01100001 · September 28, 2021 15:27
diff --git a/unbound.conf b/unbound.conf
 remote-control:
  control-enable: yes
 server:
  do-ip6: no
  do-ip4: yes
  do-udp: yes
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  num-threads: 4
  # Enable logs
  verbosity: 1
  # List of Root DNS Server
  root-hints: "/var/lib/unbound/root.hints"
  # Use the root servers key for DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  # Respond to DNS requests on all interfaces
  interface: 0.0.0.0
  max-udp-size: 3072
  # Authorized IPs to access the DNS Server
  access-control: 0.0.0.0/0                 refuse
  access-control: 127.0.0.1                 allow
  access-control: 10.42.0.0/16              allow
  # not allowed to be returned for public internet  names
  private-address: 10.42.0.0/16
  # Hide DNS Server info
  hide-identity: yes
  hide-version: yes
  # Limit DNS Fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  use-caps-for-id: yes
  # Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
  unwanted-reply-threshold: 10000000
  # Have the validator print validation failures to the log.
  val-log-level: 1
  # Minimum lifetime of cache entries in seconds
  cache-min-ttl: 300
  # Maximum lifetime of cached entries
  cache-max-ttl: 14400
  prefetch: yes
  prefetch-key: yes
  # Optimisations
  msg-cache-slabs: 8
  rrset-cache-slabs: 8
  infra-cache-slabs: 8
  key-cache-slabs: 8
  # increase memory size of the cache
  rrset-cache-size: 256m
  msg-cache-size: 128m
  # increase buffer size so that no messages are lost in traffic spikes
  so-rcvbuf: 1m
  # Enable unvalidated lookups to VPC internal domains
  private-domain: "internal"
  domain-insecure: "internal"
  unblock-lan-zones: yes
  insecure-lan-zones: yes

 forward-zone:
  name: "internal."
  forward-tls-upstream: no
  forward-addr: 10.42.0.2
 forward-zone:
  name: "10.in-addr.arpa."
  forward-addr: 10.42.0.2
 # All other queries go to trusted DNS providers
 forward-zone:
  name: "."
  forward-tls-upstream: yes
  # Quad9
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  # Cloudflare DNS
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
	remote-control:
	control-enable: yes
	server:
	do-ip6: no
	do-ip4: yes
	do-udp: yes
	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
	num-threads: 4
	# Enable logs
	verbosity: 1
	# List of Root DNS Server
	root-hints: "/var/lib/unbound/root.hints"
	# Use the root servers key for DNSSEC
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	# Respond to DNS requests on all interfaces
	interface: 0.0.0.0
	max-udp-size: 3072
	# Authorized IPs to access the DNS Server
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.1 allow
	access-control: 10.42.0.0/16 allow
	# not allowed to be returned for public internet names
	private-address: 10.42.0.0/16
	# Hide DNS Server info
	hide-identity: yes
	hide-version: yes
	# Limit DNS Fraud and use DNSSEC
	harden-glue: yes
	harden-dnssec-stripped: yes
	harden-referral-path: yes
	use-caps-for-id: yes
	# Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
	unwanted-reply-threshold: 10000000
	# Have the validator print validation failures to the log.
	val-log-level: 1
	# Minimum lifetime of cache entries in seconds
	cache-min-ttl: 300
	# Maximum lifetime of cached entries
	cache-max-ttl: 14400
	prefetch: yes
	prefetch-key: yes
	# Optimisations
	msg-cache-slabs: 8
	rrset-cache-slabs: 8
	infra-cache-slabs: 8
	key-cache-slabs: 8
	# increase memory size of the cache
	rrset-cache-size: 256m
	msg-cache-size: 128m
	# increase buffer size so that no messages are lost in traffic spikes
	so-rcvbuf: 1m
	# Enable unvalidated lookups to VPC internal domains
	private-domain: "internal"
	domain-insecure: "internal"
	unblock-lan-zones: yes
	insecure-lan-zones: yes

	forward-zone:
	name: "internal."
	forward-tls-upstream: no
	forward-addr: 10.42.0.2
	forward-zone:
	name: "10.in-addr.arpa."
	forward-addr: 10.42.0.2
	# All other queries go to trusted DNS providers
	forward-zone:
	name: "."
	forward-tls-upstream: yes
	# Quad9
	forward-addr: 9.9.9.9@853#dns.quad9.net
	forward-addr: 149.112.112.112@853#dns.quad9.net
	# Cloudflare DNS
	forward-addr: 1.1.1.1@853#cloudflare-dns.com
	forward-addr: 1.0.0.1@853#cloudflare-dns.com