Domain Name Resolving

We use unbound as a validating, recursive, caching DNS resolver throughout our network.

Also on our OpenWRT routers, it is used instead of the pre-installed default dnsmasq.

Installation

$ opkg update
$ opkg install unbound-daemon-heavy unbound-anchor unbound-checkconf unbound-control unbound-control-setup

Deactivate LuCI

By default unbound is configured and controlled by LuCI on OpenWRT. However, since we share our unbound configuration across all hosts, that is not an option for us.

Open /etc/config/unbound on the router and make sure only the following lines are present:

config unbound
    option manual_conf '1'
    option root_age '9'

Configuration

Edit /etc/unbound/unbound.conf:

#
# Unbound configuration file for router.example.net.
#
# Unbound Version 1.10.1
# Linked libs: pluggable-libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1g  21 Apr 2020
# Linked modules: dns64 respip validator iterator
# TCP Fastopen feature available
#
# See https://unbound.net/documentation/unbound.conf.html


#=============================================
#
# Remote Control Settings
#
#=============================================

remote-control:

    # Set up the keys and certificates with unbound-control-setup.

    # Enable remote control.
    # Default: no
    control-enable: yes

    # IPv4, IPv6 addresses or local socket to listen for control commands.
    # Default: localhost
    #control-interface: 127.0.0.1
    #control-interface: ::1

    # port number for remote control operations.
    # control-port: 8953

    # unbound server key file.
    server-key-file: "/etc/unbound/unbound_server.key"

    # unbound server certificate file.
    server-cert-file: "/etc/unbound/unbound_server.pem"

    # unbound-control key file.
    control-key-file: "/etc/unbound/unbound_control.key"

    # unbound-control certificate file.
    control-cert-file: "/etc/unbound/unbound_control.pem"


#=============================================
#
# Server Settings
#
#=============================================

server:

    #----------------------------------------
    # Server Modules Settings
    #----------------------------------------

    # Module configuration, a list of module names separated by spaces,
    # surround the string with quotes (""). The modules can be validator,
    # iterator. Setting this to "iterator" will result in a non-validating
    # server. Setting this to "validator iterator" will turn on DNSSEC
    # validation. The ordering of the modules is important. You must also set
    # trust-anchors for validation to be useful.
    module-config: "validator iterator"


    #----------------------------------------
    # Runtime Environment Settings
    #----------------------------------------

    # Fork into background as daemon.
    # Default: yes
    #do-daemonize: no # Don't daemonize when run as init.d service

    chroot: "/etc/unbound"

    # if given, user privileges are dropped (after binding port),
    # and the given username is assumed. Default is user "unbound".
    # If you give "" no privileges are dropped.
    # username: "unbound"
    username: "unbound"

    # the working directory. The relative files in this config are
    # relative to this directory. If you give "" the working directory
    # is not changed.
    directory: "/etc/unbound"

    # the pid file. Can be an absolute path outside of chroot/work dir.
    # pidfile: "/etc/unbound/unbound.pid"
    #pidfile: "/var/run/unbound.pid"


    #----------------------------------------
    # Network Settings
    #----------------------------------------

    # IPv4, IPv6 addresses to answer queries from.
    # Default: localhost
    # NOTE: 0.0.0.0 / ::0 also binds the WAN-facing interfaces of the router.
    # The access-control rules below refuse everything that is not listed, but
    # the router firewall should still not expose port 53 towards the WAN.
    interface: 0.0.0.0
    interface: ::0

    # IPv4, IPv6 addresses to send outgoing queries to authoritative servers
    # from.
    # Default: All
    #outgoing-interface: 0.0.0.0
    #outgoing-interface: ::0

    # Port to listen for client queries.
    # Default: 53
    # port: 53

    # Number of ports to open. This number of file descriptors can be opened per
    # thread. Must be at least 1. Default depends on compile options. Larger
    # numbers need extra resources from the operating system. For performance a
    # very large value is best, use libevent to make this possible.
    # outgoing-range:

    # Permit unbound to open this port or range of ports for use to send
    # queries. A larger number of permitted outgoing ports increases resilience
    # against spoofing attempts. Make sure these ports are not needed by other
    # daemons. By default only ports above 1024 that have not been assigned by
    # IANA are used. Give a port number or a range of the form "low-high",
    # without spaces.
    # The outgoing-port-permit and outgoing-port-avoid statements are processed
    # in the line order of the config file, adding the permitted ports and
    # subtracting the avoided ports from the set of allowed ports. The
    # processing starts with the non IANA allocated ports above 1024 in the set
    # of allowed ports.
    outgoing-port-permit: 38866-39680

