diff --git a/README.md b/README.md
index e111d0b..e695490 100644
--- a/README.md
+++ b/README.md
@@ -102,10 +102,14 @@ wireguard | [cont-init.d] done.
wireguard | [services.d] starting services
```
+---
+
## Recommended configuration / Split tunnel:
Modify your wireguard client `AllowedIps` to `10.2.0.0/24` to only tunnel the web panel and DNS traffic.
+---
+
## Access PiHole
While connected to WireGuard, navigate to http://10.2.0.100/admin
@@ -134,6 +138,44 @@ wireguard:
---
+## Modifying the upstream DNS provider for Unbound
+If you choose to not use Cloudflare any reason you are able to modify the upstream DNS provider in `unbound.conf`.
+
+Search for `forward-zone` and modify the IP addresses for your chosen DNS provider.
+
+>**NOTE:** The anything after `#` is a comment on the line.
+What this means is it is just there to tell you which DNS provider you put there. It is for you to be able to reference later. I recommend updating this if you change your DNS provider from the default values.
+
+
+```yaml
+forward-zone:
+ name: "."
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
+ forward-addr: 1.0.0.1@853#cloudflare-dns.com
+ forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+ forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+ forward-tls-upstream: yes
+```
+
+---
+
+## Available DNS Providers
+
+While you can actually use any upstream provider you want, the team over at pi-hole.net provide a fantastic break down along with all needed information of some of the more popular providers here:
+https://docs.pi-hole.net/guides/upstream-dns-providers/
+
+Providers they have the information for:
+
+1. Google
+2. OpenDNS
+3. Level3
+4. Comodo
+5. DNS.WATCH
+6. Quad9
+7. CloudFlare DNS
+
+
+---
## Author
@@ -150,5 +192,4 @@ Contributions, issues and feature requests are welcome!
Feel free to check
Give a ⭐ if this project helped you!
-
-
+
\ No newline at end of file
diff --git a/unbound/unbound.conf b/unbound/unbound.conf
index f0bd343..e8bc4fa 100644
--- a/unbound/unbound.conf
+++ b/unbound/unbound.conf
@@ -1,362 +1,302 @@
-# server:
-# ###########################################################################
-# # BASIC SETTINGS
-# ###########################################################################
-# # Time to live maximum for RRsets and messages in the cache. If the maximum
-# # kicks in, responses to clients still get decrementing TTLs based on the
-# # original (larger) values. When the internal TTL expires, the cache item
-# # has expired. Can be set lower to force the resolver to query for data
-# # often, and not trust (very large) TTL values.
-# cache-max-ttl: 86400
-
-# # Time to live minimum for RRsets and messages in the cache. If the minimum
-# # kicks in, the data is cached for longer than the domain owner intended,
-# # and thus less queries are made to look up the data. Zero makes sure the
-# # data in the cache is as the domain owner intended, higher values,
-# # especially more than an hour or so, can lead to trouble as the data in
-# # the cache does not match up with the actual data any more.
-# cache-min-ttl: 300
-
-# # Set the working directory for the program.
-# directory: "/opt/unbound/etc/unbound"
-
-# # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer
-# # size. This is the value put into datagrams over UDP towards peers.
-# # 4096 is RFC recommended. 1472 has a reasonable chance to fit within a
-# # single Ethernet frame, thus lessing the chance of fragmentation
-# # reassembly problems (usually seen as timeouts). Setting to 512 bypasses
-# # even the most stringent path MTU problems, but is not recommended since
-# # the amount of TCP fallback generated is excessive.
-# edns-buffer-size: 1472
-
-# # Listen to for queries from clients and answer from this network interface
-# # and port.
-# interface: 0.0.0.0@53
-
-# # Rotates RRSet order in response (the pseudo-random number is taken from
-# # the query ID, for speed and thread safety).
-# rrset-roundrobin: yes
-
-# # Drop user privileges after binding the port.
-# username: "_unbound"
-
-# ###########################################################################
-# # LOGGING
-# ###########################################################################
-
-# # Do not print log lines to inform about local zone actions
-# log-local-actions: no
-
-# # Do not print one line per query to the log
-# log-queries: no
-
-# # Do not print one line per reply to the log
-# log-replies: no
-
-# # Do not print log lines that say why queries return SERVFAIL to clients
-# log-servfail: no
-
-# # Further limit logging
-# logfile: /dev/null
-
-# # Only log errors
-# verbosity: 5
-
-# ###########################################################################
-# # PRIVACY SETTINGS
-# ###########################################################################
-
-# # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
-# # denials, using information from previous NXDO-MAINs answers. In other
-# # words, use cached NSEC records to generate negative answers within a
-# # range and positive answers from wildcards. This increases performance,
-# # decreases latency and resource utilization on both authoritative and
-# # recursive servers, and increases privacy. Also, it may help increase
-# # resilience to certain DoS attacks in some circumstances.
