commit
40472ae6f7
@ -0,0 +1 @@ |
|||||||
|
volumes/unbound/etc/unbound/var |
@ -0,0 +1,56 @@ |
|||||||
|
version: "3" |
||||||
|
|
||||||
|
services: |
||||||
|
dnscrypt-server: |
||||||
|
image: jedisct1/dnscrypt-server:latest |
||||||
|
container_name: dnscrypt-server |
||||||
|
restart: unless-stopped |
||||||
|
expose: |
||||||
|
- "8443/tcp" |
||||||
|
ports: |
||||||
|
- "8443:8443/udp" |
||||||
|
networks: |
||||||
|
- dnscrypt |
||||||
|
volumes: |
||||||
|
- ./encrypted-dns.toml.in:/opt/encrypted-dns/etc/encrypted-dns.toml.in:ro |
||||||
|
- ${LOCAL_STACK_DIR}/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys |
||||||
|
- ${LOCAL_STACK_DIR}/dnscrypt-server/lists:/opt/encrypted-dns/etc/lists |
||||||
|
command: "init -N dncr.eracolatore.tk -E 173.249.32.7:8443" |
||||||
|
environment: |
||||||
|
- TZ='Europe/Berlin' |
||||||
|
|
||||||
|
unbound: |
||||||
|
image: mvance/unbound:latest |
||||||
|
container_name: unbound |
||||||
|
restart: unless-stopped |
||||||
|
expose: |
||||||
|
- "53/tcp" |
||||||
|
- "53/udp" |
||||||
|
networks: |
||||||
|
- default |
||||||
|
- dnscrypt |
||||||
|
volumes: |
||||||
|
- ./volumes/unbound/etc/unbound:/opt/unbound/etc/unbound |
||||||
|
|
||||||
|
dnscrypt-server-doh: |
||||||
|
image: satishweb/doh-server:latest |
||||||
|
container_name: dnscrypt-server-doh |
||||||
|
environment: |
||||||
|
- DEBUG=0 |
||||||
|
- UPSTREAM_DNS_SERVER=udp:unbound:53 |
||||||
|
- DOH_HTTP_PREFIX=/dns-query |
||||||
|
- DOH_SERVER_LISTEN=0.0.0.0:8053 |
||||||
|
- DOH_SERVER_TIMEOUT=10 |
||||||
|
- DOH_SERVER_TRIES=3 |
||||||
|
- DOH_SERVER_VERBOSE=true |
||||||
|
- VIRTUAL_HOST=doh.dns.eracolatore.tk |
||||||
|
- VIRTUAL_PORT=8053 |
||||||
|
- LETSENCRYPT_HOST=doh.dns.eracolatore.tk |
||||||
|
- LETSENCRYPT_EMAIL=meliurwen+letsencrypt@gmail.com |
||||||
|
|
||||||
|
networks: |
||||||
|
default: |
||||||
|
external: |
||||||
|
name: ${NETWORK:-webservices} |
||||||
|
dnscrypt: |
||||||
|
|
@ -0,0 +1,257 @@ |
|||||||
|
#################################################### |
||||||
|
# # |
||||||
|
# Encrypted DNS Server configuration # |
||||||
|
# # |
||||||
|
#################################################### |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
################################## |
||||||
|
# Global settings # |
||||||
|
################################## |
||||||
|
|
||||||
|
|
||||||
|
## IP addresses and ports to listen to, as well as their external IP |
||||||
|
## If there is no NAT involved, `local` and `external` can be the same. |
||||||
|
## As many addresses as needed can be configured here, IPv4 and/or IPv6. |
||||||
|
## You should at least change the `external` IP address. |
||||||
|
|
||||||
|
### Example with both IPv4 and IPv6 addresses: |
||||||
|
# listen_addrs = [ |
||||||
|
# { local = "0.0.0.0:443", external = "198.51.100.1:443" }, |
||||||
|
# { local = "[::]:443", external = "[2001:db8::1]:443" } |
||||||
|
# ] |
||||||
|
|
||||||
|
listen_addrs = [ |
||||||
|
@LISTEN_ADDRESSES@ |
||||||
|
] |
||||||
|
|
||||||
|
## Upstream DNS server and port |
||||||
|
|
||||||
|
upstream_addr = "172.30.0.3:53" |
||||||
|
|
||||||
|
|
||||||
|
## File name to save the state to |
||||||
|
|
||||||
|
state_file = "/opt/encrypted-dns/etc/keys/state/encrypted-dns.state" |
||||||
|
|
||||||
|
|
||||||
|
## UDP timeout in seconds |
||||||
|
|
||||||
|
udp_timeout = 10 |
||||||
|
|
||||||
|
|
||||||
|
## TCP timeout in seconds |
||||||
|
|
||||||
|
tcp_timeout = 10 |
||||||
|
|
||||||
|
|
||||||
|
## Maximum active UDP sockets |
||||||
|
|
||||||
|
udp_max_active_connections = 1000 |
