pavel-odintsov/unbound.conf

## unbound.conf
server:
 	# Set to number of big ARM cores on my board RockPro64
	# TODO: adjust it for your machine but no reasons to make it more then 4-8 as it will increase lock contention
	num-threads: 2

        # Listen on all interfaces for IPv4
	interface: 0.0.0.0

	# Listen on all interfaces for IPv6
        interface: ::0

	# Set this to yes to prefer ipv6 upstream servers over ipv4.
	prefer-ip6: yes

	# use SO_REUSEPORT to distribute queries over threads.
	# at extreme load it could be better to turn it off to distribute even.
	so-reuseport: yes

	# the amount of memory to use for the RRset cache.
	# plain value in bytes or you can append k, m or G. default is "4Mb".
	rrset-cache-size: 256m

	# the number of slabs to use for the RRset cache.
	# the number of slabs must be a power of 2.
	# more slabs reduce lock contention, but fragment memory usage.
	rrset-cache-slabs: 4

	# the time to live (TTL) value cap for RRsets and messages in the
	# cache. Items are not cached for longer. In seconds.
	cache-max-ttl: 86400

	# the time to live (TTL) value cap for negative responses in the cache
	# I do lots of testing and prefer to have it this way to refresh data faster
	cache-max-negative-ttl: 60

	# the time to live (TTL) value for cached roundtrip times, lameness and
	# EDNS version information for hosts. In seconds.
	infra-host-ttl: 900

	# the number of slabs to use for the Infrastructure cache.
	# the number of slabs must be a power of 2.
	# more slabs reduce lock contention, but fragment memory usage.
	infra-cache-slabs: 4

	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
	infra-cache-numhosts: 10000

	# Enable IPv4, "yes" or "no".
	do-ip4: yes

	# Enable IPv6, "yes" or "no".
	do-ip6: yes

	# Enable UDP, "yes" or "no".
	do-udp: yes

	# Enable TCP, "yes" or "no".
	do-tcp: yes

	# Detach from the terminal, run in background, "yes" or "no".
	# Set the value to "no" when Unbound runs as systemd service.
	# do-daemonize: yes

	# control which clients are allowed to make (recursive) queries
	# to this server. Specify classless netblocks with /size and action.
	# By default everything is refused, except for localhost.
	# Choose deny (drop message), refuse (polite error reply),
	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
	# allow_snoop (recursive and nonrecursive ok)
	# deny_non_local (drop queries unless can be answered from local-data)
	# refuse_non_local (like deny_non_local but polite error reply).
	# TODO: change your prefixes here
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.1.0/24 allow
	access-control: ::1 allow
	access-control: xxxxxx::/56 allow

	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
	# log to. If yes, it overrides the logfile.
	use-syslog: yes

	# Sent minimum amount of information to upstream servers to enhance
	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
	# to A when possible.
	qname-minimisation: yes

	# if yes, perform prefetching of almost expired message cache entries.
	prefetch: yes

	# if yes, perform key lookups adjacent to normal lookups.
	# prefetch-key: no

	# deny queries of type ANY with an empty response.
	deny-any: yes

	# if yes, Unbound rotates RRSet order in response.
	# rrset-roundrobin: yes

	# if yes, Unbound doesn't insert authority/additional sections
	# into response messages when those sections are not required.
	minimal-responses: yes

	# module configuration of the server. A string with identifiers
	# separated by spaces. Syntax: "[dns64] [validator] iterator"
	# most modules have to be listed at the beginning of the line,
	# except cachedb(just before iterator), and python (at the beginning,
	# or, just before the iterator).
	# Default conifiguration
	module-config: "validator iterator"
        # module-config: "dns64 validator iterator"

	# File with trusted keys, kept uptodate using RFC5011 probes,
	# initial file like trust-anchor-file, then it stores metadata.
	# Use several entries, one per domain name, to track multiple zones.
	#
	# If you want to perform DNSSEC validation, run unbound-anchor before
	# you start Unbound (i.e. in the system boot scripts).
	# And then enable the auto-trust-anchor-file config item.
	# Please note usage of unbound-anchor root anchor is at your own risk
	# and under the terms of our LICENSE (see that file in the source).
	auto-trust-anchor-file: "/usr/share/dns/root.key"

