diff --git a/Config/Unbound/pi-hole.conf b/Config/Unbound/pi-hole.conf
index fdeca1e..5c7bab9 100644
--- a/Config/Unbound/pi-hole.conf
+++ b/Config/Unbound/pi-hole.conf
@@ -3,6 +3,11 @@ server:
 # logfile: "/var/log/unbound/unbound.log"
 verbosity: 0
 interface: 127.0.0.1
+
+ # A single thread is pretty sufficient for home or small office instances.
+ num-threads: 1
+
+ # Define protocols for connections to and from Unbound.
 port: 5335
 do-ip4: yes
 do-udp: yes
@@ -10,17 +15,44 @@ server:
 do-ip6: no
 prefer-ip6: no
 
- harden-glue: yes
- harden-dnssec-stripped: yes
- use-caps-for-id: no
- edns-buffer-size: 1472
- prefetch: yes
- num-threads: 1
- so-rcvbuf: 1m
-
- private-address: 192.168.0.0/16
+ # Private IP ranges, which shall never be returned or forwarded as public DNS response.
+ private-address: 10.0.0.0/8
 private-address: 169.254.0.0/16
 private-address: 172.16.0.0/12
- private-address: 10.0.0.0/8
+ private-address: 192.168.0.0/16
 private-address: fd00::/8
- private-address: fe80::/10
\ No newline at end of file
+ private-address: fe80::/10
+
+ # Maximum number of queries per second
+ ratelimit: 1000
+
+ # Defend against and print warning when reaching unwanted reply limit.
+ unwanted-reply-threshold: 10000
+
+ # Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
+ edns-buffer-size: 1232
+
+ # Hardening
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ harden-algo-downgrade: yes
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # Privacy
+ use-caps-for-id: yes
+ rrset-roundrobin: yes
+
+ # Increase incoming and outgoing query buffer size to cover traffic peaks.
+ so-rcvbuf: 4m
+ so-sndbuf: 4m
+
+ # Caching
+ cache-min-ttl: 300
+ cache-max-ttl: 86400
+ serve-expired: yes
+ neg-cache-size: 4M
+ prefetch: yes
+ prefetch-key: yes
+ msg-cache-size: 50m
+ rrset-cache-size: 100m
\ No newline at end of file
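Review bot: The added comment `# Define protocols for connections to and from Unbound.` sits directly above `port: 5335`, which sets the listening port rather than a protocol, so the stanza heading does not match its first line; `# Listening port and transport protocols for connections to and from Unbound.` describes the lines that follow more accurately. The context line `interface: 127.0.0.1` above the insertion keeps the listener loopback-only, which is the expected posture for a resolver that only Pi-hole talks to, and stating that next to the port (e.g. `# Loopback only; Pi-hole is the sole client of this listener.`) makes a later widening of `interface` a visible, deliberate choice rather than a drive-by edit. The `server:` block begins outside the hunk, so whether anything else binds the listener is not visible here.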
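Review bot: `serve-expired: yes` in the new `# Caching` stanza is not paired with `serve-expired-ttl`, and Unbound's default of 0 for that option places no limit on how long an expired record keeps being handed out, so a bound such as `serve-expired-ttl: 86400` is needed to stop a stale answer from outliving a record change indefinitely. `unwanted-reply-threshold: 10000` is far below the value the Unbound manual suggests (10 million); since the defensive action on reaching it is a flush of the message and rrset caches, a low threshold makes that flush cheap for an outside party to provoke, and the comment above it should name the cache flush instead of saying only "print warning". `use-caps-for-id` and `rrset-roundrobin` under `# Privacy` are spoofing-resistance and load-spreading settings rather than privacy ones, so either fold them into the `# Hardening` stanza or give the stanza options that actually limit what the resolver discloses, such as `hide-identity: yes` and `hide-version: yes`. `neg-cache-size: 4M` uses an uppercase size suffix while every other size in the hunk uses lowercase; both parse, but `4m` keeps the file consistent. The `server:` block begins outside the hunk, so whether a DNSSEC trust anchor is configured for `prefetch-key` and `harden-dnssec-stripped` to act on cannot be checked from here.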