# $OpenBSD: unbound.conf,v 1.20 2020/06/21 16:59:45 sthen Exp $

# Unbound validating, recursive, caching DNS resolver (OpenBSD base config).
# Defaults here bind to loopback only and refuse every other client, so the
# resolver is not reachable from the network unless interface/access-control
# lines below are deliberately widened together.

server:
	# Listen on loopback only (IPv4 and IPv6).
	interface: 127.0.0.1
	#interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1
	#do-ip6: no

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	# Default-deny: only loopback clients are answered. When exposing the
	# resolver to a LAN, add an explicit "allow" for that prefix rather than
	# changing the catch-all refuse rules, so it never becomes an open resolver.
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	# Do not answer id.server / version.server CHAOS queries, which would
	# reveal the server's hostname and software version.
	hide-identity: yes
	hide-version: yes

	# Perform DNSSEC validation.
	# The root trust anchor is kept up to date automatically (RFC 5011); the
	# file must be writable by unbound inside its chroot for that to work.
	# val-log-level 2 logs validation failures together with the reason.
	#
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.
	# https://tools.ietf.org/html/rfc8198
	#
	aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
	# May need lowering on broken networks with fragmentation/MTU issues,
	# particularly if validating DNSSEC.
	#
	#edns-buffer-size: 1480

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
	# verification. Since it's outside the chroot it is only loaded at
	# startup and thus cannot be changed via a reload.
	# Required for the DNS-over-TLS forward-zone example at the bottom of
	# this file: without a CA bundle the forwarder's certificate cannot be
	# authenticated against the "#hostname" given in forward-addr.
	#tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
	# Control channel (unbound-control) over a local unix socket rather than
	# a TCP port, so it is not reachable from the network.
	# NOTE(review): with a socket path, who may reconfigure or flush the
	# resolver is governed by the socket's filesystem ownership and mode —
	# confirm those on the host.
	control-enable: yes
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
# This example is cleartext: the forwarder can see all queries, and with
# forward-first the resolver silently falls back to direct recursion.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 192.0.2.53		# example address only
#	forward-first: yes			# try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
# NOTE(review): hostname verification of the forwarder only takes effect when
# a CA bundle is loaded (see tls-cert-bundle in the server section, commented
# out above) — enable both together; confirm against the running unbound
# version.
#forward-zone:
#	name: "."
#	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
#	forward-first: no			# do NOT send direct
#	# the hostname after "#" is not a comment, it is used for TLS checks:
#	forward-addr: 192.0.2.53@853#resolver.hostname.example