# Unbound recursive resolver configuration, based on the Pi-hole guide:
# https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound

# Pull in every *.conf file from this directory. Those files are not visible
# here and may add or change settings.
# NOTE(review): the directory should be writable only by trusted users, since
# anything dropped there becomes part of the resolver configuration.
include: /srv/unbound/conf/*.conf

server:
    # Stay in the foreground instead of forking into the background.
    do-daemonize: no

    # If no logfile is specified, syslog is used
    #logfile: "/var/log/unbound/unbound.log"
    # Level 0 logs errors only; no query logging is configured in this file.
    verbosity: 0

    # Listen on every IPv4 interface, port 53, over UDP and TCP. IPv6 is off.
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Addresses in these ranges are not allowed in answers for public names,
    # which protects clients against DNS rebinding.
    # NOTE(review): only the three RFC 1918 IPv4 ranges are listed. Link-local
    # (169.254.0.0/16) and IPv6 private ranges are not filtered; confirm that
    # is intended.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent,
    # the zone becomes BOGUS
    # NOTE(review): no trust anchor is configured in this file; presumably it
    # comes from the included *.conf files. Verify, otherwise this setting has
    # nothing to enforce.
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC
    # issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
    # for further details
    # Trade-off: 0x20 case randomization also makes spoofed answers harder to
    # forge, so that extra entropy is given up here.
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly
    # problems
    # NOTE(review): 1472 fits a 1500-byte path MTU over IPv4. DNS Flag Day 2020
    # recommends 1232 to avoid fragmentation; confirm which value suits this
    # network.
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # Reduce latency by serving the outdated record before updating it
    # NOTE(review): clients can receive records past their TTL. No
    # serve-expired-ttl is set in this file; confirm how long stale answers
    # may be served.
    serve-expired: yes

    # more cache memory, rrset=msg*2
    rrset-cache-size: 64m
    msg-cache-size: 32m

    # One thread should be sufficient, can be increased on beefy machines. In
    # reality for most users running on small networks or on a single machine,
    # it should be unnecessary to seek performance enhancement by increasing
    # num-threads above 1.
    num-threads: 1

    # Larger socket buffer. OS may need config.
    so-rcvbuf: 2m
    so-sndbuf: 2m

    # Allow from adguard subnet (see docker-compose adguard network)
    # NOTE(review): the rule below does not match that comment. 0.0.0.0/0
    # allows recursion for every IPv4 source, and the server listens on all
    # interfaces, so any host that can reach port 53 can use it. If the port
    # is published beyond the Docker network this is an open resolver. Prefer
    # the real network range, e.g. `access-control: <ADGUARD_SUBNET_CIDR> allow`
    # (placeholder, take the value from docker-compose).
    access-control: 0.0.0.0/0 allow

    # Record used for container healthcheck
    # NOTE(review): the zone name ("healthrecord.unbound") differs from the
    # record name ("healthcheck.unbound."), so the local-zone line does not
    # cover the record. This looks like a typo; verify the healthcheck still
    # resolves as expected.
    local-zone: "healthrecord.unbound" nodefault
    local-data: "healthcheck.unbound. A 127.0.0.1"