d3dc6c74d8
- Unbound ran as `nonrootuser` - Readme updated - auth.conf replaced by `USER` and `PASSWORD` env variables - Removed Nginx section from readme for now - Reworked entrypoint with more checks - Malicious IPs and hostnames building is done at Docker build to gain time at launch - docker-compose updated to reflect changes
58 lines
1.3 KiB
Plaintext
58 lines
1.3 KiB
Plaintext
server:
|
|
# See https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
|
|
# logging
|
|
verbosity: 0
|
|
val-log-level: 0
|
|
use-syslog: yes
|
|
|
|
# performance
|
|
num-threads: 1
|
|
prefetch: yes
|
|
prefetch-key: yes
|
|
key-cache-size: 16m
|
|
key-cache-slabs: 4
|
|
msg-cache-size: 4m
|
|
msg-cache-slabs: 4
|
|
rrset-cache-size: 4m
|
|
rrset-cache-slabs: 4
|
|
cache-min-ttl: 3600
|
|
cache-max-ttl: 9000
|
|
|
|
# privacy
|
|
rrset-roundrobin: yes
|
|
hide-identity: yes
|
|
hide-version: yes
|
|
|
|
# security
|
|
root-hints: "/etc/unbound/root.hints"
|
|
trust-anchor-file: "/etc/unbound/root.key"
|
|
harden-below-nxdomain: yes
|
|
harden-referral-path: yes
|
|
harden-algo-downgrade: yes
|
|
# set above to no if there is any problem
|
|
# Prevent DNS rebinding
|
|
private-address: 127.0.0.1/8
|
|
private-address: 10.0.0.0/8
|
|
private-address: 172.16.0.0/12
|
|
private-address: 192.168.0.0/16
|
|
private-address: 169.254.0.0/16
|
|
private-address: ::1/128
|
|
private-address: fc00::/7
|
|
private-address: fe80::/10
|
|
private-address: ::ffff:0:0/96
|
|
|
|
# network
|
|
do-ip4: yes
|
|
do-ip6: no
|
|
interface: 127.0.0.1
|
|
port: 53
|
|
username: "nonrootuser"
|
|
|
|
# other files
|
|
include: "/etc/unbound/blocks-malicious.conf"
|
|
forward-zone:
|
|
name: "."
|
|
forward-addr: 1.1.1.1@853#cloudflare-dns.com
|
|
forward-addr: 1.0.0.1@853#cloudflare-dns.com
|
|
forward-tls-upstream: yes
|