    # Do not permit unbound to open this port or range of ports for use to send
    # queries. Use this to make sure unbound does not grab a port that another
    # daemon needs. The port is avoided on all outgoing interfaces, both IP4 and
    # IP6. By default only ports above 1024 that have not been assigned by IANA
    # are used. Give a port number or a range of the form "low-high", without
    # spaces.
    # Ports above 1'024
    outgoing-port-avoid: 1194 #; OpenVPN UDP port
    outgoing-port-avoid: 3306 #; MariaDB database
    outgoing-port-avoid: 5000 #; Prosody XMPP server
    outgoing-port-avoid: 5060-5061 #; SIP Signaling UDP port
    outgoing-port-avoid: 5222 #; Prosody XMPP server
    outgoing-port-avoid: 5269 #; Prosody XMPP server
    outgoing-port-avoid: 5280-5281 #; Prosody XMPP server
    outgoing-port-avoid: 6667 #; IRC
    outgoing-port-avoid: 8333 #; Bitcoind daemon
    outgoing-port-avoid: 9001 #; TOR Relay
    outgoing-port-avoid: 9030 #; TOR Relay
    # Ports above 10'000
    outgoing-port-avoid: 11370-11372 # OpenPGP keyservers
    outgoing-port-avoid: 50001-50002 #; Electrum Server

    # Number of outgoing TCP buffers to allocate per thread. If set to 0, or if
    # do-tcp is "no", no TCP queries to authoritative servers are done. For larger
    # installations increasing this value is a good idea.
    # Default: 10. OpenWrt default: 1
    outgoing-num-tcp: 4

    # Number of incoming TCP buffers to allocate per thread. If set to 0, or if
    # do-tcp is "no", no  TCP  queries  from clients are accepted. For larger
    # installations increasing this value is a good idea.
    # Default: 10. OpenWrt default: 1
    incoming-num-tcp: 4

    # Detect source interface on UDP queries and copy them to replies. This
    # feature is experimental, and needs support in your OS for particular
    # socket options.
    # Default: no
    #interface-automatic: no

    # Number of bytes size to advertise as the EDNS reassembly buffer size. This
    # is the value put into datagrams over UDP towards peers. The actual buffer
    # size is determined by msg-buffer-size (both for TCP and UDP). Do not set
    # higher than that value. Default is 4096 which is RFC recommended. If you
    # have fragmentation reassembly problems, usually seen as timeouts, then a
    # value of 1472 can fix it. Setting to 512 bypasses even the most stringent
    # path MTU problems, but is seen as extreme, since the amount of TCP
    # fallback generated is excessive (probably also for this resolver, consider
    # tuning the outgoing tcp number).
    # Default: 4096
    edns-buffer-size: 4096

    # Number of bytes size of the message buffers. The default of 65552 bytes is
    # enough for 64 Kb packets, the maximum DNS message size. No message larger
    # than this can be sent or received. Can be reduced to use less memory, but
    # some requests for DNS data, such as for huge resource records, will result
    # in a SERVFAIL reply to the client.
    # Default: 65552, OpenWrt default: 8192
    msg-buffer-size: 65552

    # Enable IPv4, "yes" or "no".
    # do-ip4: yes

    # Enable IPv6, "yes" or "no".
    # do-ip6: yes

    # Enable UDP, "yes" or "no".
    # do-udp: yes

    # Enable TCP, "yes" or "no".
    # do-tcp: yes


    #----------------------------------------
    # TLS Client Connections Settings
    #----------------------------------------

    # Service clients over SSL (on the TCP sockets), with plain DNS inside the
    # SSL stream. Give the certificate to use and private key. Requires a full
    # restart to take effect.
    # Default: "" (disabled)
    # ssl-service-key: "path/to/privatekeyfile.key"
    # ssl-service-pem: "path/to/publiccertfile.pem"
    # ssl-port: 443


    #----------------------------------------
    # Upstream Server Connections Settings
    #----------------------------------------

    # request upstream over SSL (with plain DNS inside the SSL stream).
    # Default is no.  Can be turned on and off with unbound-control.
    # ssl-upstream: no

    # upstream connections use TCP only (and no UDP), "yes" or "no"
    # useful for tunneling scenarios, default no.
    # tcp-upstream: no

    # File to read root hints from.
    # Get it from ftp://FTP.INTERNIC.NET/domain/named.cache
    # Default: none
    #root-hints: "/etc/unbound/ICANN.cache"
    #root-hints: "/etc/unbound/ORSN.cache"
    #root-hints: "ICANN.cache"


    #----------------------------------------
    # Access Control Settings
    #----------------------------------------

