Hello, Unbound Mailing List users & experts,
Please check this below configuration, and let me know IF this is fit and CORRECTLY CONFIGURED to work as a complete Validating DNS-Server / DNS-Resolver / DNS-Client for a Windows (7) OS based computer (which has 2GB RAM, 1 CPU Core), where it is currently installed and will run, and it will also have to serve, as a DNS-Server, for other computers and VMs (with different OSes) in the local LAN. (The amount of free RAM memory is large, so not a factor.)

The Windows DNS Client service is set to "Manual Startup" mode, so it is not running, and the local network adapter/interface is configured to use 127.0.0.1 as its DNS-Server in this (Win7) computer. The LAN network adapter/interface of this (Win7) computer is also using the fixed/static IP address 192.168.0.10, and the other computers and VMs in the LAN are configured to use 192.168.0.10 as their DNS-Server.

Most websites/domains/zones are not yet signed with DNSSEC. I want this DNS-Server to still be able to send DNS query results for such unsigned websites to its users/clients (the DNS query answer will not have the "AD" flag). I do NOT want this DNS-Server to completely block (or stop sending) DNS query results for ANY sites/zones which are not yet DNSSEC signed.

Firefox will have DNSSEC Validation based addons which will be configured to use this DNS-Server. The Firefox addons will display a colored icon or message when a website is visited, and the icon will indicate whether a website is signed or secured with DNSSEC yet or not. (The DNS query answer will have the "AD" flag and "NOERROR" status for DNSSEC signed sites/zones.)

There is other software which we are using that does not have built-in support for doing any DNSSEC based query and cannot understand DNSSEC based answers; that software still needs to be able to function (that is: sending regular DNS queries and receiving regular responses via this DNS-Server).
So IF a CORRECTION is NEEDED to be done on this config, please provide the correct + practical + real config line that can be used; please do not give examples or confusing comments/responses. I'm looking for a practical configuration that will serve my purpose and work right now. PLEASE describe ACCURATELY for what reason a specific real config line you are suggesting is better or should be used, and PLEASE describe what else needs to be changed, exactly. Please do not assume I will do, or I'm supposed to do, something automatically, so please describe & explain.

WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO PLACE ONLY THE ONE/BELOW EMAIL ADDRESS IN THE "TO:" FIELD/Text-Box: [email protected] Please do not send any email directly to me, Thanks. PLEASE DO NOT SEND ANY EMAIL DIRECTLY TO ME, THANKS.

Thanks (again) in advance,

--
Bright Star (Bry8Star).

