# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
# Listen on the LAN address and on IPv4 loopback only. The IPv6 listener
# below is commented out and do-ip6 turns off IPv6 transport altogether.
interface: 10.0.0.1 # treebeard setting
interface: 127.0.0.1
#interface: 127.0.0.1@5353 # listen on alternative port
#interface: ::1
do-ip6: no

# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
#outgoing-interface: 192.0.2.1
#outgoing-interface: 2001:db8::53

# treebeard:
# Only the 10.0.0.0/24 LAN and loopback may query; every other source is
# refused. Per unbound.conf(5) the most specific netblock wins, so the
# order of these lines is not significant. The ::/0 and ::1 entries are
# harmless but presumably unused while do-ip6 is "no".
access-control: 10.0.0.0/24 allow
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow

# Refuse id.server/hostname.bind and version.server/version.bind (CH TXT)
# probes, see unbound.conf(5).
hide-identity: yes
hide-version: yes

# Perform DNSSEC validation.
# The root trust anchor is maintained automatically (RFC 5011 key
# rollover); val-log-level 2 logs each validation failure together with
# the reason, which is what you want when debugging a broken forwarder.
#
auto-trust-anchor-file: "/var/unbound/db/root.key"
val-log-level: 2

# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
#
aggressive-nsec: yes

# treebeard: reverse dns zone
# "static": names under 0.0.10.in-addr.arpa. are answered only from the
# local-data below and everything else gets NXDOMAIN, so reverse lookups
# for the private 10.0.0.0/24 range are never sent to the forwarders.
# (unbound's built-in default zones already cover 10.in-addr.arpa. the
# same way; this line mainly documents the intent.)
local-zone: "0.0.10.in-addr.arpa." static

# treebeard: .home.arpa name resolution
# No need to set local-zone for the home.arpa zone since it is a default
# zone:
# home.arpa.
# See man unbound.conf
# Each host gets a forward A record and a matching PTR; the PTRs fall
# under the static reverse zone declared above.
local-data: "treebeard.home.arpa. IN A 10.0.0.1"
local-data-ptr: "10.0.0.1 treebeard.home.arpa"
local-data: "phobos2.home.arpa. IN A 10.0.0.144"
local-data-ptr: "10.0.0.144 phobos2.home.arpa"

# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#
#tcp-upstream: yes

# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification. Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
#tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
# Control channel on a local unix socket rather than a TCP port: nothing
# listens on the network for unbound-control, and who may use it is
# governed by the ownership and mode of the socket path.
control-enable: yes
control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
# name: "." # use for ALL queries
# forward-addr: 192.0.2.53 # example address only
# forward-first: yes # try direct if forwarder fails

forward-zone: # treebeard:
# Every query not answered from local-data goes to these two public
# resolvers over plain DNS (no forward-tls-upstream here; compare the
# DNS-over-TLS example below), so the queries themselves are visible to
# anyone on the path. Answers are still DNSSEC-validated locally because
# of auto-trust-anchor-file in the server clause.
name: "." # treebeard: use for ALL queries
forward-addr: 64.6.64.6 # treebeard: verisign
forward-addr: 94.75.228.29 # treebeard: ccc
# When forwarding fails, unbound resolves the query itself from the
# authoritative servers instead of returning SERVFAIL.
forward-first: yes # treebeard: try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
#forward-zone:
# name: "."
# forward-tls-upstream: yes # use DNS-over-TLS forwarder
# forward-first: no # do NOT send direct
# # the hostname after "#" is not a comment, it is used for TLS checks:
# forward-addr: 192.0.2.53@853#resolver.hostname.example