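# Unbound resolver configuration, rendered by Ansible/Jinja2 (unbound.conf syntax,
# not YAML: repeated keys such as interface:/access-control: are normal here, and
# for scalar options the last occurrence wins).
server:
    verbosity: 1
    use-syslog: yes
    # NOTE(review): with use-syslog: yes the logfile setting is overridden and
    # logging goes to syslog only (see unbound.conf(5)) - confirm which
    # destination is intended before relying on this path for audit/forensics.
    logfile: "/var/log/unbound.log"
    log-time-ascii: yes

    # IP addresses on which to listen.
    interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}

    # By default, anything other than localhost is refused.
    # Whitelist some subnets (keep this list in sync with the interfaces above;
    # an interface without a matching allow rule silently refuses every query):
    access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow

    do-ip4: yes
    # FIXME: IPv6 deployment... someday...
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    num-threads: {{ ansible_processor_vcpus }}

    # power of 2 close to num-threads
    # TODO: compute this dynamically w/ Ansible
    msg-cache-slabs: 16
    rrset-cache-slabs: 16
    infra-cache-slabs: 16
    key-cache-slabs: 16

    # Read the root hints from this file
    # FIXME: missing file.
    # root-hints: "/var/lib/unbound/root.hints"

    # Hardening / anti-spoofing options.
    harden-referral-path: yes
    use-caps-for-id: yes
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    # Declared once here; the former second copy at the end of the file was a
    # duplicate of this same value and has been removed.
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes

    # the time to live (TTL) value lower bound, in seconds. Default 0.
    # If more than an hour could easily give trouble due to stale data.
    # WARNING : against protocol rule but efficient against stupidly too low TTLs
    # (it also delays propagation of record changes/revocations by up to an hour).
    cache-min-ttl: 3600

    # the time to live (TTL) value cap for RRsets and messages in the
    # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 86400

    prefetch: yes

    # If nonzero, unwanted replies are not only reported in statistics, but also
    # a running total is kept per thread. If it reaches the threshold, a warning
    # is printed and a defensive action is taken, the cache is cleared to flush
    # potential poison out of it. A suggested value is 10000000, the default is
    # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

    # Should additional section of secure message also be kept clean of unsecure
    # data. Useful to shield the users of this validator from potential bogus
    # data in the additional section. All unsigned data in the additional section
    # is removed from secure messages.
    val-clean-additional: yes

    # Log validation failures
    val-log-level: 2

    # Rebinding protection: public answers that point into 10/8 are dropped.
    # NOTE(review): if internal names are expected to resolve to 10.x addresses
    # (e.g. via a forward/stub zone), those zones also need a private-domain
    # entry or their answers will be stripped - confirm against the deployment.
    private-address: 10.0.0.0/8

    # Optimise
    # https://unbound.net/documentation/howto_optimise.html
    # Faster UDP with multithreading (only on Linux).
    so-reuseport: yes

    # Cache sizes
    rrset-cache-size: 100m
    msg-cache-size: 50m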