My unbound config

unbound.conf

server:
    # log verbosity
    verbosity: 1

    use-syslog: yes

    interface: 127.0.0.1
    interface: ::1

    do-ip6: yes
    do-ip4: yes

    # port to answer queries from
    port: 53

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
    # quicker to resolve as the functions related to TCP checks are not done.i
    # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
    # due to their size.
    do-tcp: yes
    
    # control which client ips are allowed to make (recursive) queries to this
    # server. Specify classless netblocks with /size and action.  By default
    # everything is refused, except for localhost.  Choose deny (drop message),
    # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
    # and nonrecursive ok)
    #access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    #access-control: 192.168.0.0/16 allow

    trust-anchor-file: trusted-key.key

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes
    
    # enable to not answer version.server and version.bind queries.
    hide-version: yes

    # Will trust glue only if it is within the servers authority.
    # Harden against out of zone rrsets, to avoid spoofing attempts. 
    # Hardening queries multiple name servers for the same data to make
    # spoofing significantly harder and does not mandate dnssec.
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
    # turn it off, failing to validate dnskey data for a trustanchor will trigger
    # insecure mode for that zone (like without a trustanchor).  Default on,
    # which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
    # While upper and lower case letters are allowed in domain names, no significance
    # is attached to the case. That is, two names with the same spelling but
    # different case are to be treated as if identical. This means calomel.org is the
    # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
    use-caps-for-id: yes

    # perform prefetching of close to expired message cache entries.  If a client
    # requests the dns lookup and the TTL of the cached hostname is going to
    # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
    # host to the client and (2nd) pre-fetch the dns request from the remote dns
    # server. This method has been shown to increase the amount of cached hits by
    # local clients by 10% on average.
    prefetch: yes

    # number of threads to create. 1 disables threading. This should equal the number
    # of CPU cores in the machine. Our example machine has 4 CPU cores.
    num-threads: 4

    ## Unbound Optimization and Speed Tweaks ###
    
    # the number of slabs to use for cache and must be a power of 2 times the
    # number of num-threads set above. more slabs reduce lock contention, but
    # fragment memory usage.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    
    # Increase the memory size of the cache. Use roughly twice as much rrset cache
    # memory as you use msg cache memory. Due to malloc overhead, the total memory
    # usage is likely to rise to double (or 2.5x) the total cache memory. The test
    # box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
    rrset-cache-size: 256m
    msg-cache-size: 128m
    
    # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
    # the kernel buffer larger so that no messages are lost in spikes in the traffic.
    so-rcvbuf: 1m
    
    ## /Unbound Optimization and Speed Tweaks ###

    # Enforce privacy of these addresses. Strips them away from answers.  It may
    # cause DNSSEC validation to additionally mark it as bogus.  Protects against
    # 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
    # 'local-data' names are allowed to have these private addresses. No default.
    #  private-address: 192.168.0.0/16
    #  private-address: 172.16.0.0/12
    #  private-address: 10.0.0.0/8

    # Allow the domain (and its subdomains) to contain private addresses.
    # local-data statements are allowed to contain private addresses too.
    # private-domain: "home.lan"

    # If nonzero, unwanted replies are not only reported in statistics, but also
    # a running total is kept per thread. If it reaches the threshold, a warning
    # is printed and a defensive action is taken, the cache is cleared to flush
    # potential poison out of it.  A suggested value is 10000000, the default is
    # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

    # Should additional section of secure message also be kept clean of unsecure
    # data. Useful to shield the users of this validator from potential bogus
    # data in the additional section. All unsigned data in the additional section
    # is removed from secure messages.
    val-clean-additional: yes

    # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
    # account for a 70 percent share of all advertising traffic. Block them.
    # local-zone: "doubleclick.net" redirect
    # local-data: "doubleclick.net A 127.0.0.1"
    # local-zone: "googlesyndication.com" redirect
    # local-data: "googlesyndication.com A 127.0.0.1"
    # local-zone: "googleadservices.com" redirect
    # local-data: "googleadservices.com A 127.0.0.1"
    # local-zone: "google-analytics.com" redirect
    # local-data: "google-analytics.com A 127.0.0.1"
    # local-zone: "ads.youtube.com" redirect
    # local-data: "ads.youtube.com A 127.0.0.1"
    # local-zone: "adserver.yahoo.com" redirect
    # local-data: "adserver.yahoo.com A 127.0.0.1"
    # local-zone: "ask.com" redirect
    # local-data: "ask.com A 127.0.0.1"
    
    # Unbound will not load if you specify the same local-zone and local-data
    # servers in the main configuration as well as in this "include:" file. We
    # suggest commenting out any of the local-zone and local-data lines above if
    # you suspect they could be included in the unbound_ad_servers servers file.
    # A nice way to obtain a good, updated list is:
    # wget "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&startdate[day]=&startdate[month]=&startdate[year]=&mimetype=plaintext" -O /etc/unbound/unbound_ad_servers
    # Make nevertheless sure that no other config is included there!!
    include: "/etc/unbound/unbound_ad_servers"

remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes
   
    # what interfaces are listened to for remote control.
    # give 0.0.0.0 and ::0 to listen to all interfaces.
    control-interface: 127.0.0.1
   
    # port number for remote control operations.
    control-port: 8953
   
    # unbound server key file.
    server-key-file: "/etc/unbound/unbound_server.key"
   
    # unbound server certificate file.
    server-cert-file: "/etc/unbound/unbound_server.pem"
   
    # unbound-control key file.
    control-key-file: "/etc/unbound/unbound_control.key"
   
    # unbound-control certificate file.
    control-cert-file: "/etc/unbound/unbound_control.pem"





## unbound.conf adapted by edermi, based on config found on https://calomel.org