# ========================================
# BEGIN of service.conf / unbound.conf file of 'unbound'.
#
# Created by Bright Star. Bry8Star. 2012-08-02 (y-m-d).
#
# Configuration command-lines or comment sentences which
# start with the # symbol are disabled/not-active.
#
server:    # clause header (required before the options below; missing as posted)
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: "no"
    extended-statistics: "no"
    num-threads: 1
    interface: 127.0.0.1
    # Assuming your Network Adapter/Interface is
    # configured to use the below fixed IP address:
    interface: 192.168.0.10
    interface-automatic: "no"
    port: 53
    # Assuming your Network Adapter/Interface is
    # configured to have this/below fixed IP address:
    outgoing-interface: 192.168.0.10
    outgoing-range: 950          # when thread = 1
    outgoing-port-permit: 46000-62384
    # All avoided ports on one single line, with no space
    # character in between them:
    outgoing-port-avoid: "1025,1863,1935,2400,4242,4400,4421,4444,4445,4480,4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,8080,8110,8118,8120,8123,8125,8143,8953,8955,8998,9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,9057,9058,9059,9060,9080,9150,9151,10000,10001,15000,15001,15002,15003,15004,16001,16999,20000,20001,25000,26999,29998,30600,31000,32000,36999,50300"
    outgoing-num-tcp: 6          # default is 10
    incoming-num-tcp: 6          # default is 10
    so-rcvbuf: 8m                # "m" = "MegaBytes".
    so-sndbuf: 8m
    edns-buffer-size: 4096
    msg-buffer-size: 65552
    msg-cache-size: 24m
    msg-cache-slabs: 2
    num-queries-per-thread: 475  # when thread = 1
    rrset-cache-size: 48m
    rrset-cache-slabs: 2
    cache-min-ttl: 0
    cache-max-ttl: 21600         # 6 Hours
    infra-host-ttl: 900
    infra-cache-slabs: 2
    infra-cache-numhosts: 10000
    do-ip4: "yes"
    do-ip6: "no"
    do-udp: "yes"
    do-tcp: "yes"
    tcp-upstream: "yes"
    do-daemonize: "yes"
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 refuse
    access-control: ::ffff:127.0.0.1 refuse
    access-control: 127.0.0.1 allow
    # Assuming your Network Adapter/Interface is
    # configured with the below IP:
    access-control: 192.168.0.10 allow
    # The line above only matches queries whose source address is
    # 192.168.0.10 itself; the other LAN computers/VMs have their own
    # addresses and would hit the 0.0.0.0/0 refuse rule, so the LAN
    # netblock must be allowed too (assumption: the LAN is a /24):
    access-control: 192.168.0.0/24 allow
    # chroot: ""
    # username: "unbound"
    # directory: ""
    # pidfile: ""
    logfile: "C:\Program Files\Unbound\unbound.log"
    # Note: while use-syslog is "yes" the logfile setting above is
    # overridden (see unbound.conf(5)); set it to "no" to log to the file.
    use-syslog: "yes"
    log-time-ascii: "yes"
    log-queries: "no"
    # root-hints: "C:\Program Files\Unbound\named.cache"
    # root-hints: "C:\Program Files\Unbound\named.root"
    hide-identity: "yes"
    hide-version: "yes"
    identity: "DNS"
    version: "1.0.0"
    # target-fetch-policy: "3 2 1 1 0 0"
    target-fetch-policy: "3 2 2 2 2 2"
    # harden-short-bufsize: "no"
    # harden-large-queries: "no"
    # harden-glue: "yes"
    # harden-dnssec-stripped: "yes"
    # harden-below-nxdomain: "no"
    # harden-referral-path: "no"
    # use-caps-for-id: "no"
    # unwanted-reply-threshold: 8000
    # prefetch: "no"
    # prefetch-key: "no"
    # prefetch-key: "yes"
    rrset-roundrobin: "yes"
    minimal-responses: "no"
    module-config: "validator iterator"
    auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
    dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
    val-bogus-ttl: 60
    val-sig-skew-min: 3600
    val-sig-skew-max: 86400
    val-clean-additional: "yes"
    val-permissive-mode: "no"
    ignore-cd-flag: "no"
    val-log-level: 1
    # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
    # add-holddown: 2592000      # 30 days
    # del-holddown: 2592000      # 30 days
    # keep-missing: 31622400     # 366 days
    key-cache-size: 24m
    key-cache-slabs: 2
    neg-cache-size: 18m
    # ssl-upstream: no
    # ssl-service-key: "path/to/privatekeyfile.key"

server:
    # Other TLDs (not in the DNSSEC root chain of trust, so marked insecure)
    domain-insecure: "bit"       # BitDomains. Namecoin. Bitcoin.
    domain-insecure: "geek"      # OpenNICProject.
    domain-insecure: "free"      # OpenNICProject.
    domain-insecure: "africa"    # CesidianRoot.

server:
    # Blocking DNS leaks via this DNS-Resolver:
    local-zone: "onion." refuse      # blocking DNS leaks.
    local-zone: "exit." refuse       # blocking DNS leaks.
    local-zone: "noconnect." refuse  # blocking DNS leaks.
    local-zone: "i2p." refuse        # blocking DNS leaks.