-# aggressive-nsec: yes
-
-# # Extra delay for timeouted UDP ports before they are closed, in msec.
-# # This prevents very delayed answer packets from the upstream (recursive)
-# # servers from bouncing against closed ports and setting off all sort of
-# # close-port counters, with eg. 1500 msec. When timeouts happen you need
-# # extra sockets, it checks the ID and remote IP of packets, and unwanted
-# # packets are added to the unwanted packet counter.
-# delay-close: 10000
-
-# # Prevent the unbound server from forking into the background as a daemon
-# do-daemonize: no
-
-# # Add localhost to the do-not-query-address list.
-# do-not-query-localhost: no
-
-# # Number of bytes size of the aggressive negative cache.
-# neg-cache-size: 4M
-
-# # Send minimum amount of information to upstream servers to enhance
-# # privacy (best privacy).
-# qname-minimisation: yes
-
-# ###########################################################################
-# # SECURITY SETTINGS
-# ###########################################################################
-# # Only give access to recursion clients from LAN IPs
-# access-control: 127.0.0.1/32 allow
-# access-control: 192.168.0.0/16 allow
-# access-control: 172.16.0.0/12 allow
-# access-control: 10.0.0.0/8 allow
-# # access-control: fc00::/7 allow
-# # access-control: ::1/128 allow
-
-# # File with trust anchor for one zone, which is tracked with RFC5011
-# # probes.
-# auto-trust-anchor-file: "var/root.key"
-
-# # Enable chroot (i.e, change apparent root directory for the current
-# # running process and its children)
-# chroot: "/opt/unbound/etc/unbound"
-
-# # Deny queries of type ANY with an empty response.
-# deny-any: yes
-
-# # Harden against algorithm downgrade when multiple algorithms are
-# # advertised in the DS record.
-# harden-algo-downgrade: yes
-
-# # RFC 8020. returns nxdomain to queries for a name below another name that
-# # is already known to be nxdomain.
-# harden-below-nxdomain: yes
-
-# # Require DNSSEC data for trust-anchored zones, if such data is absent, the
-# # zone becomes bogus. If turned off you run the risk of a downgrade attack
-# # that disables security for a zone.
-# harden-dnssec-stripped: yes
-
-# # Only trust glue if it is within the servers authority.
-# harden-glue: yes
-
-# # Ignore very large queries.
-# harden-large-queries: yes
-
-# # Perform additional queries for infrastructure data to harden the referral
-# # path. Validates the replies if trust anchors are configured and the zones
-# # are signed. This enforces DNSSEC validation on nameserver NS sets and the
-# # nameserver addresses that are encountered on the referral path to the
-# # answer. Experimental option.
-# harden-referral-path: no
-
-# # Ignore very small EDNS buffer sizes from queries.
-# harden-short-bufsize: yes
-
-# # Refuse id.server and hostname.bind queries
-# hide-identity: yes
-
-# # Refuse version.server and version.bind queries
-# hide-version: yes
-
-# # Report this identity rather than the hostname of the server.
-# identity: "DNS"
-
-# # These private network addresses are not allowed to be returned for public
-# # internet names. Any occurrence of such addresses are removed from DNS
-# # answers. Additionally, the DNSSEC validator may mark the answers bogus.
-# # This protects against DNS Rebinding
-# private-address: 10.0.0.0/8
-# private-address: 172.16.0.0/12
-# private-address: 192.168.0.0/16
-# private-address: 169.254.0.0/16
-# # private-address: fd00::/8
-# # private-address: fe80::/10
-# # private-address: ::ffff:0:0/96
-
-# # Enable ratelimiting of queries (per second) sent to nameserver for
-# # performing recursion. More queries are turned away with an error
-# # (servfail). This stops recursive floods (e.g., random query names), but
-# # not spoofed reflection floods. Cached responses are not rate limited by
-# # this setting. Experimental option.
-# ratelimit: 1000
-
-# # Use this certificate bundle for authenticating connections made to
-# # outside peers (e.g., auth-zone urls, DNS over TLS connections).
-# tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-
-# # Set the total number of unwanted replies to eep track of in every thread.
-# # When it reaches the threshold, a defensive action of clearing the rrset
-# # and message caches is taken, hopefully flushing away any poison.
-# # Unbound suggests a value of 10 million.
-# unwanted-reply-threshold: 10000
-
-# # Use 0x20-encoded random bits in the query to foil spoof attempts. This
-# # perturbs the lowercase and uppercase of query names sent to authority
-# # servers and checks if the reply still has the correct casing.
-# # This feature is an experimental implementation of draft dns-0x20.
-# # Experimental option.
-# use-caps-for-id: yes
-
-# # Help protect users that rely on this validator for authentication from
-# # potentially bad data in the additional section. Instruct the validator to
-# # remove data from the additional section of secure messages that are not
-# # signed properly. Messages that are insecure, bogus, indeterminate or
-# # unchecked are not affected.
-# val-clean-additional: yes
-
-# ###########################################################################
-# # PERFORMANCE SETTINGS
-# ###########################################################################
-# # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
-# # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
-
-# # Number of slabs in the infrastructure cache. Slabs reduce lock contention
-# # by threads. Must be set to a power of 2.
-# infra-cache-slabs: 4
-
-# # Number of incoming TCP buffers to allocate per thread. Default
-# # is 10. If set to 0, or if do-tcp is "no", no TCP queries from
-# # clients are accepted. For larger installations increasing this
-# # value is a good idea.
-# incoming-num-tcp: 10
-
-# # Number of slabs in the key cache. Slabs reduce lock contention by
-# # threads. Must be set to a power of 2. Setting (close) to the number
-# # of cpus is a reasonable guess.
-# key-cache-slabs: 4
-
-# # Number of bytes size of the message cache.
-# # Unbound recommendation is to Use roughly twice as much rrset cache memory
-# # as you use msg cache memory.
-# msg-cache-size: 855658496
-
-# # Number of slabs in the message cache. Slabs reduce lock contention by
-# # threads. Must be set to a power of 2. Setting (close) to the number of
-# # cpus is a reasonable guess.
-# msg-cache-slabs: 4
-
-# # The number of queries that every thread will service simultaneously. If
-# # more queries arrive that need servicing, and no queries can be jostled
-# # out (see jostle-timeout), then the queries are dropped.
-# # This is best set at half the number of the outgoing-range.
-# # This Unbound instance was compiled with libevent so it can efficiently
-# # use more than 1024 file descriptors.
-# num-queries-per-thread: 4096
-
-# # The number of threads to create to serve clients.
-# # This is set dynamically at run time to effectively use available CPUs
-# # resources
-# num-threads: 2
-
-# # Number of ports to open. This number of file descriptors can be opened
-# # per thread.
-# # This Unbound instance was compiled with libevent so it can efficiently
-# # use more than 1024 file descriptors.
-# outgoing-range: 8192
-
-# # Number of bytes size of the RRset cache.
-# # Use roughly twice as much rrset cache memory as msg cache memory
-# rrset-cache-size: 1711316992
-
-# # Number of slabs in the RRset cache. Slabs reduce lock contention by
-# # threads. Must be set to a power of 2.
-# rrset-cache-slabs: 4
-
-# # Do no insert authority/additional sections into response messages when
-# # those sections are not required. This reduces response size
-# # significantly, and may avoid TCP fallback for some responses. This may
-# # cause a slight speedup.
-# minimal-responses: yes
-
-# # # Fetch the DNSKEYs earlier in the validation process, when a DS record
-# # is encountered. This lowers the latency of requests at the expense of
-# # little more CPU usage.
-# prefetch: yes
-
-# # Fetch the DNSKEYs earlier in the validation process, when a DS record is
-# # encountered. This lowers the latency of requests at the expense of little
-# # more CPU usage.
-# prefetch-key: yes
-
-# # Have unbound attempt to serve old responses from cache with a TTL of 0 in
-# # the response without waiting for the actual resolution to finish. The
-# # actual resolution answer ends up in the cache later on.
-# serve-expired: yes
-
-# # Open dedicated listening sockets for incoming queries for each thread and
-# # try to set the SO_REUSEPORT socket option on each socket. May distribute
-# # incoming queries to threads more evenly.