    # Default: Only localhost is allowed, the rest is refused.

    # Deny all IPv4
    access-control: 0.0.0.0/0 refuse
    # Allow IPv4 localhost
    access-control: 127.0.0.0/8 allow
    # Allow private IPv4 addresses (RFC 1918)
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow
    # Allow link-local IPv4 addresses (RFC 6890 and RFC 3927)
    access-control: 169.254.0.0/16 allow
    access-control: 169.254.0.0/24 refuse
    access-control: 169.254.255.0/24 refuse
    # Allow global IPv4 subnets assigned to us
    access-control: 192.0.2.14/32 allow
    access-control: 198.51.100.7/32 allow
    access-control: 192.0.2.14/32 allow

    # Deny all IPV6
    access-control: ::0/0 refuse
    # Allow IPv6 localhost
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
    # Allow link-local IPv6 addresses (RFC 4862 and RFC 4291)
    access-control: fe80::/10 allow
    # Allow private IPv6 addresses (RFC 4193)
    access-control: fc00::/7 allow
    # Allow global IPv6 subnets assigned to us
    access-control: 2001:db8:3414::/48 allow
    access-control: 2001:db8:48d1::/64 allow
    access-control: 2001:db8:2d07:5b57::/128 allow
    # Allow our own private IPv6 (RFC 4193, c1d89eb128) subnets
    access-control: fdc1:d89e:b128::/48 allow


    #----------------------------------------
    # Logging and Statistics Settings
    #----------------------------------------

    # "" means log to stderr or nowhere when running in background.
    # Use of this option sets use-syslog to "no".
    # logfile: ""

    # Send log messages to syslog. Overrides the 'logfile' setting.
    # Default: yes
    # use-syslog: yes

    # Print timestamps in logfiles in UTC ASCII-format. Prints epoch in seconds
    # if set to 'no'.
    # Default: no
    # log-time-ascii: no

    # Log all received DNS queries with time, IP, name, type, and class.
    # log-queries: no
    #log-queries: no

    # Log all DNS replies with IP address, name, type, class, return code, time
    # to resolve, from cache and response size.
    # Default: no
    #log-replies: no

    # print statistics to the log (for every thread) every N seconds.
    # Set to "" or 0 to disable. Default is disabled.
    # statistics-interval: 0

    # enable cumulative statistics, without clearing them after printing.
    # statistics-cumulative: no

    # enable extended statistics (query types, answer codes, status)
    # printed from unbound-control. default off, because of speed.
    # extended-statistics: no


    #------------------------------------------
    # System Resources and Performance Settings
    #------------------------------------------

    # The number of threads to create to serve clients.
    # Use 1 for no threading.
    num-threads: 1

    # Number of ports to open. This number of file descriptors can be
    # opened per thread. Must be at least 1. Default depends on com-
    # pile options. Larger numbers need extra resources from the oper-
    # ating system. For performance a very large value is best, use
    # libevent to make this possible.
    # OpenWrt default: 60
    #outgoing-range: 60

    # The number of queries that every thread will service  simultaneously. If
    # more queries  arrive  that  need servicing, and no queries can be jostled
    # out (see jostle-timeout), then the queries are dropped. This forces the
    # client to resend after a timeout; allowing the server time to work on the
    # existing queries.
    # Default depends on compile options, 512 or 1024. OpenWrt default: 30
    num-queries-per-thread: 64

    # If not 0, then set the SO_RCVBUF socket option to get more buffer space on
    # UDP port 53 incoming queries. So that short spikes on busy servers do not
    # drop packets (see counter in netstat -su). Otherwise, the number of bytes
    # to ask for, try "4m" on a busy server. The OS caps it at a maximum, on
    # linux unbound needs root permission to bypass the limit, or the admin can
    # use sysctl net.core.rmem_max.
    # Default is 0 (use system value).
    #so-rcvbuf: 0

    # If not 0, then set the SO_SNDBUF socket option to get more buffer space on
    # UDP port 53 outgoing queries. This for very busy servers handles spikes in
    # answer traffic, otherwise 'send: resource temporarily unavailable' can get
    # logged, the buffer overrun is also visible by netstat -su. Specify the
    # number of bytes to ask for, try "4m" on a very busy server. The OS caps it
    # at a maximum, on linux unbound needs root permission to bypass the limit,
    # or the admin can use sysctl net.core.wmem_max.
    # Default is 0 (use system value).
    #so-sndbuf: 0

    # If yes, then open dedicated listening sockets for incoming queries for
    # each thread and try to set the SO_REUSEPORT socket option on each socket.
    # May distribute incoming queries to threads more evenly. Default is no. On
    # Linux it is supported in  kernels >= 3.9. On other systems, FreeBSD, OSX
    # it may also work. You can enable it (on any platform and kernel), it then
    # attempts to open the port and passes the option if it was available at
    # compile time, if that works it is used, if it fails, it continues silently
    # (unless verbosity 3) without the option.
    # Default: no
    so-reuseport: yes

    # If yes, Unbound rotates RRSet order in response (the random number is
    # taken from the query ID, for speed and thread safety).
    # Default: no
    rrset-roundrobin: yes