||||||
|
|
||||||
|
|
||||||
|
## Maximum active TCP connections |
||||||
|
|
||||||
|
tcp_max_active_connections = 100 |
||||||
|
|
||||||
|
|
||||||
|
## Optional IP address to connect to upstream servers from. |
||||||
|
## Leave commented/undefined to automatically select it. |
||||||
|
|
||||||
|
# external_addr = "0.0.0.0" |
||||||
|
|
||||||
|
|
||||||
|
## Built-in DNS cache capacity |
||||||
|
|
||||||
|
cache_capacity = 150000 |
||||||
|
|
||||||
|
|
||||||
|
## DNS cache: minimum TTL |
||||||
|
|
||||||
|
cache_ttl_min = 3600 |
||||||
|
|
||||||
|
|
||||||
|
## DNS cache: max TTL |
||||||
|
|
||||||
|
cache_ttl_max = 86400 |
||||||
|
|
||||||
|
|
||||||
|
## DNS cache: error TTL |
||||||
|
|
||||||
|
cache_ttl_error = 600 |
||||||
|
|
||||||
|
|
||||||
|
## DNS cache: to avoid bursts of traffic for popular queries when an |
||||||
|
## RRSET expires, hold a TTL received from an upstream server for |
||||||
|
## `client_ttl_holdon` seconds before decreasing it in client responses. |
||||||
|
|
||||||
|
client_ttl_holdon = 60 |
||||||
|
|
||||||
|
|
||||||
|
## Run as a background process |
||||||
|
|
||||||
|
daemonize = false |
||||||
|
|
||||||
|
|
||||||
|
## Log file |
||||||
|
|
||||||
|
# log_file = "/tmp/encrypted-dns.log" |
||||||
|
|
||||||
|
|
||||||
|
## PID file |
||||||
|
|
||||||
|
# pid_file = "/tmp/encrypted-dns.pid" |
||||||
|
|
||||||
|
|
||||||
|
## User name to drop privileges to, when started as root. |
||||||
|
|
||||||
|
user = "_encrypted-dns" |
||||||
|
|
||||||
|
|
||||||
|
## Group name to drop privileges to, when started as root. |
||||||
|
|
||||||
|
group = "_encrypted-dns" |
||||||
|
|
||||||
|
|
||||||
|
## Path to chroot() to, when started as root. |
||||||
|
## The path to the state file is relative to the chroot base. |
||||||
|
|
||||||
|
# chroot = "/var/empty" |
||||||
|
|
||||||
|
|
||||||
|
## Queries sent to that name will return the client IP address. |
||||||
|
## This can be very useful for debugging, or to check that relaying works. |
||||||
|
|
||||||
|
# my_ip = "my.ip" |
||||||
|
|
||||||
|
|
||||||
|
#################################### |
||||||
|
# DNSCrypt settings # |
||||||
|
#################################### |
||||||
|
|
||||||
|
[dnscrypt] |
||||||
|
|
||||||
|
## Provider name (with or without the `2.dnscrypt-cert.` prefix) |
||||||
|
|
||||||
|
provider_name = "@PROVIDER_NAME@" |
||||||
|
|
||||||
|
|
||||||
|
## Does the server support DNSSEC? |
||||||
|
|
||||||
|
dnssec = true |
||||||
|
|
||||||
|
|
||||||
|
## Does the server always returns correct answers (no filtering, including ad blocking)? |
||||||
|
|
||||||
|
no_filters = true |
||||||
|
|
||||||
|
|
||||||
|
## Set to `true` if the server doesn't keep any information that can be used to identify users |
||||||
|
|
||||||
|
no_logs = true |
||||||
|
|
||||||
|
|
||||||
|
## Key cache capacity, per certificate |
||||||
|
|
||||||
|
key_cache_capacity = 10000 |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
############################### |
||||||
|
# TLS settings # |
||||||
|
############################### |
||||||
|
|
||||||
|
[tls] |
||||||
|
|
||||||
|
## Where to proxy TLS connections to (e.g. DoH server) |
||||||
|
|
||||||
|
# upstream_addr = "127.0.0.1:4343" |
||||||
|
|
||||||
|
@TLS_PROXY_CONFIGURATION@ |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
####################################### |
||||||
|
# Server-side filtering # |
||||||
|
####################################### |
||||||
|
|
||||||
|
[filtering] |
||||||
|
|
||||||
|
## List of domains to block, one per line |
||||||
