Configuration Unbound avec Cloudflared (DoT)
On va configurer unbound pour utiliser cloudflared.
et collez ça dedans :
server: # The verbosity number, level 0 means no verbosity, only errors. # Level 1 gives operational information. Level 2 gives detailed # operational information. Level 3 gives query level information, # output per query. Level 4 gives algorithm level information. # Level 5 logs client identification for cache misses. Default is # level 1. verbosity: 0 interface: 127.0.0.1 port: 53 do-ip4: yes do-udp: yes do-tcp: yes # May be set to yes if you have IPv6 connectivity do-ip6: no # You want to leave this to no unless you have *native* IPv6. With 6to4 and # Terredo tunnels your web browser should favor IPv4 for the same reasons prefer-ip6: no # Use this only when you downloaded the list of primary root servers! # Read the root hints from this file. Make sure to # update root.hints evry 5-6 months. root-hints: "/var/lib/unbound/root.hints" # Trust glue only if it is within the servers authority harden-glue: yes # Ignore very large queries. harden-large-queries: yes # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS # If you want to disable DNSSEC, set harden-dnssec stripped: no harden-dnssec-stripped: yes # Number of bytes size to advertise as the EDNS reassembly buffer # size. This is the value put into datagrams over UDP towards # peers. The actual buffer size is determined by msg-buffer-size # (both for TCP and UDP). edns-buffer-size: 1232 # Rotates RRSet order in response (the pseudo-random # number is taken from Ensure privacy of local IP # ranges the query ID, for speed and thread safety). # private-address: 192.168.0.0/16 rrset-roundrobin: yes # Time to live minimum for RRsets and messages in the cache. If the minimum # kicks in, the data is cached for longer than the domain owner intended, # and thus less queries are made to look up the data. Zero makes sure the # data in the cache is as the domain owner intended, higher values, # especially more than an hour or so, can lead to trouble as the data in # the cache does not match up with the actual data anymore cache-min-ttl: 300 cache-max-ttl: 86400 # Have unbound attempt to serve old responses from cache with a TTL of 0 in # the response without waiting for the actual resolution to finish. The # actual resolution answer ends up in the cache later on. serve-expired: yes # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. harden-algo-downgrade: yes # Ignore very small EDNS buffer sizes from queries. harden-short-bufsize: yes # Refuse id.server and hostname.bind queries hide-identity: yes # Report this identity rather than the hostname of the server. identity: "Server" # Refuse version.server and version.bind queries hide-version: yes # Prevent the unbound server from forking into the background as a daemon do-daemonize: no # Number of bytes size of the aggressive negative cache. neg-cache-size: 4M # Send minimum amount of information to upstream servers to enhance privacy qname-minimisation: yes # Deny queries of type ANY with an empty response. # Works only on version 1.8 and above deny-any: yes # Do no insert authority/additional sections into response messages when # those sections are not required. This reduces response size # significantly, and may avoid TCP fallback for some responses. This may # cause a slight speedup minimal-responses: yes # Perform prefetching of close to expired message cache entries # This only applies to domains that have been frequently queried # This flag updates the cached domains prefetch: yes # Fetch the DNSKEYs earlier in the validation process, when a DS record is # encountered. This lowers the latency of requests at the expense of little # more CPU usage. prefetch-key: yes # One thread should be sufficient, can be increased on beefy machines. In reality for # most users running on small networks or on a single machine, it should be unnecessary # to seek performance enhancement by increasing num-threads above 1. num-threads: 1 # more cache memory. rrset-cache-size should twice what msg-cache-size is. msg-cache-size: 50m rrset-cache-size: 100m # Faster UDP with multithreading (only on Linux). so-reuseport: yes # Ensure kernel buffer is large enough to not lose messages in traffix spikes so-rcvbuf: 4m so-sndbuf: 4m # Set the total number of unwanted replies to keep track of in every thread. # When it reaches the threshold, a defensive action of clearing the rrset # and message caches is taken, hopefully flushing away any poison. # Unbound suggests a value of 10 million. unwanted-reply-threshold: 100000 # Minimize logs # Do not print one line per query to the log log-queries: no # Do not print one line per reply to the log log-replies: no # Do not print log lines that say why queries return SERVFAIL to clients log-servfail: no # Do not print log lines to inform about local zone actions log-local-actions: no # Do not print log lines that say why queries return SERVFAIL to clients logfile: /dev/null # Ensure privacy of local IP ranges private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10 # CLOUDFLARE SETTINGS server: tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt forward-zone: name: "." forward-tls-upstream: yes # Cloudflare DNS forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com forward-addr: 188.8.131.52@853#cloudflare-dns.com forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com forward-addr: 184.108.40.206@853#cloudflare-dns.com # ADBLOCKING server: local-zone: "doubleclick.net" static local-zone: "googlesyndication.com" static local-zone: "googleadservices.com" static local-zone: "google-analytics.com" static local-zone: "ads.youtube.com" static local-zone: "adserver.yahoo.com" static local-zone: "ad-mediation.tuanguwen.com" static local-zone: "ad.adsrvr.org" static local-zone: "ad.doubleclick.net" static local-zone: "ad.lkqd.net" static local-zone: "adc-ad-assets.adtilt.com" static local-zone: "admarvel-d.openx.net" static local-zone: "admediator.unityads.unity3d.com" static local-zone: "adproxy.fyber.com" static local-zone: "ads-roularta.adhese.com" static local-zone: "ads-secure.videohub.tv" static local-zone: "ads.adadapted.com" static local-zone: "ads.adecosystems.net" static local-zone: "ads.admarvel.com" static local-zone: "ads.api.vungle.com" static local-zone: "ads.flurry.com" static local-zone: "ads.heyzap.com" static local-zone: "ads.mopub.com" static local-zone: "ads.nexage.com" static local-zone: "ads.superawesome.tv" static local-zone: "adtrack.king.com" static local-zone: "adwatch.appodeal.com" static local-zone: "amazon-adsystem.com" static local-zone: "adcolony.com" static local-zone: "api.salmonads.com" static local-zone: "app.adjust.com" static local-zone: "init.supersonicads.com" static local-zone: "live.chartboost.com" static local-zone: "marketing-ssl.upsight-api.com" static local-zone: "track.appsflyer.com" static local-zone: "ws.tapjoyads.com" static local-zone: "telemetry.microsoft.com" static local-zone: "data.microsoft.com" static