## This is an example Unbound configuration file
## This is needed to use unbound_exporter
remote-control:
    control-enable: yes
    control-interface: /var/run/socket/unbound.ctl

# The rest of this file is standard Unbound configuration
# There's nothing special here.
server:
    module-config: "respip validator iterator"
    extended-statistics: yes
    cache-max-ttl: 86400
    cache-min-ttl: 300
    directory: "/opt/unbound/etc/unbound"
    do-ip4: yes
    do-ip6: no
    do-tcp: yes
    do-udp: yes
    edns-buffer-size: 1232
    interface: 0.0.0.0
    port: 1053
    prefer-ip6: no
    rrset-roundrobin: yes
    username: "_unbound"
    log-local-actions: no
    log-queries: no
    log-replies: no
    log-servfail: yes
    logfile: /opt/unbound/etc/unbound/unbound.log
    verbosity: 2
    infra-cache-slabs: 4
    incoming-num-tcp: 10
    key-cache-slabs: 4
    msg-cache-size: 142768128
    msg-cache-slabs: 4
    num-queries-per-thread: 4096
    num-threads: 3
    outgoing-range: 8192
    rrset-cache-size: 285536256
    rrset-cache-slabs: 4
    minimal-responses: yes
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    so-reuseport: yes
    aggressive-nsec: yes
    delay-close: 10000
    do-daemonize: no
    do-not-query-localhost: no
    neg-cache-size: 4M
    qname-minimisation: yes
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: fc00::/7 allow
    access-control: ::1/128 allow
    auto-trust-anchor-file: "/opt/unbound/etc/unbound/var/root.key"
    chroot: ""
    deny-any: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-referral-path: no
    harden-short-bufsize: yes
    hide-http-user-agent: no
    hide-identity: yes
    hide-version: no
    http-user-agent: "DNS"
    identity: "DNS"
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    ratelimit: 1000
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    unwanted-reply-threshold: 10000
    use-caps-for-id: yes
    val-clean-additional: yes
    include: /opt/unbound/etc/unbound/a-records.conf
    include: /opt/unbound/etc/unbound/srv-records.conf

rpz:
    name: unbound_exporter_cloak
    zonefile: /opt/unbound/etc/unbound/droplist.zone
    rpz-log: yes
    rpz-log-name: unbound_exporter_cloak
    rpz-action-override: nxdomain