|
|
||||||
|
@DOMAIN_BLACKLIST_CONFIGURATION@ |
||||||
|
|
||||||
|
|
||||||
|
## List of undelegated TLDs |
||||||
|
## This is the list of nonexistent TLDs that queries are frequently observed for, |
||||||
|
## but will never resolve to anything. The server will immediately return a |
||||||
|
## synthesized NXDOMAIN response instead of hitting root servers. |
||||||
|
|
||||||
|
undelegated_list = "/opt/encrypted-dns/etc/undelegated.txt" |
||||||
|
|
||||||
|
|
||||||
|
## Ignore A and AAAA queries for unqualified host names. |
||||||
|
|
||||||
|
ignore_unqualified_hostnames = true |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################### |
||||||
|
# Metrics # |
||||||
|
######################### |
||||||
|
|
||||||
|
[metrics] |
||||||
|
|
||||||
|
type = "prometheus" |
||||||
|
listen_addr = "@METRICS_ADDRESS@" |
||||||
|
path = "/metrics" |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
################################ |
||||||
|
# Anonymized DNS # |
||||||
|
################################ |
||||||
|
|
||||||
|
[anonymized_dns] |
||||||
|
|
||||||
|
# Enable relaying support for Anonymized DNS |
||||||
|
|
||||||
|
enabled = @ANONDNS_ENABLED@ |
||||||
|
|
||||||
|
|
||||||
|
# Allowed upstream ports |
||||||
|
# This is a list of commonly used ports for encrypted DNS services |
||||||
|
|
||||||
|
allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ] |
||||||
|
|
||||||
|
|
||||||
|
# Allow all ports >= 1024 in addition to the list above |
||||||
|
|
||||||
|
allow_non_reserved_ports = false |
||||||
|
|
||||||
|
|
||||||
|
# Blacklisted upstream IP addresses |
||||||
|
|
||||||
|
blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ] |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
################################ |
||||||
|
# Access control # |
||||||
|
################################ |
||||||
|
|
||||||
|
[access_control] |
||||||
|
|
||||||
|
# Enable access control |
||||||
|
|
||||||
|
enabled = false |
||||||
|
|
||||||
|
# Only allow access to client queries including one of these random tokens |
||||||
|
# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as |
||||||
|
# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client. |
||||||
|
# Example: `query_meta = ["token:Y2oHkDJNHz"]` |
||||||
|
|
||||||
|
tokens = ["IQdjF6Cqt2fZuVMF", "CUKJAloBTkTRm2aH", "ZlRuzSNoALoAvxyB"] |
||||||
|
|
@ -0,0 +1,313 @@ |
|||||||
|
server: |
||||||
|
do-ip6: no |
||||||
|
########################################################################### |
||||||
|
# BASIC SETTINGS |
||||||
|
########################################################################### |
||||||
|
# Time to live maximum for RRsets and messages in the cache. If the maximum |
||||||
|
# kicks in, responses to clients still get decrementing TTLs based on the |
||||||
|
# original (larger) values. When the internal TTL expires, the cache item |
||||||
|
# has expired. Can be set lower to force the resolver to query for data |
||||||
|
# often, and not trust (very large) TTL values. |
||||||
|
cache-max-ttl: 86400 |
||||||
|
|
||||||
|
# Time to live minimum for RRsets and messages in the cache. If the minimum |
||||||
|
# kicks in, the data is cached for longer than the domain owner intended, |
||||||
|
# and thus less queries are made to look up the data. Zero makes sure the |
||||||
|
# data in the cache is as the domain owner intended, higher values, |
||||||
|
# especially more than an hour or so, can lead to trouble as the data in |
||||||
|
# the cache does not match up with the actual data any more. |
||||||