    # If yes, Unbound doesn't insert authority/additional sections into response
    # messages when those sections are not required. This reduces response size
    # significantly, and may avoid TCP fallback for some responses. This may
    # cause a slight speedup. The default is no, because the DNS protocol RFCs
    # mandate these sections, and the additional content could be of use and
    # save roundtrips for clients.
    # Default: no
    minimal-responses: yes


    #----------------------------------------
    # Cache Settings
    #----------------------------------------


    #----------------------------------------
    # Message Cache Settings

    # Number of bytes size of the message cache. A plain number is in bytes,
    # append 'k', 'm'  or  'g' for kilobytes, megabytes or gigabytes (1024*1024
    # bytes in a megabyte).
    # Default: 4m
    msg-cache-size: 4m

    # Number of slabs in the message cache. Slabs reduce lock contention by
    # threads. Must be set to a power of 2. Setting (close) to the number of
    # cpus is a reasonable guess.
    msg-cache-slabs: 1

    # If yes, message cache elements are prefetched before they expire to keep
    # the cache up to date. Default is no. Turning it on gives about 10 percent
    # more traffic and load on the machine, but popular items do not expire from
    # the cache.
    # Default: no
    prefetch: yes

    # If enabled, unbound attempts to serve old responses from cache with a TTL
    # of 0 in the response without waiting for the actual resolution to finish.
    # The actual resolution answer ends up in the cache later on.
    # NOTE: no upper bound is set on how long after expiry an entry may still be
    # served; consider serve-expired-ttl (seconds, if this build supports it) so
    # that stale or withdrawn records cannot be handed out indefinitely.
    # Default: no
    serve-expired: yes

    #----------------------------------------
    # Resource Records Cache Settings

    # Number of bytes size of the RRset cache. Default is 4 megabytes. A plain
    # number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or
    # gigabytes (1024*1024 bytes in a megabyte).
    # Default: 4m, OpenWrt default: 100k
    rrset-cache-size: 4m

    # Number of slabs in the RRset cache. Slabs reduce lock contention by
    # threads, but fragment memory usage. Must be set to a power of 2.
    # OpenWrt default: 1
    rrset-cache-slabs: 1

    # Time to live maximum for RRsets and messages in the cache. If the maximum
    # kicks in, responses to clients still get decrementing TTLs based on the
    # original (larger) values. When the internal TTL expires, the cache item has
    # expired. Can be set lower to force the resolver to query for data often, and
    # not trust (very large) TTL values.
    # Default: 86400 (1 day)
    #cache-max-ttl: 86400

    # Time to live minimum for RRsets and messages in the cache. If the minimum
    # kicks in, the data is cached for longer than the domain owner intended,
    # and thus less queries are made to look up the data. Zero makes sure the
    # data in the cache is as the domain owner intended, higher values,
    # especially more than an hour or so, can lead to trouble as the data in the
    # cache does not match up with the actual data any more.
    # Default: 0
    cache-min-ttl: 900 # 15 min

    #----------------------------------------
    # Negative Answers Cache Settings

    # Number of bytes size of the aggressive negative cache. A plain number is
    # in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes
    # (1024*1024 bytes in a megabyte).
    # Default: 1m. OpenWRT default: 10k
    neg-cache-size: 500k

    # Time to live maximum for negative responses, these have a SOA in
    # the authority section that is limited in time.
    # Default: 3600 (1 hour)
    #cache-max-negative-ttl: 3600

    # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and
    # other denials, using information from previous NXDOMAINs answers. It
    # helps to reduce the query rate towards targets that get a very high
    # nonexistent name lookup rate.
    # Default: no
    # Added in unbound 1.7.0
    #aggressive-nsec: yes

    #----------------------------------------
    # Infrastructure Cache Settings

    # Number of slabs in the infrastructure cache. Slabs reduce lock contention
    # by threads. Must be set to a power of 2.
    # OpenWrt default: 1
    infra-cache-slabs: 1

    # Time to live in seconds for entries in the host cache. The host cache
    # contains roundtrip timing, lameness and EDNS support information.
    # Default: 900.
    # infra-host-ttl: 900

    # Number of hosts for which information is cached.
    # Default: 10,000. OpenWrt default: 200
    infra-cache-numhosts: 2500

    # Time to live in seconds for entries in the host cache. The host cache
    # contains roundtrip timing, lameness and EDNS support information.
    # Default: 900.
    infra-host-ttl: 900

    # Lower limit in milliseconds for dynamic retransmit timeout calculation in
    # infrastructure cache. Increase this value if using forwarders that need
    # more time to do recursive name resolution.
    # Default is 50
    #infra-cache-min-rtt: 50