	# trust anchor signaling sends a RFC8145 key tag query after priming.
	trust-anchor-signaling: yes

	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
	root-key-sentinel: yes

	# DNS64 prefix for NAT64:
	dns64-prefix: 64:ff9b::/96
	server:
	# Set to number of big ARM cores on my board RockPro64
	# TODO: adjust it for your machine but no reasons to make it more then 4-8 as it will increase lock contention
	num-threads: 2

	# Listen on all interfaces for IPv4
	interface: 0.0.0.0

	# Listen on all interfaces for IPv6
	interface: ::0

	# Set this to yes to prefer ipv6 upstream servers over ipv4.
	prefer-ip6: yes

	# use SO_REUSEPORT to distribute queries over threads.
	# at extreme load it could be better to turn it off to distribute even.
	so-reuseport: yes

	# the amount of memory to use for the RRset cache.
	# plain value in bytes or you can append k, m or G. default is "4Mb".
	rrset-cache-size: 256m

	# the number of slabs to use for the RRset cache.
	# the number of slabs must be a power of 2.
	# more slabs reduce lock contention, but fragment memory usage.
	rrset-cache-slabs: 4

	# the time to live (TTL) value cap for RRsets and messages in the
	# cache. Items are not cached for longer. In seconds.
	cache-max-ttl: 86400

	# the time to live (TTL) value cap for negative responses in the cache
	# I do lots of testing and prefer to have it this way to refresh data faster
	cache-max-negative-ttl: 60

	# the time to live (TTL) value for cached roundtrip times, lameness and
	# EDNS version information for hosts. In seconds.
	infra-host-ttl: 900

	# the number of slabs to use for the Infrastructure cache.
	# the number of slabs must be a power of 2.
	# more slabs reduce lock contention, but fragment memory usage.
	infra-cache-slabs: 4

	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
	infra-cache-numhosts: 10000

	# Enable IPv4, "yes" or "no".
	do-ip4: yes

	# Enable IPv6, "yes" or "no".
	do-ip6: yes

	# Enable UDP, "yes" or "no".
	do-udp: yes

	# Enable TCP, "yes" or "no".
	do-tcp: yes

	# Detach from the terminal, run in background, "yes" or "no".
	# Set the value to "no" when Unbound runs as systemd service.
	# do-daemonize: yes

	# control which clients are allowed to make (recursive) queries
	# to this server. Specify classless netblocks with /size and action.
	# By default everything is refused, except for localhost.
	# Choose deny (drop message), refuse (polite error reply),
	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
	# allow_snoop (recursive and nonrecursive ok)
	# deny_non_local (drop queries unless can be answered from local-data)
	# refuse_non_local (like deny_non_local but polite error reply).
	# TODO: change your prefixes here
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.1.0/24 allow
	access-control: ::1 allow
	access-control: xxxxxx::/56 allow

	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
	# log to. If yes, it overrides the logfile.
	use-syslog: yes

	# Sent minimum amount of information to upstream servers to enhance
	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
	# to A when possible.
	qname-minimisation: yes

	# if yes, perform prefetching of almost expired message cache entries.
	prefetch: yes

	# if yes, perform key lookups adjacent to normal lookups.
	# prefetch-key: no

	# deny queries of type ANY with an empty response.
	deny-any: yes

	# if yes, Unbound rotates RRSet order in response.
	# rrset-roundrobin: yes

	# if yes, Unbound doesn't insert authority/additional sections
	# into response messages when those sections are not required.
	minimal-responses: yes

	# module configuration of the server. A string with identifiers
	# separated by spaces. Syntax: "[dns64] [validator] iterator"
	# most modules have to be listed at the beginning of the line,
	# except cachedb(just before iterator), and python (at the beginning,
	# or, just before the iterator).
	# Default conifiguration
	module-config: "validator iterator"
	# module-config: "dns64 validator iterator"

	# File with trusted keys, kept uptodate using RFC5011 probes,
	# initial file like trust-anchor-file, then it stores metadata.
	# Use several entries, one per domain name, to track multiple zones.
	#
	# If you want to perform DNSSEC validation, run unbound-anchor before
	# you start Unbound (i.e. in the system boot scripts).
	# And then enable the auto-trust-anchor-file config item.
	# Please note usage of unbound-anchor root anchor is at your own risk
	# and under the terms of our LICENSE (see that file in the source).
	auto-trust-anchor-file: "/usr/share/dns/root.key"

	# trust anchor signaling sends a RFC8145 key tag query after priming.
	trust-anchor-signaling: yes

	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
	root-key-sentinel: yes

	# DNS64 prefix for NAT64:
	dns64-prefix: 64:ff9b::/96