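# Unbound recursive resolver for a home network: plain DNS and DNS-over-TLS on
# the LAN interface, DNS-over-HTTPS for a local reverse proxy, DNSSEC validation,
# ad-blocking via an included zone file, and TLS-authenticated forwarding upstream.
server:
    verbosity: 1
    num-threads: 2

    # Listeners. Only the LAN address and loopback are bound; nothing on 0.0.0.0.
    interface: 10.0.0.1@53        # plain DNS on the home interface
    interface: 127.0.0.1@53       # plain DNS on localhost
    interface: 10.0.0.1@853       # DNS over TLS on the home interface
    interface: 127.0.0.1@853      # DNS over TLS on localhost
    interface: 127.0.0.1@4443     # DNS over HTTPS, loopback only (see https-port below)
    port: 53
    # NOTE(review): the @853 listeners only speak TLS if tls-service-key and
    # tls-service-pem are set; they are not in this excerpt -- confirm they are
    # configured elsewhere (e.g. an included file) before relying on DoT.

    # DoH: moved off the default 443 so it does not clash with NGINX, which is
    # expected to terminate TLS in front of this port. http-notls-downstream
    # makes this listener cleartext HTTP/2 -- acceptable ONLY because it is bound
    # to 127.0.0.1. Never add a non-loopback interface on this port.
    https-port: 4443
    http-notls-downstream: yes

    so-reuseport: yes
    # cache-min-ttl floors authoritative TTLs at 5 minutes; records changed
    # upstream may be served stale for up to that long.
    cache-min-ttl: 300
    cache-max-ttl: 86400

    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    use-systemd: no
    do-daemonize: yes

    # Client access: only the home subnet and localhost may query. Unbound
    # refuses everything else by default; the explicit refuse documents intent.
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.0.0/24 allow
    access-control: 127.0.0.0/8 allow   # canonical form of the loopback block

    use-syslog: yes

    # Reduce fingerprinting: don't answer id.server / version.bind queries.
    hide-identity: yes
    hide-version: yes

    # Hardening against spoofed, truncated or downgraded responses.
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: yes

    # Privacy: send only the minimum QNAME to each authoritative server.
    # Non-strict mode falls back to full names for servers that break otherwise.
    qname-minimisation: yes
    qname-minimisation-strict: no
    aggressive-nsec: yes          # requires DNSSEC validation (enabled below)
    use-caps-for-id: yes
    prefetch: yes
    rrset-roundrobin: yes
    minimal-responses: yes

    # CA bundle used to verify the certificate of TLS upstreams (forward-zone below).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # DNSSEC trust anchor with RFC 5011 auto-update. Relative to Unbound's working
    # directory; the file must be writable by the unbound user so key rollovers
    # can be recorded.
    auto-trust-anchor-file: "root-anchors/root-anchors.txt"

    include: /etc/unbound/adservers.conf   # ad blocking (local-zone entries)
    include: /etc/unbound/local.conf       # local names

# unbound-control access. Defaults to 127.0.0.1 and requires the keys generated
# by unbound-control-setup, so this does not expose control to the network.
remote-control:
    control-enable: yes

# Forward everything to an upstream resolver over TLS. Remove this block to
# resolve recursively from the root instead. DNSSEC answers are still validated
# locally, but the forwarder sees every query name -- a privacy trade-off.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The "#hostname" suffix is what makes Unbound verify the upstream certificate
    # (against tls-cert-bundle above). Without it the TLS session is encrypted but
    # unauthenticated, so an on-path attacker with any certificate could
    # intercept queries. Replace both address and hostname if you switch providers.
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google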