# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
#
# Default OpenBSD unbound(8) configuration: a validating, caching resolver
# that listens on the loopback addresses only and answers only local clients.
# Sections: "server:" (resolver behaviour), "remote-control:" (unbound-control
# socket), and commented-out "forward-zone:" examples at the end.

server:
	# Listen on loopback only.  Adding an "interface:" for a non-loopback
	# address also requires matching "access-control: ... allow" entries
	# below, otherwise clients on that address are refused.
	interface: 127.0.0.1
	#interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1
	#do-ip6: no

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	# Default-deny client policy: refuse every source, then allow only the
	# loopback ranges.  Add narrower "allow" netblocks per client network
	# rather than widening these; an unrestricted "allow" makes this an
	# open resolver.
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	# Refuse the CHAOS-class id.server/hostname.bind and
	# version.server/version.bind queries so the resolver does not disclose
	# its host name or software version.
	hide-identity: yes
	hide-version: yes

	# Perform DNSSEC validation.
	# Unbound keeps the root trust anchor in this file and updates it itself
	# (RFC 5011 rollover), so the file must be writable by the unbound user.
	# val-log-level 2 logs an explanation for each validation failure, which
	# is what to look at when a name unexpectedly returns SERVFAIL.
	#
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.
	# https://tools.ietf.org/html/rfc8198
	#
	aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	# (192.0.2.0/24 is documentation address space; replace with your own.)
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
	# verification.  Since it's outside the chroot it is only loaded at
	# startup and thus cannot be changed via a reload.
	# Enable this together with the DNS-over-TLS forward-zone example at the
	# bottom of this file: without a CA bundle there is no trust store to
	# check the forwarder's certificate and "#hostname" against.
	#tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
	# unbound-control(8) over a local unix socket.  Access is presumably
	# governed by the socket's filesystem permissions rather than a
	# control-key/cert pair (confirm against unbound.conf(5)); keep the
	# interface as a path, not a TCP address, unless the key material is
	# set up.
	control-enable: yes
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
# Note that "forward-first: yes" falls back to direct recursion when the
# forwarder fails, so a forwarder chosen for privacy or filtering reasons
# is then bypassed silently.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 192.0.2.53		# example address only
#	forward-first: yes			# try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.  Requires "tls-cert-bundle" in the server section above,
# and the name after "#" in forward-addr must match the forwarder's
# certificate.
#forward-zone:
#	name: "."
#	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
#	forward-first: no			# do NOT send direct
#	# the hostname after "#" is not a comment, it is used for TLS checks:
#	forward-addr: 192.0.2.53@853#resolver.hostname.example