gluetun/unbound.conf

server:
  # See https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
  # logging
  verbosity: 0
  val-log-level: 0
  use-syslog: yes
  
  # performance
  num-threads: 1
  prefetch: yes
  prefetch-key: yes
  key-cache-size: 16m
  key-cache-slabs: 4
  msg-cache-size: 4m
  msg-cache-slabs: 4
  rrset-cache-size: 4m
  rrset-cache-slabs: 4
  cache-min-ttl: 3600
  cache-max-ttl: 9000
  
  # privacy
  rrset-roundrobin: yes
  hide-identity: yes
  hide-version: yes
  
  # security
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
  root-hints: "/etc/unbound/root.hints"
  trust-anchor-file: "/etc/unbound/root.key"
  harden-below-nxdomain: yes
  harden-referral-path: yes
  harden-algo-downgrade: yes
  # set above to no if there is any problem
  # Prevent DNS rebinding
  private-address: 127.0.0.1/8
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-address: ::1/128
  private-address: fc00::/7
  private-address: fe80::/10
  private-address: ::ffff:0:0/96
  
  # network
  do-ip4: yes
  do-ip6: no
  interface: 127.0.0.1
  port: 53
  username: "nonrootuser"

  # other files
  include: "/etc/unbound/blocks-malicious.conf"
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-tls-upstream: yes