bpfire/config/unbound/unbound.conf

#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#

server:
	# Common Server Options
	chroot: ""
	directory: "/etc/unbound"
	username: "nobody"
	do-ip6: no

	# System Tuning
	include: "/etc/unbound/tuning.conf"

	# Logging Options
	use-syslog: yes
	log-time-ascii: yes

	# Unbound Statistics
	statistics-interval: 86400
	extended-statistics: yes

	# Prefetching
	prefetch: yes
	prefetch-key: yes

	# Randomise any cached responses
	rrset-roundrobin: yes

	# Privacy Options
	hide-identity: yes
	hide-version: yes

	# DNSSEC
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	val-log-level: 1
	log-servfail: yes

	# Hardening Options
	harden-large-queries: yes
	harden-referral-path: yes
	aggressive-nsec: yes

	# TLS
	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

	# EDNS Buffer Size (#12240)
	edns-buffer-size: 1232

	# Harden against DNS cache poisoning
	unwanted-reply-threshold: 1000000

	# Listen on all interfaces
	interface-automatic: yes
	interface: 0.0.0.0

	# Allow access from everywhere
	access-control: 0.0.0.0/0 allow

	# Bootstrap root servers
	root-hints: "/etc/unbound/root.hints"

	# Include DHCP leases
	include: "/etc/unbound/dhcp-leases.conf"

	# Include hosts
	include: "/etc/unbound/hosts.conf"

	# Include any forward zones
	include: "/etc/unbound/forward.conf"

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: 127.0.0.1

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"