# ==============================================================================
# Unbound DNS Resolver Configuration
# ==============================================================================
#
# Description: Unbound configuration file for recursive DNS resolution
# Generated by Ansible - DO NOT EDIT MANUALLY
# Template: unbound.conf.j2
#
# Reference: https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
# ==============================================================================

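server:
    # ========================================================================
    # BASIC SETTINGS
    # ========================================================================

    # Maximum time to live (seconds) for RRsets and messages in the cache
    cache-max-ttl: 86400

    # Minimum time to live (seconds) for RRsets and messages in the cache.
    # This overrides shorter upstream TTLs, so keep it small.
    cache-min-ttl: 300

    # Working directory; relative paths below (e.g. the trust anchor file)
    # resolve against it
    directory: "/opt/unbound/etc/unbound"

    # EDNS buffer size for UDP responses (1232 avoids IP fragmentation)
    edns-buffer-size: 1232

    # Interface and port to listen on (from the Ansible inventory)
    interface: {{ unbound_interface }}@{{ unbound_port }}

    # Rotate RRSet order in responses for load balancing
    rrset-roundrobin: yes

    # Drop root privileges to this user after binding the port
    username: "_unbound"

    # ========================================================================
    # LOGGING CONFIGURATION
    # ========================================================================

    # Reduce logging verbosity for production use.
    # NOTE(review): verbosity 0 still emits error messages, but with
    # logfile /dev/null those are discarded as well, so startup/config
    # errors and SERVFAIL causes leave no trace. Under Docker, logfile: ""
    # together with use-syslog: no would route them to stderr instead.
    log-local-actions: no
    log-queries: no
    log-replies: no
    log-servfail: no
    logfile: /dev/null
    verbosity: 0

    # ========================================================================
    # PRIVACY AND SECURITY SETTINGS
    # ========================================================================

    # Use NSEC chain to synthesize negative answers
    aggressive-nsec: yes

    # Delay (msec) before closing timed-out UDP ports, so late replies are
    # absorbed instead of reaching a reused port
    delay-close: 10000

    # Run in foreground (process lifecycle is managed by Docker)
    do-daemonize: no

    # Permit Unbound to send upstream queries to 127.0.0.0/8 and ::1.
    # The default ("yes") refuses them; "no" is only needed when one of
    # the forwarders below runs on this host.
    # NOTE(review): confirm unbound_forward_zone_servers actually contains a
    # localhost address; otherwise the default is the safer choice.
    do-not-query-localhost: no

    # Size of the aggressive negative cache
    neg-cache-size: 4M

    # Enable QNAME minimisation so upstream servers only see the labels
    # they need
    qname-minimisation: yes

    # ========================================================================
    # ACCESS CONTROL
    # ========================================================================

    # Restrict access to the configured networks only. Unbound refuses
    # everything except localhost unless an allow rule is listed here, so
    # each entry is expected as "<netblock> <action>" (e.g. allow/refuse).
{% for acl in unbound_access_control %}
    access-control: {{ acl }}
{% endfor %}

    # ========================================================================
    # SECURITY HARDENING
    # ========================================================================

    # Trust anchor file for DNSSEC validation, relative to "directory".
    # Unbound rewrites this file on RFC 5011 key rollovers, so it must be
    # writable by the "_unbound" user inside the chroot.
    auto-trust-anchor-file: "var/root.key"

    # Chroot directory; same as "directory" so relative paths stay valid
    chroot: "/opt/unbound/etc/unbound"

    # Deny ANY queries with an empty response (limits amplification use)
    deny-any: yes

    # Harden against algorithm downgrade attacks
    harden-algo-downgrade: yes

    # Harden against below-nxdomain attacks
    harden-below-nxdomain: yes

    # Require DNSSEC data for trust-anchored zones
    harden-dnssec-stripped: yes

    # Only trust glue within the server's authority
    harden-glue: yes

    # Ignore very large queries
    harden-large-queries: yes

    # Ignore very small EDNS buffer sizes
    harden-short-bufsize: yes

    # Keep the HTTP User-Agent header on outgoing requests (set below)
    hide-http-user-agent: no

    # Refuse id.server and hostname.bind queries
    hide-identity: yes

    # Refuse version.server and version.bind queries
    hide-version: yes

    # Set HTTP User-Agent header
    http-user-agent: "DNS"

    # Set server identity
    identity: "DNS"

    # Protect against DNS rebinding: strip answers that point public names
    # at private address space. IPv6 ULA, link-local and the IPv4-mapped
    # range are included so the filter cannot be bypassed via IPv6.
    # 127.0.0.0/8 is deliberately left out because DNS blocklists use it.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96

    # Limit queries per second sent to any one authoritative zone during
    # recursion; mitigates random-subdomain floods. This is not a
    # per-client limit (that would be ip-ratelimit).
    ratelimit: 1000

    # CA bundle used to authenticate outbound TLS connections (DoT to the
    # forwarders below). Read at startup, before chroot and privilege drop.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Threshold of unwanted replies before the cache is flushed (spoofing
    # attempt heuristic)
    unwanted-reply-threshold: 10000

    # Use 0x20-encoded random bits to foil spoofing
    use-caps-for-id: yes

    # Clean additional section of secure messages
    val-clean-additional: yes

    # ========================================================================
    # PERFORMANCE OPTIMIZATION
    # ========================================================================

    # Infrastructure cache slabs for thread contention reduction
    infra-cache-slabs: 4

    # Number of incoming TCP buffers per thread
    incoming-num-tcp: 10

    # Key cache slabs for thread contention reduction
    key-cache-slabs: 4

    # Message cache size (adjusted based on available memory)
    msg-cache-size: 64m

    # Message cache slabs for thread contention reduction
    msg-cache-slabs: 4

    # Number of queries per thread
    num-queries-per-thread: 1024

    # Number of threads.
    # NOTE(review): stock Unbound documents this option as an integer and
    # its parser rejects non-numeric values; confirm the image in use
    # accepts "auto", otherwise substitute the CPU count here.
    num-threads: auto

    # Outgoing range (number of ports to open)
    outgoing-range: 1024

    # RRset cache size (roughly 2x message cache)
    rrset-cache-size: 128m

    # RRset cache slabs for thread contention reduction
    rrset-cache-slabs: 4

    # Minimal responses to reduce size
    minimal-responses: yes

    # Prefetch popular records
    prefetch: yes

    # Prefetch DNSKEYs for faster validation
    prefetch-key: yes

    # Serve expired responses while resolving, but only for up to one day
    # past expiry (RFC 8767 range) so stale data cannot be served forever
    serve-expired: yes
    serve-expired-ttl: 86400

    # Use SO_REUSEPORT for better load distribution
    so-reuseport: yes

# ============================================================================
# FORWARD ZONE CONFIGURATION
# ============================================================================

# Forward everything to the upstream resolvers over DNS-over-TLS.
# A single forward-zone holds all servers: Unbound ignores a second
# forward-zone with the same name, so one stanza per server would leave
# only the first upstream in use. forward-tls-upstream is what actually
# switches the transport to TLS; without it the addresses are queried in
# cleartext. Entries in unbound_forward_zone_servers are expected in the
# "IP@853#hostname" form so the certificate is authenticated against
# tls-cert-bundle above.
forward-zone:
    name: "."
    forward-tls-upstream: yes
{% for server in unbound_forward_zone_servers %}
    forward-addr: {{ server }}
{% endfor %}

# ============================================================================
# REMOTE CONTROL (DISABLED FOR SECURITY)
# ============================================================================

remote-control:
    control-enable: no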
215
# ==============================================================================
# END OF UNBOUND CONFIGURATION
# ==============================================================================