mvmaasakkers/pi-hole.conf

## pi-hole.conf
server:

    # The  verbosity  number, level 0 means no verbosity, only errors.
    # Level 1 gives operational information. Level  2  gives  detailed
    # operational  information. Level 3 gives query level information,
    # output per query.  Level 4 gives  algorithm  level  information.
    # Level 5 logs client identification for cache misses.  Default is
    # level 1.
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # Read  the  root  hints from this file. Make sure to
    # update root.hints evry 5-6 months.
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Ignore very large queries.
    harden-large-queries: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    # If you want to disable DNSSEC, set harden-dnssec stripped: no
    harden-dnssec-stripped: yes

    # Number of bytes size to advertise as the EDNS reassembly buffer
    # size. This is the value put into  datagrams over UDP towards
    # peers. The actual buffer size is determined by msg-buffer-size
    # (both for TCP and UDP).
    edns-buffer-size: 1232

    # Rotates RRSet order in response (the pseudo-random
    # number is taken from Ensure privacy of local IP
    # ranges the query ID, for speed and thread safety).
    # private-address: 192.168.0.0/16
    rrset-roundrobin: yes

    # Time to live minimum for RRsets and messages in the cache. If the minimum
    # kicks in, the data is cached for longer than the domain owner intended,
    # and thus less queries are made to look up the data. Zero makes sure the
    # data in the cache is as the domain owner intended, higher values,
    # especially more than an hour or so, can lead to trouble as the data in
    # the cache does not match up with the actual data anymore
    cache-min-ttl: 300
    cache-max-ttl: 86400

    # Have unbound attempt to serve old responses from cache with a TTL of 0 in
    # the response without waiting for the actual resolution to finish. The
    # actual resolution answer ends up in the cache later on.
    serve-expired: yes

    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.
    harden-algo-downgrade: yes

    # Ignore very small EDNS buffer sizes from queries.
    harden-short-bufsize: yes

    # Refuse id.server and hostname.bind queries
    hide-identity: yes

    # Report this identity rather than the hostname of the server.
    identity: "Server"

    # Refuse version.server and version.bind queries
    hide-version: yes

    # Prevent the unbound server from forking into the background as a daemon
    do-daemonize: no

    # Number  of  bytes size of the aggressive negative cache.
    neg-cache-size: 4m

    # Send minimum amount of information to upstream servers to enhance privacy
    qname-minimisation: yes

    # Deny queries of type ANY with an empty response.
    # Works only on version 1.8 and above
    deny-any: yes

    # Do no insert authority/additional sections into response messages when
    # those sections are not required. This reduces response size
    # significantly, and may avoid TCP fallback for some responses. This may
    # cause a slight speedup
    minimal-responses: yes

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    # This flag updates the cached domains
    prefetch: yes

    # Fetch the DNSKEYs earlier in the validation process, when a DS record is
    # encountered. This lowers the latency of requests at the expense of little
    # more CPU usage.
    prefetch-key: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for
    # most users running on small networks or on a single machine, it should be unnecessary
    # to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # more cache memory. rrset-cache-size should twice what msg-cache-size is.
    msg-cache-size: 50m
    rrset-cache-size: 100m

    # Faster UDP with multithreading (only on Linux).
    so-reuseport: yes

    # Ensure kernel buffer is large enough to not lose messages in traffix spikes
    so-rcvbuf: 4m
    so-sndbuf: 4m

    # Set the total number of unwanted replies to keep track of in every thread.
    # When it reaches the threshold, a defensive action of clearing the rrset
    # and message caches is taken, hopefully flushing away any poison.
    # Unbound suggests a value of 10 million.
    unwanted-reply-threshold: 100000

    # Minimize logs
    # Do not print one line per query to the log
    log-queries: no
    # Do not print one line per reply to the log
    log-replies: no
    # Do not print log lines that say why queries return SERVFAIL to clients
    log-servfail: no
    # Do not print log lines to inform about local zone actions
    log-local-actions: no
    # Do not print log lines that say why queries return SERVFAIL to clients
    logfile: /dev/null

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
	server:

	# The verbosity number, level 0 means no verbosity, only errors.
	# Level 1 gives operational information. Level 2 gives detailed
	# operational information. Level 3 gives query level information,
	# output per query. Level 4 gives algorithm level information.
	# Level 5 logs client identification for cache misses. Default is
	# level 1.
	verbosity: 0

	interface: 127.0.0.1
	port: 5335
	do-ip4: yes
	do-udp: yes
	do-tcp: yes

	# May be set to yes if you have IPv6 connectivity
	do-ip6: no

	# You want to leave this to no unless you have native IPv6. With 6to4 and
	# Terredo tunnels your web browser should favor IPv4 for the same reasons
	prefer-ip6: no