|
cache-min-ttl: 300 |
||||||
|
|
||||||
|
# Set the working directory for the program. |
||||||
|
directory: "/opt/unbound/etc/unbound" |
||||||
|
|
||||||
|
# RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer |
||||||
|
# size. This is the value put into datagrams over UDP towards peers. |
||||||
|
# The actual buffer size is determined by msg-buffer-size (both for TCP and |
||||||
|
# UDP). Do not set higher than that value. |
||||||
|
# Default is 1232 which is the DNS Flag Day 2020 recommendation. |
||||||
|
# Setting to 512 bypasses even the most stringent path MTU problems, but |
||||||
|
# is seen as extreme, since the amount of TCP fallback generated is |
||||||
|
# excessive (probably also for this resolver, consider tuning the outgoing |
||||||
|
# tcp number). |
||||||
|
edns-buffer-size: 1232 |
||||||
|
|
||||||
|
# Listen to for queries from clients and answer from this network interface |
||||||
|
# and port. |
||||||
|
interface: 0.0.0.0@53 |
||||||
|
|
||||||
|
# Rotates RRSet order in response (the pseudo-random number is taken from |
||||||
|
# the query ID, for speed and thread safety). |
||||||
|
rrset-roundrobin: yes |
||||||
|
|
||||||
|
# Drop user privileges after binding the port. |
||||||
|
username: "_unbound" |
||||||
|
|
||||||
|
########################################################################### |
||||||
|
# LOGGING |
||||||
|
########################################################################### |
||||||
|
|
||||||
|
# Do not print log lines to inform about local zone actions |
||||||
|
log-local-actions: no |
||||||
|
|
||||||
|
# Do not print one line per query to the log |
||||||
|
log-queries: yes |
||||||
|
|
||||||
|
# Do not print one line per reply to the log |
||||||
|
log-replies: no |
||||||
|
|
||||||
|
# Do not print log lines that say why queries return SERVFAIL to clients |
||||||
|
log-servfail: no |
||||||
|
|
||||||
|
# Further limit logging |
||||||
|
#logfile: /dev/null |
||||||
|
logfile: /var/unbound.log |
||||||
|
|
||||||
|
# Only log errors |
||||||
|
verbosity: 0 |
||||||
|
|
||||||
|
########################################################################### |
||||||
|
# PRIVACY SETTINGS |
||||||
|
########################################################################### |
||||||
|
|
||||||
|
# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other |
||||||
|
# denials, using information from previous NXDO-MAINs answers. In other |
||||||
|
# words, use cached NSEC records to generate negative answers within a |
||||||
|
# range and positive answers from wildcards. This increases performance, |
||||||
|
# decreases latency and resource utilization on both authoritative and |
||||||
|
# recursive servers, and increases privacy. Also, it may help increase |
||||||
|
# resilience to certain DoS attacks in some circumstances. |
||||||
|
aggressive-nsec: yes |
||||||
|
|
||||||
|
# Extra delay for timeouted UDP ports before they are closed, in msec. |
||||||
|
# This prevents very delayed answer packets from the upstream (recursive) |
||||||
|
# servers from bouncing against closed ports and setting off all sort of |
||||||
|
# close-port counters, with eg. 1500 msec. When timeouts happen you need |
||||||
|
# extra sockets, it checks the ID and remote IP of packets, and unwanted |
||||||
|
# packets are added to the unwanted packet counter. |
||||||
|
delay-close: 10000 |
||||||
|
|
||||||
|
# Prevent the unbound server from forking into the background as a daemon |
||||||
|
do-daemonize: no |
||||||
|
|
||||||
|
# Add localhost to the do-not-query-address list. |
||||||
|
do-not-query-localhost: no |
||||||
|
|
||||||
|
# Number of bytes size of the aggressive negative cache. |
||||||
|
neg-cache-size: 4M |
||||||
|
|
||||||
|
# Send minimum amount of information to upstream servers to enhance |
||||||
|
# privacy (best privacy). |
||||||
|
qname-minimisation: yes |
||||||
|
|
||||||
|
########################################################################### |
||||||
|
# SECURITY SETTINGS |
||||||
|
########################################################################### |
||||||
|
# Only give access to recursion clients from LAN IPs |
||||||
|
access-control: 127.0.0.1/32 allow |
||||||
|
access-control: 192.168.0.0/16 allow |
||||||
|
access-control: 172.16.0.0/12 allow |
||||||
|
access-control: 10.0.0.0/8 allow |
||||||
|
# access-control: fc00::/7 allow |
||||||
|
# access-control: ::1/128 allow |
||||||
|
|
||||||
|
# File with trust anchor for one zone, which is tracked with RFC5011 |
||||||
|
# probes. |
||||||
|
auto-trust-anchor-file: "var/root.key" |
||||||
|
|
||||||
|
# Enable chroot (i.e, change apparent root directory for the current |
||||||
|
# running process and its children) |
||||||
|
chroot: "/opt/unbound/etc/unbound" |
||||||
|
|
||||||
|
# Deny queries of type ANY with an empty response. |
||||||
|
deny-any: yes |
||||||
|
|
||||||
|
# Harden against algorithm downgrade when multiple algorithms are |
||||||
|
# advertised in the DS record. |
||||||
|
harden-algo-downgrade: yes |
||||||
|
|
||||||
|
# RFC 8020. returns nxdomain to queries for a name below another name that |
||||||
|
# is already known to be nxdomain. |
||||||
|
harden-below-nxdomain: yes |
||||||
|
|
||||||
|
# Require DNSSEC data for trust-anchored zones, if such data is absent, the |
||||||
|
# zone becomes bogus. If turned off you run the risk of a downgrade attack |
||||||
|
# that disables security for a zone. |
||||||
|
harden-dnssec-stripped: yes |
||||||
|
|
||||||
|
# Only trust glue if it is within the servers authority. |
||||||
|
harden-glue: yes |
||||||
|
|
||||||
|
# Ignore very large queries. |
||||||
|
harden-large-queries: yes |
||||||
|
|
||||||
|
# Perform additional queries for infrastructure data to harden the referral |
||||||
|
# path. Validates the replies if trust anchors are configured and the zones |
||||||
|
# are signed. This enforces DNSSEC validation on nameserver NS sets and the |
||||||
|
# nameserver addresses that are encountered on the referral path to the |
||||||
|
# answer. Experimental option. |
||||||
|
harden-referral-path: no |
||||||
|
|
||||||
|
# Ignore very small EDNS buffer sizes from queries. |
||||||
|
harden-short-bufsize: yes |
||||||
|
|
||||||
|
# Refuse id.server and hostname.bind queries |
||||||
|
hide-identity: yes |
||||||
|
|
||||||
|
# Refuse version.server and version.bind queries |
||||||
|
hide-version: yes |
||||||
|
|
||||||
|
# Report this identity rather than the hostname of the server. |
||||||
|
identity: "DNS" |
||||||
|
|
||||||
|
# These private network addresses are not allowed to be returned for public |
||||||
|
# internet names. Any occurrence of such addresses are removed from DNS |
||||||
|
# answers. Additionally, the DNSSEC validator may mark the answers bogus. |
||||||
|
# This protects against DNS Rebinding |
||||||
|
private-address: 10.0.0.0/8 |
||||||
|
private-address: 172.16.0.0/12 |
||||||
|
private-address: 192.168.0.0/16 |
||||||
|
private-address: 169.254.0.0/16 |
||||||
|
# private-address: fd00::/8 |
||||||
|
# private-address: fe80::/10 |
||||||
|
