{
  # Local validating recursive resolver (unbound) plus the Prometheus
  # exporters that scrape it and the host.
  services.unbound = {
    enable = true;

    # Control channel on a unix socket instead of a TCP control port; the
    # unbound exporter below reads its statistics from this same path.
    localControlSocketPath = "/run/unbound/unbound.ctl";

    settings.server = {
      # Logging: low verbosity and no per-query logging, so client lookups
      # are not written to the journal.
      verbosity = 1;
      log-queries = false;

      # Listening port and transports.  The listening interfaces and
      # access-control list are not set here, so the module defaults apply
      # (presumably loopback only — confirm against the NixOS module).
      port = 5335;
      do-ip4 = true;
      do-ip6 = true;
      do-udp = true;
      do-tcp = true;
      prefer-ip6 = true;

      # Do not answer id.server / version.bind style fingerprinting queries.
      hide-identity = true;
      hide-version = true;

      # Only accept glue records that lie within the authority of the
      # delegating server.
      harden-glue = true;

      # Zones under a trust anchor must carry DNSSEC data; if it has been
      # stripped the answer is treated as BOGUS instead of being accepted.
      harden-dnssec-stripped = true;

      # Validate the delegation chain (NS/A/AAAA of referrals) as well.
      harden-referral-path = true;

      # 0x20 query-name case randomisation is an anti-spoofing measure, but
      # it is disabled here because it is known to break DNSSEC for some
      # zones; see
      # https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
      use-caps-for-id = false;

      # Advertised EDNS reassembly buffer, lowered to avoid IP fragmentation
      # problems.  NOTE(review): newer unbound releases default to 1232
      # (DNS flag day 2020); 1472 is kept here as configured — confirm the
      # value against the man page of the installed version.
      edns-buffer-size = 1472;

      # Refresh frequently-used cache entries (and their DNSKEYs) shortly
      # before they expire rather than on the next miss.
      prefetch = true;
      prefetch-key = true;

      # Serve a stale record while it is being refreshed instead of making
      # the client wait.  cache-min-ttl stays at 0 so TTLs from the
      # authoritative servers are honoured; raising it (e.g. 3600) would be
      # the alternative way to cut latency.  How long expired data may be
      # served is governed by serve-expired-ttl, which is not set here.
      cache-min-ttl = 0;
      serve-expired = true;

      # Cache sizing.  Two worker threads; msg-cache-slabs is a power of two
      # close to num-threads, which is what the slab settings expect.
      rrset-cache-size = "256m";
      msg-cache-size = "128m";
      msg-cache-slabs = 4;
      num-threads = 2;

      # Socket receive buffer so bursts of queries are not dropped by the
      # kernel.  NOTE(review): a value above the kernel's rmem_max limit may
      # need a sysctl or extra privilege to take effect — verify on the host.
      so-rcvbuf = "8m";

      # DNS rebinding protection: answers for public names that resolve to
      # these private ranges have those addresses removed.
      private-address = [
        "192.168.0.0/16"
        "169.254.0.0/16"
        "172.16.0.0/12"
        "10.0.0.0/8"
        "fd00::/8"
        "fe80::/10"
      ];
    };
  };

  services.prometheus.exporters = {
    # Host metrics; only the systemd collector is enabled on top of the
    # exporter's built-in set.
    node = {
      enable = true;
      enabledCollectors = [ "systemd" ];
    };

    # Resolver metrics, read over the unix control socket configured above
    # (keep the two paths in sync if either is changed).
    unbound = {
      enable = true;
      unbound.host = "unix:///run/unbound/unbound.ctl";
    };
  };
}