1
0

100-example-conf-in.patch 2.8 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283
  1. OpenWrt (modification):
  2. Patch the default configuration file with the tiny memory
  3. configuration example from Unbound documentation. This is the best
  4. starting point for embedded routers if one is not going to use UCI.
  5. --- a/doc/example.conf.in
  6. +++ b/doc/example.conf.in
  7. @@ -19,6 +19,76 @@ server:
  8. # verbosity number, 0 is least verbose. 1 is default.
  9. # verbosity: 1
  10. + ############################################################################
  11. + # MEMORY CONTROL EXAMPLE
  12. + # In the example config settings below memory usage is reduced. Some ser-
  13. + # vice levels are lower, notable very large data and a high TCP load are
  14. + # no longer supported ... are exceptional for the DNS.
  15. + # (http://unbound.net/documentation/unbound.conf.html)
  16. + ############################################################################
  17. +
  18. + # Self jail Unbound with user "unbound" to /var/lib/unbound
  19. + # The script /etc/init.d/unbound will setup the location
  20. + username: "unbound"
  21. + directory: "/var/lib/unbound"
  22. + chroot: "/var/lib/unbound"
  23. +
  24. + # The pid file is created before privleges drop so no concern
  25. + pidfile: "/var/run/unbound.pid"
  26. +
  27. + # no threads and no memory slabs for threads
  28. + num-threads: 1
  29. + msg-cache-slabs: 1
  30. + rrset-cache-slabs: 1
  31. + infra-cache-slabs: 1
  32. + key-cache-slabs: 1
  33. +
  34. + # don't be picky about interfaces but consider your firewall
  35. + interface: 0.0.0.0
  36. + interface: ::0
  37. + access-control: 0.0.0.0/0 allow
  38. + access-control: ::0/0 allow
  39. +
  40. + # this limits TCP service but uses less buffers
  41. + outgoing-num-tcp: 1
  42. + incoming-num-tcp: 1
  43. +
  44. + # use somewhat higher port numbers versus possible NAT issue
  45. + outgoing-port-permit: "10240-65335"
  46. +
  47. + # uses less memory but less performance
  48. + outgoing-range: 60
  49. + num-queries-per-thread: 30
  50. +
  51. + # exclude large responses
  52. + msg-buffer-size: 8192
  53. +
  54. + # tiny memory cache
  55. + infra-cache-numhosts: 200
  56. + msg-cache-size: 100k
  57. + rrset-cache-size: 100k
  58. + key-cache-size: 100k
  59. + neg-cache-size: 10k
  60. +
  61. + # gentle on recursion
  62. + target-fetch-policy: "2 1 0 0 0 0"
  63. + harden-large-queries: yes
  64. + harden-short-bufsize: yes
  65. +
  66. + # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
  67. + # -anchor-file:" The init script will copy root key to /var/lib/unbound.
  68. + # See package documentation for crontab entry to copy RFC5011 results back.
  69. + #module-config: "validator iterator"
  70. + #auto-trust-anchor-file: "/var/lib/unbound/root.key"
  71. +
  72. + # DNSSEC needs real time to validate signatures. If your device does not
  73. + # have power off clock (reboot), then you may need this work around.
  74. + #domain-insecure: "pool.ntp.org"
  75. +
  76. + ############################################################################
  77. + # Resume Stock example.conf.in
  78. + ############################################################################
  79. +
  80. # print statistics to the log (for every thread) every N seconds.
  81. # Set to "" or 0 to disable. Default is disabled.
  82. # statistics-interval: 0