├── .gitignore
├── README.md
├── remote-control.conf
├── stub-zone.conf
├── forward-zone.conf
└── unbound.conf

/.gitignore:
--------------------------------------------------------------------------------
1 | *~
2 |
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
1 | # Unbound-DNSSEC-DNS-over-TLS
2 | Configuration files for Unbound as a caching DNS server with DNSSEC validation and DNS over TLS forwarding.
3 |
4 | ___
5 |
6 | This repository is associated with the following blog post (in Japanese).
7 |
8 | - [UnboundでDNSSEC & DNS over TLS対応のキャッシュDNSサーバを構築する](https://blog.c6h12o6.org/post/unbound-dnssec-dns-over-tls/)
9 |
--------------------------------------------------------------------------------

/remote-control.conf:
--------------------------------------------------------------------------------
1 | # Remote control config section.
2 | remote-control:
3 | # Enable remote control with unbound-control(8) here.
4 | # Set up the keys and certificates with unbound-control-setup.
5 | control-enable: yes
6 |
7 | # Which interfaces are listened to for remote control.
8 | # Give 0.0.0.0 and ::0 to listen to all interfaces.
9 | # Set to an absolute path to use a unix local name pipe; certificates
10 | # are not used for that, so key and cert files need not be present.
11 | control-interface: /var/run/unbound.ctl
# NOTE(review): with a unix socket path here, who may run unbound-control is
# decided by the socket file's owner and mode rather than by TLS keys; confirm
# the socket is not writable by untrusted users on the host.
12 |
13 | # For localhost, you can disable use of TLS by setting this to "no".
14 | # For local sockets this option is ignored, and TLS is not used.
15 | control-use-cert: "no"
16 |
--------------------------------------------------------------------------------

/stub-zone.conf:
--------------------------------------------------------------------------------
1 | # Stub zones.
2 | # Create entries like below, to make all queries for 'example.com' and
3 | # 'example.org' go to the given list of nameservers. List zero or more
4 | # nameservers by hostname or by IP address. If you set stub-prime to yes,
5 | # the list is treated as priming hints (default is no).
6 | # With stub-first yes, it attempts without the stub if it fails.
7 | # Consider adding domain-insecure: name and local-zone: name nodefault
8 | # to the server: section if the stub is a locally served zone.
9 | # stub-zone:
10 | # name: "example.com"
11 | # stub-addr: 192.0.2.68
12 | # stub-prime: no
13 | # stub-first: no
14 | # stub-tls-upstream: no
15 | # stub-zone:
16 | # name: "example.org"
17 | # stub-host: ns.example.com.
# NOTE(review): 2001:db8::/32 is the RFC 3849 documentation prefix, so
# 2001:db8::53 and the ip6.arpa zone name below are presumably placeholders for
# the site's real LAN prefix; they must be replaced before deployment.
# NOTE(review): unbound.conf turns off the built-in 168.192.in-addr.arpa zone
# with local-zone nodefault for the IPv4 reverse stub; as far as I recall
# 8.b.d.0.1.0.0.2.ip6.arpa is also one of Unbound's built-in default local
# zones, in which case the ip6.arpa stub below would be shadowed unless it gets
# the same nodefault treatment — confirm against the default zone list in
# unbound.conf(5) (see the comment on lines 7-8).
18 | stub-zone:
19 | name: "example.jp"
20 | stub-addr: 2001:db8::53
21 | stub-addr: 192.168.0.53
22 | stub-zone:
23 | name: "0.168.192.in-addr.arpa"
24 | stub-addr: 2001:db8::53
25 | stub-addr: 192.168.0.53
26 | stub-zone:
27 | name: "0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
28 | stub-addr: 2001:db8::53
29 | stub-addr: 192.168.0.53
30 |
--------------------------------------------------------------------------------

