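# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
# Unbound configuration for a loopback-only, DNSSEC-validating recursive
# resolver (127.0.0.1:5335) that keeps a local copy of the DNS root zone.
# Boolean options use Unbound's own yes/no syntax; this is not YAML.

server:
    # Modules
    # "validator" ahead of "iterator" turns on DNSSEC validation of answers.
    module-config: "validator iterator"

    # Root
    # Root trust anchor that Unbound updates itself, so the file must stay
    # writable by the daemon.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # root-hints: "/var/lib/unbound/root.hints"

    # Logging
    # Queries and replies are not logged; SERVFAIL causes are.
    verbosity: 1
    log-queries: no
    log-replies: no
    log-servfail: yes
    log-local-actions: no
    log-time-ascii: yes
    logfile: ""

    # Interface
    # Listens on IPv4 loopback only; see access-control below.
    interface: 127.0.0.1
    port: 5335

    # Protocols
    do-ip6: yes
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    prefer-ip6: no
    prefer-ip4: yes

    # Process
    do-daemonize: no

    # Errors (EDE)
    ede: yes
    ede-serve-expired: yes
    val-log-level: 2

    # Buffers
    # 1232 bytes keeps UDP responses below common path MTUs, avoiding
    # IP fragmentation.
    edns-buffer-size: 1232
    max-udp-size: 1232
    # NOTE(review): 8m socket buffers presumably need matching OS limits
    # (e.g. net.core.rmem_max / wmem_max on Linux) - confirm on the host.
    so-rcvbuf: 8m
    so-sndbuf: 8m

    # Cache/Performance
    cache-max-ttl: 604800
    cache-min-ttl: 30
    cache-min-negative-ttl: 3600
    fast-server-num: 3
    fast-server-permil: 950
    incoming-num-tcp: 256
    infra-cache-numhosts: 100000
    infra-cache-slabs: 2
    infra-host-ttl: 3600
    key-cache-size: 32m
    key-cache-slabs: 2
    minimal-responses: yes
    msg-cache-size: 256m
    msg-cache-slabs: 2
    neg-cache-size: 16m
    num-queries-per-thread: 2048
    num-threads: 2
    outgoing-num-tcp: 256
    outgoing-range: 4096
    prefetch-key: yes
    prefetch: yes
    rrset-cache-size: 512m
    rrset-cache-slabs: 2
    # Stale records are answered immediately (client-timeout 0) for up to
    # 86400 s past expiry, so a changed or withdrawn record can keep being
    # served for a day. ede-serve-expired above flags such answers.
    serve-expired-client-timeout: 0
    serve-expired-reply-ttl: 30
    serve-expired-ttl-reset: no
    serve-expired-ttl: 86400
    serve-expired: yes
    so-reuseport: yes
    target-fetch-policy: "3 2 1 1 1"

    # Recursion
    discard-timeout: 5000

    # Security/Privacy
    aggressive-nsec: yes
    delay-close: 0
    deny-any: yes
    do-not-query-localhost: yes
    # NOTE(review): harden-algo-downgrade, harden-referral-path and
    # use-caps-for-id are explicitly off in this block. Each is a stricter
    # setting with compatibility cost; confirm that leaving them off is a
    # deliberate choice.
    harden-algo-downgrade: no
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: no
    harden-referral-path: no
    harden-short-bufsize: yes
    hide-http-user-agent: no
    hide-identity: yes
    hide-version: yes
    http-user-agent: "DNS"
    identity: "DNS"
    qname-minimisation: yes
    rrset-roundrobin: yes
    unwanted-reply-threshold: 10000000
    use-caps-for-id: no
    val-clean-additional: yes

    # Local
    # DNS rebinding protection: these addresses are stripped from answers
    # for public names.
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # IPv4-mapped IPv6: without this entry an AAAA answer such as
    # ::ffff:192.168.0.1 passes the IPv4 entries above unfiltered.
    private-address: ::ffff:0:0/96
    # RFC6303 4.2
    private-address: 192.0.2.0/24
    private-address: 198.51.100.0/24
    private-address: 203.0.113.0/24
    private-address: 255.255.255.255/32
    private-address: 2001:db8::/32

    # Access
    # Only loopback clients may query.
    access-control: 127.0.0.0/8 allow

remote-control:
    # unbound-control endpoint, loopback only.
    # NOTE(review): control-use-cert and the key/cert paths are not set
    # here, so the build defaults apply; confirm the channel is
    # TLS-authenticated, since any local process can reach this port.
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953

# Local copy of the DNS root zone
# The zone is transferred from the primaries below and used for upstream
# lookups only (for-upstream: yes, for-downstream: no). With
# fallback-enabled: yes Unbound falls back to normal recursion if the
# local copy cannot be loaded or has expired.
# NOTE(review): nothing here authenticates the transfer itself, and
# delegation NS/glue records in the root zone are unsigned. Newer Unbound
# releases can verify the zone's ZONEMD digest (auth-zone options
# zonemd-check / zonemd-reject-absence); check the installed version's
# unbound.conf(5) before enabling.
auth-zone:
    name: "."
    primary: 170.247.170.2         # b.root-servers.net
    primary: 192.33.4.12           # c.root-servers.net
    primary: 199.7.91.13           # d.root-servers.net
    primary: 192.5.5.241           # f.root-servers.net
    primary: 192.112.36.4          # g.root-servers.net
    primary: 193.0.14.129          # k.root-servers.net
    primary: 192.0.47.132          # xfr.cjr.dns.icann.org
    primary: 192.0.32.132          # xfr.lax.dns.icann.org
    primary: 2801:1b8:10::b        # b.root-servers.net
    primary: 2001:500:2::c         # c.root-servers.net
    primary: 2001:500:2d::d        # d.root-servers.net
    primary: 2001:500:2f::f        # f.root-servers.net
    primary: 2001:500:12::d0d      # g.root-servers.net
    primary: 2001:7fd::1           # k.root-servers.net
    primary: 2620:0:2830:202::132  # xfr.cjr.dns.icann.org
    primary: 2620:0:2d0:202::132   # xfr.lax.dns.icann.org
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: /var/lib/unbound/root.zone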