Unbound + DNSCrypt configuration
dnscrypt-proxy settings: two loopback listeners (127.0.0.1 and 127.0.0.2) on local port 9053, each pinned to one dnscrypt.eu resolver by provider name and provider public key, talking to the resolver on port 443:
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=9053
DNSCRYPT_RESOLVERPORT=443
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver2.dnscrypt.eu
DNSCRYPT_PROVIDER_NAME2=2.dnscrypt-cert.resolver1.dnscrypt.eu
DNSCRYPT_PROVIDER_KEY=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955
DNSCRYPT_PROVIDER_KEY2=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
DNSCRYPT_RESOLVERIP=77.66.84.233
DNSCRYPT_RESOLVERIP2=176.56.237.171
Static local zone for the LAN, pulled into the server: clause of unbound.conf below through its include: lines (a static zone answers NXDOMAIN for any name under home. that is not listed here, and local-data-ptr creates the matching in-addr.arpa records):
local-zone: "home." static
local-data: "raspberry.home. IN A 192.168.0.253"
local-data: "router.home. IN A 192.168.0.254"
local-data-ptr: "192.168.0.253 raspberry.home."
local-data-ptr: "192.168.0.254 router.home."
unbound.conf:
server:
    # Core cpu count
    num-threads: 2
    # DNSSEC validation
    # Trust anchor fetched/refreshed via: unbound-anchor -v -a /etc/unbound/root.key
    auto-trust-anchor-file: "/etc/unbound/root.key"
    module-config: "validator iterator"
    # Downloaded via: wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints
    # (only consulted if the forward-zone below is removed and unbound recurses itself)
    root-hints: "/etc/unbound/root.hints"
    interface: 0.0.0.0 # listen on every IPv4 address; the access-control list below limits who may query
    port: 53 # port to answer queries from
    do-ip4: yes # Enable IPv4, "yes" or "no".
    do-ip6: no # Enable IPv6, "yes" or "no".
    do-udp: yes # Enable UDP, "yes" or "no".
    do-tcp: yes # Enable TCP, "yes" or "no".
    # Hide unbound information (id.server / version.server CHAOS queries)
    hide-identity: yes
    hide-version: yes
    # If yes, Unbound rotates RRSet order in the response. This is almost the
    # same as Thijs Kinkhorst's implementation except that the random number
    # source is the query-id.
    rrset-roundrobin: yes
    # Time to live minimum for RRsets and messages in the cache. Note that
    # this overrides shorter TTLs chosen by the zone owner.
    cache-min-ttl: 60
    # If yes, Unbound doesn't insert authority/additional sections into the
    # response message when those sections are not required. This is
    # similar to BIND9's minimal-responses or Google Public DNS behaviour.
    minimal-responses: no
    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This perturbs the lowercase and uppercase of query names sent
    # upstream and checks that the reply still has the same casing.
    # Disabled by default; an implementation of draft dns-0x20.
    use-caps-for-id: yes
    # If yes, message cache elements are prefetched before they expire
    # to keep the cache up to date.
    prefetch: yes
    # If yes, fetch the DNSKEYs earlier in the validation process,
    # when a DS record is encountered.
    prefetch-key: yes
    # ACL: only loopback and the LAN may query; everything else is refused
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # DNS rebinding protection: answers from upstream may not contain these
    # addresses (they are stripped) ...
    private-address: 192.168.0.0/24
    # ... except for names under this domain, which is served locally anyway
    private-domain: "home."
    # Local zone definition (the static home. zone and its PTR records)
    include: /etc/unbound/forward.conf
    include: /etc/unbound/reverse.conf
    # Must be "no" so that unbound may forward to dnscrypt-proxy on loopback
    # (the default "yes" refuses to send queries to 127.0.0.0/8)
    do-not-query-localhost: no
# Disable remote control
remote-control:
    control-enable: no
# Forward all queries to the local dnscrypt-proxy listeners (DNSCRYPT_LOCALIP
# and DNSCRYPT_LOCALIP2 above; the second entry assumes that listener also
# uses DNSCRYPT_LOCALPORT). Any plain forward-addr left active here sends
# queries as unencrypted DNS and bypasses DNSCrypt completely, which is the
# mistake pointed out in the comments below.
forward-zone:
    name: "."
    # DNSCrypt
    forward-addr: 127.0.0.1@9053
    forward-addr: 127.0.0.2@9053
    # OpenDNS (plain DNS, unencrypted; kept only for reference, must stay commented out)
    # forward-addr: 208.67.222.222
    # forward-addr: 208.67.220.220
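The check that would have caught the problem raised in the comments below (a plain forward-addr left active, so every query skips dnscrypt-proxy), as an added script that is not part of this gist. It assumes dig, unbound-checkconf, tcpdump and timeout are installed, that the config lives at /etc/unbound/unbound.conf (override with CONF=), that the LAN is 192.168.0.0/24 on the interface named in IFACE (eth0 is a placeholder), and it uses dnssec-failed.org, a public test zone with deliberately broken signatures. The static part scans any unbound forward-zone, not just this one; the live part exercises the running stack end to end:

```shell
#!/bin/sh
# Added check script, not part of the gist: verifies that unbound really sends
# every query through dnscrypt-proxy on loopback and that DNSSEC validation works.
# Assumptions: dig, unbound-checkconf, tcpdump and timeout are installed; the
# config is at $CONF; the LAN is 192.168.0.0/24 on interface $IFACE (eth0 is a
# placeholder; override with IFACE=...).

CONF="${CONF:-/etc/unbound/unbound.conf}"
IFACE="${IFACE:-eth0}"

# Static check: print every active (uncommented) forward-addr that is not on
# 127.0.0.0/8. Such an entry sends queries as plain DNS and bypasses DNSCrypt.
# Note: only the given file is scanned; include: lines are not followed.
plain_forwarders() {
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
        | grep -v '^127\.' || true
}

# Succeeds only when no plain forwarder is active in the file.
forwarders_ok() {
    [ -z "$(plain_forwarders "$1")" ]
}

# Succeeds when a full dig output carries the AD (authenticated data) flag,
# i.e. the validator accepted the DNSSEC chain for that answer.
has_ad_flag() {
    printf '%s\n' "$1" | grep -q 'flags:[^;]* ad[ ;]'
}

# Live checks against the running stack (run as: sh check-dns.sh live).
live_check() {
    unbound-checkconf "$CONF" >/dev/null || { echo "FAIL: unbound-checkconf rejects $CONF"; return 1; }
    forwarders_ok "$CONF" || { echo "FAIL: plain forwarders active:"; plain_forwarders "$CONF"; return 1; }

    # 1. dnscrypt-proxy itself answers on the port unbound forwards to.
    [ -n "$(dig +short @127.0.0.1 -p 9053 . SOA)" ] \
        || { echo "FAIL: dnscrypt-proxy not answering on 127.0.0.1:9053"; return 1; }

    # 2. The root zone is signed, so unbound's answer must carry the AD flag.
    has_ad_flag "$(dig @127.0.0.1 . SOA)" \
        || { echo "FAIL: no AD flag, DNSSEC validation is not happening"; return 1; }

    # 3. dnssec-failed.org (public test zone with deliberately broken
    #    signatures) must be refused with SERVFAIL, not served.
    dig @127.0.0.1 dnssec-failed.org A | grep -q 'status: SERVFAIL' \
        || { echo "FAIL: bogus DNSSEC data was served"; return 1; }

    # 4. The static home. zone answers for LAN names.
    [ "$(dig +short @127.0.0.1 router.home A)" = "192.168.0.254" ] \
        || { echo "FAIL: router.home not served from the local zone"; return 1; }

    # 5. While resolving an uncached name, no cleartext DNS may leave the box:
    #    a query to port 53 not destined for the LAN itself. Needs root for
    #    tcpdump; tcpdump exits 0 if a packet was seen, timeout returns 124.
    timeout 5 tcpdump -ni "$IFACE" -c 1 \
        'dst port 53 and not dst net 192.168.0.0/24' >/dev/null 2>&1 &
    pid=$!
    sleep 1
    dig +short @127.0.0.1 "probe-$(date +%s).example.com" A >/dev/null
    if wait "$pid"; then echo "FAIL: cleartext DNS seen leaving $IFACE"; return 1; fi

    echo "OK: all checks passed"
}

case "${1:-}" in
    live)   live_check ;;
    static) forwarders_ok "$CONF" && echo "OK: forward-zone uses loopback only" \
                || { echo "FAIL: plain forwarders active:"; plain_forwarders "$CONF"; exit 1; } ;;
    *)      echo "usage: $0 static|live" ;;
esac
```

Run `sh check-dns.sh static` from a deploy hook to refuse a config with an unencrypted forwarder, and `sh check-dns.sh live` (as root, for tcpdump) after a restart. The static scan is deliberately dumb: it does not follow include: files, so point it at the file that actually carries the forward-zone.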
@felmey commented May 31, 2018

Doesn't commenting out line 78 of your "unbound.conf" like you have bypass dnscrypt completely causing all your traffic to go to those OpenDNS servers?

@shatfel commented Mar 30, 2021

Nice software

@Zenithar (owner, author) commented Mar 30, 2021

> Doesn't commenting out line 78 of your "unbound.conf" like you have bypass dnscrypt completely causing all your traffic to go to those OpenDNS servers?

Yes you are right, I forgot to restore it as it was. Now I'm using AdGuardHome + CoreDNS to do the same thing.
