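server:
# Module pipeline: "subnetcache" (EDNS Client Subnet) first, then the DNSSEC
# "validator", then the "iterator". Drop "subnetcache" if ECS is not wanted
# (see the ECS section further down).
module-config: "subnetcache validator iterator"
# Run chrooted as an unprivileged user. Paths below that begin with the chroot
# prefix are rewritten by Unbound; everything it reads or writes at runtime
# (root.hints, root.key, the log file, the control keys) has to live inside it.
chroot: "/usr/local/etc/unbound"
directory: "/usr/local/etc/unbound"
username: "unbound"
port: 5353
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
# NOTE(review): set to "no" when a supervisor or container expects the process
# to stay in the foreground (the linked unbound-docker image is run that way).
do-daemonize: yes
# Loopback only: the usual layout for a local forwarder (e.g. Pi-hole) that
# sends its queries to 127.0.0.1#5353. Nothing on the LAN can reach this
# socket, so the 10.0.0.0/24 access-control below has no effect until an
# interface on that network is added here.
interface: 127.0.0.1@5353
#interface: ::0@5353
# Only give access to recursion clients from LAN IPs. Localhost (127.0.0.0/8
# and ::1) is allowed by Unbound's built-in default; every address not listed
# is refused.
#access-control: 127.0.0.1/32 allow
#access-control: 192.168.0.0/16 allow
#access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/24 allow
# access-control: fc00::/7 allow
# access-control: ::1/128 allow
# Use this only when you downloaded the list of primary root servers!
# Location of root.hints. Omit the option to use the list compiled into
# Unbound; if set, keep the file current (it lives inside the chroot).
root-hints: "/usr/local/etc/unbound/trust/root.hints"
# RFC 5011 managed trust anchor. Unbound rewrites this file on a KSK rollover,
# so the file and its directory must be writable by the "unbound" user.
auto-trust-anchor-file: "/usr/local/etc/unbound/trust/root.key"
# https://github.com/MatthewVance/unbound-docker
# Refuse ANY queries (classic amplification vector).
deny-any: yes
# DNS rebinding protection: these ranges are stripped from answers for public
# names (and the validator may mark such answers bogus). Only the listed
# blocks are protected, so add every range in use on the LAN. Internal zones
# that legitimately return such addresses need a matching private-domain.
#private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
#private-address: 172.16.0.0/12
private-address: 10.0.0.0/24
# Loopback is the prime rebinding target (local admin UIs, the control port
# in remote-control below); no public name should resolve to it.
private-address: 127.0.0.0/8
#private-address: fd00::/8
#private-address: fe80::/10
# Rotates RRSet order in response (the pseudo-random number is taken from the
# query ID, for speed and thread safety).
rrset-roundrobin: yes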
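##################
# LOG FILE STUFF #
##################
verbosity: 0
# Do not print log lines to inform about local zone actions
log-local-actions: no
# Do not print one line per query to the log
log-queries: no
# Do not print one line per reply to the log
log-replies: no
# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no
# Log to a file relative to "directory" (inside the chroot, so it must be
# writable by the unbound user). use-syslog defaults to yes and overrides
# logfile, so it has to be switched off for the logfile setting to take effect.
use-syslog: no
logfile: "unbound.log"
# DNSSEC validation failures are logged at this level regardless of verbosity;
# with everything else silenced they are the one signal worth keeping for
# troubleshooting and for spotting tampered or mis-signed zones.
val-log-level: 1
# Whether loopback addresses are on the do-not-query list. The default (yes)
# stops the resolver from following a delegation that points at 127.0.0.1,
# which matters when another resolver listens on port 53 of this host. Set it
# to "no" only if a forward-zone or stub-zone targets localhost; none in this
# file does.
do-not-query-localhost: yes
# Number of bytes size of the aggressive negative cache.
neg-cache-size: 4M
# Harden against algorithm downgrade when multiple algorithms are advertised
# in the DS record.
harden-algo-downgrade: yes
# Ignore very large queries.
harden-large-queries: yes
# Perform additional queries for infrastructure data to harden the referral
# path. Validates the replies if trust anchors are configured and the zones
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
# nameserver addresses that are encountered on the referral path to the
# answer. Experimental option.
harden-referral-path: no
# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes
# Refuse id.server and hostname.bind queries
hide-identity: yes
# Refuse version.server and version.bind queries
hide-version: yes
# Report this identity rather than the hostname of the server (only reachable
# if hide-identity is switched off).
identity: "DNS"
# Enable ratelimiting of queries (per second) sent to nameservers for
# performing recursion. More queries are turned away with an error (servfail).
# This stops recursive floods (e.g., random query names), but not spoofed
# reflection floods. Cached responses are not rate limited by this setting.
# Experimental option.
ratelimit: 1000
# Total number of unwanted replies to keep track of in every thread. When it
# reaches the threshold, a defensive action of clearing the rrset and message
# caches is taken, hopefully flushing away any poison. The man page suggests
# 10 million; the earlier value of 10000 was three orders of magnitude lower,
# so a modest burst of unsolicited replies would flush the entire cache.
unwanted-reply-threshold: 10000000
# Help protect users that rely on this validator for authentication from
# potentially bad data in the additional section. Instruct the validator to
# remove data from the additional section of secure messages that are not
# signed properly. Messages that are insecure, bogus, indeterminate or
# unchecked are not affected.
val-clean-additional: yes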
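###########################################################################
# PERFORMANCE SETTINGS https://nlnetlabs.nl/documentation/unbound/howto-optimise/
# Number of slabs in the infrastructure cache. Slabs reduce lock contention
# by threads. Must be set to a power of 2.
infra-cache-slabs: 2
# Number of slabs in the key cache. Slabs reduce lock contention by threads.
# Must be set to a power of 2. Setting (close) to the number of cpus is a
# reasonable guess.
key-cache-slabs: 2
# Number of slabs in the message cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number of cpus
# is a reasonable guess.
msg-cache-slabs: 2
# The number of queries that every thread will service simultaneously. If more
# queries arrive that need servicing, and no queries can be jostled out (see
# jostle-timeout), then the queries are dropped. This is best set at half the
# outgoing-range. Using more than 1024 file descriptors per thread requires an
# Unbound built with libevent.
num-queries-per-thread: 4096
# Number of ports to open. This number of file descriptors can be opened per
# thread.
outgoing-range: 8192
# Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
# Must be set to a power of 2.
rrset-cache-slabs: 2
# Do not insert authority/additional sections into response messages when
# those sections are not required. This reduces response size significantly,
# and may avoid TCP fallback for some responses. This may cause a slight
# speedup.
minimal-responses: yes
# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of a little
# more CPU usage.
prefetch-key: yes
# Serve expired entries (TTL 0 in the response) while the real resolution runs
# in the background; the fresh answer lands in the cache afterwards.
serve-expired: yes
# Bound how long past expiry a stale record may be served. The default (0) is
# no limit, i.e. a record that has gone away, or been reclaimed after a
# takeover, keeps being answered for as long as it survives in cache. The
# original line was misspelled "serve-exipred-ttl", which unbound-checkconf
# rejects, so it never took effect.
serve-expired-ttl: 3600
aggressive-nsec: yes
delay-close: 10000
# ECS (EDNS Client Subnet) support; needs "subnetcache" in module-config.
# client-subnet-zone "." sends the client's subnet (its source address, or the
# ECS it supplied, truncated to the prefix lengths below) to the authoritative
# servers of every zone. For clients on loopback or RFC 1918 space that tells
# the authority nothing useful, it keys the cache per subnet (lower hit rate),
# and it exposes the internal address layout to every authority queried.
# Restrict it to the zones that need it, or drop the subnetcache module
# unless an upstream relies on ECS.
client-subnet-zone: "."
client-subnet-always-forward: yes
max-client-subnet-ipv4: 24
max-client-subnet-ipv6: 48
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones; if such data is absent, the
# zone becomes BOGUS. If you want to disable DNSSEC, set
# harden-dnssec-stripped: no
harden-dnssec-stripped: yes
qname-minimisation: yes
harden-below-nxdomain: yes
# Use capitalization randomization (0x20). This is an experimental resilience
# method which uses upper and lower case letters in the question hostname to
# obtain randomness. Two names with the same spelling but different case
# should be treated as identical. Attackers hoping to poison a DNS cache must
# guess the mixed-case encoding of the query, which increases the difficulty
# of such an attack significantly.
use-caps-for-id: yes
# EDNS reassembly buffer size advertised in outgoing queries. 1232 is the DNS
# Flag Day 2020 value (and Unbound's default since 1.12): it fits an
# unfragmented packet on any IPv6 path and sidesteps fragmentation-based
# poisoning, which the previous 1472 still left room for.
edns-buffer-size: 1232
# TTL bounds for the cache (domains will be cached for a minimum of 3600
# seconds).
# https://www.reddit.com/r/pihole/comments/d9j1z6/unbound_as_recursive_dns_server_slow_performance/
# cache-min-ttl raises every TTL below it to one hour: answers keep being
# served for up to an hour after the zone owner changed them (failover,
# revoked hosts, cleaned-up records). The man page warns that high values let
# the cache drift from the real data; 300 is the safer choice if that matters.
#cache-min-ttl: 300
cache-min-ttl: 3600
cache-max-ttl: 86400
# Perform prefetching of close-to-expired message cache entries. This only
# applies to domains that have been frequently queried. This flag updates the
# cached domains.
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines
num-threads: 1
# More cache memory. rrset-cache-size should be twice what msg-cache-size is.
# https://www.reddit.com/r/pihole/comments/d9j1z6/unbound_as_recursive_dns_server_slow_performance/
msg-cache-size: 128m
rrset-cache-size: 256m
#msg-cache-size: 50m
#rrset-cache-size: 100m
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# Ensure the kernel buffer is large enough to not lose messages in traffic
# spikes
so-rcvbuf: 1m
# Number of incoming TCP buffers to allocate per thread. Default
# is 10. If set to 0, or if do-tcp is "no", no TCP queries from
# clients are accepted. For larger installations increasing this
# value is a good idea.
incoming-num-tcp: 20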
#forward-zone:
# Forward all queries (except those in cache and local zone) to
# upstream recursive servers
#name: "."
# Queries to this forward zone use TLS. The "#hostname" suffix on each
# forward-addr is only checked against the server certificate when server:
# also has tls-cert-bundle (a CA bundle readable from this chroot) set;
# without it the TLS session is unauthenticated and open to interception.
#forward-tls-upstream: yes
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
# Cloudflare
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
#forward-addr: 1.0.0.1@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
# CleanBrowsing
#forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
#forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
#forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
#forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
# Quad9
# forward-addr: 9.9.9.9@853#dns.quad9.net
# forward-addr: 149.112.112.112@853#dns.quad9.net
# forward-addr: 2620:fe::fe@853#dns.quad9.net
# forward-addr: 2620:fe::9@853#dns.quad9.net
# getdnsapi.net
# forward-addr: 185.49.141.37@853#getdnsapi.net
# forward-addr: 2a04:b900:0:100::37@853#getdnsapi.net
# Surfnet
# forward-addr: 145.100.185.15@853#dnsovertls.sinodun.com
# forward-addr: 145.100.185.16@853#dnsovertls1.sinodun.com
# forward-addr: 2001:610:1:40ba:145:100:185:15@853#dnsovertls.sinodun.com
# forward-addr: 2001:610:1:40ba:145:100:185:16@853#dnsovertls1.sinodun.com
remote-control:
# unbound-control channel, bound to loopback only. Keep it on 127.0.0.1: the
# channel can flush caches, change local zones and reload the server. Mutual
# TLS is on by default (control-use-cert: yes); generate the key pairs with
# unbound-control-setup, keep the private keys readable by root and the
# "unbound" user only, and note that the paths below are inside the chroot.
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
server-key-file: "/usr/local/etc/unbound/trust/unbound_server.key"
server-cert-file: "/usr/local/etc/unbound/trust/unbound_server.pem"
control-key-file: "/usr/local/etc/unbound/trust/unbound_control.key"
control-cert-file: "/usr/local/etc/unbound/trust/unbound_control.pem"