    #----------------------------------------
    # Key Cache Settings

    # Number of bytes size of the key cache. A plain number is in bytes, append
    # 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in
    # a megabyte).
    # Default: 4m. OpenWRT default: 100k
    key-cache-size: 1m

    # Number of slabs in the key cache. Slabs reduce lock contention by threads.
    # Must be set to a power of 2. Setting (close) to the number of cpus is a
    # reasonable guess.
    key-cache-slabs: 1

    # If yes, fetch the DNSKEYs earlier in the validation process, when a DS
    # record is encountered. This lowers the latency of requests. It does use a
    # little more CPU. Also if the cache is set to 0, it is no use.
    # Default: no.
    prefetch-key: yes


    #----------------------------------------
    # Security and Privacy Settings
    #----------------------------------------

    # Timeout in milliseconds used when the server is very busy. Set to a value
    # that usually results in one roundtrip to the authority servers. If too
    # many queries arrive, then 50% of the queries are allowed to run to
    # completion, and the other 50% are replaced with the new incoming query if
    # they have already spent more than their allowed time. This protects
    # against denial of service by slow queries or high query rates. Default 200
    # milliseconds. The effect is that the qps for long-lasting queries is
    # about  (num- queries- per-thread / 2) / (average time for such long
    # queries) qps. The qps for short queries can be about (num-queries- per-
    # thread / 2) / (jostle-timeout in whole seconds) qps per thread, about
    # (1024/2)*5 = 2560 qps by default.
    # Default: 200
    #jostle-timeout: 200

    # If enabled id.server and hostname.bind queries are refused.
    hide-identity: yes

    # Set the identity to report. If set to "", the default, then the hostname
    # of the server is returned.
    # Default: "" (server hostname)
    identity: ""

    # If enabled version.server and version.bind queries are refused.
    hide-version: yes

    # Set the version to report. If set to "", the default,  then  the package
    # version is returned.
    version: ""

    # If enabled trustanchor.unbound queries are refused.
    hide-trustanchor: yes

    # Set the target fetch policy used by unbound to determine if it should
    # fetch nameserver target addresses opportunistically. The policy is
    # described per dependency depth.
    # The number of values determines the maximum dependency depth that unbound
    # will pursue in answering a query. A value of -1 means to fetch all targets
    # opportunistically for that dependency depth. A value of 0 means to fetch
    # on demand only. A positive value fetches that many targets
    # opportunistically.
    # Enclose the list between quotes ("") and put spaces between numbers. The
    # default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
    # closer to that of BIND 9, while setting "-1 -1 -1 -1 -1" gives behaviour
    # rumoured to be closer to that of BIND 8.
    # Default: "3 2 1 0 0", OpenWrt default: "2 1 0 0 0 0"
    target-fetch-policy: "3 2 1 0 0"

    # Very small EDNS buffer sizes from queries are ignored. Default
    # is off, since it is legal protocol wise to send these, and
    # unbound tries to give very small answers to these queries, where
    # possible.
    # Default: no. OpenWRT Default: yes
    harden-short-bufsize: yes

    # Very large queries are ignored. Default is off, since it is
    # legal protocol wise to send these, and could be necessary for
    # operation if TSIG or EDNS payload is very large.
    # Default: no. OpenWrt default: yes
    harden-large-queries: no

    # Will trust glue only if it is within the servers authority.
    # Default: yes.
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes bogus. If turned  off, and no DNSSEC data is received (or the
    # DNSKEY data fails to validate), then the zone is made insecure, this
    # behaves like there is no trust anchor. You could turn this off if you are
    # sometimes behind an intrusive firewall (of some sort) that removes DNSSEC
    # data from packets, or a zone changes from signed to unsigned to badly
    # signed often. If turned off you run the risk of a downgrade attack that
    # disables security for a zone.
    # Default: yes
    harden-dnssec-stripped: yes

    # From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"),
    # returns nxdomain to queries for a name below another  name that is already
    # known to be nxdomain. DNSSEC mandates  noerror for empty nonterminals,
    # hence this is possible. Very old software might return nxdomain for empty
    # nonterminals (that usually happen for reverse IP address lookups), and
    # thus may be incompatible with this. To try to avoid this only DNSSEC-
    # secure nxdomains are used, because the old software does not have DNSSEC.
    # Default is off. The nxdomain must be secure, this means nsec3 with optout
    # is insufficient.
    # Default: no
    harden-below-nxdomain: yes

    # Harden the referral path by performing additional queries for
    # infrastructure data. Validates the replies if trust anchors are configured
    # and the zones are signed. This enforces DNSSEC validation on nameserver NS
    # sets and the nameserver addresses that are encountered on the referral
    # path to the answer. Default off, because it burdens the authority servers,
    # and it is not RFC standard, and could lead to performance problems because
    # of the extra query load that is generated. Experimental option. If you
    # enable it consider adding more numbers after the target-fetch-policy  to
    # increase the max depth that is checked to.
    # Default: no
    harden-referral-path: no

