server:
port:53
#
#
# Run in a chroot
#
#
chroot: "/etc/unbound"
#
#
# Interface to listen on; the ip address
# Use 0.0.0.0 to listen on all
#
# In the case of a router, I add a loopback address (10.53.1.53)
# and use this for unbound; this way, we have a single server that
# can be reached via multiple gateway
#
#
# We also have the option of specifying the outgoing interface
# This is applicable if you have multiple links to the internet 
# and wish to restrict vpn traffic to a particular one 
#
interface: 127.0.0.1
interface: $LOOPBACK_ADDR
outgoing-interface: $LAN_GW
#
# 
# Types of queries to accept
# 
#
#
do-ip6: no
do-ip4: yes
do-udp: yes
do-tcp: yes
#
#  
#  Access control 
#  Specify the CIDR blocks to allow or deny
#  On an internet reachable host, use iptables too
#
access-control: 127.0.0.0/8     allow
access-control: 10.0.0.0/8      allow
access-control: 192.168.0.0/16  allow
access-control: 172.16.0.0/12   allow
access-control: 0.0.0.0/0       refuse
#
#
#  Next, we manually download the root hints
#  "wget -qO root.hints https://www.internic.net/domain/named.cache"
#
#
root-hints: "/etc/unbound/root.hints"
#
#
# The trust anchors are taken care of by the unbound-anchor utility
# It runs a cron job to ensure they are up-to-date
#
# What are trust anchors? In DNSSEC, there is a chain of trust.  
# The parent zone must have records that verify the child zone
# These are generally DS records which are hashes of the Zone signing key
# 
# A traversal works like this 
# DS records in root verify the DNSKEYs for .net 
# DS records in .net verify the DNSKEYs for etherarp.net
# The DNSKEYs for etherarp.net verify the resource records.
#
# So the chain of trust needs a starting point,
# this key provided by ICANN is used to verify the root zone
#
#        
auto-trust-anchor-file: "/etc/unbound/root.key"
#
#
hide-identity:  yes
hide-version :  yes
#
#
# Will trust glue only if it is within the servers authority.
# Suppose I want to set ns.etherarp.net as the NS for etherarp.net,
# then I need to set recotd 'ns' as a glue record
#
#
harden-glue:yes
#
# 
# A zone we expect to be secure only responds with non-secure/conventional DNS
# By default, we repudiate the non-secure records, rendering the domain unreachable
# This is the same behavior as receiving dnssec data that doesn't match up with its anchor 
# 
# If set to no, it just accepts the unverified data at face value
# behaving as though it was a conventional dns zone
#
# LEAVE THIS SET TO "YES" otherwise you completely defeat the purpose of dnssec
#
harden-dnssec-stripped:yes
#
# 
# When sending a query to the authority NS, 
# pErTUrb bEtWEEN UpPeR aND LoWeR casE 
# 
# DNS is not case sensitive. However, when replying with an answer
# namesevers include the query received. 
#
# This options requires the two match to trust the response
#
# Best to leave this set to "no" (default) as it can cause unreliability 
# 
use-caps-for-id:no
#
#
# Performance and computational options.
# If you don't have a multicore/hyperthreaded machine (e.g. running on embedded router)
# then set num-threads to 1 (disable multithreading )
#
# The slabs must take a value approximately double the number of threads
# this value must be a power of 2
#
#
num-threads:        4
msg-cache-slabs:    2        
rrset-cache-slabs:  2  
key-cache-slabs:    2
infra-cache-slabs:  2
#
# 
# The RRset cache record values like  A,NS 
# These values are appropriate for a desktop or server
# On a small mbedded device like a router, use values like 2m
#
rrset-cache-size:256m
#
#
# Msg cache contains metadata, things like AD bit etc
# This should be 1/2 the size of the rrset-cache 
#
#
msg-cache-size:128m
#
# 
# Prefetch the message cache
# When popular entries are about to expire, we 
# refresh
#
prefetch: yes
#
# 
# Override records with short TTL (time to live)
# we do --not-- update records below this time
# Don't make it longer than ~300s, you may get stale records
#
#
cache-min-ttl:300
#
#
# Override records with long TTL
# Don't keep cached records for longer than 30h 
#
#       
cache-max-ttl:10800  
#
#
# Suppose you have a special dns provider for accessing US netflix
# You can set a forward zone here.
#
# There is also a type of zone known as a stub zone.
# The difference - a forward zone overrides stubs
#
# 
forward-zone:
    name:           "netflix.com"
    forward-addr:   1.2.3.4
#
#
# We can split our config into multiple files.
# Let's add a file containing local records to block add domains 
#
#
include: /etc/unbound/ads.conf
#
#
# Finally we set a forward zone for "." (the entire dns tree)
# This means that all requests are passed onto verisign and google's dns
# If you want, you could omit this, leaving your server to do all of the heavy lifting
# 
forward-zone:                  
    name:          "."             
    forward-addr:  64.6.64.6       
    forward-addr:  64.6.65.6