-# so-reuseport: yes
-
-# ###########################################################################
-# # LOCAL ZONE
-# ###########################################################################
-
-# # # Include file for local-data and local-data-ptr
-# # include: /opt/unbound/etc/unbound/a-records.conf
-# # include: /opt/unbound/etc/unbound/srv-records.conf
-
-# # ###########################################################################
-# # # FORWARD ZONE
-# # ###########################################################################
-
-# # include: /opt/unbound/etc/unbound/forward-records.conf
-
-
-# remote-control:
-# control-enable: no
-
server:
- verbosity: 1
- num-threads: 3
- interface: 0.0.0.0@53
- so-reuseport: yes
- edns-buffer-size: 1472
- delay-close: 10000
- cache-min-ttl: 60
+ ###########################################################################
+ # BASIC SETTINGS
+ ###########################################################################
+ # Time to live maximum for RRsets and messages in the cache. If the maximum
+ # kicks in, responses to clients still get decrementing TTLs based on the
+ # original (larger) values. When the internal TTL expires, the cache item
+ # has expired. Can be set lower to force the resolver to query for data
+ # often, and not trust (very large) TTL values.
cache-max-ttl: 86400
- do-daemonize: no
- username: "_unbound"
- log-queries: no
- hide-version: yes
- hide-identity: yes
- identity: "DNS"
- harden-algo-downgrade: yes
- harden-short-bufsize: yes
- harden-large-queries: yes
- harden-glue: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
- harden-referral-path: no
- do-not-query-localhost: no
- prefetch: yes
- prefetch-key: yes
- qname-minimisation: yes
- aggressive-nsec: yes
- ratelimit: 1000
- rrset-roundrobin: yes
- minimal-responses: yes
- chroot: "/opt/unbound/etc/unbound"
+
+ # Time to live minimum for RRsets and messages in the cache. If the minimum
+ # kicks in, the data is cached for longer than the domain owner intended,
+ # and thus less queries are made to look up the data. Zero makes sure the
+ # data in the cache is as the domain owner intended, higher values,
+ # especially more than an hour or so, can lead to trouble as the data in
+ # the cache does not match up with the actual data any more.
+ cache-min-ttl: 60
+
+ # Set the working directory for the program.
directory: "/opt/unbound/etc/unbound"
- auto-trust-anchor-file: "var/root.key"
- num-queries-per-thread: 4096
- outgoing-range: 8192
- msg-cache-size: 260991658
- rrset-cache-size: 260991658
+
+ # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer
+ # size. This is the value put into datagrams over UDP towards peers.
+ # 4096 is RFC recommended. 1472 has a reasonable chance to fit within a
+ # single Ethernet frame, thus lessing the chance of fragmentation
+ # reassembly problems (usually seen as timeouts). Setting to 512 bypasses
+ # even the most stringent path MTU problems, but is not recommended since
+ # the amount of TCP fallback generated is excessive.
+ edns-buffer-size: 1472
+
+ # Listen to for queries from clients and answer from this network interface
+ # and port.
+ interface: 0.0.0.0@53
+
+ # Rotates RRSet order in response (the pseudo-random number is taken from
+ # the query ID, for speed and thread safety).
+ rrset-roundrobin: yes
+
+ # Drop user privileges after binding the port.
+ username: "_unbound"
+
+ ###########################################################################
+ # LOGGING
+ ###########################################################################
+
+ # Do not print log lines to inform about local zone actions
+ log-local-actions: no
+
+ # Do not print one line per query to the log
+ log-queries: no
+
+ # Do not print one line per reply to the log
+ log-replies: no
+
+ # Do not print log lines that say why queries return SERVFAIL to clients
+ log-servfail: no
+
+ # Further limit logging
+ logfile: /dev/null
+
+ # Only log errors
+ verbosity: 5
+
+ ###########################################################################
+ # PRIVACY SETTINGS
+ ###########################################################################
+
+ # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
+ # denials, using information from previous NXDO-MAINs answers. In other
+ # words, use cached NSEC records to generate negative answers within a
+ # range and positive answers from wildcards. This increases performance,
+ # decreases latency and resource utilization on both authoritative and
+ # recursive servers, and increases privacy. Also, it may help increase
+ # resilience to certain DoS attacks in some circumstances.
+ aggressive-nsec: yes
+
+ # Extra delay for timeouted UDP ports before they are closed, in msec.
+ # This prevents very delayed answer packets from the upstream (recursive)
+ # servers from bouncing against closed ports and setting off all sort of
+ # close-port counters, with eg. 1500 msec. When timeouts happen you need
+ # extra sockets, it checks the ID and remote IP of packets, and unwanted
+ # packets are added to the unwanted packet counter.
