server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    interface: 127.0.0.1
	
    # A single thread is pretty sufficient for home or small office instances.
    num-threads: 1
	
	# Define protocols for connections to and from Unbound.
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no

    # Private IP ranges, which shall never be returned or forwarded as public DNS response.
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Maximum number of queries per second
    ratelimit: 1000

    # Defend against and print warning when reaching unwanted reply limit.
    unwanted-reply-threshold: 10000
	
    # Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
    edns-buffer-size: 1232
	
    # Hardening
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
	
	# Privacy
    use-caps-for-id: yes
	rrset-roundrobin: yes
	
    # Increase incoming and outgoing query buffer size to cover traffic peaks.
    so-rcvbuf: 4m
    so-sndbuf: 4m

    # Caching
    cache-min-ttl: 300
    cache-max-ttl: 86400
    serve-expired: yes
    neg-cache-size: 4M
    prefetch: yes
    prefetch-key: yes
    msg-cache-size: 50m
    rrset-cache-size: 100m