# https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
#
# Unbound recursive resolver configuration, based on the Pi-hole guide above.
# Directives are unchanged; line breaks are restored and review notes added.

# Pulls in every *.conf file under /srv/unbound/conf. Settings defined there
# are not visible in this file.
include: /srv/unbound/conf/*.conf

server:
    # If no logfile is specified, syslog is used
    #logfile: "/var/log/unbound/unbound.log"
    # Level 0 logs errors only; queries are not logged at this level.
    verbosity: 0

    # Listen on all IPv4 interfaces, port 53, over both UDP and TCP.
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes BOGUS
    # NOTE(review): this only takes effect for zones that have a trust anchor.
    # No trust anchor (e.g. auto-trust-anchor-file) is set in this file; confirm
    # that one is supplied by the included conf files.
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC
    # issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
    # for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly
    # problems
    # NOTE(review): 1472 assumes a full 1500-byte path MTU over IPv4. DNS Flag
    # Day 2020 guidance and the default in current Unbound releases is 1232,
    # which avoids IP fragmentation on most paths; consider lowering it.
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # Reduce latency by serving the outdated record before updating it
    # NOTE(review): clients can receive stale answers after a record has been
    # changed or withdrawn; consider bounding this with serve-expired-ttl.
    serve-expired: yes

    # more cache memory, rrset=msg*2
    rrset-cache-size: 64m
    msg-cache-size: 32m

    # One thread should be sufficient, can be increased on beefy machines. In
    # reality for most users running on small networks or on a single machine,
    # it should be unnecessary to seek performance enhancement by increasing
    # num-threads above 1.
    num-threads: 1

    # Larger socket buffer. OS may need config.
    # (On Linux the kernel limits net.core.rmem_max / net.core.wmem_max must be
    # at least this large, otherwise the requested size is not granted.)
    so-rcvbuf: 2m
    so-sndbuf: 2m

    # Allow from adguard subnet (see docker-compose adguard network)
    # NOTE(review): the rule below does not match the comment above: it allows
    # every IPv4 source address, not only the AdGuard subnet. Together with
    # `interface: 0.0.0.0` the resolver answers any client that can reach
    # port 53, so if that port is ever published beyond the container network
    # this becomes an open resolver. Prefer restricting it to the real subnet:
    #   access-control: <ADGUARD_SUBNET_CIDR> allow
    # (placeholder; take the CIDR from the compose network definition).
    # No private-address entries (DNS rebinding protection) are set here
    # either; confirm whether the included conf files provide them.
    access-control: 0.0.0.0/0 allow