# private-address: ::ffff:0:0/96 |
||||||
|
|
||||||
|
# Enable ratelimiting of queries (per second) sent to nameserver for |
||||||
|
# performing recursion. More queries are turned away with an error |
||||||
|
# (servfail). This stops recursive floods (e.g., random query names), but |
||||||
|
# not spoofed reflection floods. Cached responses are not rate limited by |
||||||
|
# this setting. Experimental option. |
||||||
|
ratelimit: 1000 |
||||||
|
|
||||||
|
# Use this certificate bundle for authenticating connections made to |
||||||
|
# outside peers (e.g., auth-zone urls, DNS over TLS connections). |
||||||
|
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt |
||||||
|
|
||||||
|
# Set the total number of unwanted replies to eep track of in every thread. |
||||||
|
# When it reaches the threshold, a defensive action of clearing the rrset |
||||||
|
# and message caches is taken, hopefully flushing away any poison. |
||||||
|
# Unbound suggests a value of 10 million. |
||||||
|
unwanted-reply-threshold: 10000 |
||||||
|
|
||||||
|
# Use 0x20-encoded random bits in the query to foil spoof attempts. This |
||||||
|
# perturbs the lowercase and uppercase of query names sent to authority |
||||||
|
# servers and checks if the reply still has the correct casing. |
||||||
|
# This feature is an experimental implementation of draft dns-0x20. |
||||||
|
# Experimental option. |
||||||
|
use-caps-for-id: yes |
||||||
|
|
||||||
|
# Help protect users that rely on this validator for authentication from |
||||||
|
# potentially bad data in the additional section. Instruct the validator to |
||||||
|
# remove data from the additional section of secure messages that are not |
||||||
|
# signed properly. Messages that are insecure, bogus, indeterminate or |
||||||
|
# unchecked are not affected. |
||||||
|
val-clean-additional: yes |
||||||
|
|
||||||
|
########################################################################### |
||||||
|
# PERFORMANCE SETTINGS |
||||||
|
########################################################################### |
||||||
|
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/ |
||||||
|
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ |
||||||
|
|
||||||
|
# Number of slabs in the infrastructure cache. Slabs reduce lock contention |
||||||
|
# by threads. Must be set to a power of 2. |
||||||
|
infra-cache-slabs: 2 |
||||||
|
|
||||||
|
# Number of incoming TCP buffers to allocate per thread. Default |
||||||
|
# is 10. If set to 0, or if do-tcp is "no", no TCP queries from |
||||||
|
# clients are accepted. For larger installations increasing this |
||||||
|
# value is a good idea. |
||||||
|
incoming-num-tcp: 10 |
||||||
|
|
||||||
|
# Number of slabs in the key cache. Slabs reduce lock contention by |
||||||
|
# threads. Must be set to a power of 2. Setting (close) to the number |
||||||
|
# of cpus is a reasonable guess. |
||||||
|
key-cache-slabs: 2 |
||||||
|
|
||||||
|
# Number of bytes size of the message cache. |
||||||
|
# Unbound recommendation is to Use roughly twice as much rrset cache memory |
||||||
|
# as you use msg cache memory. |
||||||
|
msg-cache-size: 165713237 |
||||||
|
|
||||||
|
# Number of slabs in the message cache. Slabs reduce lock contention by |
||||||
|
# threads. Must be set to a power of 2. Setting (close) to the number of |
||||||
|
# cpus is a reasonable guess. |
||||||
|
msg-cache-slabs: 2 |
||||||
|
|
||||||
|
# The number of queries that every thread will service simultaneously. If |
||||||
|
# more queries arrive that need servicing, and no queries can be jostled |
||||||
