mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-19 23:43:00 +02:00
Currently, Unbound only prints statistics if it is being shutdown (mostly because of a machine reboot). This makes detecting DNS anomalies hard as no intermediate statistic result is being logged. This patch changes Unbound's behaviour in order to log statistics every 86,400 seconds (i.e. 24 hours). Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
95 lines
1.9 KiB
Plaintext
95 lines
1.9 KiB
Plaintext
#
|
|
# Unbound configuration file for IPFire
|
|
#
|
|
# The full documentation is available at:
|
|
# https://www.unbound.net/documentation/unbound.conf.html
|
|
#
|
|
|
|
server:
|
|
# Common Server Options
|
|
chroot: ""
|
|
directory: "/etc/unbound"
|
|
username: "nobody"
|
|
port: 53
|
|
do-ip4: yes
|
|
do-ip6: no
|
|
do-udp: yes
|
|
do-tcp: yes
|
|
so-reuseport: yes
|
|
do-not-query-localhost: yes
|
|
|
|
# System Tuning
|
|
include: "/etc/unbound/tuning.conf"
|
|
|
|
# Logging Options
|
|
verbosity: 1
|
|
use-syslog: yes
|
|
log-time-ascii: yes
|
|
log-queries: no
|
|
|
|
# Unbound Statistics
|
|
statistics-interval: 86400
|
|
statistics-cumulative: yes
|
|
extended-statistics: yes
|
|
|
|
# Prefetching
|
|
prefetch: yes
|
|
prefetch-key: yes
|
|
|
|
# Randomise any cached responses
|
|
rrset-roundrobin: yes
|
|
|
|
# Privacy Options
|
|
hide-identity: yes
|
|
hide-version: yes
|
|
qname-minimisation: yes
|
|
minimal-responses: yes
|
|
|
|
# DNSSEC
|
|
auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
|
val-permissive-mode: no
|
|
val-clean-additional: yes
|
|
val-log-level: 1
|
|
|
|
# Hardening Options
|
|
harden-glue: yes
|
|
harden-short-bufsize: no
|
|
harden-large-queries: yes
|
|
harden-dnssec-stripped: yes
|
|
harden-below-nxdomain: yes
|
|
harden-referral-path: yes
|
|
harden-algo-downgrade: no
|
|
use-caps-for-id: yes
|
|
aggressive-nsec: yes
|
|
|
|
# Harden against DNS cache poisoning
|
|
unwanted-reply-threshold: 1000000
|
|
|
|
# Listen on all interfaces
|
|
interface-automatic: yes
|
|
interface: 0.0.0.0
|
|
|
|
# Allow access from everywhere
|
|
access-control: 0.0.0.0/0 allow
|
|
|
|
# Bootstrap root servers
|
|
root-hints: "/etc/unbound/root.hints"
|
|
|
|
# Include DHCP leases
|
|
include: "/etc/unbound/dhcp-leases.conf"
|
|
|
|
# Include any forward zones
|
|
include: "/etc/unbound/forward.conf"
|
|
|
|
remote-control:
|
|
control-enable: yes
|
|
control-use-cert: yes
|
|
control-interface: 127.0.0.1
|
|
server-key-file: "/etc/unbound/unbound_server.key"
|
|
server-cert-file: "/etc/unbound/unbound_server.pem"
|
|
control-key-file: "/etc/unbound/unbound_control.key"
|
|
control-cert-file: "/etc/unbound/unbound_control.pem"
|
|
|
|
# Import any local configurations
|
|
include: "/etc/unbound/local.d/*.conf"
|