+ delay-close: 10000
+
+ # Prevent the unbound server from forking into the background as a daemon
+ do-daemonize: no
+
+ # Add localhost to the do-not-query-address list.
+ do-not-query-localhost: no
+
+ # Number of bytes size of the aggressive negative cache.
neg-cache-size: 4M
- serve-expired: yes
- unwanted-reply-threshold: 10000
- use-caps-for-id: yes
- val-clean-additional: yes
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+ # Send minimum amount of information to upstream servers to enhance
+ # privacy (best privacy).
+ qname-minimisation: yes
+
+ ###########################################################################
+ # SECURITY SETTINGS
+ ###########################################################################
+ # Only give access to recursion clients from LAN IPs
+ access-control: 127.0.0.1/32 allow
+ access-control: 192.168.0.0/16 allow
+ access-control: 172.16.0.0/12 allow
+ access-control: 10.0.0.0/8 allow
+ # access-control: fc00::/7 allow
+ # access-control: ::1/128 allow
+
+ # File with trust anchor for one zone, which is tracked with RFC5011
+ # probes.
+ auto-trust-anchor-file: "var/root.key"
+
+ # Enable chroot (i.e, change apparent root directory for the current
+ # running process and its children)
+ chroot: "/opt/unbound/etc/unbound"
+
+ # Deny queries of type ANY with an empty response.
+ #deny-any: yes
+
+ # Harden against algorithm downgrade when multiple algorithms are
+ # advertised in the DS record.
+ harden-algo-downgrade: yes
+
+ # RFC 8020. returns nxdomain to queries for a name below another name that
+ # is already known to be nxdomain.
+ harden-below-nxdomain: yes
+
+ # Require DNSSEC data for trust-anchored zones, if such data is absent, the
+ # zone becomes bogus. If turned off you run the risk of a downgrade attack
+ # that disables security for a zone.
+ harden-dnssec-stripped: yes
+
+ # Only trust glue if it is within the servers authority.
+ harden-glue: yes
+
+ # Ignore very large queries.
+ harden-large-queries: yes
+
+ # Perform additional queries for infrastructure data to harden the referral
+ # path. Validates the replies if trust anchors are configured and the zones
+ # are signed. This enforces DNSSEC validation on nameserver NS sets and the
+ # nameserver addresses that are encountered on the referral path to the
+ # answer. Experimental option.
+ harden-referral-path: no
+
+ # Ignore very small EDNS buffer sizes from queries.
+ harden-short-bufsize: yes
+
+ # Refuse id.server and hostname.bind queries
+ hide-identity: yes
+
+ # Refuse version.server and version.bind queries
+ hide-version: yes
+
+ # Report this identity rather than the hostname of the server.
+ identity: "DNS"
+
+ # These private network addresses are not allowed to be returned for public
+ # internet names. Any occurrence of such addresses are removed from DNS
+ # answers. Additionally, the DNSSEC validator may mark the answers bogus.
+ # This protects against DNS Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
- private-address: fd00::/8
- private-address: fe80::/10
- private-address: ::ffff:0:0/96
- access-control: 127.0.0.1/32 allow
- access-control: 192.168.1.1/24 allow
- access-control: 172.16.0.0/12 allow
- access-control: 10.0.0.0/8 allow
- logfile: /var/log/unbound.log
- #include: /opt/unbound/etc/unbound/a-records.conf
+ # private-address: fd00::/8
+ # private-address: fe80::/10
+ # private-address: ::ffff:0:0/96
+
+ # Enable ratelimiting of queries (per second) sent to nameserver for
+ # performing recursion. More queries are turned away with an error
+ # (servfail). This stops recursive floods (e.g., random query names), but
+ # not spoofed reflection floods. Cached responses are not rate limited by
+ # this setting. Experimental option.
+ ratelimit: 1000
+
+ # Use this certificate bundle for authenticating connections made to
+ # outside peers (e.g., auth-zone urls, DNS over TLS connections).
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+ # Set the total number of unwanted replies to eep track of in every thread.
+ # When it reaches the threshold, a defensive action of clearing the rrset
+ # and message caches is taken, hopefully flushing away any poison.
+ # Unbound suggests a value of 10 million.
+ unwanted-reply-threshold: 10000
+
+ # Use 0x20-encoded random bits in the query to foil spoof attempts. This
+ # perturbs the lowercase and uppercase of query names sent to authority
+ # servers and checks if the reply still has the correct casing.
