soopafly

unbound.config (Adguard + Unbound + Redis)

Jan 2nd, 2026 (edited)
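  # unbound.conf "server:" clause for a validating recursive resolver.
  # It listens on loopback only (127.0.0.1:5335); per the paste title it is
  # meant to sit behind AdGuard and use Redis as a second-level cache.
  # The pasted listing carried a line-number gutter and had lost its nesting;
  # both are repaired here. Option names, values and order are unchanged.
  server:
      # Loopback-only listener: no access-control entries are needed as long
      # as this stays on 127.0.0.1, because nothing off-host can reach it.
      interface: 127.0.0.1
      port: 5335
      do-ip6: no
      do-ip4: yes
      do-udp: yes
      do-tcp: yes

      # Enable the cachedb module with validator and iterator.
      # NOTE(review): validator is listed first, presumably so that data read
      # back from the external cache still passes through DNSSEC validation;
      # confirm against the Unbound cachedb documentation before reordering.
      module-config: "validator cachedb iterator"

      # Adjust cache settings for better performance with Redis.
      # serve-expired answers from stale cache entries for up to
      # serve-expired-ttl seconds after they expire, so a changed or withdrawn
      # record can keep being served for up to a day with these values.
      cache-min-ttl: 0
      cache-max-ttl: 86400
      serve-expired: yes
      serve-expired-ttl: 86400

      # Hide DNS server info (id.server / version.bind queries)
      hide-identity: yes
      hide-version: yes

      # DNSSEC validation: root trust anchor, maintained per RFC 5011.
      # The file must be writable by the user Unbound runs as.
      # val-permissive-mode: no keeps bogus answers from reaching clients.
      auto-trust-anchor-file: "/var/lib/unbound/root.key"
      val-permissive-mode: no

      # Limit DNS fraud and use DNSSEC
      aggressive-nsec: yes
      answer-cookie: yes
      deny-any: yes
      # NOTE(review): "no" lets Unbound send queries to localhost addresses.
      # The default is "yes", and "no" is only needed when a forward-zone or
      # stub-zone points at a resolver on 127.0.0.1 or ::1. None is visible
      # in this listing, so confirm it is required or restore the default.
      do-not-query-localhost: no
      harden-algo-downgrade: yes
      harden-dnssec-stripped: yes
      harden-glue: yes
      harden-referral-path: yes
      hide-trustanchor: yes
      qname-minimisation: yes
      rrset-roundrobin: yes
      # 0x20 case randomisation of query names as extra spoofing resistance;
      # a few authoritative servers mishandle it and may fail to resolve.
      use-caps-for-id: yes

      # Performance Tuning via NLNetLabs
      # https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
      num-queries-per-thread: 225
      num-threads: 2
      outgoing-range: 450
      so-reuseport: yes

      # Caching
      cache-min-negative-ttl: 30
      infra-cache-max-rtt: 60000
      infra-cache-min-rtt: 25
      infra-cache-numhosts: 100000
      infra-host-ttl: 450
      infra-keep-probing: no
      key-cache-size: 32m
      msg-cache-size: 128m
      neg-cache-size: 16m
      rrset-cache-size: 256m
      # 0 = reply with expired data immediately instead of first attempting
      # a fresh resolution (see serve-expired above).
      serve-expired-client-timeout: 0

      # Optimizations
      edns-buffer-size: 1232
      fast-server-num: 9
      fast-server-permil: 768
      infra-cache-slabs: 8
      key-cache-slabs: 8
      msg-cache-slabs: 8
      prefetch-key: yes
      prefetch: yes
      rrset-cache-slabs: 8
      # After this many unsolicited replies in one thread Unbound logs a
      # warning and clears the rrset and message caches, in case they were
      # poisoned.
      unwanted-reply-threshold: 10000000

      # Increase buffer size so that no messages are lost in traffic spikes.
      # The kernel may cap these (on Linux: net.core.rmem_max / wmem_max).
      so-rcvbuf: 8m
      so-sndbuf: 8m

      # DNS rebinding protection: addresses in these ranges are stripped from
      # answers for public names. Internal names that legitimately resolve to
      # private addresses need a matching private-domain entry.
      private-address: 192.168.0.0/16
      private-address: 169.254.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      private-address: fd00::/8
      private-address: fe80::/10
      root-hints: "/etc/unbound/root.hints"

      # Use BIND9 style prefetching (only query what's needed)
      # BIND8: "-1 -1 -1 -1 -1" (prefetch EVERYTHING)
      # Default: "3 2 1 0 0"
      # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-target-fetch-policy
      target-fetch-policy: "3 2 1 0 0"

      # HTTPS
      # NOTE(review): the http-* limits apply only when Unbound itself serves
      # DNS-over-HTTPS. No DoH listener is configured in this clause, so they
      # look unused here.
      http-max-streams: 150
      http-query-buffer-size: 8m
      http-response-buffer-size: 8m

      incoming-num-tcp: 96
      outgoing-num-tcp: 96
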
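  # Local copy of the root zone: get data for all TLDs from the root servers
  # (by IXFR or AXFR) instead of querying them per lookup.
  #
  # Run a ping test on each to determine which servers respond the fastest.
  # Use only the fastest root servers.
  # The latencies noted below were measured from the author's network, so
  # re-measure before copying the selection.
  # NOTE(review): confirm that each chosen address actually answers zone
  # transfers from your network; a primary that refuses AXFR only adds
  # retries.
  # The gutter numbers of the pasted listing are removed and the zonefile
  # path is quoted like the other paths in this file.
  auth-zone:
      name: "."
      primary: 202.12.27.33 # m.root-servers.net 3.4ms
      primary: 192.5.5.241 # f.root-servers.net 3.6ms
      primary: 192.58.128.30 # j.root-servers.net 4ms
      primary: 192.203.230.10 # e.root-servers.net 4ms
      primary: 170.247.170.2 # b.root-servers.net 11.6ms
      primary: 198.41.0.4 # a.root-servers.net 13.3ms
      primary: 192.0.32.132 # lax.xfr.dns.icann.org 13.6ms
      primary: 192.33.4.12 # c.root-servers.net 15.9ms
      #primary: 199.7.91.13 # d.root-servers.net 14ms
      #primary: 192.112.36.4 # g.root-servers.net TIMEOUT
      #primary: 198.97.190.53 # h.root-servers.net 23ms
      #primary: 192.36.148.17 # i.root-servers.net 44ms
      #primary: 193.0.14.129 # k.root-servers.net 73ms
      #primary: 199.7.83.42 # l.root-servers.net 67ms
      #primary: 192.0.47.132 # iad.xfr.dns.icann.org 67ms

      # IPv6? Uncomment if you use IPv6! These also require do-ip6: yes in
      # the server: clause, which this configuration sets to "no".
      #primary: 2001:503:ba3e::2:30 # a.root-servers.net 16ms
      #primary: 2801:1b8:10::b # b.root-servers.net 72ms
      #primary: 2001:500:2::c # c.root-servers.net 15ms
      #primary: 2001:500:2d::d # d.root-servers.net 18ms
      #primary: 2001:500:a8::e # e.root-servers.net 17ms
      #primary: 2001:500:2f::f # f.root-servers.net 14ms
      #primary: 2001:500:12::d0d # g.root-servers.net 69ms
      #primary: 2001:500:1::53 # h.root-servers.net 21ms
      #primary: 2001:7fe::53 # i.root-servers.net 20ms
      #primary: 2001:503:c27::2:30 # j.root-servers.net 15ms
      #primary: 2001:7fd::1 # k.root-servers.net 75ms
      #primary: 2001:500:9f::42 # l.root-servers.net 71ms
      #primary: 2001:dc3::35 # m.root-servers.net 23ms
      #primary: 2620:0:2d0:202::132 # lax.xfr.dns.icann.org 25ms
      #primary: 2620:0:2830:202::132 # iad.xfr.dns.icann.org 74ms

      # fallback-enabled: fall back to normal recursion when the local copy
      # cannot be loaded or has expired.
      # for-downstream: no  -> clients never get authoritative answers
      #                        straight from this copy.
      # for-upstream: yes   -> the iterator reads the copy instead of
      #                        querying the root servers.
      fallback-enabled: yes
      for-downstream: no
      for-upstream: yes

      # Zone transfers are unauthenticated, so verify the transferred zone's
      # ZONEMD digest before it is used. The zonefile location must be
      # writable by the user Unbound runs as.
      zonemd-check: yes
      zonefile: "/etc/unbound/root.zone"
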
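  # Second-level cache in Redis, used by the cachedb module named in
  # module-config. The gutter numbers of the pasted listing are removed and
  # the comment on redis-expire-records is corrected; values are unchanged.
  cachedb:
      backend: "redis"

      # Redis connection settings. Keep Redis bound to loopback: anything
      # that can write to this instance can plant cache entries, and DNSSEC
      # validation cannot vouch for records from unsigned zones.
      redis-server-host: 127.0.0.1
      redis-server-port: 6379

      # Optional: set the password if Redis is configured with one
      # (recommended on multi-user hosts). Restrict this file's permissions
      # once a real secret is stored in it.
      # redis-server-password: "your_password_here"

      # Timeout for Redis operations (in milliseconds)
      redis-timeout: 100

      # Boolean, not a duration: when "yes", Unbound sets an expiry on each
      # record it stores so that Redis can evict it automatically once the
      # record has expired.
      redis-expire-records: yes
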
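  # unbound-control channel, restricted to loopback. The gutter numbers of
  # the pasted listing are removed and the note on the key files is
  # corrected; values are unchanged.
  remote-control:
      control-enable: yes
      control-interface: 127.0.0.1
      control-port: 8953

      # Unbound does not create these files itself; they are generated with
      # unbound-control-setup (some distribution packages run it for you).
      # The control key/cert pair is what authorises a client to flush
      # caches, reload or stop the resolver, so keep the .key files readable
      # only by the Unbound user and the administrators who need them.
      server-key-file: "/etc/unbound/unbound_server.key"
      server-cert-file: "/etc/unbound/unbound_server.pem"
      control-key-file: "/etc/unbound/unbound_control.key"
      control-cert-file: "/etc/unbound/unbound_control.pem"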