# {{ ansible_managed }}
#
server:
	num-threads: 1
	interface: 127.0.0.1
	interface: ::1

	outgoing-num-tcp: 128
	incoming-num-tcp: 128
	so-rcvbuf: 1m
	so-sndbuf: 1m

	do-ip4: yes
	do-ip6: yes
	do-udp: yes
	do-tcp: yes

	access-control: ::0/0 refuse
	access-control: 0.0.0.0/0 refuse
	access-control: ::1 allow
	access-control: 127.0.0.0/8 allow
	access-control: 2a01:4f8:150:926f::0/64 allow
	access-control: 10.0.0.0/24 allow

	chroot: "/usr/local/etc/unbound"

	username: "unbound"
	directory: "/usr/local/etc/unbound"

	use-systemd: no
	do-daemonize: no
	use-syslog: no
	logfile: ""

	pidfile: "/usr/local/etc/unbound/unbound.pid"

	hide-identity: yes
	hide-version: yes
	hide-trustanchor: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	qname-minimisation: yes
	qname-minimisation-strict: yes
	use-caps-for-id: yes

	private-address: 10.0.0.0/8
	private-address: 172.16.0.0/12
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16
	private-address: fd00::/8
	private-address: fe80::/10
	private-address: ::ffff:0:0/96

	do-not-query-localhost: no 

	prefetch: yes
	prefetch-key: yes
	deny-any: no
	rrset-roundrobin: yes
	minimal-responses: yes
	disable-dnssec-lame-check: no

	module-config: "validator iterator"

	local-zone: "10.in-addr.arpa" nodefault

remote-control:
	control-enable: yes
	control-interface: /usr/local/etc/unbound/control

stub-zone:
	name: "."
	stub-prime: no
	stub-addr: 127.0.0.1@5353