bpfire/config/unbound/unbound.conf

#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#

server:
	# Common Server Options
	chroot: ""
	directory: "/etc/unbound"
	username: "nobody"
	port: 53
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	so-reuseport: yes
	do-not-query-localhost: yes

	# System Tuning
	include: "/etc/unbound/tuning.conf"

	# Logging Options
	verbosity: 1
	use-syslog: yes
	log-time-ascii: yes
	log-queries: no

	# Unbound Statistics
	statistics-interval: 86400
	statistics-cumulative: yes
	extended-statistics: yes

	# Prefetching
	prefetch: yes
	prefetch-key: yes

	# Randomise any cached responses
	rrset-roundrobin: yes

	# Privacy Options
	hide-identity: yes
	hide-version: yes
	qname-minimisation: yes
	minimal-responses: yes

	# DNSSEC
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	val-permissive-mode: no
	val-clean-additional: yes
	val-log-level: 1

	# Hardening Options
	harden-glue: yes
	harden-short-bufsize: no
	harden-large-queries: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-referral-path: yes
	harden-algo-downgrade: no
	use-caps-for-id: yes
	aggressive-nsec: yes
	qname-minimisation: yes

	# TLS
	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

	# EDNS Buffer Size (#12240)
	edns-buffer-size: 1232

	# Harden against DNS cache poisoning
	unwanted-reply-threshold: 1000000

	# Listen on all interfaces
	interface-automatic: yes
	interface: 0.0.0.0

	# Allow access from everywhere
	access-control: 0.0.0.0/0 allow

	# Bootstrap root servers
	root-hints: "/etc/unbound/root.hints"

	# Include DHCP leases
	include: "/etc/unbound/dhcp-leases.conf"

	# Include any forward zones
	include: "/etc/unbound/forward.conf"

	# Include safe search settings
	include: "/etc/unbound/safe-search.conf"

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: 127.0.0.1

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"