From 144d4a726f027a1a5e394477ae9870d46a60376d Mon Sep 17 00:00:00 2001
From: BBaoVanC
Date: Sat, 14 Aug 2021 19:49:52 -0500
Subject: [PATCH] Add files
---
 .gitignore | 4 +++
 unbound.conf | 10 ++++++
 unbound.conf.d/boba.conf | 36 +++++++++++++++++++
 unbound.conf.d/qname-minimisation.conf | 9 +++++
 .../root-auto-trust-anchor-file.conf | 4 +++
 5 files changed, 63 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 unbound.conf
 create mode 100644 unbound.conf.d/boba.conf
 create mode 100644 unbound.conf.d/qname-minimisation.conf
 create mode 100644 unbound.conf.d/root-auto-trust-anchor-file.conf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..88ee4ec
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+unbound_control.key
+unbound_control.pem
+unbound_server.key
+unbound_server.pem
diff --git a/unbound.conf b/unbound.conf
new file mode 100644
index 0000000..b2d7672
--- /dev/null
+++ b/unbound.conf
@@ -0,0 +1,10 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include: "/etc/unbound/unbound.conf.d/*.conf"
diff --git a/unbound.conf.d/boba.conf b/unbound.conf.d/boba.conf
new file mode 100644
index 0000000..7b96fc8
--- /dev/null
+++ b/unbound.conf.d/boba.conf
@@ -0,0 +1,36 @@
+# Based on https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
+server:
+ verbosity: 0
+
+ interface: 0.0.0.0
+ interface: ::
+ #interface: 127.0.0.1
+ #interface: ::1
+ port: 53
+ do-ip4: yes
+ do-udp: yes
+ do-tcp: yes
+ do-ip6: yes
+ prefer-ip6: yes
+
+ # Reduce EDNS reassembly buffer size.
+ # Suggested by the unbound man page to reduce fragmentation reassembly problems
+ edns-buffer-size: 1472
+
+ # Perform prefetching of close to expired message cache entries
+ # This only applies to domains that have been frequently queried
+ prefetch: yes
+
+ # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+ #num-threads: 1
+
+ # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+ so-rcvbuf: 1m
+
+ # Ensure privacy of local IP ranges
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 10.0.0.0/8
+ private-address: fd00::/8
+ private-address: fe80::/10
diff --git a/unbound.conf.d/qname-minimisation.conf b/unbound.conf.d/qname-minimisation.conf
new file mode 100644
index 0000000..94a2ab0
--- /dev/null
+++ b/unbound.conf.d/qname-minimisation.conf
@@ -0,0 +1,9 @@
+server:
+ # Send minimum amount of information to upstream servers to enhance
+ # privacy. Only sends minimum required labels of the QNAME and sets
+ # QTYPE to NS when possible.
+
+ # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
+ # details.
+
+ qname-minimisation: yes
diff --git a/unbound.conf.d/root-auto-trust-anchor-file.conf b/unbound.conf.d/root-auto-trust-anchor-file.conf
new file mode 100644
index 0000000..433eff9
--- /dev/null
+++ b/unbound.conf.d/root-auto-trust-anchor-file.conf
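Review bot: The `interface: 0.0.0.0` and `interface: ::` lines in boba.conf bind the resolver on every address, yet no `access-control:` statement appears in any file of this patch, so which clients may query is left to Unbound's documented default (loopback allowed, everything else refused). If LAN clients are the intended users, add explicit allow entries for just the served ranges and keep the default refuse for the rest, e.g. `access-control: 192.168.0.0/16 allow`; if the only client is a Pi-hole on the same host, the commented-out `127.0.0.1`/`::1` interfaces are the tighter choice and the wildcard binds should go. A comment above the interface lines stating the intended client population would make that exposure decision reviewable, since other files in /etc/unbound/unbound.conf.d on the host may also contribute rules that this patch does not show. `verbosity: 0` additionally suppresses almost all logging, which is worth stating in a comment if operational logs are expected elsewhere.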
@@ -0,0 +1,4 @@
+server:
+ # The following line will configure unbound to perform cryptographic
+ # DNSSEC validation using the root trust anchor.
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
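Review bot: The comment above `auto-trust-anchor-file` should say that Unbound rewrites this file itself to track root KSK rollovers (RFC 5011), so `/var/lib/unbound/root.key` must exist and be writable by the user Unbound runs as; if it is missing or read-only, validation will not behave as the comment promises. Suggested wording: `# Unbound updates this file in place (RFC 5011); it must exist and be writable by the unbound user.` The file name matches the one the Debian package ships in unbound.conf.d, so presumably the package's unbound-anchor hook creates and maintains the key — confirm that before relying on it on a non-Debian host.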