b73ad75cde
- Multi stage build - Download and checks Unbound Root anchors - Download and build malicious hostnames block list for Unbound - Healthcheck only based on the current IP being different from the initial IP - IPv6 related completely removed - Multiple checks at launch with $? - Launch openvpn as root (can't change user) - Unbound configured with DNS SEC for DNS over TLS
46 lines
976 B
Plaintext
46 lines
976 B
Plaintext
server:
|
|
# See https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
|
|
# logging
|
|
verbosity: 0
|
|
val-log-level: 2
|
|
use-syslog: no
|
|
|
|
# performance
|
|
num-threads: 1
|
|
prefetch: yes
|
|
prefetch-key: yes
|
|
key-cache-size: 16m
|
|
key-cache-slabs: 4
|
|
msg-cache-size: 4m
|
|
msg-cache-slabs: 4
|
|
rrset-cache-size: 4m
|
|
rrset-cache-slabs: 4
|
|
cache-min-ttl: 3600
|
|
cache-max-ttl: 9000
|
|
|
|
# privacy
|
|
rrset-roundrobin: yes
|
|
hide-identity: yes
|
|
hide-version: yes
|
|
|
|
# security
|
|
root-hints: "/etc/unbound/root.hints"
|
|
trust-anchor-file: "/etc/unbound/root.key"
|
|
harden-below-nxdomain: yes
|
|
harden-referral-path: yes
|
|
harden-algo-downgrade: yes
|
|
# set above to no if there is any problem
|
|
|
|
# network
|
|
do-ip4: yes
|
|
do-ip6: no
|
|
interface: 127.0.0.1
|
|
|
|
# other files
|
|
include: "/etc/unbound/blocks-malicious.conf"
|
|
forward-zone:
|
|
name: "."
|
|
forward-addr: 1.1.1.1@853#cloudflare-dns.com
|
|
forward-addr: 1.0.0.1@853#cloudflare-dns.com
|
|
forward-tls-upstream: yes
|