server:
stub-zone:
    name: "geek"                 # OpenNICProject.
    stub-host: ns2.opennic.glue.
    stub-host: ns3.opennic.glue.
    stub-host: ns4.opennic.glue.
    stub-host: ns5.opennic.glue.
    stub-host: ns6.opennic.glue.
    stub-host: ns7.opennic.glue.
    stub-host: ns8.opennic.glue.
    stub-host: ns21.opennic.glue.
stub-zone:
    name: "free"                 # OpenNICProject.
    stub-host: ns2.opennic.glue.
    stub-host: ns3.opennic.glue.
    stub-host: ns4.opennic.glue.
    stub-host: ns5.opennic.glue.
    stub-host: ns6.opennic.glue.
    stub-host: ns7.opennic.glue.
    stub-host: ns8.opennic.glue.
    stub-host: ns21.opennic.glue.
stub-zone:
    name: "africa"               # CesidianRoot.
    stub-host: eu.crtldns.world-dns.net.
    stub-host: jp.crtldns.world-dns.net.
    stub-host: nz.crtldns.world-dns.net.
    stub-host: us.crtldns.world-dns.net.
    stub-host: za.crtldns.world-dns.net.
    stub-host: crtldns.world-dns.net.

server:
forward-zone:
    name: "ns.dot-bit.bit"
    forward-addr: 178.32.31.41
    forward-addr: 2001:41d0:2:a5d9::101
forward-zone:
    # NameCoin/BitCoin/BitDomains
    name: "bit"
    forward-host: ns.dot-bit.bit.
    forward-addr: 178.32.31.41            # ns.dot-bit.bit, FR.
    forward-addr: 108.174.61.249          # USA.
    forward-addr: 78.47.86.43             # DE/GR.
    forward-addr: 96.127.133.37           # USA.
    forward-addr: 69.194.226.23           # USA.
    forward-addr: 194.71.109.237          # Sweden.
    forward-addr: 2001:41d0:2:a5d9::101   # ns.dot-bit.bit
forward-zone:
    name: "ns2.opennic.glue"
    forward-addr: 216.87.84.210
    forward-addr: 2001:470:8388:10:0:100:53:10
forward-zone:
    name: "ns21.opennic.glue"
    forward-addr: 202.83.95.229
forward-zone:
    name: "ns3.opennic.glue"
    forward-addr: 199.30.58.57
    forward-addr: 2001:470:8ca1::53
forward-zone:
    name: "ns4.opennic.glue"
    forward-addr: 84.200.228.200
forward-zone:
    name: "ns5.opennic.glue"
    forward-addr: 128.177.28.254
forward-zone:
    name: "ns6.opennic.glue"
    forward-addr: 207.192.71.13
    forward-addr: 2002:cfc0:470d::1
forward-zone:
    name: "ns7.opennic.glue"
    forward-addr: 66.244.95.11
    forward-addr: 2001:470:1f10:c6::11
forward-zone:
    name: "ns8.opennic.glue"
    forward-addr: 178.63.116.152
    forward-addr: 2a01:4f8:110:6221::999

# server:
# forward-zone:
#     name: "."
#     forward-addr: 149.20.64.20      # OARC. DNSSEC.
#     forward-addr: 149.20.64.21      # OARC. DNSSEC.
#     forward-addr: 217.31.204.130    # CZ.NIC. DNSSEC.
#     forward-addr: 193.29.206.206    # CZ.NIC. DNSSEC.
#     forward-addr: IP-Adrs           # OpenNICProject. DNSSEC.
#     forward-addr: IP-Adrs           # German Privacy Foundation. DNSSEC.
#     forward-addr: IP-Adrs           # Swiss Priv. Fndtn. DNSSEC.

server:
remote-control:
    control-enable: "yes"
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "C:\Program Files\Unbound\unbound_server.key"
    server-cert-file: "C:\Program Files\Unbound\unbound_server.pem"
    control-key-file: "C:\Program Files\Unbound\unbound_control.key"
    control-cert-file: "C:\Program Files\Unbound\unbound_control.pem"
# END of 'service.conf' / 'unbound.conf' file of 'unbound'.
# ========================================

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
