# NixOS module: unbound as a local validating recursive resolver on port 5335,
# a node exporter plus an unbound exporter for Prometheus, and log rotation for
# the unbound query/reply log. `config` is needed only to resolve the unbound
# package for the logrotate hook.
{ config, ... }:

{
  services = {
    unbound = {
      enable = true;

      # Unix control socket. The Prometheus unbound exporter below is pointed at
      # this same path, and the logrotate postrotate hook depends on it being
      # reachable through unbound-control.
      localControlSocketPath = "/run/unbound/unbound.ctl";

      settings.server = {
        # ---- logging -----------------------------------------------------
        # Output goes to a file; an empty logfile string would send it to
        # stderr (the journal) instead. log-replies writes one line per answer
        # including the client address and the queried name, so this file
        # holds per-client lookup history; its retention is bounded by the
        # logrotate policy at the bottom of this module (7 daily rotations).
        log-queries = false;
        log-replies = true;
        log-tag-queryreply = true;
        log-local-actions = true;
        logfile = "/var/log/unbound/unbound.log";
        # NOTE(review): nothing in this module creates /var/log/unbound or
        # grants the hardened unbound service write access to it -- confirm the
        # directory exists and is writable by the service user.
        # Only errors; per-reply lines above are emitted regardless.
        verbosity = 0;

        # ---- listener / transports ---------------------------------------
        # Non-standard port, e.g. as upstream for a forwarder on 53.
        port = 5335;
        do-ip4 = true;
        do-ip6 = true;
        do-udp = true;
        do-tcp = true;
        # NOTE(review): prefers IPv6 for outgoing resolution -- confirm the
        # host actually has working IPv6 connectivity, otherwise this adds
        # latency/failed attempts.
        prefer-ip6 = true;

        # Do not answer id.server / version.server style probes; the identity
        # string is only used if hide-identity were ever turned off.
        hide-identity = true;
        hide-version = true;
        identity = "Server";

        # ---- hardening ---------------------------------------------------
        # Only trust glue records that fall within the responding server's
        # authority.
        harden-glue = true;
        # Zones with a trust anchor must carry DNSSEC data; if it is missing the
        # zone is treated as BOGUS rather than accepted unsigned.
        harden-dnssec-stripped = true;
        harden-referral-path = true;
        # 0x20 case randomization is left off: it has been reported to break
        # DNSSEC validation against some servers, see
        # https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
        use-caps-for-id = false;
        # Smaller EDNS buffer to avoid IP fragmentation / reassembly issues.
        # NOTE(review): more recent unbound releases recommend (and default to)
        # 1232; 1472 predates that guidance -- consider revisiting.
        edns-buffer-size = 1472;

        # ---- cache behaviour ---------------------------------------------
        # Refresh popular entries shortly before they expire (records and
        # DNSKEYs) so hot names rarely miss the cache.
        prefetch = true;
        prefetch-key = true;
        # Clamp TTLs to [5 min, 1 day]. cache-min-ttl overrides authoritative
        # TTLs below 300s, which trades freshness for fewer upstream lookups.
        cache-min-ttl = 300;
        cache-max-ttl = 86400;
        # Answer from a stale record first and refresh afterwards, instead of
        # making the client wait on the upstream lookup. (The alternative used
        # elsewhere is a much larger cache-min-ttl, e.g. 3600.)
        # NOTE(review): serve-expired-ttl is not set, so the maximum age of a
        # stale answer is whatever this unbound version defaults to -- confirm
        # it is bounded as intended.
        serve-expired = true;

        # Cache sizes: rrset cache should be about twice the message cache.
        rrset-cache-size = "256m";
        msg-cache-size = "128m";
        # Slab counts are powers of two kept equal to num-threads below, which
        # is the upstream guidance for reducing lock contention.
        msg-cache-slabs = 16;
        rrset-cache-slabs = 16;
        infra-cache-slabs = 16;
        key-cache-slabs = 16;

        # ---- concurrency / sockets ---------------------------------------
        # Upstream advice is that a single thread is enough for a small network
        # or a single host; 16 is a deliberate choice for a larger machine and
        # is what the *-slabs values above are sized to.
        num-threads = 16;
        # More in-flight queries and outgoing ports; outgoing-range is kept at
        # twice num-queries-per-thread, as the upstream tuning notes suggest.
        outgoing-range = 8192;
        num-queries-per-thread = 4096;
        # Omit authority/additional sections that were not asked for. Shrinks
        # responses noticeably and can avoid TCP fallback for some answers.
        minimal-responses = true;
        # Large kernel socket buffers so bursts of traffic are not dropped.
        so-rcvbuf = "8m";
        so-sndbuf = "8m";
        # Let each thread bind its own UDP socket for better multi-thread
        # throughput.
        so-reuseport = true;

        # ---- rebinding protection ----------------------------------------
        # Addresses in these ranges are removed from answers for public names,
        # which blocks DNS rebinding towards the local network. Any internal
        # zone that legitimately returns such addresses needs a matching
        # private-domain entry.
        # NOTE(review): the IPv4-mapped range ::ffff:0:0/96 from the upstream
        # example list is not included -- confirm whether that is intentional.
        private-address = [
          "192.168.0.0/16"
          "169.254.0.0/16"
          "172.16.0.0/12"
          "10.0.0.0/8"
          "fd00::/8"
          "fe80::/10"
        ];
      };
    };

    prometheus = {
      exporters = {
        # Host metrics, with the systemd collector enabled on top of the
        # defaults.
        node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
        };
        # unbound metrics are scraped over the control socket configured in
        # services.unbound.localControlSocketPath above; keep the two in sync.
        unbound = {
          enable = true;
          unbound.host = "unix:///run/unbound/unbound.ctl";
        };
      };
    };

    # Daily rotation of the unbound log, keeping 7 generations. Compression is
    # delayed one cycle so the most recent rotated file stays greppable, and
    # empty logs are not rotated. After rotating, unbound is told to reopen its
    # log file so it does not keep writing to the rotated inode.
    logrotate.settings.unbound = {
      files = [ "/var/log/unbound/unbound.log" ];
      frequency = "daily";
      rotate = 7;
      compress = true;
      delaycompress = true;
      notifempty = true;
      postrotate = ''
        ${config.services.unbound.package}/bin/unbound-control log_reopen
      '';
    };
  };
}