computing:unbounddns

computing:unbounddns [2025/04/04 03:23] oemb1905computing:unbounddns [2025/05/04 06:01] (current) oemb1905
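--- a/computing:unbounddns
+++ b/computing:unbounddns
@@ -136,5 +136,162 @@
       do-udp: yes
 
-Then, just add ''nameserver 127.0.0.1'' to /etc/resolv.conf. This latter step only works on classic/minimal Debian. Use netplan properly and/or resolvconf package and the correct ''.d'' directory if not using proper DNS management.
+Then, just add ''nameserver 127.0.0.1'' to /etc/resolv.conf. This latter step only works on classic/minimal Debian. Use netplan properly and/or resolvconf package and the correct ''.d'' directory if not using proper DNS management.The latest wan-based is:
+
+  include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
+  server:
+    # Bind to localhost only
+    interface: 127.0.0.1
+    interface: ::1
+    port: 53
+    do-ip4: yes
+    do-ip6: yes
+    prefer-ip6: yes
+    access-control: 127.0.0.0/8 allow
+    access-control: 0.0.0.0/0 refuse
+    access-control: ::0/0 refuse
+    # Optimize for 8 cores
+    num-threads:
+    msg-cache-slabs:
+    rrset-cache-slabs:
+    infra-cache-slabs:
+    key-cache-slabs:
+    # Cache settings for high query volume
+    cache-max-ttl: 86400
+    cache-min-ttl: 3600
+    rrset-cache-size: 128m
+    msg-cache-size: 64m
+    key-cache-size: 32m
+    neg-cache-size: 8m
+    # Enable prefetch and expired responses
+    prefetch: yes
+    prefetch-key: yes
+    serve-expired: yes
+    serve-expired-ttl: 3600
+    # DNSSEC validation for DANE
+    #do-dnssec: yes
+    harden-dnssec-stripped: yes
+    harden-referral-path: yes
+    harden-below-nxdomain: yes
+    harden-algo-downgrade: no
+    # Performance tweaks
+    #so-rcvbuf: 4m
+    #so-sndbuf: 4m
+    edns-buffer-size: 1232
+    outgoing-range: 4096
+    num-queries-per-thread: 1024
+    jostle-timeout: 200
+    #low-resolver-mem: no
+    # Logging (minimal)
+    verbosity: 1
+    log-queries: no
+    log-replies: no
+    use-syslog: yes
+    # Security and privacy
+    hide-identity: yes
+    hide-version: yes
+    use-caps-for-id: yes
+    qname-minimisation: yes
+    harden-large-queries: yes
+    harden-glue: yes
+    aggressive-nsec: yes
+    # Protocol settings
+    do-tcp: yes
+    do-udp: yes
+    # Enable full recursion - no longer needed, retained for history
+    # do-not-query-localhost: no
+    # root-hints: "/usr/share/dns/root.hints"
+    # Disable subnetcache
+    module-config: "validator iterator"
+    # Forward to upstream resolvers
+    # forward-zone:
+    #    name: "."
+    #    forward-addr: 1.1.1.1  # Cloudflare
+    #    forward-addr: 8.8.8.8  # Google
+    #legacy
+    #server:
+    #    interface: 127.0.0.1
+    #    cache-max-ttl: 14400
+    #    cache-min-ttl: 1200
+    #    num-threads:
+    #    msg-cache-slabs:
+    #    rrset-cache-slabs:
+    #    infra-cache-slabs:
+    #    key-cache-slabs:
+    #    rrset-cache-size: 256m
+    #    msg-cache-size: 128m
+    #    #prefetch: yes
+    #    harden-dnssec-stripped: yes
+    #    use-syslog: yes
+    #    aggressive-nsec: yes
+    #    hide-identity: yes
+    #    hide-version: yes
+    #    use-caps-for-id: yes
+    #    do-tcp: yes
+    #    do-udp: yes
+    #    do-ip4: yes
+    #    do-ip6: yes
+    #    prefer-ip6: no
+
+And now, the current lan-based config, in ''sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf'' is:
+
+  server:
+    # Logging (minimal)
+    use-syslog: yes
+    verbosity: 1
+    directory: "/etc/unbound"
+    username: unbound
+    # Bind to all interfaces, non-standard port
+    interface: 0.0.0.0
+    interface: ::0
+    port: 5335
+    do-ip4: yes
+    do-ip6: yes
+    prefer-ip6: no
+    do-udp: yes
+    do-tcp: yes
+    # Module configuration
+    module-config: "validator iterator"
+    # Security and DNSSEC
+    harden-glue: yes
+    harden-dnssec-stripped: yes
+    use-caps-for-id: no
+    aggressive-nsec: yes
+    hide-identity: yes
+    hide-version: yes
+    qname-minimisation: yes
+    harden-large-queries: yes
+    # Cache settings
+    cache-max-ttl: 86400
+    cache-min-ttl: 3600
+    rrset-cache-size: 256m
+    msg-cache-size: 128m
+    key-cache-size: 64m
+    neg-cache-size: 16m
+    # Performance tweaks
+    num-threads:
+    msg-cache-slabs:
+    rrset-cache-slabs:
+    infra-cache-slabs:
+    key-cache-slabs:
+    outgoing-range: 4096
+    num-queries-per-thread: 1024
+    infra-cache-numhosts: 10000
+    prefetch: yes
+    prefetch-key: yes
+    serve-expired: yes
+    serve-expired-ttl: 3600
+    so-reuseport: yes
+    edns-buffer-size: 4096
+    # Block private address ranges (excluding own subnets)
+    private-address: 192.168.0.0/16
+    private-address: 169.254.0.0/16
+    private-address: 172.16.0.0/12
+    private-address: fd00::/8
+    private-address: fe80::/10
+    # Access control for LAN and VPN subnets
+    access-control: 127.0.0.1/32 allow
+    access-control: ::1 allow
+    access-control: 10.67.67.0/24 allow
+    access-control: 10.99.99.0/24 allow
 
  --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/04/04 03:20//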
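Review bot: The `num-threads:`, `msg-cache-slabs:`, `rrset-cache-slabs:`, `infra-cache-slabs:` and `key-cache-slabs:` lines are empty in both new server blocks (under "Optimize for 8 cores" in the WAN block and under "Performance tweaks" in the LAN block); Unbound's config grammar expects a value after each of these, so a reader pasting either block as shown should expect `unbound-checkconf` to reject it, and if the wiki rendering stripped the numbers they should be restored (the comment points at `num-threads: 8`, with each slab count a power of two close to the thread count). In the WAN block, `interface: ::1` is bound but the access list only allows `127.0.0.0/8` and then refuses `::0/0`; unless Unbound's built-in localhost allowances still apply beneath that explicit refuse, queries arriving on the IPv6 loopback listener would be answered REFUSED, so adding `access-control: ::1 allow` as the LAN block already does is the safer form. The LAN block's `interface: 0.0.0.0` / `interface: ::0` puts the port-5335 listener on every interface of the host and relies on the access list alone to turn away anything outside 10.67.67.0/24 and 10.99.99.0/24; binding only to the LAN and VPN addresses, or filtering 5335 at the host firewall, keeps the listener off any upstream-facing interface as defence in depth. Minor: the new prose on the first changed line reads `management.The latest wan-based is:` and is missing a space.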
computing/unbounddns.1743736981.txt.gz · Last modified: 2025/04/04 03:23 by oemb1905