/forward-zone.conf:
--------------------------------------------------------------------------------
1 | # Forward zones
2 | # Create entries like below, to make all queries for 'example.com' and
3 | # 'example.org' go to the given list of servers. These servers have to handle
4 | # recursion to other nameservers. List zero or more nameservers by hostname
5 | # or by IP address. Use an entry with name "." to forward all queries.
6 | # If you enable forward-first, it attempts without the forward if it fails.
7 | # forward-zone:
8 | # name: "example.com"
9 | # forward-addr: 192.0.2.68
10 | # forward-addr: 192.0.2.73@5355 # forward to port 5355.
11 | # forward-first: no
12 | # forward-tls-upstream: no
13 | # forward-zone:
14 | # name: "example.org"
15 | # forward-host: fwd.example.com
16 | forward-zone:
17 | name: "."
18 | forward-first: no
# NOTE(review): keep forward-first at no — with yes, a failing TLS upstream
# would be retried as ordinary recursion, i.e. a silent downgrade to cleartext
# (see the comment on line 6).
19 | forward-tls-upstream: yes
# NOTE(review): none of the forward-addr entries below carries a TLS
# authentication name (the "#name" suffix described in unbound.conf(5), e.g.
# 9.9.9.9@853#<operator's published TLS name>). Without it the upstream
# certificate is not checked against a hostname even though tls-cert-bundle is
# set in unbound.conf, so these sessions are encrypted but not authenticated;
# add the names if the installed Unbound version supports them.
# NOTE(review): with three operators listed, Unbound is expected to spread
# queries over all of them by measured RTT, so each operator sees part of the
# query stream — confirm that is the intended privacy trade-off.
20 | forward-addr: 2606:4700:4700::1111@853 # CloudFlare primary
21 | forward-addr: 2606:4700:4700::1001@853 # CloudFlare secondary
22 | forward-addr: 2620:fe::fe@853 # Quad9 primary
23 | forward-addr: 2620:fe::9@853 # Quad9 secondary
24 | forward-addr: 2001:4860:4860::8888@853 # Google primary
25 | forward-addr: 2001:4860:4860::8844@853 # Google secondary
26 | forward-addr: 1.1.1.1@853 # CloudFlare primary
27 | forward-addr: 1.0.0.1@853 # CloudFlare secondary
28 | forward-addr: 9.9.9.9@853 # Quad9 primary
29 | forward-addr: 149.112.112.112@853 # Quad9 secondary
30 | forward-addr: 8.8.8.8@853 # Google primary
31 | forward-addr: 8.8.4.4@853 # Google secondary
32 |
--------------------------------------------------------------------------------

/unbound.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Example configuration file.
3 | #
4 | # See unbound.conf(5) man page, version 1.7.3.
5 | #
6 | # This is a comment.
7 |
8 | # Use this to include other text into the file.
9 | #include: "otherfile.conf"
10 |
11 | # The server clause sets the main parameters.
12 | server:
13 | # Verbosity number, 0 is least verbose. 1 is default.
14 | verbosity: 1
15 |
16 | # Print statistics to the log (for every thread) every N seconds.
17 | # Set to "" or 0 to disable. Default is disabled.
18 | statistics-interval: 0
19 |
20 | # Enable extended statistics (query types, answer codes, status)
21 | # printed from unbound-control. Default off, because of speed.
22 | extended-statistics: yes
23 |
24 | # Specify the interfaces to answer queries from by IP address.
25 | # The default is to listen to localhost (127.0.0.1 and ::1).
26 | # Specify 0.0.0.0 and ::0 to bind to all available interfaces.
27 | # Specify every interface[@port] on a new 'interface:' labelled line.
28 | # The listen interfaces are not changed on reload, only on restart.
29 | interface: ::0
30 | interface: 0.0.0.0
# NOTE(review): binding to all addresses makes the listener reachable on every
# interface, so the access-control list further down is the only thing keeping
# this from being an open resolver; any new interface or client netblock must be
# reflected there.
31 |
32 | # Specify a netblock to use the remaining 64 bits as random bits for
33 | # upstream queries. Uses the freebind option (Linux).
34 | # outgoing-interface: 2001:DB8::/64
35 | # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
36 | # And: ip -6 route add local 2001:db8::/64 dev lo
37 | # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
38 | # Set this to yes to prefer IPv6 upstream servers over IPv4.
39 | prefer-ip6: yes
40 |
41 | # Enable IPv4, "yes" or "no".
42 | do-ip4: yes
43 |
44 | # Enable IPv6, "yes" or "no".
45 | do-ip6: yes
46 |
47 | # Enable UDP, "yes" or "no".
48 | do-udp: yes
49 |
50 | # Enable TCP, "yes" or "no".
51 | do-tcp: yes
52 |
53 | # Control which clients are allowed to make (recursive) queries
54 | # to this server. Specify classless netblocks with /size and action.
55 | # By default everything is refused, except for localhost.
56 | # Choose deny (drop message), refuse (polite error reply),
57 | # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
58 | # allow_snoop (recursive and nonrecursive ok),
59 | # deny_non_local (drop queries unless they can be answered from local-data),
60 | # refuse_non_local (like deny_non_local but polite error reply).
61 | access-control: 0.0.0.0/0 refuse
62 | access-control: 127.0.0.0/8 allow
63 | access-control: 192.168.0.0/24 allow
64 | access-control: ::0/0 refuse
65 | access-control: ::1 allow
66 | access-control: ::ffff:127.0.0.1 allow
67 | access-control: 2001:db8::/64 allow
# NOTE(review): 2001:db8::/64 is the RFC 3849 documentation prefix — presumably
# a stand-in for the site's real LAN prefix; if it is not replaced before
# deployment, IPv6 LAN clients fall through to the ::0/0 refuse rule.
68 |
69 | # Send the minimum amount of information to upstream servers to enhance
70 | # privacy. Only send the minimum required labels of the QNAME and set QTYPE
71 | # to A when possible.
72 | qname-minimisation: yes
73 |
74 | # Use 0x20-encoded random bits in the query to foil spoof attempts.
75 | # This feature is an experimental implementation of draft dns-0x20.
76 | use-caps-for-id: yes
77 |
78 | # If yes, perform prefetching of almost expired message cache entries.
79 | prefetch: yes
80 |
81 | # If yes, Unbound rotates RRSet order in responses.
82 | rrset-roundrobin: yes
83 |
84 | # If yes, Unbound doesn't insert authority/additional sections
85 | # into response messages when those sections are not required.
86 | minimal-responses: yes
87 |
88 | # File with trusted keys, kept up to date using RFC 5011 probes;
89 | # the initial file is like trust-anchor-file, then it stores metadata.
90 | # Use several entries, one per domain name, to track multiple zones.
91 | #
92 | # If you want to perform DNSSEC validation, run unbound-anchor before
93 | # you start unbound (i.e. in the system boot scripts). And enable:
94 | # Please note usage of the unbound-anchor root anchor is at your own risk
95 | # and under the terms of our LICENSE (see that file in the source).
96 | auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
# NOTE(review): RFC 5011 tracking rewrites this file, so it has to be writable
# by the user Unbound runs as — otherwise the root anchor cannot be kept
# current across a key rollover; confirm the file ownership on the host.
97 |
98 | # Have the validator log failed validations for your diagnosis.
99 | # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
100 | val-log-level: 1
101 |
102 | # Certificates used to authenticate connections made upstream.
103 | tls-cert-bundle: "/etc/ssl/cert.pem"
# NOTE(review): as I read unbound.conf(5), this bundle is only consulted for
# upstreams whose forward-addr carries a "#name" authentication name (none do
# in forward-zone.conf); setting it does not by itself turn on certificate
# checking.
104 |
105 | # Allow the domain (and its subdomains) to contain private addresses.
106 | # local-data statements are allowed to contain private addresses too.
107 | private-domain: "example.jp"
108 |
109 | # Ignore the chain of trust. The domain is treated as insecure.
110 | domain-insecure: "example.jp"
111 | domain-insecure: "0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
# NOTE(review): the IPv4 reverse stub (0.168.192.in-addr.arpa in
# stub-zone.conf) has no domain-insecure entry; whether its answers validate
# then depends on the public in-addr.arpa tree proving an insecure delegation
# for it — check with val-log-level output, or list it here like the ip6.arpa
# zone.
112 |
113 | # By default, for a number of zones a small default 'nothing here'
114 | # reply is built-in. Query traffic is thus blocked. If you
115 | # wish to serve such a zone you can unblock it by uncommenting one
116 | # of the nodefault statements below.
117 | # You may also have to use domain-insecure: zone to make DNSSEC work,
118 | # unless you have your own trust anchors for this zone.
119 | local-zone: "168.192.in-addr.arpa." nodefault
120 |
121 | include: /usr/local/etc/unbound/remote-control.conf
122 | include: /usr/local/etc/unbound/forward-zone.conf
123 | include: /usr/local/etc/unbound/stub-zone.conf
124 |
--------------------------------------------------------------------------------