Compare commits
6 Commits
813878a4de
...
9375b3c2b2
Author | SHA1 | Date |
---|---|---|
Aminda Suomalainen | 9375b3c2b2 | |
Aminda Suomalainen | 2aa221b77f | |
Aminda Suomalainen | 652c11391f | |
Aminda Suomalainen | d3773468fa | |
Aminda Suomalainen | a083a9d704 | |
Aminda Suomalainen | 30a27f980d |
|
@ -0,0 +1,3 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "off"
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://dns.google/dns-query"
|
||||
}
|
|
@ -10,11 +10,13 @@ server:
|
|||
rrset-cache-size: 50m
|
||||
# nxdomain cache, default 1m
|
||||
neg-cache-size: 10m
|
||||
# Cache results for 15 minutes even if they had a shorter TTL. Cloudflare
|
||||
# zone export used to have 1 second, and I have also been seeing 1
|
||||
# minute in the wild, I think 5 mins shouldn't break anything, but bigger
|
||||
# might.
|
||||
cache-min-ttl: 900
|
||||
# Increases TTL of all queries to 900 seconds (5 minutes) if upstream has
|
||||
# a lower one. I have been using this since August 2019 without issues.
|
||||
#cache-min-ttl: 900
|
||||
# https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
|
||||
# dares setting the minimum cache to something between 40 minute and 60,
|
||||
# so how about 50 minutes? However it predates RFC 8767.
|
||||
cache-min-ttl: 3000
|
||||
# Update cache for popular items before they expire. ~10 % traffic
|
||||
# increase according to `man unbound.conf`
|
||||
prefetch: yes
|
||||
|
@ -23,6 +25,16 @@ server:
|
|||
# Allow expired results to be served if they are in cache. The cache will
|
||||
# get updated the next time.
|
||||
serve-expired: yes
|
||||
# Serve expired data up to one day (RFC 8767)
|
||||
serve-expired-ttl: 86400
|
||||
# If serving expired data to client, explicitly give it TTL 30 seconds
|
||||
serve-expired-reply-ttl: 30
|
||||
# Serve expired data to client if there is no answer in 1.8 seconds as per
|
||||
# common timeout 2 seconds according to the RFC 8767
|
||||
#serve-expired-client-timeout: 1800
|
||||
# However my /etc/resolv.conf timeout is 1 second since all my nameservers
|
||||
# are localhost, so let's wait 0.8 seconds instead.
|
||||
serve-expired-client-timeout: 800
|
||||
# DNSSEC errors for valid and expired records
|
||||
ede: yes
|
||||
ede-serve-expired: yes
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
server:
|
||||
# Debian ca-certificates location
|
||||
#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
# ctrl.blog says this is the Fedora location
|
||||
#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|
||||
# Use system certificates no matter where they are
|
||||
tls-system-cert: yes
|
||||
# Quad9 says pointless performance impact on forwarders.
|
||||
# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
|
||||
qname-minimisation: no
|
||||
|
||||
forward-zone:
|
||||
name: "."
|
||||
forward-tls-upstream: yes
|
||||
|
||||
# Default / unfiltered
|
||||
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
|
||||
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
|
||||
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
|
||||
#forward-addr: 1.0.0.1@853#cloudflare-dns.com
|
||||
|
||||
# Malware blocking
|
||||
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
|
||||
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
|
||||
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
|
||||
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
|
||||
|
||||
# Malware and adult content blocking
|
||||
#forward-addr: 2606:4700:4700::1113@853#family.cloudflare-dns.com
|
||||
#forward-addr: 2606:4700:4700::1003@853#family.cloudflare-dns.com
|
||||
#forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
|
||||
#forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
|
||||
|
||||
# vim: filetype=unbound.conf
|
Loading…
Reference in New Issue