@nmenon
Last active July 7, 2020 12:53
# This is the DNS server configuration hosting the DNS cache for the rest of the home network.
# File on rpi /etc/unbound/unbound.conf.d/unbound_00_srv.conf
# Variant of http://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
# Assumes a Raspberry Pi (3 or 4) on wifi or ethernet (ethernet preferred) -> the interface is set up with a static IP.
# OS used here is Raspbian Buster https://www.raspberrypi.org/downloads/ on a uSD card
server:
# Listen on all interfaces (both wifi and ethernet, depending on what is actually connected).
interface: 0.0.0.0
logfile: "/var/log/unbound.log"
pidfile: "/var/log/unbound.pid"
use-syslog: yes
verbosity: 1
# loopback is 127.0.0.0/8 by definition (the /16 in the original was a subset of it)
access-control: 127.0.0.0/8 allow
# Home LAN is 192.168.1.x. The original 192.168.1.0/16 had host bits set; this is the
# canonical form of the same range. Tighten to 192.168.1.0/24 if the LAN is one subnet.
access-control: 192.168.0.0/16 allow
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# set to yes to refuse id.server and hostname.bind queries (left at no here, so the
# resolver answers them to LAN clients).
hide-identity: no
# set to yes to refuse version.server and version.bind queries.
hide-version: no
# cache TTL bounds (in seconds). cache-min-ttl overrides shorter upstream TTLs, so
# records that change quickly may be served stale for up to 20 minutes.
cache-max-ttl: 14400
cache-min-ttl: 1200
do-tcp: yes
do-udp: yes
do-ip6: yes
qname-minimisation: yes
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
use-caps-for-id: yes
# number of threads to create. 1 disables threading. This should equal the number
# of CPU cores in the machine. Our example machine has 4 CPU cores.
num-threads: 4
## Unbound Optimization and Speed Tweaks ###
# the number of slabs to use for cache and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Increase the memory size of the cache. Use roughly twice as much rrset cache
# memory as you use msg cache memory. Due to malloc overhead, the total memory
# usage is likely to rise to double (or 2.5x) the total cache memory. The test
# box has 4gig of ram so 256meg for rrset allows a lot of room for cached objects.
# On a 1gig Pi 3 this could approach 1gig with overhead; scale both sizes down there.
rrset-cache-size: 256m
msg-cache-size: 128m
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
# the kernel buffer larger so that no messages are lost in spikes in the traffic.
# The kernel caps it at net.core.rmem_max; raise that sysctl or unbound logs that
# the requested size was not granted.
so-rcvbuf: 1m
# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
unwanted-reply-threshold: 10000
# IMPORTANT FOR TESTING: do-not-query-localhost: yes (the default) stops the
# resolver from sending queries to 127.0.0.0/8 and ::1. Set it to no only if you
# run a test NSD or BIND on localhost that unbound should be able to query
# (for testing and debugging).
do-not-query-localhost: no
## DNS rebinding protection ###
# Enforce privacy of these addresses. Strips them away from answers. It may
# cause DNSSEC validation to additionally mark it as bogus. Protects against
# 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
# 'local-data' names are allowed to have these private addresses. No default.
# Canonical form of the original 192.168.1.0/16 (which had host bits set).
private-address: 192.168.0.0/16
# private-address: 172.16.0.0/12
# private-address: 10.0.0.0/8
# The "local." zone below is forwarded to the router, which answers with LAN
# (192.168.1.x) addresses; without this line private-address would strip them.
private-domain: "local."
# Use this if you'd like to resolve local devices by name instead of IP -> just use it for the "local domain"
# File on rpi /etc/unbound/unbound.conf.d/unbound_50_local.conf
forward-zone:
# Configured on the Frontier router under Advanced -> System settings (under configuration settings) -> Local Domain:
name: "local."
# The IP address of the Frontier router with DNS enabled (Advanced -> DNS Settings)
forward-addr: 192.168.1.1
# Plain DNS to the router on the LAN (forward-ssl-upstream is the older alias of this option).
forward-tls-upstream: no
# This is the lookup we do to external DNS servers.
# File on rpi /etc/unbound/unbound.conf.d/unbound_99_ext.conf
forward-zone:
name: "."
# DNS over TLS https://en.wikipedia.org/wiki/DNS_over_TLS
# Format is address@port#authname. The #authname is the hostname the upstream's
# certificate is verified against (using tls-cert-bundle above); without it
# unbound encrypts the session but does not authenticate the server.
forward-addr: 1.1.1.1@853#cloudflare-dns.com # cloudflare primary
forward-addr: 8.8.8.8@853#dns.google # google primary
forward-addr: 9.9.9.9@853#dns.quad9.net # quad9 primary
forward-addr: 1.0.0.1@853#cloudflare-dns.com # cloudflare secondary
forward-addr: 8.8.4.4@853#dns.google # google secondary (8.8.8.4 in the original was a typo)
forward-addr: 149.112.112.112@853#dns.quad9.net # quad9 secondary
forward-ssl-upstream: yes
# If we want to use external DNS without security (TLS)..
# For example: many 3rd party DNS providers..
# (plain port 53, so there is no certificate and no #authname to check)
# forward-addr: 1.1.1.1@53 # cloudflare-dns.com
# forward-addr: 1.0.0.1@53 # cloudflare-dns.com
# forward-ssl-upstream: no
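A small configuration check, added here and not part of the gist, that parses an unbound config excerpt and flags the three things worth catching in files like these: a forward-addr on the DoT port 853 without a `#authname` (encrypted but unauthenticated upstream), hide-identity or hide-version left at no, and access-control or private-address netblocks with host bits set. SAMPLE_CONF is a constructed excerpt; the option names are real unbound options.

```python
import ipaddress
import re

# Constructed excerpt (not the gist itself) containing the patterns the linter looks
# for: a DoT upstream with no '#authname', an identity leak and a sloppy netblock.
SAMPLE_CONF = """\
server:
    hide-version: no
    access-control: 192.168.1.0/16 allow
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853 # cloudflare primary (trailing comment, not an authname)
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
"""

# address, optional @port, optional #authname
FORWARD_ADDR = re.compile(r"^([^@#\s]+)(?:@(\d+))?(?:#(\S+))?$")


def parse(text):
    """Yield (key, value) pairs. In unbound's lexer a '#' opens a comment only at
    line start or after whitespace, so '1.0.0.1@853#name' keeps its auth name."""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if ":" in line:
            key, _, val = line.partition(":")
            yield key.strip(), val.strip().strip('"')


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for key, val in parse(text):
        if key == "forward-addr":
            m = FORWARD_ADDR.match(val)
            if m and m.group(2) == "853" and not m.group(3):
                findings.append(f"forward-addr {val}: TLS port without #authname, "
                                "so the upstream certificate is not authenticated")
        elif key in ("hide-identity", "hide-version") and val == "no":
            findings.append(f"{key}: no answers version/hostname probes; set it to yes")
        elif key in ("access-control", "private-address"):
            net = val.split()[0]
            try:
                ipaddress.ip_network(net)  # strict: rejects host bits set
            except ValueError:
                fixed = ipaddress.ip_network(net, strict=False)
                findings.append(f"{key} {net}: host bits set; write it as {fixed}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```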