production-openbsd/etc/unbound.conf

# /var/unbound/etc/unbound.conf — recursive DNS resolver
#
# Listens on:
#   127.0.0.1:53          — for local apps (acme-client, relayd)
#   10.10.10.1:53         — for nullstone over WG tunnel
#   192.168.0.50:53       — for LAN clients (LAN IP of T5600; adjust)
#
# Pi-hole stays on the Pi for LAN ad-blocking; Pi-hole's upstream is set
# to THIS unbound instance (10.10.10.1 via tunnel OR LAN IP direct).
#
# Reload: rcctl reload unbound
# Test:   dig @127.0.0.1 example.com

server:
    interface: 127.0.0.1
    interface: 10.10.10.1
    interface: 192.168.0.50

    # Restrict who can query
    access-control: 127.0.0.0/8 allow
    access-control: 10.10.10.0/29 allow      # WG mesh
    access-control: 192.168.0.0/24 allow     # LAN
    access-control: 0.0.0.0/0 refuse         # block public recursive abuse

    # Hide identity
    hide-identity: yes
    hide-version: yes

    # Cache + perf
    msg-cache-size: 64m
    rrset-cache-size: 128m
    cache-min-ttl: 60
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes

    # DNSSEC validation
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-clean-additional: yes

    # Privacy
    qname-minimisation: yes
    aggressive-nsec: yes
    minimal-responses: yes
    do-not-query-localhost: no   # allow forwarding to local Pi-hole if you do that later

    # Drop common bogus
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # ... but allow our own ranges to be returned in answers
    private-domain: "s8n.ru"
    private-domain: "veilor.uk"

    # Local zone for internal hosts (nullstone, edge, etc.) — fill from /etc/hosts
    local-zone: "s8n.ru." typetransparent
    local-data: "edge.s8n.ru.   IN A 10.10.10.1"
    local-data: "nullstone.s8n.ru. IN A 10.10.10.2"

    # Logs
    use-syslog: yes
    log-queries: no
    log-replies: no

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock
feat: production-openbsd v0.1 scaffold Sister to s8n/production-deb. Edge-box config + provision script for running the OpenBSD-edge role per s8n/production-setup-audit Topology 02. v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision from onyx. Autoinstall ISO build deferred to v0.2. Layout: README.md workflow + service mapping (Debian → OpenBSD) flash.sh burn stock install76.iso to USB etc/ pf / relayd / acme-client / unbound / hostname.wg0.example / sshd_config / doas.conf scripts/ provision.sh from onyx: SSH+git clone+run install.sh install.sh on edge: copy /etc/, validate, restart, cron cert-renew-check.sh weekly LE renewal read-logs.sh pull /var/log/ for offline diagnostics docs/ setup-checklist.md 7-phase first-time install walkthrough Hardware target: Dell Precision T5600 per s8n/production-setup-audit/hardware/dell-t5600.md WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820. Keys generated per-host (NEVER committed to repo). Public traffic flow after migration: Internet → router → edge T5600 (relayd TLS term) → wg0 → nullstone Traefik (10.10.10.2:8443, private only) CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated; public IP runs OpenBSD base only — no systemd, no glibc, no Docker. 2026-05-08 14:10:29 +01:00			`# /var/unbound/etc/unbound.conf — recursive DNS resolver`
			`#`
			`# Listens on:`
			`# 127.0.0.1:53 — for local apps (acme-client, relayd)`
			`# 10.10.10.1:53 — for nullstone over WG tunnel`
			`# 192.168.0.50:53 — for LAN clients (LAN IP of T5600; adjust)`
			`#`
			`# Pi-hole stays on the Pi for LAN ad-blocking; Pi-hole's upstream is set`
			`# to THIS unbound instance (10.10.10.1 via tunnel OR LAN IP direct).`
			`#`
			`# Reload: rcctl reload unbound`
			`# Test: dig @127.0.0.1 example.com`

			`server:`
			`interface: 127.0.0.1`
			`interface: 10.10.10.1`
			`interface: 192.168.0.50`

			`# Restrict who can query`
			`access-control: 127.0.0.0/8 allow`
			`access-control: 10.10.10.0/29 allow # WG mesh`
			`access-control: 192.168.0.0/24 allow # LAN`
			`access-control: 0.0.0.0/0 refuse # block public recursive abuse`

			`# Hide identity`
			`hide-identity: yes`
			`hide-version: yes`

			`# Cache + perf`
			`msg-cache-size: 64m`
			`rrset-cache-size: 128m`
			`cache-min-ttl: 60`
			`cache-max-ttl: 86400`
			`prefetch: yes`
			`prefetch-key: yes`

			`# DNSSEC validation`
			`auto-trust-anchor-file: "/var/unbound/db/root.key"`
			`val-clean-additional: yes`

			`# Privacy`
			`qname-minimisation: yes`
			`aggressive-nsec: yes`
			`minimal-responses: yes`
			`do-not-query-localhost: no # allow forwarding to local Pi-hole if you do that later`

			`# Drop common bogus`
			`private-address: 10.0.0.0/8`
			`private-address: 172.16.0.0/12`
			`private-address: 192.168.0.0/16`
			`# ... but allow our own ranges to be returned in answers`
			`private-domain: "s8n.ru"`
			`private-domain: "veilor.uk"`

			`# Local zone for internal hosts (nullstone, edge, etc.) — fill from /etc/hosts`
			`local-zone: "s8n.ru." typetransparent`
			`local-data: "edge.s8n.ru. IN A 10.10.10.1"`
			`local-data: "nullstone.s8n.ru. IN A 10.10.10.2"`

			`# Logs`
			`use-syslog: yes`
			`log-queries: no`
			`log-replies: no`

			`remote-control:`
			`control-enable: yes`
			`control-interface: /var/run/unbound.sock`