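server:
    # Listen on loopback only, non-standard port 48. Presumably a DoH/DoT
    # front end on the same host forwards to this resolver — confirm before
    # exposing the port any wider.
    interface: 127.0.0.1@48
    interface: ::1@48

    # Only loopback may query. Uncommenting the 0.0.0.0/0 / ::/0 lines turns
    # this into an open resolver; keep them commented unless a rate-limited
    # front end is the only way in.
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    #access-control: 0.0.0.0/0 allow
    #access-control: ::/0 allow

    prefer-ip6: yes
    # msec to keep timed-out UDP ports briefly so late upstream replies do not
    # bounce off closed ports.
    delay-close: 1500
    do-ip4: yes
    do-ip6: yes
    do-tcp: yes
    do-udp: yes
    # Allows upstream queries to 127.0.0.0/8 and ::1 — presumably for a local
    # forwarder or stub zone on loopback; TODO confirm, otherwise set to yes.
    do-not-query-localhost: no

    verbosity: 0
    log-time-ascii: no
    # With this off, SERVFAIL reasons (including DNSSEC validation failures)
    # are not logged; enable it when troubleshooting bogus answers.
    log-servfail: no
    # Forward EDNS Client Subnet from incoming queries. Only meaningful when
    # the subnetcache module and send-client-subnet are configured; note it
    # exposes client subnets to upstream authoritatives.
    client-subnet-always-forward: yes
    aggressive-nsec: yes # synthesize NXDOMAIN from cached NSEC/NSEC3 (RFC 8198)
    # Answers from trust-anchored zones that arrive without DNSSEC records are
    # treated as bogus rather than insecure. Setting 'no' does not disable
    # validation; it lets a stripping upstream downgrade the zone to insecure.
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: yes # 0x20 case randomisation against spoofed replies
    qname-minimisation: yes
    qname-minimisation-strict: no # strict mode breaks some misbehaving authoritatives
    so-reuseport: yes # only matters with num-threads > 1
    minimal-responses: yes
    deny-any: yes # refuse ANY queries (amplification vector)

    rrset-roundrobin: yes
    prefetch: yes
    prefetch-key: yes

    # Stale answers may be served for up to a day when upstream cannot be
    # reached; bound by serve-expired-ttl.
    serve-expired: yes
    serve-expired-ttl: 86400 # max 1 day
    #serve-expired-ttl-reset: no

    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes
    edns-tcp-keepalive: yes
    # Value is in msec: 12000 is 12 sec, not 2 min (unbound's default is
    # 120000 = 2 min).
    #edns-tcp-keepalive-timeout: 12000
    #tcp-idle-timeout: 30000 # 30 sec

    num-threads: 1
    # Slab counts should be a power of two close to num-threads.
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    key-cache-slabs: 1
    infra-cache-slabs: 1

    msg-cache-size: 54m # default 4m
    rrset-cache-size: 108m # rrset=msg*2 # default 4m
    key-cache-size: 54m # default 4m
    # neg-cache-size was declared twice in this file (27m, then 25m further
    # down). Unbound keeps the last occurrence, so 25m was the effective value
    # and is the one kept here.
    neg-cache-size: 25m # default 1m
    # (was also repeated further down with the same value; merged here)
    infra-cache-numhosts: 50000
    # dnscrypt-shared-secret-cache-size: 13m # default 4m
    # dnscrypt-nonce-cache-size: 13m # default 4m

    outgoing-range: 4096
    incoming-num-tcp: 100
    outgoing-num-tcp: 100

    # Flush the cache after this many unwanted (spoof-like) replies; 10M is the
    # value suggested in the unbound.conf man page.
    unwanted-reply-threshold: 10000000
    # Floors TTLs at 90 s, so records can be served past their authoritative
    # TTL.
    cache-min-ttl: 90
    cache-max-ttl: 900
    infra-host-ttl: 3600
    val-bogus-ttl: 120
    # Time to live maximum for negative responses; these have a SOA in the
    # authority section that is limited in time. Default is 3600. This applies
    # to nxdomain and nodata answers.
    cache-max-negative-ttl: 10

    # RFC 5011 managed root trust anchor; the file must be writable by the
    # unbound user so key rollovers can be recorded.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Reference: https://github.com/publicarray/dns-resolver-infra/blob/master/unbound/unbound.conf

    # Local-only suffixes: answered locally (NXDOMAIN/NODATA) instead of being
    # sent upstream, so internal names do not leak.
    local-zone: example. static
    local-zone: local. static
    local-zone: i2p. static
    local-zone: home. static
    local-zone: zghjccbob3n0. static
    local-zone: dhcp. static
    local-zone: lan. static
    local-zone: localdomain. static
    local-zone: ip. static
    local-zone: internal. static
    local-zone: openstacklocal. static
    local-zone: dlink. static
    local-zone: gateway. static
    local-zone: corp. static
    local-zone: workgroup. static
    local-zone: belkin. static
    local-zone: davolink. static
    local-zone: z. static
    local-zone: domain. static
    local-zone: virtualmin. static

    # DNS rebinding protection: public-name answers containing these addresses
    # have them stripped (use private-domain to exempt an internal zone).
    private-address: 0.0.0.0/8 # Should not be on the Internet (only valid as source address)
    private-address: 10.0.0.0/8 # Private networks
    private-address: 127.0.0.0/8 # Loopback, spam-blocklists (RBL) (https://www.dnsbl.info/) e.g. "dig +short 0.0.0.0.zen.spamhaus.org" will stop working (https://www.spamhaus.org/zen/, https://www.spamhaus.org/faq/section/DNSBL%20Usage#202)
    private-address: 169.254.0.0/16 # link-local (networks without DHCP)
    private-address: 172.16.0.0/12 # Private networks
    private-address: 192.168.0.0/16 # Private networks
    private-address: 255.255.255.255/32 # Broadcast destination
    ## IPv6
    private-address: ::/128 # Unspecified addresses (only valid as source address)
    private-address: ::1/128 # Loopback
    private-address: 2001:db8::/32 # Documentation addresses used for documentation purposes such as user manuals, RFCs, etc. (RFC3849)
    # private-address: ::ffff:0:0/96 # IPv4-mapped IPv6 addresses (deprecated and should not be on the public internet) (blocks potentially valid addresses / gives wrong result from DNS Benchmark)
    private-address: fe80::/10 # IP address autoconfiguration (link-local unicast, Private network)
    private-address: fc00::/7 # Unique Local Addresses (Private network)
    # private-address: fec0::/10 # Deprecated site-local networks
    # private-address: 2002::/16 # 6to4 (deprecated)
    # private-address: 64:ff9b::/96 # 6to4 "Well-Known" Prefix
    # private-address: 2001::/32 # Teredo
    private-address: 2001:10::/28 # ORCHID
    # private-address: ff00::/8 # Multicast
    ## Selected IPv4 mapped addresses from IPv4 above (fixes potentially wrong result from DNS Benchmark if blocking all of ::ffff:0:0/96)
    private-address: ::ffff:0.0.0.0/120 # Private IPv4-mapped addresses
    private-address: ::ffff:10.0.0.0/120 # Private IPv4-mapped addresses
    private-address: ::ffff:127.0.0.1/120 # Loopback IPv4-mapped addresses, spam-blocklists (RBL)
    private-address: ::ffff:169.254.0.0/112 # Link-local IPv4-mapped addresses
    private-address: ::ffff:172.16.0.0/116 # Private IPv4-mapped addresses
    private-address: ::ffff:192.168.0.0/112 # Private IPv4-mapped addresses
    private-address: ::ffff:255.255.255.255/128 # Broadcast IPv4-mapped addresses
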