Commit 058ebb61 authored by Shawn Webb's avatar Shawn Webb
Browse files

Add raw unbound config and update the article's config


Signed-off-by: Shawn Webb's avatarShawn Webb <shawn.webb@hardenedbsd.org>
parent 15008728
......@@ -348,10 +348,12 @@ server:
verbosity: 1
interface: 0.0.0.0
interface: ::0
#logfile: "unbound.log"
use-syslog: yes
log-identity: "dns-01.ip6.home.lan_unbound"
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
log-servfail: yes
access-control: 192.168.99.0/24 allow
access-control: 2001:470:e1e1::/48 allow
......@@ -394,7 +396,6 @@ include: /var/unbound/local-void.zones
# Disable DoH/DoT
local-zone: "use-application-dns.net." static
# Note: I'm intentionally leaving out the home.lan file.
include: /usr/local/etc/unbound/zones/home.lan
```
......
server:
logfile: "unbound.log"
verbosity: 1
interface: 0.0.0.0
interface: ::0
use-syslog: yes
log-identity: "dns-01.ip6.home.lan_unbound"
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
log-servfail: yes
access-control: 192.168.99.0/24 allow
access-control: 2001:470:e1e1::/48 allow
###########################
#### Generic hardening ####
###########################
harden-algo-downgrade: yes
harden-glue: yes
harden-referral-path: yes
harden-short-bufsize: yes
hide-identity: yes
hide-version: yes
use-caps-for-id: no
ignore-cd-flag: yes
###################################
#### Validator-based hardening ####
###################################
val-clean-additional: yes
val-permissive-mode: no
#################################################################
#### Prevent DNS rebinding attacks by stripping private IPs #####
#################################################################
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
unwanted-reply-threshold: 10000000
module-config: "validator iterator"
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
include: /var/unbound/local-void.zones
# Disable DoH/DoT
local-zone: "use-application-dns.net." static
include: /usr/local/etc/unbound/zones/home.lan
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment