# https://linux.die.net/man/5/unbound.conf # https://docs.pi-hole.net/guides/unbound/ server: # Enable or disable whether the unbound server forks into the background # as a daemon. Default is yes. do-daemonize: no # If given, after binding the port the user privileges are dropped. # Default is "unbound". If you give username: "" no user change is performed. username: "" # No need to chroot as this container has been stripped of all other binaries. chroot: "" # If "" is given, logging goes to stderr, or nowhere once daemonized. logfile: "" # The process id is written to the file. Not required since we are running # in a container with one process. pidfile: "" # The verbosity number, level 0 means no verbosity, only errors. # Level 1 gives operational information. # Level 2 gives detailed operational information. # Level 3 gives query level information, output per query. # Level 4 gives algorithm level information. # Level 5 logs client identification for cache misses. # Default is level 1. The verbosity can also be increased from the commandline. verbosity: 1 # Listen on all ipv4 interfaces, answer queries from the local subnet. interface: 0.0.0.0 # The port number, default 53, on which the server responds to queries. port: 53 do-ip4: yes do-udp: yes do-tcp: yes do-ip6: no # You want to leave this to no unless you have *native* IPv6. With 6to4 and # Terredo tunnels your web browser should favor IPv4 for the same reasons prefer-ip6: no # Trust glue only if it is within the server's authority harden-glue: yes # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS harden-dnssec-stripped: yes # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details use-caps-for-id: no # Reduce EDNS reassembly buffer size (see also https://docs.pi-hole.net/guides/dns/unbound/ ) # IP fragmentation is unreliable on the Internet today, and can cause # transmission failures when large DNS messages are sent via UDP. Even # when fragmentation does work, it may not be secure; it is theoretically # possible to spoof parts of a fragmented DNS message, without easy # detection at the receiving end. Recently, there was an excellent study # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) # in collaboration with NLnet Labs explored DNS using real world data from the # the RIPE Atlas probes and the researchers suggested different values for # IPv4 and IPv6 and in different scenarios. They advise that servers should # be configured to limit DNS messages sent over UDP to a size that will not # trigger fragmentation on typical network links. DNS servers can switch # from UDP to TCP when a DNS response is too big to fit in this limited # buffer size. This value has also been suggested in DNS Flag Day 2020. edns-buffer-size: 1232 # Perform prefetching of close to expired message cache entries # This only applies to domains that have been frequently queried prefetch: yes # One thread should be sufficient, can be increased on beefy machines. # In reality for most users running on small networks or on a single machine, # it should be unnecessary to seek performance enhancement by increasing num-threads above 1. num-threads: 1 # Ensure kernel buffer is large enough to not lose messages in traffic spikes # (requires CAP_NET_ADMIN or privileged) # so-rcvbuf: 1m # The netblock is given as an IP4 or IP6 address with /size appended for a # classless network block. The action can be deny, refuse, allow or allow_snoop. access-control: 127.0.0.1/32 allow access-control: 192.168.0.0/16 allow access-control: 172.16.0.0/12 allow access-control: 10.0.0.0/8 allow access-control: 100.64.0.0/10 allow access-control: 10.21.21.0/24 allow # Ensure privacy of local IP ranges private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10 # Read the root hints from this file. Default is nothing, using built in # hints for the IN class. The file has the format of zone files, with root # nameserver names and addresses only. The default may become outdated, # when servers change, therefore it is good practice to use a root-hints # file. get one from https://www.internic.net/domain/named.root root-hints: /etc/unbound/root.hints # File with trust anchor for one zone, which is tracked with RFC5011 probes. # The probes are several times per month, thus the machine must be online frequently. # The initial file can be one with contents as described in trust-anchor-file. # The file is written to when the anchor is updated, so the unbound user must # have write permission. auto-trust-anchor-file: /etc/unbound/root.key # Number of ports to open. This number of file descriptors can be opened per thread. # Must be at least 1. Default depends on compile options. Larger numbers need extra # resources from the operating system. For performance a very large value is best, # use libevent to make this possible. outgoing-range: 8192 # The number of queries that every thread will service simultaneously. If more queries # arrive that need servicing, and no queries can be jostled out (see jostle-timeout), # then the queries are dropped. This forces the client to resend after a timeout; # allowing the server time to work on the existing queries. Default depends on # compile options, 512 or 1024. num-queries-per-thread: 4096 include: /etc/unbound/a-records.conf # forward-zone: # name: "." # forward-addr: 194.242.2.3@853 # Mullvad primary # forward-addr: 193.19.108.3@853 # Mullvad secondary