95 lines
3.0 KiB
Diff
95 lines
3.0 KiB
Diff
diff --git a/doc/example.conf.in b/doc/example.conf.in
|
|
index 5396029..cbb51ec 100644
|
|
--- a/doc/example.conf.in
|
|
+++ b/doc/example.conf.in
|
|
@@ -1,9 +1,10 @@
|
|
-#
|
|
-# Example configuration file.
|
|
-#
|
|
-# See unbound.conf(5) man page, version 1.7.0.
|
|
-#
|
|
-# this is a comment.
|
|
+##############################################################################
|
|
+# MEMORY CONTROL EXAMPLE
|
|
+# In the example config settings below memory usage is reduced. Some ser-
|
|
+# vice levels are lower, notable very large data and a high TCP load are
|
|
+# no longer supported ... are exceptional for the DNS.
|
|
+# (http://unbound.net/documentation/unbound.conf.html)
|
|
+##############################################################################
|
|
|
|
#Use this to include other text into the file.
|
|
#include: "otherfile.conf"
|
|
@@ -12,9 +13,71 @@
|
|
server:
|
|
# whitespace is not necessary, but looks cleaner.
|
|
|
|
- # verbosity number, 0 is least verbose. 1 is default.
|
|
+ # verbosity 1 is default
|
|
verbosity: 1
|
|
|
|
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
|
|
+ # The script /etc/init.d/unbound will setup the location
|
|
+ username: "unbound"
|
|
+ directory: "/var/lib/unbound"
|
|
+ chroot: "/var/lib/unbound"
|
|
+
|
|
+ # The pid file is created before privleges drop so no concern
|
|
+ pidfile: "/var/run/unbound.pid"
|
|
+
|
|
+ # no threads and no memory slabs for threads
|
|
+ num-threads: 1
|
|
+ msg-cache-slabs: 1
|
|
+ rrset-cache-slabs: 1
|
|
+ infra-cache-slabs: 1
|
|
+ key-cache-slabs: 1
|
|
+
|
|
+ # don't be picky about interfaces but consider your firewall
|
|
+ interface: 0.0.0.0
|
|
+ interface: ::0
|
|
+ access-control: 0.0.0.0/0 allow
|
|
+ access-control: ::0/0 allow
|
|
+
|
|
+ # this limits TCP service but uses less buffers
|
|
+ outgoing-num-tcp: 1
|
|
+ incoming-num-tcp: 1
|
|
+
|
|
+ # use somewhat higher port numbers versus possible NAT issue
|
|
+ outgoing-port-permit: "10240-65335"
|
|
+
|
|
+ # uses less memory but less performance
|
|
+ outgoing-range: 60
|
|
+ num-queries-per-thread: 30
|
|
+
|
|
+ # exclude large responses
|
|
+ msg-buffer-size: 8192
|
|
+
|
|
+ # tiny memory cache
|
|
+ infra-cache-numhosts: 200
|
|
+ msg-cache-size: 100k
|
|
+ rrset-cache-size: 100k
|
|
+ key-cache-size: 100k
|
|
+ neg-cache-size: 10k
|
|
+
|
|
+ # gentle on recursion
|
|
+ target-fetch-policy: "2 1 0 0 0 0"
|
|
+ harden-large-queries: yes
|
|
+ harden-short-bufsize: yes
|
|
+
|
|
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
|
|
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
|
|
+ # See package documentation for crontab entry to copy RFC5011 results back.
|
|
+ #module-config: "validator iterator"
|
|
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
|
+
|
|
+ # DNSSEC needs real time to validate signatures. If your device does not
|
|
+ # have power off clock (reboot), then you may need this work around.
|
|
+ #domain-insecure: "pool.ntp.org"
|
|
+
|
|
+##############################################################################
|
|
+# Resume Stock example.conf.in
|
|
+##############################################################################
|
|
+
|
|
# print statistics to the log (for every thread) every N seconds.
|
|
# Set to "" or 0 to disable. Default is disabled.
|
|
# statistics-interval: 0
|