diff --git a/docker-build/unbound-pihole.conf b/docker-build/unbound-pihole.conf index e997bf9..89d7ac9 100644 --- a/docker-build/unbound-pihole.conf +++ b/docker-build/unbound-pihole.conf @@ -1,4 +1,6 @@ server: + # https://manpages.debian.org/bullseye/unbound/unbound.conf.5.en.html + # # If no logfile is specified, syslog is used # logfile: "/var/log/unbound/unbound.log" verbosity: 0 @@ -9,7 +11,7 @@ server: do-udp: yes do-tcp: yes - # May be set to yes if you have IPv6 connectivity + # Maybe set to yes if you have IPv6 connectivity do-ip6: no # You want to leave this to no unless you have *native* IPv6. With 6to4 and @@ -51,7 +53,13 @@ server: # This only applies to domains that have been frequently queried prefetch: yes - # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. + # Fetch the DNSKEYs earlier in the validation process, when a DS record is encountered. + # This lowers the latency of requests. It does use a little more CPU. + prefetch-key: yes + + # One thread should be sufficient, can be increased on beefy machines. + # In reality for most users running on small networks or on a single machine, + # it should be unnecessary to seek performance enhancement by increasing num-threads above 1. num-threads: 1 # Ensure kernel buffer is large enough to not lose messages in traffic spikes @@ -61,6 +69,16 @@ server: msg-cache-size: 128m rrset-cache-size: 256m + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + # It helps to reduce the query rate towards targets that get a very high nonexistent name lookup rate. + aggressive-nsec: yes + + # If enabled id.server and hostname.bind queries are refused. + hide-identity: yes + #If enabled version.server and version.bind queries are refused. + hide-version: yes + # Ensure privacy of local IP ranges private-address: 192.168.0.0/16 private-address: 169.254.0.0/16