# only give access to recursion clients from LAN IPs access-control: 127.0.0.1/32 allow access-control: 192.168.0.0/24 allow # adjust to your lan ip-range auto-trust-anchor-file: "var/root.key" chroot: "/opt/unbound/etc/unbound" harden-algo-downgrade: no harden-below-nxdomain: yes harden-dnssec-stripped: yes harden-glue: yes harden-large-queries: yes harden-referral-path: no harden-short-bufsize: yes hide-identity: yes hide-version: yes identity: "DNS" # These private network addresses are not allowed to be returned for public # internet names. Any occurrence of such addresses are removed from DNS # answers. Additionally, the DNSSEC validator may mark the answers bogus. # This protects against DNS Rebinding private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 ratelimit: 1000 tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt unwanted-reply-threshold: 10000 use-caps-for-id: no #gives many false errors val-clean-additional: yes