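# Unbound DNS configuration for the Nebula overlay network
# Deployed by Ansible - do not edit manually (change the template instead)
#
# Role: caching forwarder for hosts on the overlay. It listens only on
# loopback and the Nebula interface, answers only loopback/overlay clients,
# serves the local zones from the included file, and forwards everything
# else to public resolvers over DNS-over-TLS.

server:
    # Network settings - bind to loopback and the Nebula interface only.
    # The second address is filled in from the inventory when the template
    # renders; rendering fails if hostvars['dns']['nebula_ip'] is undefined,
    # which is preferable to silently binding nowhere.
    interface: 127.0.0.1
    interface: {{ hostvars['dns']['nebula_ip'] }}
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Access control - answer loopback and Nebula clients only.
    # NOTE(review): the Nebula CIDR is hard-coded while the listen address
    # above is templated; if the overlay moves to another range this allow
    # line must change in step or overlay clients are refused.
    # The final refuse matches Unbound's default for unlisted sources; it is
    # kept explicit so the intent survives future edits.
    access-control: 127.0.0.0/8 allow
    access-control: 10.10.10.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Performance tuning
    num-threads: 2
    msg-cache-size: 16m
    rrset-cache-size: 32m
    # cache-min-ttl raises any upstream TTL below 300s to 300s. This cuts
    # upstream traffic, but records that are rotated or revoked with a short
    # TTL (failover names, validation records) stay cached for up to five
    # minutes after their owner changed them.
    cache-min-ttl: 300
    cache-max-ttl: 86400

    # Privacy - do not reveal the server identity or version via CHAOS-class
    # queries (id.server / version.bind and friends)
    hide-identity: yes
    hide-version: yes

    # Security hardening
    harden-glue: yes
    # harden-dnssec-stripped only affects data below a configured trust
    # anchor. NOTE(review): no auto-trust-anchor-file is set in this file,
    # so validation is effectively off unless the included file or a packaged
    # snippet provides one - confirm on a target host with
    # `unbound-checkconf -o auto-trust-anchor-file`.
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes

    # Upstream transport: queries to the forwarders in the forward-zone
    # below go over DNS-over-TLS, and the upstream certificate is verified
    # against the system CA store, so queries leaving the overlay are not
    # readable or spoofable on the path to the resolver.
    # Requires outbound TCP/853 from this host and an Unbound build that
    # supports tls-system-cert (see `man unbound.conf` on the target);
    # older builds must use tls-cert-bundle: "<path to CA bundle>" instead.
    tls-system-cert: yes

    # Rate limiting - per-client-address limit, in queries per second
    ip-ratelimit: 100

    # Logging - syslog only; the empty logfile value disables file logging
    verbosity: 1
    logfile: ""
    use-syslog: yes

    # Include local zone definitions
    include: /etc/unbound/local-zones.conf

# Forward all external queries to public resolvers over DNS-over-TLS
# (port 853). The #name suffix is the authentication name the upstream
# certificate is checked against; without it only the CA chain would be
# verified, not the identity of the server answering.
# Cloudflare first (lowest latency from here - the site sits behind their
# proxy), Google as fallback.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google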