+ # This feature is an experimental implementation of draft dns-0x20.
+ # Experimental option.
+ use-caps-for-id: yes
+
+ # Help protect users that rely on this validator for authentication from
+ # potentially bad data in the additional section. Instruct the validator to
+ # remove data from the additional section of secure messages that are not
+ # signed properly. Messages that are insecure, bogus, indeterminate or
+ # unchecked are not affected.
+ val-clean-additional: yes
+
+ ###########################################################################
+ # PERFORMANCE SETTINGS
+ ###########################################################################
+ # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
+ # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
+
+ # Number of slabs in the infrastructure cache. Slabs reduce lock contention
+ # by threads. Must be set to a power of 2.
+ # infra-cache-slabs: 4
+
+ # Number of incoming TCP buffers to allocate per thread. Default
+ # is 10. If set to 0, or if do-tcp is "no", no TCP queries from
+ # clients are accepted. For larger installations increasing this
+ # value is a good idea.
+ # incoming-num-tcp: 10
+
+ # Number of slabs in the key cache. Slabs reduce lock contention by
+ # threads. Must be set to a power of 2. Setting (close) to the number
+ # of cpus is a reasonable guess.
+ # key-cache-slabs: 4
+
+ # Number of bytes size of the message cache.
+ # Unbound recommendation is to Use roughly twice as much rrset cache memory
+ # as you use msg cache memory.
+ msg-cache-size: 260991658
+
+ # Number of slabs in the message cache. Slabs reduce lock contention by
+ # threads. Must be set to a power of 2. Setting (close) to the number of
+ # cpus is a reasonable guess.
+ #msg-cache-slabs: 4
+
+ # The number of queries that every thread will service simultaneously. If
+ # more queries arrive that need servicing, and no queries can be jostled
+ # out (see jostle-timeout), then the queries are dropped.
+ # This is best set at half the number of the outgoing-range.
+ # This Unbound instance was compiled with libevent so it can efficiently
+ # use more than 1024 file descriptors.
+ num-queries-per-thread: 4096
+
+ # The number of threads to create to serve clients.
+ # This is set dynamically at run time to effectively use available CPUs
+ # resources
+ num-threads: 3
+
+ # Number of ports to open. This number of file descriptors can be opened
+ # per thread.
+ # This Unbound instance was compiled with libevent so it can efficiently
+ # use more than 1024 file descriptors.
+ outgoing-range: 8192
+
+ # Number of bytes size of the RRset cache.
+ # Use roughly twice as much rrset cache memory as msg cache memory
+ rrset-cache-size: 260991658
+
+ # Number of slabs in the RRset cache. Slabs reduce lock contention by
+ # threads. Must be set to a power of 2.
+ #rrset-cache-slabs: 4
+
+ # Do no insert authority/additional sections into response messages when
+ # those sections are not required. This reduces response size
+ # significantly, and may avoid TCP fallback for some responses. This may
+ # cause a slight speedup.
+ minimal-responses: yes
+
+ # # Fetch the DNSKEYs earlier in the validation process, when a DS record
+ # is encountered. This lowers the latency of requests at the expense of
+ # little more CPU usage.
+ prefetch: yes
+
+ # Fetch the DNSKEYs earlier in the validation process, when a DS record is
+ # encountered. This lowers the latency of requests at the expense of little
+ # more CPU usage.
+ prefetch-key: yes
+
+ # Have unbound attempt to serve old responses from cache with a TTL of 0 in
+ # the response without waiting for the actual resolution to finish. The
+ # actual resolution answer ends up in the cache later on.
+ serve-expired: yes
+
+ # Open dedicated listening sockets for incoming queries for each thread and
+ # try to set the SO_REUSEPORT socket option on each socket. May distribute
+ # incoming queries to threads more evenly.
+ so-reuseport: yes
+
+ ###########################################################################
+ # LOCAL ZONE
+ ###########################################################################
+
+ # # Include file for local-data and local-data-ptr
+ # include: /opt/unbound/etc/unbound/a-records.conf
+ # include: /opt/unbound/etc/unbound/srv-records.conf
+
+ # ###########################################################################
+ # # FORWARD ZONE
+ # ###########################################################################
+
+ # include: /opt/unbound/etc/unbound/forward-records.conf
+
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
@@ -364,5 +304,7 @@ server:
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-tls-upstream: yes
+
remote-control:
- control-enable: no
\ No newline at end of file
+ control-enable: no
+