# ─────────────────────────────────────────────────────────────────────────────
# Runbound — Office / SMB network configuration
#
# Use-case: Office with split-horizon DNS.
# - corp.example.com → internal zone answered authoritatively by Runbound
# - everything else → forwarded to ISP / public DNS
# - Blocks known-malware domains via REST API feeds (URLhaus, etc.)
# - DoT enabled for secure inter-office resolvers
# ─────────────────────────────────────────────────────────────────────────────
server:
# Listen on every IPv4 address; the only port bound in this clause is 53
# (plain DNS).
# NOTE(review): do-ip6 is enabled below but no IPv6 listen address is given,
# and the header promises DoT on 853 yet no 853 listener appears here —
# confirm how Runbound binds the TLS port (Unbound needs a separate
# `interface: ...@853` plus tls-port; Runbound may bind it implicitly).
interface: 0.0.0.0
port: 53
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
# ── Access control ───────────────────────────────────────────────────────
# Loopback, office LAN and VPN clients may query; the 0.0.0.0/0 entry is the
# explicit default-deny for every other IPv4 source.
# NOTE(review): no IPv6 source ranges are listed although do-ip6 is on —
# confirm that IPv6 clients not matched by any entry are refused by default.
access-control: 127.0.0.0/8 allow
access-control: 10.10.0.0/16 allow # office LAN
access-control: 172.16.0.0/12 allow # VPN range
access-control: 0.0.0.0/0 refuse
# Abuse throttle and answer-cache TTL ceiling (seconds). The unit and scope
# of rate-limit (per second? per client?) are not stated here — confirm
# against the Runbound reference before tuning.
rate-limit: 1000
cache-max-ttl: 3600
# ── DNS rebinding protection ─────────────────────────────────────────────
# Upstream answers that resolve to these ranges are treated as private so a
# public name cannot be pointed at an internal host. Only the IPv4 RFC 1918
# ranges plus loopback are listed.
# NOTE(review): with do-ip6 on, the IPv6 equivalents (::1, fc00::/7,
# fe80::/10) and IPv4 link-local 169.254.0.0/16 are not covered — consider
# adding them with further private-address entries.
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 127.0.0.0/8
# ── Internal corporate zone ───────────────────────────────────────────────
# Answered authoritatively from the local-data records below. In Unbound
# semantics `static` means names under this zone that are not listed get a
# negative answer instead of being looked up elsewhere — confirm Runbound
# matches.
# NOTE(review): a forward-zone for the same name is declared further down;
# if local zones take precedence over forward zones (as in Unbound) that
# forward-zone is never consulted. Decide which of the two owns
# corp.example.com. and remove the other.
local-zone: "corp.example.com." static
# Management plane
local-data: "dns.corp.example.com. 300 IN A 10.10.0.5"
local-data: "ldap.corp.example.com. 300 IN A 10.10.0.10"
local-data: "mail.corp.example.com. 300 IN A 10.10.0.11"
local-data: "intranet.corp.example.com. 300 IN A 10.10.0.20"
local-data: "git.corp.example.com. 300 IN A 10.10.0.21"
local-data: "vpn.corp.example.com. 300 IN A 10.10.0.1"
# ── Blocked internal domains ─────────────────────────────────────────────
# Social media during work hours (manage via REST API in production)
# local-zone: "facebook.com." always_nxdomain
# local-zone: "twitter.com." always_nxdomain
# ── Memory guard (always active — no config needed) ─────────────────────
# At ≥ 80 % system RAM: rate-limiter + resolver cache purged automatically.
# Inflight semaphore: max 4 096 concurrent requests → REFUSED if exceeded.
# ── TLS — DNS-over-TLS on port 853 ──────────────────────────────────────
# Generate with: runbound --gen-cert dns.corp.example.com
# Or use Let's Encrypt:
# certbot certonly --standalone -d dns.corp.example.com
# Server certificate and private key presented to DoT clients. Keep the key
# file readable only by the Runbound service account; anyone who can read it
# can impersonate this resolver to the other offices.
tls-service-pem: /etc/runbound/cert.pem
tls-service-key: /etc/runbound/key.pem
# ── Corporate internal DNS → offices that have an AD/internal zone ────────────
# Forwards corp.example.com. to the internal resolver at 10.10.0.5 (the same
# address the server clause publishes as dns.corp.example.com.) over plain
# DNS on port 53 — acceptable on the office LAN, not across untrusted links.
# NOTE(review): the server clause also declares corp.example.com. as a
# static local-zone; if local zones win, this forward-zone is dead
# configuration. If forwarding is the intent, answers in 10.10.0.0/16 would
# fall under the private-address filter above unless Runbound exempts this
# zone (Unbound's private-domain) — confirm the intended behaviour.
forward-zone:
name: "corp.example.com."
forward-addr: 10.10.0.5@53
# ── Everything else → Cloudflare DoT (encrypted) ─────────────────────────────
# Catch-all: any name not answered locally goes to 1.1.1.1 / 1.0.0.1 on
# port 853 with TLS to the upstream.
# NOTE(review): nothing here names a CA bundle or the expected upstream
# hostname, so unless Runbound verifies upstream certificates by default
# this is encryption without authentication of the upstream — an on-path
# party presenting any certificate would be accepted. Confirm, and pin
# whatever Runbound uses for CA and hostname verification (Unbound's
# equivalents are tls-cert-bundle and a `#hostname` suffix on forward-addr).
forward-zone:
name: "."
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-tls-upstream: yes