# Send minimum amount of information to upstream servers to enhance privacy.

# Deny queries of type ANY with an empty response.

# Do not insert authority/additional sections into response messages when
# those sections are not required. This reduces response size significantly,
# and may avoid TCP fallback for some responses.

# Number of bytes size of the aggressive negative cache.

# Prevent the unbound server from forking into the background as a daemon.

# Refuse id.server and hostname.bind queries.

# Report this identity rather than the hostname of the server.
identity: "Server"

# Refuse version.server and version.bind queries.

# Ignore very small EDNS buffer sizes from queries.

# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.

# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on.

# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus fewer queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended; higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache no longer matches the actual data.

# Rotate RRset order in the response (the pseudo-random number is taken from
# the query ID, for speed and thread safety).

# Ensure privacy of local IP ranges.

# Number of bytes size to advertise as the EDNS reassembly buffer size.
# This is the value put into datagrams over UDP towards peers. The actual
# buffer size is determined by msg-buffer-size (both for TCP and UDP).

# Require DNSSEC data for trust-anchored zones; if such data is absent, the
# zone becomes BOGUS. If you want to disable DNSSEC, set
# harden-dnssec-stripped: no

# Trust glue only if it is within the server's authority.

# Read the root hints from this file. Use this only when you downloaded the
# list of primary root servers! Make sure to update root.hints every 5-6
# months.
root-hints: "/usr/share/dns/root.hints"

# Control which client IPs are allowed to make (recursive) queries to this
# server. Specify classless netblocks with /size and action. Choose deny
# (drop message), refuse (polite error reply), allow (recursive ok),
# allow_snoop (recursive and nonrecursive ok). By default everything is
# refused, except for localhost.
#access-control: 10.8.0.0/24 allow
#access-control: 10.16.0.0/24 allow
#access-control: 192.168.6.0/24 allow
#access-control: 192.168.8.0/24 allow

# May be set to yes if you have IPv6 connectivity. You want to leave this
# at no unless you have *native* IPv6. With 6to4 and Teredo tunnels your
# web browser should favor IPv4 for the same reasons.

# The verbosity number: level 0 means no verbosity, only errors. Level 2
# gives detailed operational information. Level 3 gives query level
# information, output per query. Level 4 gives algorithm level information.
# Level 5 logs client identification for cache misses.

dnsdist

Enable dnsdist to run on boot.

setMaxTCPQueriesPerConnection(100) - set X(int); similar to addAction(MaxQPSIPRule(X), DropAction()).

setMaxTCPConnectionsPerClient(1000) - set X(int) for the number of TCP connections from a single client. Useful for rate limiting the concurrent connections.

Set X(int) for the TCP fast open queue size.

addTLSLocal("0.0.0.0", "/etc/letsencrypt/live//fullchain.pem", "/etc/letsencrypt/live//privkey.pem", ) - path for certs and listen address for DoT over IPv4.

Note: Debian-based installer for Ubuntu 20.04 or 20.10. Update and install software.