-
Notifications
You must be signed in to change notification settings - Fork 3
/
unbound.conf
57 lines (45 loc) · 1.61 KB
/
unbound.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
server:
# Blindly following https://nlnetlabs.nl/documentation/unbound/howto-optimise/
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
infra-cache-slabs: 1
key-cache-slabs: 1
# Targeting ~1.5Gi of free RAM right-after-reboot
rrset-cache-size: 410m
msg-cache-size: 205m
# Well, we have one core...
outgoing-range: 950
num-queries-per-thread: 475
so-rcvbuf: 4m
so-sndbuf: 4m
so-reuseport: yes
# </howto-optimise>
auto-trust-anchor-file: "/var/lib/unbound/root.key"
use-syslog: no
logfile: "/srv/kabysdoh/unbound.log"
# Going throuh https://nlnetlabs.nl/documentation/unbound/unbound.conf/ and changing defaults:
statistics-interval: 3600
statistics-cumulative: no
outgoing-port-permit: 1024-60999
cache-min-ttl: 5 # like https://knot-resolver.readthedocs.io/en/v5.2.1/daemon-bindings-cache.html#cache.min_ttl
tls-service-key: "/srv/kabysdoh/ssl/privkey.pem"
tls-service-pem: "/srv/kabysdoh/ssl/fullchain.pem"
https-port: 443
tls-port: 853
interface: 0.0.0.0@443
interface: ::@443
interface: 0.0.0.0@853
interface: ::@853
# that's ~okay for TLS
access-control: 0.0.0.0/0 allow
access-control: ::/0 allow
prefetch: yes
prefetch-key: yes
# kabysdoh plugin essence. Unfortunately `private-address` or `Response Policy Zone` are
# not enough as some CDNs need fake IP addresses being returned. Sigh. IT is doomed.
send-client-subnet: 0.0.0.0/0
send-client-subnet: ::/0
module-config: "subnetcache python validator iterator"
python:
python-script: "/opt/kabysdoh.py"