    # Harden against algorithm downgrade when multiple algorithms are advertised
    # in the DS record. If no, allows the weakest algorithm to validate the
    # zone. Default is no. Zone signers must produce zones that allow this
    # feature to work, but sometimes they do not, and turning this option off
    # avoids that validation failure.
    # Default: no
    harden-algo-downgrade: no

    # Use 0x20-encoded random bits in the query to foil spoof attempts. This
    # perturbs the lowercase and uppercase of query names sent to authority
    # servers and checks if the reply still has the correct casing. Disabled by
    # default. This feature is an experimental implementation of draft dns-0x20.
    # Default: no
    use-caps-for-id: yes

    # Whitelist the domain so that it does not receive caps-for-id perturbed
    # queries. For domains that do not support 0x20 and also fail with fallback
    # because they keep sending different answers, like some load balancers. Can
    # be given multiple times, for different domains.
    #caps-whitelist:

    # Send minimum amount of information to upstream servers to enhance privacy.
    # Only sent minimum required labels of the QNAME and set QTYPE to NS when
    # possible. Best effort approach; full QNAME and original QTYPE will be sent
    # when upstream replies with a RCODE other than NOERROR, except when
    # receiving NXDOMAIN from a DNSSEC signed zone.
    # Default: no
    qname-minimisation: yes

    # QNAME minimisation in strict mode. Do not fall-back to sending
    # full QNAME to potentially broken nameservers. A lot of domains
    # will not be resolvable when this option in enabled. Only use if
    # you know what you are doing. This option only has effect when
    # qname-minimisation is enabled.
    # Default: no
    qname-minimisation-strict: no

    # Give IPv4 of IPv6 addresses or classless subnets. These are addresses on
    # your private network, and are not allowed to be returned  for  public
    # internet names. Any occurrence of such addresses are removed from DNS
    # answers. Additionally, the DNSSEC validator may mark the answers bogus.
    # This protects against so-called DNS Rebinding, where a user browser is
    # turned into a network proxy, allowing remote access through the browser to
    # other parts of your private network. Some names can be allowed to contain
    # your private addresses, by default all the local-data that you configured
    # is allowed to, and you can specify additional names using private-domain.
    # No private addresses are enabled by default. We consider to enable this
    # for the RFC1918 private IP address space by default in later releases.
    # That would enable private addresses for 10.0.0.0/8, 172.16.0.0/12
    # 192.168.0.0/16, 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC
    # standards say these addresses should not be visible on the public
    # internet. Turning on 127.0.0.0/8 would hinder many spam- blocklists as
    # they use that.
    # Private IPv4 addresses (RFC 1918)
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # Private IPv6 addresses (RFC 4193)
    private-address: fc00::/7
    # Link-local IPv4 addresses (RFC 6890 and RFC 3927)
    private-address: 169.254.0.0/16
    # Link-local IPv6 addresses (RFC 4862 and RFC 4291)
    private-address: fe80::/10
    private-address: fd00::/8
    # Stop IPv4-mapped IPv6 addresses from bypassing the filter.
    private-address: ::ffff:0:0/96

    # If set, a total number of unwanted replies is kept track of in every
    # thread. When it reaches the threshold, a defensive action is taken and a
    # warning is printed to the log. The defensive action is to clear the rrset
    # and message caches, hopefully flushing away any poison. A value of 10
    # million is suggested.
    # Default: 0 (turned off).
    unwanted-reply-threshold: 10000000

    # Do not query the given IP address. Can be IP4 or IP6. Append
    # /num to indicate a classless delegation netblock, for example
    # like 10.2.3.4/24 or 2001::11/64.
    #do-not-query-address:

    # If yes, localhost is added to the do-not-query-address entries, both IP6
    # ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send queries
    # to.
    # Default: yes
    do-not-query-localhost: no # Allow query to local dnsmasq on OpenWRT (only needed while dnsmasq still runs; the introduction replaces it with unbound)


    #----------------------------------------
    # DNSSEC Settings
    #----------------------------------------

    # If true, disables the DNSSEC lameness check in the iterator. This check
    # sees if RRSIGs are present in the answer, when dnssec is expected, and
    # retries another authority if RRSIGs are unexpectedly missing. The
    # validator will insist in RRSIGs for DNSSEC signed domains regardless of
    # this setting, if a trust anchor is loaded.
    disable-dnssec-lame-check: no

