zilexa

unbound conf

May 2nd, 2023
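  # unbound.conf: validating, recursive resolver for a home/LAN network.
  # Runs in the foreground as an unprivileged user inside a chroot, answers
  # on 127.0.0.1:53 and on every IPv4 address at port 5335, IPv6 disabled.
  # Paste gutter numbers have been stripped so the file parses as-is.
  server:
    module-config: "validator iterator"
    # Privilege separation: drop to _unbound and chroot after start-up.
    username: "_unbound"
    directory: "/usr/local/unbound"
    chroot: "/usr/local/unbound"
    do-daemonize: no
    # NOTE(review): this path lies outside the chroot; confirm it is still
    # readable at the point unbound needs it. No TLS upstream is configured
    # in this file, so it may be unused.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    root-hints: /usr/local/unbound/root.hints
    # RFC 5011 managed DNSSEC trust anchor; must be writable by _unbound.
    auto-trust-anchor-file: "/usr/local/unbound/root.key"
    trust-anchor-signaling: yes


    # ACCESS CONTROL
    # Unbound applies the most specific matching netblock, not the first
    # line, so the catch-all below only decides for sources outside the
    # explicitly allowed ranges.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    # Already covered by 172.16.0.0/12 above; kept as an explicit host entry.
    access-control: 172.16.0.253 allow
    # Was "0.0.0.0/0 allow": combined with the 0.0.0.0@5335 listener that
    # answers recursive queries from any IPv4 source, i.e. an open resolver
    # usable for reflection/amplification and cache probing if the port is
    # reachable from outside the LAN. Only the private ranges above are
    # served now; everything else gets REFUSED.
    access-control: 0.0.0.0/0 refuse
    # IPv6 sources are dropped silently (inert while do-ip6 is "no").
    access-control: fc00::/7 deny
    access-control: ::1/128 deny
    access-control: ::0/0 deny
    access-control: ::ffff:127.0.0.1 deny

    # INTERFACES
    interface: 127.0.0.1@53
    #interface: ::1@53
    # Listens on every IPv4 address of the host. The access-control list is
    # the only gate in this file; bind to the LAN address instead, or
    # firewall port 5335, if the host has an Internet-facing interface.
    interface: 0.0.0.0@5335
    #interface: ::0@5335

    #outgoing-interface: 0.0.0.0

    so-reuseport: yes

    do-ip4: yes
    do-ip6: no
    do-tcp: yes
    do-udp: yes
    udp-connect: yes

    prefer-ip4: yes
    prefer-ip6: no

    # LOGGING
    # Query and reply logging are off, which protects client privacy but
    # leaves only SERVFAIL and validation-failure lines for investigation.
    use-syslog: no
    log-time-ascii: yes
    logfile: "/usr/local/unbound/log.d/unbound.log"
    log-local-actions: no
    log-queries: no
    log-replies: no
    log-servfail: yes
    # 2 = log the reason and the offending server for each validation failure.
    val-log-level: 2
    verbosity: 1

    # PERFORMANCE
    num-threads: 2
    num-queries-per-thread: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    # 1472 fits a 1500-byte Ethernet MTU over IPv4; DNS Flag Day 2020
    # recommends 1232 to avoid fragmentation on paths with a smaller MTU.
    edns-buffer-size: 1472
    rrset-roundrobin: yes
    neg-cache-size: 4M
    delay-close: 10000
    rrset-cache-size: 256m
    rrset-cache-slabs: 4
    # Limits queries unbound sends to a zone's nameservers per second. It is
    # not a per-client limit; that is the separate ip-ratelimit option.
    ratelimit: 1000
    # Cache-poisoning defence: after this many unsolicited replies the
    # caches are cleared and a warning is logged.
    unwanted-reply-threshold: 10000
    infra-cache-slabs: 4
    infra-cache-numhosts: 100000
    msg-cache-size: 256m
    msg-cache-slabs: 4
    key-cache-size: 4m
    key-cache-slabs: 4
    prefetch: yes
    prefetch-key: yes
    # Stale records may be answered after their TTL has run out; consider
    # bounding that with serve-expired-ttl.
    serve-expired: yes
    max-udp-size: 4096
    msg-buffer-size: 65552
    stream-wait-size: 4m
    outgoing-range: 32768
    # NOTE(review): this option takes a port or a low-high range; as written
    # it names the single port 32768. Confirm a range was not intended.
    outgoing-port-permit: 32768



    # LOCAL ZONES AND REBINDING PROTECTION
    # "no" lets unbound send queries to 127.0.0.0/8, which is only needed
    # when a forward or stub zone points at a local server; none is defined
    # in this file.
    do-not-query-localhost: no
    unblock-lan-zones: no
    insecure-lan-zones: yes

    # private-address strips these ranges from answers for public names
    # (DNS rebinding defence); private-domain exempts the local zones.
    # Replace the "yourdomain.lan." placeholder with the real local domain.
    private-domain: "yourdomain.lan."
    private-domain: "0.168.192.in-addr.arpa."

    # DNSSEC validation is switched off for these names only.
    domain-insecure: "yourdomain.lan."
    domain-insecure: "0.168.192.in-addr.arpa."
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96

    # HARDENING
    # identity and version are not disclosed while the hide-* options are
    # "yes"; the two string values are therefore moot.
    hide-identity: yes
    identity: "server"
    hide-version: yes
    version: ""
    aggressive-nsec: yes
    qname-minimisation: yes
    qname-minimisation-strict: no
    disable-dnssec-lame-check: no
    hide-trustanchor: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-referral-path: yes
    harden-short-bufsize: yes
    # Smaller answers and no ANY responses reduce the amplification factor.
    minimal-responses: yes
    deny-any: yes
    # 0x20 mixed-case query names make off-path spoofing harder.
    use-caps-for-id: yes
    val-clean-additional: yes
    val-max-restart: 5
    root-key-sentinel: yes
    zonemd-permissive-mode: no

  # REMOTE CONTROL
  # unbound-control is disabled, so no control socket is opened and
  # control-use-cert has no effect.
  remote-control:
    control-enable: no
    control-use-cert: no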