only send minimum required labels of the QNAME and set QTYPE to A when possible. Best effort approach; full
# QNAME and original QTYPE will be sent when upstream replies with an RCODE other than NOERROR, except when
# receiving NXDOMAIN from a DNSSEC signed zone. Default is yes.
qname-minimisation: yes
# QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to potentially broken nameservers.
# A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing.
# This option only has effect when qname-minimisation is enabled. Default is off.
qname-minimisation-strict: no
#harden-below-nxdomain: yes
# Uncomment to enable DNSSEC validation.
#auto-trust-anchor-file: "/var/unbound/db/root.key"
# Uncomment to enable DNS Block Lists (See update_dns_blocklist.sh)
# NB; Unbound may not load if you specify duplicate local-zone & local-data domain entries
# in both the main configuration and the "include:" file.
# If using update_dns_blocklist.sh
# include: /var/unbound/etc/dns_blocklist
# If using unbound-adblock (recomended)
# include: /var/unbound/db/adblock.conf
### BEGIN PERFORMANCE SECTION
# perform prefetching of close to expired message cache entries. If a client
# requests the dns lookup and the TTL of the cached hostname is going to
# expire in less than 10% of its TTL, unbound will (1st) return the ip of the
# host to the client and (2nd) pre-fetch the dns request from the remote dns
# server. This method has been shown to increase the amount of cached hits by
# local clients by 10% on average.
prefetch: yes
# number of threads to create. 1 disables threading. This should equal the number
# of CPU cores in the machine. Our example machine has 4 CPU cores.
#num-threads: 4
# The number of slabs to use for cache, and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
#msg-cache-slabs: 16
#rrset-cache-slabs: 16
#infra-cache-slabs: 16
#key-cache-slabs: 16
# If yes, Unbound rotates RRSet order in response (random number taken from query ID, for speed and thread safety).
rrset-roundrobin: yes
# Increase the memory size of the cache. Use roughly twice as much rrset cache
# memory as you use msg cache memory. Due to malloc overhead, the total memory
# usage is likely to rise to double (or 2.5x) the total cache memory. The test
# box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
rrset-cache-size: 512m
msg-cache-size: 256m
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
# the kernel buffer larger so that no messages are lost in spikes in the traffic.
so-rcvbuf: 1m
# UDP EDNS reassembly buffer advertised to peers. Default 4096.
# May need lowering on broken networks with fragmentation/MTU issues,
# particularly if validating DNSSEC.
#
#edns-buffer-size: 1400
# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#
#tcp-upstream: yes
# DNS64 options, synthesizes AAAA records for hosts that don't have
# them. For use with NAT64 (PF "af-to").
#dns64-prefix: 64:ff9b::/96 # well-known prefix (default)
#dns64-synthall: no
# Settings for DNS over TLS
# tls-cert-bundle: /etc/ssl/cert.pem
# ssl-upstream: yes
module-config: "validator python iterator"
### END SERVER SECTION
### BEGIN EXTERNAL INTERFACES SECTION
python:
python-script: "/var/unbound/etc/pfui_unbound.py"
# Socket remote control useful with many monitoring systems as Unbound exposes many statistics here
#remote-control:
# control-enable: yes
# control-use-cert: no
# control-interface: /var/run/unbound.sock
### BEGIN FORWARDERS SECTION
# Recommended to run fully recursive DNS servers in enterprise environments to minimise domain leakage.
# Use upstream forwarder (recursive resolver) for only specific domains/zones.
# Example addresses given below are public resolvers valid as of 2019/01.
# DNS_over_TLS (DoT) forward-zone example, use with ssl-upstream: and tls-cert-bundle:
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
#forward-zone:
# name: "."
# forward-tls-upstream: yes
# forward-addr: 1.0.0.1@853 #Cloudflare one.one.one.one
# forward-addr: 1.1.1.1@853 #Cloudflare one.one.one.one
# forward-addr: 9.9.9.9@853 #dns.quad9.net
# forward-addr: 149.112.112.112@853 #dns.quad9.net
# Standard forwarders
forward-zone:
name: "." # use for ALL queries
forward-addr: 1.1.1.1 # Cloudflare
forward-addr: 208.67.222.222 # opendns.com
# forward-first: yes # Try direct lookup if forwarder fails