# https://linux.die.net/man/5/unbound.conf
# https://docs.pi-hole.net/guides/unbound/
server:
# Enable or disable whether the unbound server forks into the background
# as a daemon. Default is yes.
do-daemonize: no
# If given, after binding the port the user privileges are dropped.
# Default is "unbound". If you give username: "" no user change is performed.
username: ""
# No need to chroot as this container has been stripped of all other binaries.
chroot: ""
# If "" is given, logging goes to stderr, or nowhere once daemonized.
logfile: ""
# The process id is written to the file. Not required since we are running
# in a container with one process.
pidfile: ""
# The verbosity number, level 0 means no verbosity, only errors.
# Level 1 gives operational information.
# Level 2 gives detailed operational information.
# Level 3 gives query level information, output per query.
# Level 4 gives algorithm level information.
# Level 5 logs client identification for cache misses.
# Default is level 1. The verbosity can also be increased from the commandline.
verbosity: 1
# Listen on all ipv4 interfaces, answer queries from the local subnet.
interface: 0.0.0.0
# The port number, default 53, on which the server responds to queries.
port: 53
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size (see also https://docs.pi-hole.net/guides/dns/unbound/ )
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines.
# In reality for most users running on small networks or on a single machine,
# it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
# (requires CAP_NET_ADMIN or privileged)
# so-rcvbuf: 1m
# The netblock is given as an IP4 or IP6 address with /size appended for a
# classless network block. The action can be deny, refuse, allow or allow_snoop.
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: 100.64.0.0/10 allow
access-control: 10.21.21.0/24 allow
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# Read the root hints from this file. Default is nothing, using built in
# hints for the IN class. The file has the format of zone files, with root
# nameserver names and addresses only. The default may become outdated,
# when servers change, therefore it is good practice to use a root-hints
# file. get one from https://www.internic.net/domain/named.root
root-hints: /etc/unbound/root.hints
# File with trust anchor for one zone, which is tracked with RFC5011 probes.
# The probes are several times per month, thus the machine must be online frequently.
# The initial file can be one with contents as described in trust-anchor-file.
# The file is written to when the anchor is updated, so the unbound user must
# have write permission.
auto-trust-anchor-file: /etc/unbound/root.key
# Number of ports to open. This number of file descriptors can be opened per thread.
# Must be at least 1. Default depends on compile options. Larger numbers need extra
# resources from the operating system. For performance a very large value is best,
# use libevent to make this possible.
outgoing-range: 8192
# The number of queries that every thread will service simultaneously. If more queries
# arrive that need servicing, and no queries can be jostled out (see jostle-timeout),
# then the queries are dropped. This forces the client to resend after a timeout;
# allowing the server time to work on the existing queries. Default depends on
# compile options, 512 or 1024.
num-queries-per-thread: 4096
include: /etc/unbound/a-records.conf
# forward-zone:
# name: "."
# forward-addr: 194.242.2.3@853 # Mullvad primary
# forward-addr: 193.19.108.3@853 # Mullvad secondary