Maintained by: NLnet Labs

[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?

Bright Star
Fri May 24 00:21:13 CEST 2013



Hello, Unbound Mailing List users & experts,

Please check the configuration below, and let me know IF it is
fit and CORRECTLY CONFIGURED to work as a complete Validating
DNS-Server / DNS-Resolver / DNS-Client for a Windows (7) OS based
computer (which has 2GB RAM, 1 CPU Core), where it is currently
installed and will run; it will also have to serve, as a
DNS-Server, for other computers and VMs (with different OSes) in
the local LAN.

(The amount of free RAM is large, so it is not a factor).

The Windows DNS Client service is set to "Manual Startup" mode, so it
is not running, and the local network adapter/interface on this (Win7)
computer is configured to use 127.0.0.1 as its DNS-Server.

And the LAN network adapter/interface of this (Win7) computer is also
using the fixed/static IP address 192.168.0.10.

And the other computers and VMs in the LAN are configured to use
192.168.0.10 as their DNS-Server.

Most websites/domains/zones are not yet signed with DNSSEC. I want
this DNS-Server to still be able to send DNS query results for such
unsigned websites to its users/clients. (The DNS query answer will not
have the "AD" flag).

I do NOT want this DNS-Server to completely block (or stop sending)
DNS query results for ANY sites/zones which are not yet DNSSEC signed.

Firefox will have DNSSEC Validation based addons which will be
configured to use this DNS-Server. The Firefox addons will display a
colored icon or message when a website is visited, and the icon will
indicate whether a website is signed or secured with DNSSEC yet or not.
(The DNS query answer will have the "AD" flag and "NOERROR" status for
DNSSEC signed sites/zones).

There is other software which we are using that does not have
built-in support for doing any DNSSEC based query and cannot
understand a DNSSEC based answer; that software still needs to be able
to function (that is: sending regular DNS queries, and receiving
regular responses via this DNS-Server).

So IF a CORRECTION NEEDS to be done on this config, please provide
the correct + practical + real config line that can be used; please do
not give examples, or confusing comments/responses. I'm looking for a
practical configuration that will serve my purpose and work right
now.  PLEASE describe ACCURATELY for what reason a specific real
config line you are suggesting is better or should be used, and
PLEASE describe what else needs to be changed, exactly.

Please do not assume I will do or I'm supposed to do something
automatically, so please describe & explain.

WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
"TO:" FIELD/Text-Box:
unbound-users at unbound.net

Please do not send any email directly to me, Thanks.

PLEASE DO NOT SEND ANY EMAIL DIRECTLY TO ME, THANKS.

Thanks (again) in advance,
-- Bright Star (Bry8Star).


# ========================================
# BEGIN of service.conf / unbound.conf file of 'unbound'.
#
# Created by Bright Star. Bry8Star. 2012-08-02 (y-m-d).
#
# Configuration lines or comment sentences which
# start with the # symbol are disabled/not active.
#
verbosity: 1
statistics-interval: 0
statistics-cumulative: "no"
extended-statistics: "no"
num-threads: 1
interface: 127.0.0.1
# Assuming your network adapter/interface is
# configured to use the fixed IP address below:
interface: 192.168.0.10
interface-automatic: "no"
port: 53
# Assuming your network adapter/interface is
# configured to have the fixed IP address below:
outgoing-interface: 192.168.0.10
outgoing-range: 950  # when thread = 1
outgoing-port-permit: 46000-62384
# I'm breaking one long line containing the list of ports
# into short lines, to show it here. In the real config file
# combine all ports into one single line, and do not
# place any space characters in between them:
outgoing-port-avoid:
"1025,1863,1935,2400,4242,4400,4421,4444,4445,4480,
4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,
5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,
6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,
7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,
8080,8110,8118,8120,8123,8125,8143,8953,8955,8998,
9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,
9057,9058,9059,9060,9080,9150,9151,10000,10001,15000,
15001,15002,15003,15004,16001,16999,20000,20001,25000,
26999,29998,30600,31000,32000,36999,50300"
outgoing-num-tcp: 6  # default is 10
incoming-num-tcp: 6  # default is 10
so-rcvbuf: 8m  # "m" = "MegaBytes".
so-sndbuf: 8m
edns-buffer-size: 4096
msg-buffer-size: 65552
msg-cache-size: 24m
msg-cache-slabs: 2
num-queries-per-thread: 475  # when thread = 1
rrset-cache-size: 48m
rrset-cache-slabs: 2
cache-min-ttl: 0
cache-max-ttl: 21600  # 6 Hours
infra-host-ttl: 900
infra-cache-slabs: 2
infra-cache-numhosts: 10000
do-ip4: "yes"
do-ip6: "no"
do-udp: "yes"
do-tcp: "yes"
tcp-upstream: "yes"
do-daemonize: "yes"
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: ::1 refuse
access-control: ::ffff:127.0.0.1 refuse
access-control: 127.0.0.1 allow
# Assuming your network adapter/interface is
# configured with the IP address below:
access-control: 192.168.0.10 allow
# chroot: ""
# username: "unbound"
# directory: ""
# pidfile: ""
logfile:
"C:\Program Files\Unbound\unbound.log"
use-syslog: "yes"
log-time-ascii: "yes"
log-queries: "no"
# root-hints:
# "C:\Program Files\Unbound\named.cache"
# root-hints:
# "C:\Program Files\Unbound\named.root"
hide-identity: "yes"
hide-version: "yes"
identity: "DNS"
version: "1.0.0"
# target-fetch-policy: "3 2 1 1 0 0"
target-fetch-policy: "3 2 2 2 2 2"
# harden-short-bufsize: "no"
# harden-large-queries: "no"
# harden-glue: "yes"
# harden-dnssec-stripped: "yes"
# harden-below-nxdomain: "no"
# harden-referral-path: "no"
# use-caps-for-id: "no"
# unwanted-reply-threshold: 8000
# prefetch: "no"
# prefetch-key: "no"
# prefetch-key: "yes"
rrset-roundrobin: "yes"
minimal-responses: "no"
module-config: "validator iterator"
auto-trust-anchor-file:
"C:\Program Files\Unbound\root.key"
dlv-anchor-file:
"C:\Program Files\Unbound\dlv.isc.org.key"
val-bogus-ttl: 60
val-sig-skew-min: 3600
val-sig-skew-max: 86400
val-clean-additional: "yes"
val-permissive-mode: "no"
ignore-cd-flag: "no"
val-log-level: 1
# val-nsec3-keysize-iterations:
# "1024 150 2048 500 4096 2500"
# add-holddown: 2592000 # 30 days
# del-holddown: 2592000 # 30 days
# keep-missing: 31622400 # 366 days
key-cache-size: 24m
key-cache-slabs: 2
neg-cache-size: 18m
# ssl-upstream: no
# ssl-service-key: "path/to/privatekeyfile.key"
server: # Other TLDs
domain-insecure: "bit"  # BitDomains. Namecoin. Bitcoin.
domain-insecure: "geek"  # OpenNICProject.
domain-insecure: "free"  # OpenNICProject.
domain-insecure: "africa"  # CesidianRoot.
server:  # Blocking DNS leaks via this DNS-Resolver:
local-zone: "onion." refuse  # blocking DNS leaks.
local-zone: "exit." refuse  # blocking DNS leaks.
local-zone: "noconnect." refuse  # blocking DNS leaks.
local-zone: "i2p." refuse  # blocking DNS leaks.
server:
stub-zone:
	name: "geek"  # OpenNICProject.
	stub-host: ns2.opennic.glue.
	stub-host: ns3.opennic.glue.
	stub-host: ns4.opennic.glue.
	stub-host: ns5.opennic.glue.
	stub-host: ns6.opennic.glue.
	stub-host: ns7.opennic.glue.
	stub-host: ns8.opennic.glue.
	stub-host: ns21.opennic.glue.
stub-zone:
	name: "free"  # OpenNICProject.
	stub-host: ns2.opennic.glue.
	stub-host: ns3.opennic.glue.
	stub-host: ns4.opennic.glue.
	stub-host: ns5.opennic.glue.
	stub-host: ns6.opennic.glue.
	stub-host: ns7.opennic.glue.
	stub-host: ns8.opennic.glue.
	stub-host: ns21.opennic.glue.
stub-zone:
	name: "africa"  # CesidianRoot.
	stub-host: eu.crtldns.world-dns.net.
	stub-host: jp.crtldns.world-dns.net.
	stub-host: nz.crtldns.world-dns.net.
	stub-host: us.crtldns.world-dns.net.
	stub-host: za.crtldns.world-dns.net.
	stub-host: crtldns.world-dns.net.
server:
forward-zone:
	name: "ns.dot-bit.bit"
	forward-addr: 178.32.31.41
	forward-addr: 2001:41d0:2:a5d9::101
forward-zone:  # NameCoin/BitCoin/BitDomains
	name: "bit"
	forward-host: ns.dot-bit.bit.
	forward-addr: 178.32.31.41  # ns.dot-bit.bit, FR.
	forward-addr: 108.174.61.249  # USA.
	forward-addr: 78.47.86.43  # DE/GR.
	forward-addr: 96.127.133.37  # USA.
	forward-addr: 69.194.226.23  # USA.
	forward-addr: 194.71.109.237  # Sweden.
	forward-addr: 2001:41d0:2:a5d9::101 # ns.dot-bit.bit
forward-zone:
	name: "ns2.opennic.glue"
	forward-addr: 216.87.84.210
	forward-addr: 2001:470:8388:10:0:100:53:10
forward-zone:
	name: "ns21.opennic.glue"
	forward-addr: 202.83.95.229
forward-zone:
	name: "ns3.opennic.glue"
	forward-addr: 199.30.58.57
	forward-addr: 2001:470:8ca1::53
forward-zone:
	name: "ns4.opennic.glue"
	forward-addr: 84.200.228.200
forward-zone:
	name: "ns5.opennic.glue"
	forward-addr: 128.177.28.254
forward-zone:
	name: "ns6.opennic.glue"
	forward-addr: 207.192.71.13
	forward-addr: 2002:cfc0:470d::1
forward-zone:
	name: "ns7.opennic.glue"
	forward-addr: 66.244.95.11
	forward-addr: 2001:470:1f10:c6::11
forward-zone:
	name: "ns8.opennic.glue"
	forward-addr: 178.63.116.152
	forward-addr: 2a01:4f8:110:6221::999
# server:
# forward-zone:
# 	name: "."
# forward-addr: 149.20.64.20  # OARC. DNSSEC.
# forward-addr: 149.20.64.21  # OARC. DNSSEC.
# forward-addr: 217.31.204.130  # CZ.NIC. DNSSEC.
# forward-addr: 193.29.206.206  # CZ.NIC. DNSSEC.
# forward-addr: IP-Adrs # OpenNICProject. DNSSEC.
# forward-addr: IP-Adrs # German Privacy Foundation. DNSSEC.
# forward-addr: IP-Adrs # Swiss Priv. Fndtn. DNSSEC.
server:
remote-control:
control-enable: "yes"
control-interface: 127.0.0.1
control-port: 8953
server-key-file:
"C:\Program Files\Unbound\unbound_server.key"
server-cert-file:
"C:\Program Files\Unbound\unbound_server.pem"
control-key-file:
"C:\Program Files\Unbound\unbound_control.key"
control-cert-file:
"C:\Program Files\Unbound\unbound_control.pem"
# END of 'service.conf' / 'unbound.conf' file of 'unbound'.
# ========================================

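As an added check, not code from the original post or from Unbound itself, the following Python script parses the server-clause subset of the posted configuration (a constructed excerpt with the same interface, access-control and validator lines is embedded) and reports on the two points the question turns on: whether the validator module and a trust anchor are configured (so signed zones get the AD flag, bogus answers become SERVFAIL, and unsigned zones are still answered without AD), and which clients the access-control lines actually allow. Unbound treats a bare address in access-control as a single host, so with the lines shown only 127.0.0.1 and 192.168.0.10 are allowed and any other LAN address is refused; the rule matching below follows Unbound's most-specific-netblock behaviour, and the client addresses other than those in the post (192.168.0.20, 192.168.0.30) are constructed.

```python
"""Checker for the server-clause settings behind the two questions in the post:
does Unbound validate, and which clients will it answer?  Added example, not
Unbound's or the poster's code.  The parser covers only the config subset used
in the posted file (clause headers, 'key: value' lines, '#' comments)."""
import ipaddress

# Constructed excerpt modelled on the posted config; the real file has many more keys.
SAMPLE_CONF = """\
server:
interface: 127.0.0.1
interface: 192.168.0.10
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: ::1 refuse
access-control: ::ffff:127.0.0.1 refuse
access-control: 127.0.0.1 allow
access-control: 192.168.0.10 allow
module-config: "validator iterator"
auto-trust-anchor-file: "C:\\Program Files\\Unbound\\root.key"
val-permissive-mode: "no"
"""


def parse_unbound(text):
    """Return (clause, key, value) triples in file order.  Repeated keys are
    kept because Unbound allows several interface/access-control lines."""
    entries = []
    clause = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (no value here contains '#')
        if not line:
            continue
        if line.endswith(":"):  # clause header such as 'server:' or 'stub-zone:'
            clause = line[:-1]
            continue
        key, _, value = line.partition(":")
        entries.append((clause, key.strip(), value.strip().strip('"')))
    return entries


def access_control_rules(entries):
    """Collect access-control netblocks; a bare address is one host (/32 or /128)."""
    rules = []
    for clause, key, value in entries:
        if clause == "server" and key == "access-control":
            netblock, action = value.split()
            rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def client_action(rules, client_ip):
    """Unbound applies the most specific matching netblock; with no match at all
    the client is refused, which is Unbound's default for unlisted addresses."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def refused_clients(rules, client_ips):
    """Which of the given LAN clients would be REFUSED by this resolver."""
    return [ip for ip in client_ips if client_action(rules, ip) != "allow"]


def validation_report(entries):
    """Summarise the settings that make this a validating resolver."""
    server = {k: v for c, k, v in entries if c == "server"}  # last value wins
    modules = server.get("module-config", "").split()
    return {
        "validator_loaded": "validator" in modules,
        "trust_anchor": server.get("auto-trust-anchor-file") or server.get("trust-anchor-file"),
        # "no" keeps bogus answers as SERVFAIL; unsigned zones are still answered (no AD flag)
        "permissive_mode": server.get("val-permissive-mode", "no") == "yes",
    }


if __name__ == "__main__":
    ents = parse_unbound(SAMPLE_CONF)
    acl = access_control_rules(ents)
    print(validation_report(ents))
    # Only localhost and the host's own address are allowed; other LAN clients are refused.
    print("refused:", refused_clients(acl, ["192.168.0.10", "192.168.0.20", "192.168.0.30"]))
```

Run as-is it prints a validator report showing the validator module, the root.key anchor and permissive mode off, and lists 192.168.0.20 and 192.168.0.30 as refused. To let a whole LAN use the resolver, Unbound's access-control takes a netblock (for example a /24 covering the LAN) rather than the resolver's own address; the check above will then return "allow" for those clients while 0.0.0.0/0 still refuses everything else.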