|
# out (see jostle-timeout), then the queries are dropped. |
||||||
|
# This is best set at half the number of the outgoing-range. |
||||||
|
# This Unbound instance was compiled with libevent so it can efficiently |
||||||
|
# use more than 1024 file descriptors. |
||||||
|
num-queries-per-thread: 4096 |
||||||
|
|
||||||
|
# The number of threads to create to serve clients. |
||||||
|
# This is set dynamically at run time to effectively use available CPUs |
||||||
|
# resources |
||||||
|
num-threads: 1 |
||||||
|
|
||||||
|
# Number of ports to open. This number of file descriptors can be opened |
||||||
|
# per thread. |
||||||
|
# This Unbound instance was compiled with libevent so it can efficiently |
||||||
|
# use more than 1024 file descriptors. |
||||||
|
outgoing-range: 8192 |
||||||
|
|
||||||
|
# Number of bytes size of the RRset cache. |
||||||
|
# Use roughly twice as much rrset cache memory as msg cache memory |
||||||
|
rrset-cache-size: 331426474 |
||||||
|
|
||||||
|
# Number of slabs in the RRset cache. Slabs reduce lock contention by |
||||||
|
# threads. Must be set to a power of 2. |
||||||
|
rrset-cache-slabs: 2 |
||||||
|
|
||||||
|
# Do no insert authority/additional sections into response messages when |
||||||
|
# those sections are not required. This reduces response size |
||||||
|
# significantly, and may avoid TCP fallback for some responses. This may |
||||||
|
# cause a slight speedup. |
||||||
|
minimal-responses: yes |
||||||
|
|
||||||
|
# # Fetch the DNSKEYs earlier in the validation process, when a DS record |
||||||
|
# is encountered. This lowers the latency of requests at the expense of |
||||||
|
# little more CPU usage. |
||||||
|
prefetch: yes |
||||||
|
|
||||||
|
# Fetch the DNSKEYs earlier in the validation process, when a DS record is |
||||||
|
# encountered. This lowers the latency of requests at the expense of little |
||||||
|
# more CPU usage. |
||||||
|
prefetch-key: yes |
||||||
|
|
||||||
|
# Have unbound attempt to serve old responses from cache with a TTL of 0 in |
||||||
|
# the response without waiting for the actual resolution to finish. The |
||||||
|
# actual resolution answer ends up in the cache later on. |
||||||
|
serve-expired: yes |
||||||
|
|
||||||
|
# Open dedicated listening sockets for incoming queries for each thread and |
||||||
|
# try to set the SO_REUSEPORT socket option on each socket. May distribute |
||||||
|
# incoming queries to threads more evenly. |
||||||
|
so-reuseport: yes |
||||||
|
|
||||||
|
########################################################################### |
||||||
|
# LOCAL ZONE |
||||||
|
########################################################################### |
||||||
|
|
||||||
|
# Include file for local-data and local-data-ptr |
||||||
|
include: /opt/unbound/etc/unbound/a-records.conf |
||||||
|
include: /opt/unbound/etc/unbound/srv-records.conf |
||||||
|
|
||||||
|
########################################################################### |
||||||
|
# FORWARD ZONE |
||||||
|
########################################################################### |
||||||
|
|
||||||
|
include: /opt/unbound/etc/unbound/forward-records.conf |
||||||
|
|
||||||
|
auth-zone: |
||||||
|
name: "." |
||||||
|
url: "https://www.internic.net/domain/root.zone" |
||||||
|
fallback-enabled: yes |
||||||
|
for-downstream: no |
||||||
|
for-upstream: yes |
||||||
|
zonefile: "var/root.zone" |
||||||
|
|
||||||
|
remote-control: |
||||||
|
control-enable: no |
@ -0,0 +1 @@ |
|||||||
|
1 |
Loading…
Reference in new issue