unbound/unbound.conf

# https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
server:
    # If no logfile is specified, syslog is used
    #logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this when you want to maually add/update the root.hints file
    # Otherwise, the hints included in the unbound package at the time the image was built will be used
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # Reduce latency by serving the outdated record before updating it
    serve-expired: yes

    # more cache memory, rrset=msg*2
    rrset-cache-size: 64m
    msg-cache-size: 32m

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Larger socket buffer.  OS may need config.
    so-rcvbuf: 2m
    so-sndbuf: 2m

    # Allow from adguard subnet (see docker-compose adguard network)
    access-control: 0.0.0.0/0 allow
Initial commit 2022-01-21 23:23:55 +00:00			`# https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound`
			`server:`
			`# If no logfile is specified, syslog is used`
			`#logfile: "/var/log/unbound/unbound.log"`
			`verbosity: 0`

			`interface: 0.0.0.0`
			`port: 53`
			`do-ip4: yes`
			`do-ip6: no`
			`do-udp: yes`
			`do-tcp: yes`

			`# You want to leave this to no unless you have native IPv6. With 6to4 and`
			`# Terredo tunnels your web browser should favor IPv4 for the same reasons`
			`prefer-ip6: no`

			`# Use this when you want to maually add/update the root.hints file`
			`# Otherwise, the hints included in the unbound package at the time the image was built will be used`
			`#root-hints: "/var/lib/unbound/root.hints"`

			`# Trust glue only if it is within the server's authority`
			`harden-glue: yes`

			`# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS`
			`harden-dnssec-stripped: yes`

			`# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes`
			`# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details`
			`use-caps-for-id: no`

			`# Reduce EDNS reassembly buffer size.`
			`# Suggested by the unbound man page to reduce fragmentation reassembly problems`
			`edns-buffer-size: 1472`

			`# Perform prefetching of close to expired message cache entries`
			`# This only applies to domains that have been frequently queried`
			`prefetch: yes`

			`# Reduce latency by serving the outdated record before updating it`
			`serve-expired: yes`

			`# more cache memory, rrset=msg*2`
			`rrset-cache-size: 64m`
			`msg-cache-size: 32m`

			`# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.`
			`num-threads: 1`

			`# Larger socket buffer. OS may need config.`
			`so-rcvbuf: 2m`
			`so-sndbuf: 2m`

			`# Allow from adguard subnet (see docker-compose adguard network)`
			`access-control: 0.0.0.0/0 allow`