Skip to content

Instantly share code, notes, and snippets.

Created December 31, 2022 20:27
What would you like to do?
Unbound for IPv6 enabled home network
# Set to number of big ARM cores on my board RockPro64
# TODO: adjust it for your machine but no reasons to make it more then 4-8 as it will increase lock contention
num-threads: 2
# Listen on all interfaces for IPv4
# Listen on all interfaces for IPv6
interface: ::0
# Set this to yes to prefer ipv6 upstream servers over ipv4.
prefer-ip6: yes
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
so-reuseport: yes
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
rrset-cache-size: 256m
# the number of slabs to use for the RRset cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
rrset-cache-slabs: 4
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400
# the time to live (TTL) value cap for negative responses in the cache
# I do lots of testing and prefer to have it this way to refresh data faster
cache-max-negative-ttl: 60
# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
infra-host-ttl: 900
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
infra-cache-slabs: 4
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
infra-cache-numhosts: 10000
# Enable IPv4, "yes" or "no".
do-ip4: yes
# Enable IPv6, "yes" or "no".
do-ip6: yes
# Enable UDP, "yes" or "no".
do-udp: yes
# Enable TCP, "yes" or "no".
do-tcp: yes
# Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when Unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
# to this server. Specify classless netblocks with /size and action.
# By default everything is refused, except for localhost.
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
# allow_snoop (recursive and nonrecursive ok)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
# TODO: change your prefixes here
access-control: allow
access-control: allow
access-control: ::1 allow
access-control: xxxxxx::/56 allow
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to. If yes, it overrides the logfile.
use-syslog: yes
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
qname-minimisation: yes
# if yes, perform prefetching of almost expired message cache entries.
prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
# prefetch-key: no
# deny queries of type ANY with an empty response.
deny-any: yes
# if yes, Unbound rotates RRSet order in response.
# rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
minimal-responses: yes
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# Default conifiguration
module-config: "validator iterator"
# module-config: "dns64 validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
# Use several entries, one per domain name, to track multiple zones.
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start Unbound (i.e. in the system boot scripts).
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
auto-trust-anchor-file: "/usr/share/dns/root.key"
# trust anchor signaling sends a RFC8145 key tag query after priming.
trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes
# DNS64 prefix for NAT64:
dns64-prefix: 64:ff9b::/96
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment