- Multi-arch support (x86_64 and ARM64)
- ~50MB image size vs ~500MB for the Ubuntu version
- DNSSEC validation with root hints
- Health checks and resource limits
- Security hardening (hide identity/version, harden-glue, etc.)
- Build script for easy single/multi-arch builds
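# Unbound configuration for Alpine container
# Optimized for recursive DNS resolution with DNSSEC
#
# Note: this is unbound.conf syntax, not YAML. Repeated keys (access-control)
# are valid here, and yes/no are Unbound's own booleans. Indentation is
# cosmetic for Unbound's parser; entries are indented under their clause
# (server:, remote-control:) purely for readability.

server:
    # Basic settings
    verbosity: 1
    num-threads: 2

    # Interface binding
    # Only an IPv4 wildcard listener is declared. Without an "interface: ::0"
    # (or specific IPv6 address) entry, no query can arrive over IPv6, so the
    # IPv6 access-control rules below are never matched by an incoming query;
    # "do-ip6: yes" only governs outgoing traffic to authoritative servers.
    # NOTE(review): if the container has no IPv6 route, outgoing IPv6 queries
    # will fail until they time out and add latency — consider "do-ip6: no"
    # in IPv4-only deployments; confirm against the host network setup.
    interface: 0.0.0.0
    port: 5335
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Access control - allow all private networks.
    # Anything not listed is refused (Unbound's default action). Be aware that
    # behind a Docker bridge/NAT the client source address may be rewritten to
    # a private range, so this list does not by itself prevent access through
    # a port published on a public interface; restrict publishing at the
    # container/host level as well.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow
    access-control: ::1/128 allow
    access-control: fd00::/8 allow

    # Root hints (priming data for the root servers). Unbound ships built-in
    # root hints, so this file mainly matters if it is refreshed regularly;
    # a stale file is worse than the compiled-in default.
    root-hints: /etc/unbound/root.hints

    # Trust anchor for DNSSEC validation. Unbound rewrites this file while
    # tracking key rollovers (RFC 5011), so it must be writable by the
    # "unbound" user and should live on persistent storage so the anchor
    # state survives container restarts.
    auto-trust-anchor-file: /var/lib/unbound/root.key

    # Hide identity and version (id.server / version.server CH queries)
    hide-identity: yes
    hide-version: yes

    # Harden settings
    harden-glue: yes
    harden-dnssec-stripped: yes
    # harden-referral-path is documented by Unbound as experimental and issues
    # extra infrastructure queries; keep it only if the added load is acceptable.
    harden-referral-path: yes
    use-caps-for-id: yes
    # Added hardening for a resolver that processes untrusted responses:
    # - harden-below-nxdomain: answer NXDOMAIN for names under a name already
    #   known to be NXDOMAIN (fewer queries forwarded upstream)
    # - harden-algo-downgrade: refuse downgrade when a DS advertises several
    #   algorithms
    # - harden-large-queries / harden-short-bufsize: ignore oversized queries
    #   and tiny EDNS buffer sizes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    # When this many unwanted (unsolicited) replies are counted per thread,
    # Unbound clears its caches and logs a warning; the value is the one
    # suggested in the unbound.conf manual. Default is 0 (disabled).
    unwanted-reply-threshold: 10000000

    # Prefetch settings for performance
    prefetch: yes
    prefetch-key: yes

    # Cache settings
    # cache-min-ttl overrides the TTL chosen by the zone owner: any record
    # change (including a revoked or moved host) keeps being served from this
    # cache for up to an hour. Lower it if fast propagation matters more than
    # upstream query volume.
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    msg-cache-size: 50m
    rrset-cache-size: 100m
    key-cache-size: 50m
    neg-cache-size: 10m

    # Privacy settings
    qname-minimisation: yes
    aggressive-nsec: yes

    # Logging
    # NOTE(review): an empty logfile means "no log file"; where Unbound then
    # sends messages depends on use-syslog (default yes). If the container has
    # no syslog daemon, set "use-syslog: no" so messages reach stderr — confirm
    # against the image's entrypoint.
    logfile: ""
    log-queries: no
    log-replies: no
    log-local-actions: no
    log-servfail: yes

    # User/group (Alpine uses 'unbound' user); privileges are dropped to this
    # user after the listening sockets are bound.
    username: "unbound"
    directory: "/etc/unbound"
    # chroot is disabled; process isolation is left to the container runtime.
    chroot: ""

    # PID file
    pidfile: "/var/run/unbound.pid"

# Remote control (disabled for security): no unbound-control socket is opened.
remote-control:
    control-enable: no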