diff --git a/network/dns/unbound.conf b/network/dns/unbound.conf
index e4f14eb7a334345655a8ea13b12c6db6b203fd30..da40bed641800837e0055d167efd53958d8dc34b 100644
--- a/network/dns/unbound.conf
+++ b/network/dns/unbound.conf
@@ -176,7 +176,7 @@ server:
 # The number of retries, per upstream nameserver in a delegation, when
 # a throwaway response (also timeouts) is received.
- # outbound-msg-retry: 5
+ outbound-msg-retry: 10
 # Hard limit on the number of outgoing queries Unbound will make while
 # resolving a name, making sure large NS sets do not loop.
@@ -446,7 +446,7 @@ server:
 # log-local-actions: no
 # print log lines that say why queries return SERVFAIL to clients.
- # log-servfail: no
+ log-servfail: yes
 # the pid file. Can be an absolute path outside of chroot/work dir.
 # pidfile: "/run/unbound.pid"
@@ -577,6 +577,9 @@ server:
 domain-insecure: "home"
 domain-insecure: "lan"
+ domain-insecure: "dyn.blatto.eu"
+ domain-insecure: "cdwifi.cz"
+
 # If nonzero, unwanted replies are not only reported in statistics,
 # but also a running total is kept per thread. If it reaches the
 # threshold, a warning is printed and a defensive action is taken,
@@ -597,7 +600,7 @@ server:
 prefetch: yes
 # if yes, perform key lookups adjacent to normal lookups.
- # prefetch-key: no
+ prefetch-key: yes
 # deny queries of type ANY with an empty response.
 # deny-any: no
@@ -666,7 +669,7 @@ server:
 # The time to live for bogus data, rrsets and messages. This avoids
 # some of the revalidation, until the time interval expires. in secs.
- # val-bogus-ttl: 60
+ val-bogus-ttl: 1
 # The signature inception and expiration dates are allowed to be off
 # by 10% of the signature lifetime (expir-incep) from our local clock.
@@ -1344,4 +1347,12 @@ remote-control:
 # forward-first: yes
 # forward-no-cache: no
-include: "/etc/unbound/resolvconf.conf"
+forward-zone:
+ name: "blatto.eu"
+ forward-addr: 2a01:510:d504:751b::1
+
+
+forward-zone:
+ name: "."
+ forward-addr: 2a01:510:d504:751b::1
+
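Review bot: The two added `domain-insecure` entries (`dyn.blatto.eu` and `cdwifi.cz`) in the `@@ -577,6 +577,9 @@` hunk switch off DNSSEC validation for those names and everything beneath them, and nothing in the file records why. With validation off, a forged answer for either zone is accepted and cached like any other, on every network this resolver is used from, not only the one where the exception was needed. I would put a comment above each entry naming the reason and the condition for removing it, for example `# <why validation fails for this zone>; remove once <condition>`, and keep each exception as narrow as the failing names allow. The `server:` clause these lines belong to starts and ends outside the hunk.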
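Review bot: `val-bogus-ttl: 1` in the `@@ -666,7 +669,7 @@` hunk removes almost all caching of validation failures, so nearly every client retry for a bogus name triggers a fresh upstream fetch and signature check. Combined with `outbound-msg-retry: 10` from the `@@ -176,7 +176,7 @@` hunk, a zone that is broken or deliberately made to fail validation costs this resolver and its forwarder noticeably more work per query than the commented defaults would. If the short TTL is there to recover quickly while debugging, say so in a comment and return to a value near the default afterwards, for example `# lowered while debugging <issue>; default is 60` above the setting. The enclosing `server:` clause is only partly visible in both hunks.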
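Review bot: After the `@@ -1344,4 +1347,12 @@` hunk every query leaves through a single forwarder, `2a01:510:d504:751b::1`, over plain DNS, and as written the `blatto.eu` zone only repeats what the `.` zone already does. Local DNSSEC validation still protects signed zones, but unsigned zones and the `domain-insecure` names added earlier in this diff are accepted exactly as that upstream, or anyone on the path to it, returns them; a single IPv6-only address also means resolution stops whenever it is unreachable. Consider a second `forward-addr:` line and, if the upstream offers DNS over TLS, `forward-tls-upstream: yes` with the address written as `<addr>@853#<auth-name>`. Removing `include: "/etc/unbound/resolvconf.conf"` presumably also stops network-supplied resolvers from being picked up; if that is intended, a one-line comment such as `# resolvconf include dropped on purpose: <reason>` would record it.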