# Configuration file for Unbound DNS server (usually resides at: /etc/unbound/unbound.conf)
# =========================================================================================
remote-control:
        control-enable: yes               # allows control using "unbound-control"

server:
	# GENERAL SETTINGS:
	interface: 0.0.0.0                # listen on all IPv4 network interfaces
	interface: ::0	                  # listen on all IPv6 network interfaces
	port: 53                          # listen on port 53
	access-control: 127.0.0.1/8 allow # allow IPv4 queries from the local host
	access-control: ::1/64 allow      # allow IPv6 queries from the local host
        access-control: 192.168.0.0/16 allow # allow IPv4 query from the local network
        auto-trust-anchor-file: "/var/lib/unbound/root.key" # location of the trust anchor file that enables DNSSEC
	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # for encrypted DNS over TLS
	# PRIVACY SETTINGS:
        qname-minimisation: yes           # send minimal amount of information to upstream servers to enhance privacy
	hide-identity: yes                # less verbose responses
	hide-version: yes                 # less verbose responses
	verbosity: 0                      # log nothing
	# PERFORMANCE SETTINGS:
	num-threads: 1			  # number of threads to use (not more than CPU cores)
	msg-cache-size: 100m
	rrset-cache-size: 200m
	aggressive-nsec: yes
	prefetch: yes                     # refresh expiring cache entries, if less than 10% of their TTL remains
	prefetch-key: yes
	cache-min-ttl: 7200               # cache positive responses for 2 hours minimum
	cache-max-ttl: 259200             # cache positive responses for 3 days maximum 
	cache-max-negative-ttl: 3600      # cache negative responses for 1 hour maximum 
	so-reuseport: yes                 # faster UDP with multithreading (only on Linux)

forward-zone:
	name: "fritz.box."
	forward-addr: 192.168.178.1@53 	  # forward "<hostname>.fritz.box" to local Fritz!Box

forward-zone:
	name: "."
	forward-tls-upstream: yes
	forward-addr: 1.1.1.1@853#cloudflare-dns.com # Cloudflare (primary, IPv4, DNS over TLS)
	forward-addr: 1.0.0.1@853#cloudflare-dns.com # Cloudflare (secondary, IPv4, DNS over TLS)
	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com # Cloudflare (primary, IPv6, DNS over TLS)
	forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com # Cloudflare (secondary, IPv6, DNS over TLS)
	# forward-addr: 1.1.1.1@53          # Cloudflare (primary IPv4, unencrypted)
	# forward-addr: 1.0.0.1@53          # Cloudflare (secondary IPv4, unencrypted)
	# forward-addr: 8.8.8.8@53          # Google Public DNS (primary IPv4, unencrypted)
	# forward-addr: 8.8.4.4@53          # Google Public DNS (secondary IPv6, unecnrypted)
	# forward-addr: 9.9.9.9@53          # Quad9 (IPv4, unencrypted)