    # File with trusted keys for validation. Both DS and DNSKEY entries can
    # appear in the file. The format of the file is the standard DNS Zone file
    # format. Default is "", or no trust anchor file.
    # NOTE: module-config above loads the validator, but with both this option
    # and auto-trust-anchor-file left commented out no trust anchor is active
    # and DNSSEC validation is effectively off (unless one is configured further
    # down). Prefer auto-trust-anchor-file (RFC 5011 tracked); the unbound-anchor
    # package from the install step can be used to create the initial root.key
    # inside the chroot.
    # Default: ""
    #trust-anchor-file: "/etc/unbound/root.key"

    # File with trust anchor for one zone, which is tracked with RFC5011 probes.
    # The probes are several times per month, thus the machine must be online
    # frequently. The initial file can  be one with contents as described in
    # trust-anchor-file. The file is written to when the anchor is updated, so
    # the unbound user must have write permission. Write permission to the file,
    # but also to the directory it is in  (to create a temporary file, which is
    # necessary to deal with filesystem full events), it must also be inside the
    # chroot (if that is used).
    # Default: ""
    #auto-trust-anchor-file: "/etc/unbound/root.key"

    # A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
    # given to specify multiple trusted keys, in addition to the
    # trust-anchor-file entries. The resource record is entered in the same
    # format as 'dig' or 'drill' prints them, the same format as in the zone
    # file. Has to be on a single line, with "" around it. A TTL can be
    # specified for ease of cut and paste, but is ignored. A class can be
    # specified, but class IN is default.
    # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
    # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
    #trust-anchor: <"Resource Record">

    # File with trusted keys for validation. Specify more than one file with
    # several entries, one file per entry. Like trust-anchor-file but has a
    # different file format. Format is BIND-9 style format, the trusted-keys {
    # name flag proto algo "key"; }; clauses are read. It is possible to use
    # wildcards with this statement, the wildcard is expanded on start and on
    # reload.
    #trusted-keys-file: <filename>

    # Send RFC8145 key tag query after trust anchor priming.
    # Default: yes
    #trust-anchor-signaling: yes

    # Root key trust anchor sentinel.
    # Default: yes
    # root-key-sentinel: yes

    # This option was used during early days DNSSEC deployment when no parent-
    # side DS record registrations were easily available. Nowadays, it is best
    # to have DS records registered with the parent zone (many top level zones
    # are signed). File with trusted keys for DLV (DNSSEC Lookaside Validation).
    # Both DS and DNSKEY entries can be used in the file, in the same format as
    # for trust-anchor-file: statements. Only one DLV can be configured, more
    # would be slow. The DLV configured is used as a root trusted DLV, this
    # means that it is a lookaside for the root.
    # Decommissioning the DLV has been completed as of September 30, 2017,
    # please do not use it any more.
    # Default: "" (No DLV anchor)
    #dlv-anchor-file: "/var/lib/unbound/dlv.isc.org.key"

    # Much like trust-anchor, this is a DLV anchor with the DS or DNSKEY inline.
    # DLV is going to be decommissioned. Please do not use it any more.
    #dlv-anchor: <"Resource Record">

    # Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
    # the domain name. So a trust anchor above the domain name can not make the
    # domain secure with a DS record, such a DS record is then ignored. Also
    # keys from DLV are ignored for the domain. Can be given multiple times to
    # specify multiple domains that are treated as if unsigned. If you set trust
    # anchors for the domain they override this setting (and the domain is
    # secured).
    # This can be useful if you want to make sure a trust anchor for external
    # lookups does not affect an (unsigned) internal domain. A DS record
    # externally can create validation failures for that internal domain.
    #domain-insecure: <domain name>

    # Default is "" or "0", which disables this debugging feature. If enabled
    # by giving a RRSIG style date, that date is used for verifying RRSIG
    # inception and expiration dates, instead of the current date. Do not set
    # this unless you are debugging signature inception and expiration. The
    # value -1 ignores the date altogether, useful for some special
    # applications.
    # Default: ""
    #val-override-date:

    # Minimum number of seconds of clock skew to apply to validated signatures.
    # A value of 10% of the signature lifetime (expiration - inception) is used,
    # capped by this setting. Default is 3600 (1 hour) which allows for
    # daylight savings differences. Lower this value for more strict checking of
    # short-lived signatures.
    # Default: 3600
    #val-sig-skew-min: 3600

    # Maximum number of seconds of clock skew to apply to validated signatures.
    # A value of 10% of the signature lifetime (expiration - inception) is
    # used, capped by this setting. Default is 86400 (24 hours) which allows for
    # timezone setting problems in stable domains. Setting both min and max
    # very low disables the clock skew allowances. Setting both min and max
    # very high makes the validator check the signature timestamps less
    # strictly.
    # Default: 86400
    #val-sig-skew-max: 86400

