jcanfield · September 24, 2025 20:27
diff --git a/stubby.yml b/stubby.yml
 resolution_type: GETDNS_RESOLUTION_STUB
 round_robin_upstreams: 1
 tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
 tls_query_padding_blocksize: 256
 edns_client_subnet_private: 1
 idle_timeout: 9000
 listen_addresses:
  - 127.0.0.1@8053
  -  0::1@8053
 dns_transport_list:
  - GETDNS_TRANSPORT_TLS
 tls_connection_retries: 5
 tls_backoff_time: 900
 timeout: 2000
 tls_ca_path: "/etc/ssl/certs/"
 dnssec: GETDNS_EXTENSION_TRUE
 dnssec_return_status: GETDNS_EXTENSION_TRUE
 dnssec_trust_anchors: "/var/lib/unbound/root.key"
 upstream_recursive_servers:
 ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

 ## 2 - The Surfnet/Sinodun DNS TLS Server #3  A+ ( NLD )
  - address_data: 145.100.185.18
    tls_port: 853
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=

 ## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD )
  - address_data: 145.100.185.15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

 ## 4 - The The Surfnet/Sinodun DNS TLS Server #1  A ( NLD )
  - address_data: 145.100.185.16
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

 ## 5 - The DNSPRIVACY.at TLS Server #1  A+ ( DEU )
  - address_data: 94.130.110.185
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Fr9YdIAIg7TXJLLHp0XbeWKBS2utev0stoEIb+7rZjM=

 ## 6 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU )
  - address_data: 88.198.91.187
    tls_auth_name: "dot.centraleu.pi-dns.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ZdED9Ry+FfdsbpGVr2IxR/IB0D7FaVpSBWvsRWutrjg=

 ## 7 - The Lightning Wire Labs DNS TLS Server  A+ ( DEU )
  - address_data: 81.3.27.54
    tls_auth_name: "recursor01.dns.lightningwirelabs.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 9QRO8JyJCVMU+KAO9acW5xfQnSXRuj1OqAz5aZHwH+4=

 ## 8 - The dnsforge.de DNS TLS Server #1  A+ ( DEU )
  - address_data: 176.9.1.117
    tls_auth_name: "dnsforge.de"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=

 ## 9 - The dnsforge.de DNS TLS Server #2  A+ ( DEU )
  - address_data: 176.9.93.198
    tls_auth_name: "dnsforge.de"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=

 # 10 - The dns.dnshome.de DNS TLS Server #1  A+ ( DEU )
  - address_data: 185.233.106.232
    tls_auth_name: "dns.dnshome.de"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc=


 tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
 tls_min_version: GETDNS_TLS1_2
 tls_max_version: GETDNS_TLS1_3
 tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
diff --git a/unbound.conf b/unbound.conf
 server:
    private-address: 127.0.0.0/8
    private-address: 10.0.0.0/24
    
    interface: 0.0.0.0
    
    access-control: 10.0.0.0/24 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny
    
    # Base settings
    directory: "/etc/unbound"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    rrset-roundrobin: yes
    username: "unbound"
    
    # Cache
    cache-max-ttl: 86400
    cache-min-ttl: 300
    neg-cache-size: 4M
    msg-cache-size: 128525653
    rrset-cache-size: 257051306 

    # Cache Slabs
    infra-cache-slabs: 4
    key-cache-slabs: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    # Cache Misc
    edns-buffer-size: 1472

    # Logging
    #use-syslog: no
    log-local-actions: no
    log-queries: no
    log-replies: no
    log-servfail: no
    logfile: "/var/log/unbound.log"
    verbosity: 0 # errors only

    # Peristence
    incoming-num-tcp: 128
    tcp-idle-timeout: 30000

    # Privacy
    qname-minimisation: yes
    do-not-query-localhost: no
    aggressive-nsec: yes
    hide-identity: yes
    hide-version: yes
    identity: "DNS"
    # Privacy no ipv4 awnsers
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16 
    private-address: 169.254.0.0/16

    # Hardening
    deny-any: yes
    harden-glue: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-large-queries: yes
    harden-referral-path: no

    # Performance
    num-threads: 10
    minimal-responses: yes
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes

    include: /etc/unbound/blackhole.conf
    
 forward-zone:
    name: "."
    # Forward all to stubby
    forward-addr: 127.0.0.1@8053
    forward-addr: ::1@8053
    
 # Stop!
 remote-control:
    control-enable: no
	resolution_type: GETDNS_RESOLUTION_STUB
	round_robin_upstreams: 1
	tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
	tls_query_padding_blocksize: 256
	edns_client_subnet_private: 1
	idle_timeout: 9000
	listen_addresses:
	- 127.0.0.1@8053
	- 0::1@8053
	dns_transport_list:
	- GETDNS_TRANSPORT_TLS
	tls_connection_retries: 5
	tls_backoff_time: 900
	timeout: 2000
	tls_ca_path: "/etc/ssl/certs/"
	dnssec: GETDNS_EXTENSION_TRUE
	dnssec_return_status: GETDNS_EXTENSION_TRUE
	dnssec_trust_anchors: "/var/lib/unbound/root.key"
	upstream_recursive_servers:
	## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
	- address_data: 185.49.141.37
	tls_auth_name: "getdnsapi.net"
	tls_port: 853
	tls_pubkey_pinset:
	- digest: "sha256"
	value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

	## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD )
	- address_data: 145.100.185.18
	tls_port: 853
	tls_auth_name: "dnsovertls3.sinodun.com"
	tls_pubkey_pinset:
	- digest: "sha256"
	value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=

	## 3 - The The Surfnet/Sinodun DNS TLS Server A ( NLD )
	- address_data: 145.100.185.15
	tls_auth_name: "dnsovertls.sinodun.com"
	tls_port: 443
	tls_pubkey_pinset:
	- digest: "sha256"
	value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

	## 4 - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD )
	- address_data: 145.100.185.16
	tls_auth_name: "dnsovertls1.sinodun.com"
	tls_port: 443
	tls_pubkey_pinset:
	- digest: "sha256"
	value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

	## 5 - The DNSPRIVACY.at TLS Server #1 A+ ( DEU )
	- address_data: 94.130.110.185
	tls_auth_name: "ns1.dnsprivacy.at"
	tls_port: 853
	tls_pubkey_pinset:
	- digest: "sha256"
	value: Fr9YdIAIg7TXJLLHp0XbeWKBS2utev0stoEIb+7rZjM=

	## 6 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU )
	- address_data: 88.198.91.187
	tls_auth_name: "dot.centraleu.pi-dns.com"
	tls_port: 853
	tls_pubkey_pinset:
	- digest: "sha256"
	value: ZdED9Ry+FfdsbpGVr2IxR/IB0D7FaVpSBWvsRWutrjg=

	## 7 - The Lightning Wire Labs DNS TLS Server A+ ( DEU )
	- address_data: 81.3.27.54
	tls_auth_name: "recursor01.dns.lightningwirelabs.com"
	tls_port: 853
	tls_pubkey_pinset:
	- digest: "sha256"
	value: 9QRO8JyJCVMU+KAO9acW5xfQnSXRuj1OqAz5aZHwH+4=

	## 8 - The dnsforge.de DNS TLS Server #1 A+ ( DEU )
	- address_data: 176.9.1.117
	tls_auth_name: "dnsforge.de"
	tls_port: 853
	tls_pubkey_pinset:
	- digest: "sha256"
	value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=

	## 9 - The dnsforge.de DNS TLS Server #2 A+ ( DEU )
	- address_data: 176.9.93.198
	tls_auth_name: "dnsforge.de"
	tls_port: 853
	tls_pubkey_pinset:
	- digest: "sha256"
	value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=

	# 10 - The dns.dnshome.de DNS TLS Server #1 A+ ( DEU )
	- address_data: 185.233.106.232
	tls_auth_name: "dns.dnshome.de"
	tls_port: 853
	tls_pubkey_pinset:
	- digest: "sha256"
	value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc=


	tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
	tls_min_version: GETDNS_TLS1_2
	tls_max_version: GETDNS_TLS1_3
	tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
	server:
	private-address: 127.0.0.0/8
	private-address: 10.0.0.0/24

	interface: 0.0.0.0

	access-control: 10.0.0.0/24 allow
	access-control: ::1 allow
	access-control: 0.0.0.0/0 deny
	access-control: ::/0 deny

	# Base settings
	directory: "/etc/unbound"
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
	rrset-roundrobin: yes
	username: "unbound"

	# Cache
	cache-max-ttl: 86400
	cache-min-ttl: 300
	neg-cache-size: 4M
	msg-cache-size: 128525653
	rrset-cache-size: 257051306

	# Cache Slabs
	infra-cache-slabs: 4
	key-cache-slabs: 4
	msg-cache-slabs: 4
	rrset-cache-slabs: 4
	# Cache Misc
	edns-buffer-size: 1472

	# Logging
	#use-syslog: no
	log-local-actions: no
	log-queries: no
	log-replies: no
	log-servfail: no
	logfile: "/var/log/unbound.log"
	verbosity: 0 # errors only

	# Peristence
	incoming-num-tcp: 128
	tcp-idle-timeout: 30000

	# Privacy
	qname-minimisation: yes
	do-not-query-localhost: no
	aggressive-nsec: yes
	hide-identity: yes
	hide-version: yes
	identity: "DNS"
	# Privacy no ipv4 awnsers
	private-address: 10.0.0.0/8
	private-address: 172.16.0.0/12
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16

	# Hardening
	deny-any: yes
	harden-glue: yes
	harden-algo-downgrade: yes
	harden-below-nxdomain: yes
	harden-dnssec-stripped: yes
	harden-large-queries: yes
	harden-referral-path: no

	# Performance
	num-threads: 10
	minimal-responses: yes
	prefetch: yes
	prefetch-key: yes
	serve-expired: yes

	include: /etc/unbound/blackhole.conf

	forward-zone:
	name: "."
	# Forward all to stubby
	forward-addr: 127.0.0.1@8053
	forward-addr: ::1@8053

	# Stop!
	remote-control:
	control-enable: no