# only give access to recursion clients from LAN IPs
   access-control: 127.0.0.1/32 allow
   access-control: 192.168.0.0/24 allow  # adjust to your lan ip-range
   auto-trust-anchor-file: "var/root.key"
   chroot: "/opt/unbound/etc/unbound"
   harden-algo-downgrade: no
   harden-below-nxdomain: yes
   harden-dnssec-stripped: yes
   harden-glue: yes
   harden-large-queries: yes
   harden-referral-path: no
   harden-short-bufsize: yes
   hide-identity: yes
   hide-version: yes
   identity: "DNS"
   # These private network addresses are not allowed to be returned for public
   # internet names. Any  occurrence of such addresses are removed from DNS
   # answers. Additionally, the DNSSEC validator may mark the  answers  bogus.
   # This  protects  against DNS Rebinding
   private-address: 10.0.0.0/8
   private-address: 172.16.0.0/12
   private-address: 192.168.0.0/16
   private-address: 169.254.0.0/16
   ratelimit: 1000
   tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
   unwanted-reply-threshold: 10000
   use-caps-for-id: no  #gives many false errors
   val-clean-additional: yes