    # The time to live for bogus data. This is data that has failed validation;
    # due to invalid signatures or other checks. The TTL from that data cannot
    # be trusted, and this value is used instead. The value is in seconds,
    # default 60. The time interval prevents repeated revalidation of bogus
    # data.
    # Default: 60
    #val-bogus-ttl: 60

    # Instruct the validator to remove data from the additional section of
    # secure messages that are not signed properly. Messages that are insecure,
    # bogus, indeterminate or unchecked are not affected. Default is yes. Use
    # this setting to protect the users that rely on this validator for
    # authentication from potentially bad data in the additional section.
    # Default: yes
    #val-clean-additional: yes

    # Have the validator print validation failures to the log. Regardless of the
    # verbosity setting. Default is 0, off. At 1, for every user query that
    # fails a line is printed to the logs. This way you can monitor what happens
    # with validation. Use a diagnosis tool, such as dig or drill, to find out
    # why validation is failing for these queries. At 2, not only the query that
    # failed is printed but also the reason why unbound thought it was wrong and
    # which server sent the faulty data.
    # Default: 0
    #val-log-level: 0

    # Instruct the validator to mark bogus messages as indeterminate. The
    # security checks are performed, but if the result is bogus (failed
    # security), the reply is not withheld from the client with SERVFAIL as
    # usual. The client receives the bogus data. For messages that are found to
    # be secure the AD bit is set in replies. Also logging is performed as for
    # full validation. The default value is "no".
    # Default: no
    #val-permissive-mode: no

    # Instruct unbound to ignore the CD flag from clients and refuse to return
    # bogus answers to them. Thus, the CD (Checking Disabled) flag does not
    # disable checking any more. This is useful with legacy clients (Windows
    # 2008 servers) that set the CD flag but cannot validate DNSSEC themselves.
    # Like this Unbound still provides them with DNSSEC protection.
    # Default: no
    #ignore-cd-flag: no

    # List of keysize and iteration count values, separated by spaces,
    # surrounded by quotes. This determines the maximum allowed NSEC3 iteration
    # count before a message is simply marked insecure instead of performing the
    # many hashing iterations. The list must be in ascending order and have at
    # least one entry. If you set it to "1024 65535" there is no restriction to
    # NSEC3 iteration values. This table must be kept short; a very long list
    # could cause slower operation.
    # Default: "1024 150 2048 500 4096 2500"
    #val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"

    # Instruct the auto-trust-anchor-file probe mechanism for RFC5011 autotrust
    # updates to add new trust anchors only after they have been visible for this
    # time. Default is 30 days as per the RFC.
    # Default: 2629800
    #add-holddown: 2629800

    # Instruct the auto-trust-anchor-file probe mechanism for RFC5011 autotrust
    # updates to remove revoked trust anchors after they have been kept in the
    # revoked list for this long. Default is 30 days as per the RFC.
    # Default: 2629800
    #del-holddown: 2629800

    # Instruct the auto-trust-anchor-file probe mechanism for RFC5011 autotrust
    # updates to remove missing trust anchors after they have been unseen for
    # this long. This cleans up the state file if the target zone does not
    # perform trust anchor revocation, so this makes the auto probe mechanism
    # work with zones that perform regular (non-5011) rollovers. The default is
    # 366 days. The value 0 does not remove missing anchors, as per the RFC.
    # Default: 31536000
    #keep-missing: 31536000

    # Debug option that allows the autotrust 5011 rollover timers to assume very
    # small values.
    # Default: no
    #permit-small-holddown: no


    #----------------------------------------
    # Local Host Mode Settings
    #----------------------------------------

    # Default is disabled. If enabled, then for private address space, the
    # reverse lookups are no longer filtered. This allows unbound when running
    # as dns service on a host where it provides service for that host, to put
    # out all of the queries for the 'lan' upstream. When enabled, only
    # localhost, 127.0.0.1 reverse and ::1 reverse zones are configured with
    # default local zones. Disable the option when unbound is running as a
    # (DHCP-) DNS network resolver for a group of machines, where such lookups
    # should be filtered (RFC compliance), this also stops potential data
    # leakage about the local network to the upstream DNS servers.
    # Default: no
    #unblock-lan-zones: no

    # Default is disabled. If enabled, then reverse lookups in private address
    # space are not validated. This is usually required whenever
    # unblock-lan-zones is used.
    # Default: no
    #insecure-lan-zones: no


#=============================================
#
# Configuration Files to include
#
#=============================================

# Include Configuration Settings
#include: "/etc/unbound/unbound.conf.d/*.conf"

#
# Local Zones Settings
include: "/etc/unbound/local-zones.d/*.conf"

# Adservers Blacklists
include: "/etc/unbound/adservers.d/*.conf"

#
# Forward Zone Settings
include: "/etc/unbound/upstream-resolver.conf"

# -*- mode: ini; tab-width: 4; indent-tabs-mode: nil -*-