Update 'Config/Unbound/pi-hole.conf'

Added multiple comments to sections explaining their purpose. Added private IPv6 range Added max queries per sec Added extra privacy measures Added caching with prefetch
2023-09-22 14:10:06 +02:00 · 2023-09-22 14:10:06 +02:00 · 46924deb99
commit 46924deb99
parent 23e42f5f0f
1 changed files with 43 additions and 11 deletions
--- a/Config/Unbound/pi-hole.conf
+++ b/Config/Unbound/pi-hole.conf
@ -3,6 +3,11 @@ server:
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    interface: 127.0.0.1
+	
+    # A single thread is pretty sufficient for home or small office instances.
+    num-threads: 1
+	
+	# Define protocols for connections to and from Unbound.
    port: 5335
    do-ip4: yes
    do-udp: yes
@ -10,17 +15,44 @@ server:
    do-ip6: no
    prefer-ip6: no

-    harden-glue: yes
-    harden-dnssec-stripped: yes
-    use-caps-for-id: no
-    edns-buffer-size: 1472
-    prefetch: yes
-    num-threads: 1
-    so-rcvbuf: 1m
-
-    private-address: 192.168.0.0/16
+    # Private IP ranges, which shall never be returned or forwarded as public DNS response.
+    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
-    private-address: 10.0.0.0/8
+    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
+
+    # Maximum number of queries per second
+    ratelimit: 1000
+
+    # Defend against and print warning when reaching unwanted reply limit.
+    unwanted-reply-threshold: 10000
+	
+    # Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
+    edns-buffer-size: 1232
+	
+    # Hardening
+    harden-glue: yes
+    harden-dnssec-stripped: yes
+    harden-algo-downgrade: yes
+    harden-large-queries: yes
+    harden-short-bufsize: yes
+	
+	# Privacy
+    use-caps-for-id: yes
+	rrset-roundrobin: yes
+	
+    # Increase incoming and outgoing query buffer size to cover traffic peaks.
+    so-rcvbuf: 4m
+    so-sndbuf: 4m
+
+    # Caching
+    cache-min-ttl: 300
+    cache-max-ttl: 86400
+    serve-expired: yes
+    neg-cache-size: 4M
+    prefetch: yes
+    prefetch-key: yes
+    msg-cache-size: 50m
+    rrset-cache-size: 100m