# permit unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
-@@ -71,9 +74,11 @@ server:
+@@ -73,9 +76,11 @@ server:
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
# 0 is system default. Use 4m to catch query spikes for busy servers.
-@@ -90,18 +95,22 @@ server:
+@@ -96,18 +101,22 @@ server:
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
# msg-buffer-size: 65552
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
-@@ -109,11 +118,13 @@ server:
+@@ -115,11 +124,13 @@ server:
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
-@@ -131,9 +142,11 @@ server:
+@@ -137,9 +148,11 @@ server:
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# infra-cache-slabs: 4
# Enable IPv4, "yes" or "no".
# do-ip4: yes
-@@ -164,6 +177,8 @@ server:
+@@ -170,6 +183,8 @@ server:
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
-@@ -194,6 +209,7 @@ server:
+@@ -200,6 +215,7 @@ server:
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
# username: "@UNBOUND_USERNAME@"
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
-@@ -216,10 +232,12 @@ server:
+@@ -222,10 +238,12 @@ server:
# the pid file. Can be an absolute path outside of chroot/work dir.
# pidfile: "@UNBOUND_PIDFILE@"
# enable to not answer id.server and hostname.bind queries.
# hide-identity: no
-@@ -242,12 +260,15 @@ server:
+@@ -248,12 +266,15 @@ server:
# positive value: fetch that many targets opportunistically.
# Enclose the list of numbers between quotes ("").
# target-fetch-policy: "3 2 1 0 0"
# Harden against out of zone rrsets, to avoid spoofing attempts.
# harden-glue: yes
-@@ -328,7 +349,7 @@ server:
+@@ -334,7 +355,7 @@ server:
# you start unbound (i.e. in the system boot scripts). And enable:
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
-@@ -414,15 +435,18 @@ server:
+@@ -420,15 +441,18 @@ server:
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
# neg-cache-size: 1m
+ neg-cache-size: 10k
- # a number of locally served zones can be configured.
- # local-zone: <zone> <type>
+ # By default, for a number of zones a small default 'nothing here'
+ # reply is built-in. Query traffic is thus blocked. If you