

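diff --git a/doc/example.conf.in b/doc/example.conf.in
index 5396029..cbb51ec 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,9 +1,10 @@
-#
-# Example configuration file.
-#
-# See unbound.conf(5) man page, version 1.7.0.
-#
-# this is a comment.
+##############################################################################
+# MEMORY CONTROL EXAMPLE
+# In the example config settings below memory usage is reduced. Some ser-
+# vice levels are lower, notable very large data and a high TCP load are
+# no longer supported ... are exceptional for the DNS.
+# (http://unbound.net/documentation/unbound.conf.html)
+##############################################################################
 #Use this to include other text into the file.
 #include: "otherfile.conf"
@@ -12,9 +13,71 @@
 server:
 # whitespace is not necessary, but looks cleaner.
- # verbosity number, 0 is least verbose. 1 is default.
+ # verbosity 1 is default
 verbosity: 1
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid"
+
+ # no threads and no memory slabs for threads
+ num-threads: 1
+ msg-cache-slabs: 1
+ rrset-cache-slabs: 1
+ infra-cache-slabs: 1
+ key-cache-slabs: 1
+
+ # don't be picky about interfaces but consider your firewall
+ interface: 0.0.0.0
+ interface: ::0
+ access-control: 0.0.0.0/0 allow
+ access-control: ::0/0 allow
+
+ # this limits TCP service but uses less buffers
+ outgoing-num-tcp: 1
+ incoming-num-tcp: 1
+
+ # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335"
+
+ # uses less memory but less performance
+ outgoing-range: 60
+ num-queries-per-thread: 30
+
+ # exclude large responses
+ msg-buffer-size: 8192
+
+ # tiny memory cache
+ infra-cache-numhosts: 200
+ msg-cache-size: 100k
+ rrset-cache-size: 100k
+ key-cache-size: 100k
+ neg-cache-size: 10k
+
+ # gentle on recursion
+ target-fetch-policy: "2 1 0 0 0 0"
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around.
+ #domain-insecure: "pool.ntp.org"
+
+##############################################################################
+# Resume Stock example.conf.in
+##############################################################################
+
 # print statistics to the log (for every thread) every N seconds.
 # Set to "" or 0 to disable. Default is disabled.
 # statistics-interval: 0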
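Review bot: The added `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow` lines, combined with `interface: 0.0.0.0` and `interface: ::0` in the second hunk, make this example answer recursive queries from any source address. The only thing keeping it from being an open resolver is the firewall that the comment mentions in passing. Example configs tend to be deployed as-is, so I would keep the wildcard listeners but scope the ACL, e.g. `access-control: 127.0.0.0/8 allow`, `access-control: ::1 allow`, plus one line per LAN prefix added by the admin. The comment should also say that a WAN-reachable instance with the current lines can be abused for reflection/amplification. Separately, `outgoing-port-permit: "10240-65335"` looks like a typo for 65535, and the pidfile comment spells "privleges".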