# Unbound configuration, rendered from a Jinja2 template.
# The root zone is forwarded to the configured upstreams over DNS-over-TLS
# (see forward-zone at the end); clients are limited by the access-control
# entries in the server clause.

# Site-specific fragments; their contents are not visible in this template.
include: "/etc/unbound/redxen-dns.conf"
include: "/etc/unbound/internal.conf"

server:
    directory: "/etc/unbound"

    # Access control: the most specific matching netblock wins, so the two
    # catch-all entries act as the default and the "allow" entries override
    # them. refuse_non_local answers only from locally configured data and
    # returns REFUSED for everything else.
    access-control: 0.0.0.0/0 refuse_non_local
    access-control: ::/0 refuse_non_local
    # Local host (IPv4 loopback)
    access-control: 127.0.0.0/8 allow
    # WireGuard range
    access-control: 172.22.12.0/24 allow
    # NOTE(review): no IPv6 netblock is allowed here (not even ::1) although
    # an IPv6 listen address is configured below; IPv6 clients get local data
    # only unless an included file adds an entry. Confirm this is intended.

    # Per-reply logging is left disabled; enabling it writes client addresses
    # and query names to the log.
    #log-replies: yes

    # Listen addresses are taken from the unbound.listen template variables.
    # NOTE(review): the values are inserted unquoted and unvalidated; this
    # assumes they come from trusted inventory.
    interface: {{ unbound.listen.ipv4 }}
    interface: {{ unbound.listen.ipv6 }}

    # Adds per-type, per-class and per-rcode counters to the statistics.
    extended-statistics: yes
    # NOTE(review): root hints are used for iterative resolution; with "."
    # forwarded below they are presumably only a fallback. Confirm.
    root-hints: /usr/share/dns/root.hints
    # Rotate the order of records inside an RRset between responses.
    rrset-roundrobin: yes

    # DNSSEC trust anchor. trust-anchor-file is read as-is and is not updated
    # by Unbound (no RFC 5011 tracking, unlike auto-trust-anchor-file), so
    # whatever provisions this path has to keep it current across root key
    # rollovers.
    trust-anchor-file: /usr/share/dns/root.key
    # CA bundle used to authenticate the upstream DNS-over-TLS servers.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Listen port, from the unbound.port template variable.
    port: {{ unbound.port }}

    # Refresh popular cache entries, and fetch DNSKEYs early, before they are
    # needed.
    prefetch: yes
    prefetch-key: yes

    # Stay in the foreground so a supervisor or container runtime owns the
    # process.
    do-daemonize: no
    # Keep the authority and additional sections in responses.
    minimal-responses: no
    # No log file is written. NOTE(review): the log destination then depends
    # on use-syslog, which is not set in this file.
    logfile: ""

    # Records are cached for at least 60 seconds, even when the owner
    # published a lower TTL.
    cache-min-ttl: 60
    # Only accept glue that lies within the delegating server's authority.
    harden-glue: yes
    # Synthesize negative answers from cached DNSSEC NSEC records (RFC 8198).
    aggressive-nsec: yes

    # Serve stale answers for up to 86400 seconds (one day) after expiry, and
    # restart that window after a failed upstream lookup. This trades
    # freshness for availability: a record that was changed or withdrawn at
    # the source can keep being served while upstreams are unreachable.
    serve-expired: yes
    serve-expired-ttl: 86400
    serve-expired-ttl-reset: yes

# unbound-control channel.
# NOTE(review): control-use-cert: no turns off TLS and certificate
# authentication on the control port, so any local process that can connect to
# 127.0.0.1 can issue control commands (flush the cache, change forwarders,
# stop the daemon). On a shared host, consider a unix-socket control-interface
# protected by file permissions, or keep certificates enabled.
remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: 127.0.0.1

# Forward the whole namespace to the upstreams listed in unbound.forward, over
# TLS. The text after '#' in each forward-addr is the name the upstream
# certificate is checked against, and the port defaults to 853.
# NOTE(review): every entry is assumed to set a non-empty host; without an
# authentication name the certificate is not matched to a name. Confirm the
# inventory always provides it.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    {% for forward in unbound.forward %}
    forward-addr: {{ forward.ipa }}@{{ forward.port|default(853) }}#{{ forward.host }}
    {% endfor %}