@lattera
Created April 9, 2021 22:12
# /etc/rc.conf for the "dns-01" host: network identity, base services,
# and the unbound resolver.  Every value is read by the rc(8) framework
# at boot; assignments are independent, so they are grouped here by role.

## --- Host identity and addressing ---
hostname="dns-01"
# Static IPv4 on igb0 with its default gateway.
ifconfig_igb0="inet 192.168.99.10 netmask 255.255.255.0"
defaultrouter="192.168.99.1"
# Static IPv6 on the same interface with its default gateway.
ifconfig_igb0_ipv6="inet6 2001:470:e1e1:1:20d:b9ff:fe49:bfbc prefixlen 64"
ipv6_defaultrouter="2001:470:e1e1:1::1"

## --- Base system services ---
sshd_enable="YES"
# -g lets ntpd make the one large initial clock step at start-up.
ntpd_enable="YES"
ntpd_flags="-g"
# CPU frequency / power management daemon.
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable.
# NOTE(review): a kernel crash dump captures kernel memory; keep "AUTO" only
# if dumps are wanted for debugging and the dump/crash directory is protected.
dumpdev="AUTO"
zfs_enable="YES"
# NONE: no sendmail daemon of any kind (not even the local submission queue).
sendmail_enable="NONE"

## --- Resolver ---
# unbound(8) from ports; its configuration lives in unbound.conf.
unbound_enable="YES"
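# unbound.conf for dns-01: a validating, recursive resolver for the
# 192.168.99.0/24 and 2001:470:e1e1::/48 networks.
#
# Changes from the previous revision:
#   - the duplicated "logfile:" line was dropped (unbound keeps only the
#     last occurrence, so the duplicate was dead configuration);
#   - "hide-version: yes" was added next to "hide-identity: yes" so that
#     version.bind is refused as well as id.server.
server:
    # Relative path: resolved inside unbound's chroot/working directory.
    # NOTE(review): confirm this lands where the log rotation expects it.
    logfile: "unbound.log"
    verbosity: 1
    # log-queries writes one line per query including the client IP.
    # Useful for incident investigation, but it is a record of every
    # lookup made on the LAN; rotate and protect the log accordingly.
    log-queries: yes

    # Listen on every IPv4 and IPv6 address.  Who may actually query is
    # decided by access-control below; anything not listed falls back to
    # unbound's built-in policy of refusing non-localhost clients.
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.99.0/24 allow
    access-control: 2001:470:e1e1::/48 allow

    ###########################
    #### Generic hardening ####
    ###########################
    # Do not accept a weaker DNSSEC algorithm when a zone publishes several.
    harden-algo-downgrade: yes
    # Trust glue records only from the zone that is authoritative for them.
    harden-glue: yes
    # Spend extra queries verifying the referral path (documented as
    # experimental upstream; costs latency on cold-cache lookups).
    harden-referral-path: yes
    # Ignore implausibly small EDNS buffer sizes sent by clients.
    harden-short-bufsize: yes
    # Refuse id.server / hostname.bind and version.bind / version.server
    # CHAOS queries so the resolver does not advertise what it runs.
    hide-identity: yes
    hide-version: yes
    # 0x20 case randomisation of query names: extra entropy against
    # forged replies.
    use-caps-for-id: yes
    # Validate even when the client sets CD, so bogus data is never served.
    ignore-cd-flag: yes

    ###################################
    #### Validator-based hardening ####
    ###################################
    # Strip unvalidated records from the additional section.
    val-clean-additional: yes
    # Bogus answers become SERVFAIL instead of being passed through.
    val-permissive-mode: no

    #################################################################
    #### Prevent DNS rebinding attacks by stripping private IPs #####
    #################################################################
    # Upstream answers containing these ranges are discarded.  If an
    # internal zone is expected to legitimately resolve to one of them,
    # it must be listed with "private-domain:" or those answers are lost.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    # Flush the cache once this many unwanted (unsolicited) replies are seen,
    # limiting the damage of a sustained spoofing attempt.
    unwanted-reply-threshold: 10000000

    # DNSSEC validation is on; the trust anchor is maintained via RFC 5011,
    # so root.key must be writable by the unbound user.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

    # NOTE(review): /var/unbound is the base-system local-unbound directory
    # while the rest of this file uses the port's /usr/local/etc/unbound;
    # confirm the path is reachable from inside the port's chroot.
    include: /var/unbound/local-void.zones

    # Firefox's DoH canary: answering NXDOMAIN for this name makes Firefox
    # keep using the system resolver.  It only affects Firefox's built-in
    # DoH; clients that are explicitly configured for DoH/DoT elsewhere
    # are unaffected, and DoT is not touched at all.
    local-zone: "use-application-dns.net." static

    include: /usr/local/etc/unbound/zones/md.hardenedbsd.net
    include: /usr/local/etc/unbound/zones/hawksense.dev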