	# Use this only when you downloaded the list of primary root servers!
	# Read the root hints from this file. Make sure to
	# update root.hints evry 5-6 months.
	root-hints: "/var/lib/unbound/root.hints"

	# Trust glue only if it is within the servers authority
	harden-glue: yes

	# Ignore very large queries.
	harden-large-queries: yes

	# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
	# If you want to disable DNSSEC, set harden-dnssec stripped: no
	harden-dnssec-stripped: yes

	# Number of bytes size to advertise as the EDNS reassembly buffer
	# size. This is the value put into datagrams over UDP towards
	# peers. The actual buffer size is determined by msg-buffer-size
	# (both for TCP and UDP).
	edns-buffer-size: 1232

	# Rotates RRSet order in response (the pseudo-random
	# number is taken from Ensure privacy of local IP
	# ranges the query ID, for speed and thread safety).
	# private-address: 192.168.0.0/16
	rrset-roundrobin: yes

	# Time to live minimum for RRsets and messages in the cache. If the minimum
	# kicks in, the data is cached for longer than the domain owner intended,
	# and thus less queries are made to look up the data. Zero makes sure the
	# data in the cache is as the domain owner intended, higher values,
	# especially more than an hour or so, can lead to trouble as the data in
	# the cache does not match up with the actual data anymore
	cache-min-ttl: 300
	cache-max-ttl: 86400

	# Have unbound attempt to serve old responses from cache with a TTL of 0 in
	# the response without waiting for the actual resolution to finish. The
	# actual resolution answer ends up in the cache later on.
	serve-expired: yes

	# Harden against algorithm downgrade when multiple algorithms are
	# advertised in the DS record.
	harden-algo-downgrade: yes

	# Ignore very small EDNS buffer sizes from queries.
	harden-short-bufsize: yes

	# Refuse id.server and hostname.bind queries
	hide-identity: yes

	# Report this identity rather than the hostname of the server.
	identity: "Server"

	# Refuse version.server and version.bind queries
	hide-version: yes

	# Prevent the unbound server from forking into the background as a daemon
	do-daemonize: no

	# Number of bytes size of the aggressive negative cache.
	neg-cache-size: 4m

	# Send minimum amount of information to upstream servers to enhance privacy
	qname-minimisation: yes

	# Deny queries of type ANY with an empty response.
	# Works only on version 1.8 and above
	deny-any: yes

	# Do no insert authority/additional sections into response messages when
	# those sections are not required. This reduces response size
	# significantly, and may avoid TCP fallback for some responses. This may
	# cause a slight speedup
	minimal-responses: yes

	# Perform prefetching of close to expired message cache entries
	# This only applies to domains that have been frequently queried
	# This flag updates the cached domains
	prefetch: yes

	# Fetch the DNSKEYs earlier in the validation process, when a DS record is
	# encountered. This lowers the latency of requests at the expense of little
	# more CPU usage.
	prefetch-key: yes

	# One thread should be sufficient, can be increased on beefy machines. In reality for
	# most users running on small networks or on a single machine, it should be unnecessary
	# to seek performance enhancement by increasing num-threads above 1.
	num-threads: 1

	# more cache memory. rrset-cache-size should twice what msg-cache-size is.
	msg-cache-size: 50m
	rrset-cache-size: 100m

	# Faster UDP with multithreading (only on Linux).
	so-reuseport: yes

	# Ensure kernel buffer is large enough to not lose messages in traffix spikes
	so-rcvbuf: 4m
	so-sndbuf: 4m

	# Set the total number of unwanted replies to keep track of in every thread.
	# When it reaches the threshold, a defensive action of clearing the rrset
	# and message caches is taken, hopefully flushing away any poison.
	# Unbound suggests a value of 10 million.
	unwanted-reply-threshold: 100000

	# Minimize logs
	# Do not print one line per query to the log
	log-queries: no
	# Do not print one line per reply to the log
	log-replies: no
	# Do not print log lines that say why queries return SERVFAIL to clients
	log-servfail: no
	# Do not print log lines to inform about local zone actions
	log-local-actions: no
	# Do not print log lines that say why queries return SERVFAIL to clients
	logfile: /dev/null

	# Ensure privacy of local IP ranges
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16
	private-address: 172.16.0.0/12
	private-address: 10.0.0.0/8
	private-address: fd00::/8
	private-address: fe80::/10